Win32/Spy.Shiz [Threat Name]

Win32/Spy.Shiz.NCU [Threat Variant Name]

Category trojan
Size 441856 B
Detection created Apr 29, 2016
Detection database version 13411
Aliases Win32/Dynamer!ac (Microsoft)
Short description

The trojan serves as a backdoor. It can be controlled remotely.


When executed, the trojan copies itself into the following location:

  • %commonappdata%\%variable%.exe

A string with variable content is used instead of %variable%.

In order to be executed on every system start, the trojan creates the following file:

  • %startup%\Common.js
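The two drop locations and the registry value described on this page are cheap to triage on a suspect host. The script below is an added example, not ESET's code. It assumes three things the page does not state outright: that any script file in the per-user Startup folder, any .exe sitting directly in the root of %ProgramData% (the page's %commonappdata%), and any value stored directly under HKCU\Software\Microsoft\Windows (a key that normally holds only subkeys) deserve an analyst's attention. The sample names and registry data it ships with are constructed placeholders, not values recovered from an infection.

```python
"""Triage rules for the persistence artefacts described above.

Added example, not ESET's code. Assumptions: script files in %startup%,
executables in the root of %commonappdata%, and any value directly under
HKCU\\Software\\Microsoft\\Windows are worth reporting.
"""
import os
import sys

REG_BINARY = 3          # winreg.REG_BINARY; the page calls the data %binvalue%
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta")


def triage(startup_names, programdata_names, registry_values):
    """Pure rule set, so it runs against live data or against listings
    exported from another machine.

    startup_names     : file names found in %startup%
    programdata_names : entries in the root of %commonappdata%
    registry_values   : (name, data, reg_type) tuples, the shape returned
                        by winreg.EnumValue for HKCU\\Software\\Microsoft\\Windows
    """
    findings = {
        "startup_scripts": sorted(
            n for n in startup_names if n.lower().endswith(SCRIPT_EXTS)),
        "programdata_exes": sorted(
            n for n in programdata_names if n.lower().endswith(".exe")),
        # Every value here is anomalous; a REG_BINARY blob matches the sample exactly.
        "registry_values": [
            (name, "REG_BINARY" if reg_type == REG_BINARY else "type %d" % reg_type)
            for name, _data, reg_type in registry_values],
    }
    findings["suspicious"] = any(
        findings[k] for k in ("startup_scripts", "programdata_exes", "registry_values"))
    return findings


def collect_live():
    """Windows only: gather the three inputs from the running system."""
    import winreg
    startup = os.path.join(os.environ["APPDATA"],
                           r"Microsoft\Windows\Start Menu\Programs\Startup")
    programdata = os.environ.get("PROGRAMDATA", r"C:\ProgramData")
    values = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, r"Software\Microsoft\Windows") as key:
        index = 0
        while True:
            try:
                values.append(winreg.EnumValue(key, index))
            except OSError:          # no more values under this key
                break
            index += 1
    return os.listdir(startup), os.listdir(programdata), values


# Constructed sample input (not captured from a real infection): the dropped
# Common.js beside the usual desktop.ini, one stray .exe in %ProgramData%
# under a placeholder name, and one binary value planted under the key.
SAMPLE_STARTUP = ["desktop.ini", "Common.js"]
SAMPLE_PROGRAMDATA = ["Microsoft", "Package Cache", "x8f2k1.exe"]
SAMPLE_REGISTRY = [("x8f2k1", b"\x00\x01\x02", REG_BINARY)]

if __name__ == "__main__":
    if sys.platform == "win32":
        inputs = collect_live()
    else:
        inputs = (SAMPLE_STARTUP, SAMPLE_PROGRAMDATA, SAMPLE_REGISTRY)
    for key, value in triage(*inputs).items():
        print(key, value)
```

Run it as the affected user: the key and the Startup folder are both per-user, so a triage from an administrator account will look at the wrong hive and the wrong folder.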

Information stealing

The trojan collects the following information:

  • user name
  • computer name
  • information about the operating system and system settings
  • login user names for certain applications/services
  • login passwords for certain applications/services
  • list of running processes
  • installed antivirus software
  • logged keystrokes
  • screenshots
  • data from the clipboard
  • Bitcoin wallet contents
  • Litecoin wallet contents
  • digital certificates

The trojan collects sensitive information when the user browses certain web sites.

The trojan is able to log keystrokes.

The trojan attempts to send gathered information to a remote machine.

Other information

The following Registry entry is set:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows]
    • "%variable%" = %binvalue%

A string with variable content is used instead of %variable%.

The trojan performs no action if any of the following applications is detected:

  • Avast Antivirus
  • Sandboxie

The trojan can detect the presence of virtual environments and sandboxes.

The trojan can detect the presence of debuggers and other analytical tools.

The trojan quits immediately if it is run within a debugger.

The trojan quits immediately if any of the following folders/files is detected:

  • c:\sample\pos.exe
  • \\.\NPF_NdisWanIp
  • c:\analysis\sandboxstarter.exe
  • c:\analysis
  • c:\insidetm
  • c:\windows\system32\drivers\vmmouse.sys
  • c:\windows\system32\drivers\vmhgfs.sys
  • c:\windows\system32\drivers\vboxmouse.sys
  • c:\iDEFENSE
  • c:\popupkiller.exe
  • c:\tools\execute.exe

The trojan quits immediately if the computer name is one of the following:


The trojan quits immediately if the user name is one of the following:


The trojan sleeps for a certain period of time if it detects a running process whose name contains one of the following strings:

  • apispy.exe
  • autoruns.exe
  • autorunsc.exe
  • dumpcap.exe
  • emul.exe
  • fortitracer.exe
  • hookanaapp.exe
  • hookexplorer.exe
  • idag.exe
  • idaq.exe
  • importrec.exe
  • imul.exe
  • joeboxcontrol.exe
  • joeboxserver.exe
  • multi_pot.exe
  • ollydbg.exe
  • peid.exe
  • petools.exe
  • proc_analyzer.exe
  • procexp.exe
  • procmon.exe
  • regmon.exe
  • scktool.exe
  • sniff_hit.exe
  • sysanalyzer.exe
  • vboxservice.exe
  • vboxtray.exe
  • vmsrvc.exe
  • vmtoolsd.exe
  • vmusrvc.exe
  • vmwaretray.exe
  • vmwareuser.exe
  • wireshark.exe
  • xenservice.exe
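The file checks and the process-name checks above have different outcomes (exit versus sleep), which matters when a sandbox produces an empty report for this sample. The script below is an added example, not ESET's code. It models only what the page states: the sample quits when any listed path exists and sleeps when a running process name contains any listed string (treated here as a case-insensitive substring match). The page gives no computer or user names for its name checks, so those are not modelled, and the assumption that the exit checks take precedence over the sleep check is mine. The host states it ships with are constructed, not captured from real machines.

```python
"""Audit an analysis VM against the exit and sleep checks listed above.

Added example, not ESET's code. Assumptions: substring, case-insensitive
matching of process names; exit checks evaluated before the process scan.
"""
import os
import subprocess
import sys

QUIT_PATHS = [
    r"c:\sample\pos.exe",
    r"\\.\NPF_NdisWanIp",
    r"c:\analysis\sandboxstarter.exe",
    r"c:\analysis",
    r"c:\insidetm",
    r"c:\windows\system32\drivers\vmmouse.sys",
    r"c:\windows\system32\drivers\vmhgfs.sys",
    r"c:\windows\system32\drivers\vboxmouse.sys",
    r"c:\iDEFENSE",
    r"c:\popupkiller.exe",
    r"c:\tools\execute.exe",
]

SLEEP_PROCESS_SUBSTRINGS = [
    "apispy.exe", "autoruns.exe", "autorunsc.exe", "dumpcap.exe", "emul.exe",
    "fortitracer.exe", "hookanaapp.exe", "hookexplorer.exe", "idag.exe",
    "idaq.exe", "importrec.exe", "imul.exe", "joeboxcontrol.exe",
    "joeboxserver.exe", "multi_pot.exe", "ollydbg.exe", "peid.exe",
    "petools.exe", "proc_analyzer.exe", "procexp.exe", "procmon.exe",
    "regmon.exe", "scktool.exe", "sniff_hit.exe", "sysanalyzer.exe",
    "vboxservice.exe", "vboxtray.exe", "vmsrvc.exe", "vmtoolsd.exe",
    "vmusrvc.exe", "vmwaretray.exe", "vmwareuser.exe", "wireshark.exe",
    "xenservice.exe",
]


def evasion_verdict(existing_paths, process_names):
    """Return ("quit" | "sleep" | "run", [triggers]) for a given host state."""
    present = {p.lower().rstrip("\\") for p in existing_paths}
    hits = [p for p in QUIT_PATHS if p.lower() in present]
    if hits:
        return "quit", hits
    hits = []
    for proc in process_names:
        name = proc.lower()
        hits.extend(s for s in SLEEP_PROCESS_SUBSTRINGS if s in name)
    if hits:
        return "sleep", sorted(set(hits))
    return "run", []


def path_present(path):
    """os.path.exists cannot stat a device-namespace path such as \\\\.\\NPF_...;
    those must be opened, which is also how a sample would probe them."""
    if path.startswith("\\\\.\\"):
        try:
            with open(path, "rb"):
                return True
        except OSError:
            return False
    return os.path.exists(path)


def live_host_state():
    """Windows only: which listed paths exist and which process images run."""
    existing = [p for p in QUIT_PATHS if path_present(p)]
    out = subprocess.run(["tasklist", "/fo", "csv", "/nh"],
                         capture_output=True, text=True, check=True).stdout
    procs = [line.split('","')[0].strip('"') for line in out.splitlines() if line]
    return existing, procs


# Constructed host states (not captured from real machines).
STOCK_VMWARE_GUEST = ([r"C:\Windows\System32\drivers\vmmouse.sys"],
                      ["explorer.exe", "vmtoolsd.exe"])
HARDENED_GUEST_WITH_TOOLS = ([], ["explorer.exe", "Wireshark.exe", "x64dbg.exe"])
CLEAN_GUEST = ([], ["explorer.exe", "svchost.exe"])

if __name__ == "__main__":
    state = live_host_state() if sys.platform == "win32" else STOCK_VMWARE_GUEST
    print(evasion_verdict(*state))
```

The hardened-guest case shows the limit of a static list: the sample sleeps because of Wireshark but does not react to x64dbg, which is absent from the list. Renaming the tools the list does name, or running captures outside the guest, is enough to get past the process check; the driver files need the VM's guest additions removed or the file names changed.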

The trojan may create and run a new thread with its own program code within any running process.

It uses techniques common to rootkits.

The trojan hooks the following Windows APIs:

  • _write (msvcr90.dll)
  • CertVerifyCertificateChainPolicy (crypt32.dll)
  • CertGetCertificateChain (crypt32.dll)
  • connect (ws2_32.dll)
  • ConnectEx (mswsock.dll)
  • CPExportKey (rsaenh.dll)
  • getaddrinfo (ws2_32.dll)
  • GetAddrInfoExW (ws2_32.dll)
  • GetClipboardData (user32.dll)
  • gethostbyname (ws2_32.dll)
  • GetMessageA (user32.dll)
  • GetMessageW (user32.dll)
  • I_CryptUIProtect (cryptui.dll)
  • PFXImportCertStore (crypt32.dll)
  • send (ws2_32.dll)
  • SSL_AuthCertificateHook (nspr4.dll, nss3.dll)
  • TranslateMessage (user32.dll)
  • URLDownloadToCacheFileW (urlmon.dll)
  • URLDownloadToFileW (urlmon.dll)
  • WSASend (ws2_32.dll)
  • zend_compile_file (php5ts.dll)
  • ZwQuerySystemInformation (ntdll.dll)
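The hook list reads as a form grabber (send, WSASend, the NSS and CryptoAPI certificate-validation routines), a keylogger and clipboard monitor (GetMessageA/W, TranslateMessage, GetClipboardData), a certificate thief (CPExportKey, PFXImportCertStore) and a process-hiding rootkit (ZwQuerySystemInformation). Inline hooks on exported functions can be spotted from inside a process by reading the first bytes of each export and looking for a trampoline. The script below is an added example, not ESET's code. It sees only hooks installed in the process that runs it, which on this page means a process the trojan chose to inject into; the trampoline byte patterns are common x86/x64 shapes and are my assumption, not something the page describes; and legitimate hooks from EDR agents or Microsoft hot-patching produce the same signatures, so a hit is a lead, not a verdict. The sample prologues it ships with are constructed, not dumped from an infected host.

```python
"""Check the exports listed above for inline (trampoline) hooks.

Added example, not ESET's code. Assumptions: the trampoline patterns below,
and that only modules already loaded in this process are inspected.
"""
import sys

# (dll, export) pairs from the page. ConnectEx is normally reached through
# WSAIoctl rather than GetProcAddress, and nss3/php5ts exist only inside the
# applications that ship them, so those entries usually resolve to None here.
HOOKED_EXPORTS = [
    ("msvcr90.dll", "_write"),
    ("crypt32.dll", "CertVerifyCertificateChainPolicy"),
    ("crypt32.dll", "CertGetCertificateChain"),
    ("ws2_32.dll", "connect"),
    ("mswsock.dll", "ConnectEx"),
    ("rsaenh.dll", "CPExportKey"),
    ("ws2_32.dll", "getaddrinfo"),
    ("ws2_32.dll", "GetAddrInfoExW"),
    ("user32.dll", "GetClipboardData"),
    ("ws2_32.dll", "gethostbyname"),
    ("user32.dll", "GetMessageA"),
    ("user32.dll", "GetMessageW"),
    ("cryptui.dll", "I_CryptUIProtect"),
    ("crypt32.dll", "PFXImportCertStore"),
    ("ws2_32.dll", "send"),
    ("nss3.dll", "SSL_AuthCertificateHook"),
    ("user32.dll", "TranslateMessage"),
    ("urlmon.dll", "URLDownloadToCacheFileW"),
    ("urlmon.dll", "URLDownloadToFileW"),
    ("ws2_32.dll", "WSASend"),
    ("php5ts.dll", "zend_compile_file"),
    ("ntdll.dll", "ZwQuerySystemInformation"),
]


def trampoline_kind(prologue):
    """Classify the first bytes of a function; None means it looks untouched."""
    b = prologue
    if b[:1] == b"\xe9":
        return "jmp rel32"
    if b[:1] == b"\xeb":
        return "jmp rel8"
    if b[:2] == b"\xff\x25":
        return "jmp [abs]"
    if b[:1] == b"\x68" and b[5:6] == b"\xc3":
        return "push imm32 / ret"
    if b[:2] == b"\x48\xb8" and b[10:12] == b"\xff\xe0":
        return "mov rax, imm64 / jmp rax"
    if b[:1] == b"\xb8" and b[5:7] == b"\xff\xe0":
        return "mov eax, imm32 / jmp eax"
    return None


def scan_exports(read_prologue, exports=HOOKED_EXPORTS, length=16):
    """read_prologue(dll, name) -> bytes, or None if not loaded / not exported.
    Returns [(dll, name, kind)] for exports whose prologue is a trampoline."""
    hooked = []
    for dll, name in exports:
        data = read_prologue(dll, name)
        if data is None:
            continue
        kind = trampoline_kind(data[:length])
        if kind:
            hooked.append((dll, name, kind))
    return hooked


def windows_prologue_reader():
    """Windows only: resolve exports of already-loaded modules and read bytes."""
    import ctypes
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.GetModuleHandleW.restype = ctypes.c_void_p
    k32.GetModuleHandleW.argtypes = [ctypes.c_wchar_p]
    k32.GetProcAddress.restype = ctypes.c_void_p
    k32.GetProcAddress.argtypes = [ctypes.c_void_p, ctypes.c_char_p]

    def read(dll, name):
        module = k32.GetModuleHandleW(dll)      # no LoadLibrary: do not pull in new code
        if not module:
            return None
        addr = k32.GetProcAddress(module, name.encode("ascii"))
        return ctypes.string_at(addr, 16) if addr else None
    return read


# Constructed prologues for offline use (not dumped from an infected host):
# two trampolines, one ordinary x86 prologue, one ordinary x64 syscall stub.
SAMPLE_PROLOGUES = {
    ("ws2_32.dll", "send"): bytes.fromhex("e9 10 00 00 00 cc cc cc 8b ff 55 8b ec 83 ec 10"),
    ("ws2_32.dll", "connect"): bytes.fromhex("8b ff 55 8b ec 83 ec 10 53 56 57 8b 7d 08 33 f6"),
    ("ntdll.dll", "ZwQuerySystemInformation"): bytes.fromhex("4c 8b d1 b8 36 00 00 00 f6 04 25 08 03 fe 7f 01"),
    ("user32.dll", "GetMessageW"): bytes.fromhex("48 b8 00 10 00 00 00 00 00 00 ff e0 cc cc cc cc"),
}

if __name__ == "__main__":
    if sys.platform == "win32":
        reader = windows_prologue_reader()
    else:
        reader = lambda dll, name: SAMPLE_PROLOGUES.get((dll, name))
    for entry in scan_exports(reader):
        print("possible inline hook:", entry)
```

To apply this to a process the trojan has injected rather than to a fresh interpreter, feed scan_exports a reader that pulls the bytes from a memory dump of that process, or compare each export's bytes in memory against the same offset in the DLL on disk, which is what a hook scanner does to avoid depending on a fixed list of trampoline shapes.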

The trojan checks for Internet connectivity by trying to connect to the following addresses:


The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a URL. The HTTP protocol is used.

It may perform the following actions:

  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version
  • send gathered information
  • delete cookies
  • make the operating system unbootable
  • redirect network traffic

The following programs are terminated:

  • autoit3.exe

The trojan may delete the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    • "DisableCurrentUserRun"
