Win32/Dyzap
Aliases: Dyze (other), Dyreza (other)
Summary
Windows Defender detects and removes this threat.
This threat can steal your personal information, such as your user names and passwords. It sends the stolen information to a malicious hacker.
Use the following free Microsoft software to detect and remove this threat:
- Microsoft Defender Antivirus for Windows 10 and Windows 8.1, or Microsoft Security Essentials for Windows 7 and Windows Vista
- Microsoft Safety Scanner
You should also run a full scan. A full scan might find hidden malware.
Protect your sensitive information
This threat tries to steal your sensitive and confidential information. If you think your information has been stolen, see:
You should change your passwords after you've removed this threat:
Use cloud protection
The Microsoft Active Protection Service (MAPS) uses cloud protection to help guard against the latest malware threats. It’s turned on by default for Microsoft Security Essentials and Windows Defender for Windows 10.
Get more help
You can also see our advanced troubleshooting page for more help.
If you’re using Windows XP, see our Windows XP end of support page.
Threat behavior
Installation
This trojan is usually distributed via spam or exploits.
In the wild, we've seen this trojan being downloaded by TrojanDownloader/Upatre.
The threat copies itself to %APPDATA%\Local\[random alphanumeric characters].exe (for example: %APPDATA%\Local\ogTcCwihjpelfmm.exe).
It makes the following changes to the registry to ensure that it runs each time you start your PC:
In subkey: HKLM\SYSTEM\CurrentControlSet\
Sets value: Services\googleupdate
With data: "%Windows%\[random file name].exe"
In subkey: HKLM\SYSTEM\CurrentControlSet\
Sets value: Services\googleupdate
With data: "Google Update Service"
In subkey: HKCU\Software\Microsoft\
Sets value: Windows\CurrentVersion\Run
With data: "%AppDataLocal%\[random file name].exe"
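A defender-side check for the persistence entries listed above, written as an added example (it is not code from this page or from Microsoft). It scans constructed registry-write records with Sysmon Event ID 13 style TargetObject/Details fields and flags an HKCU Run entry whose binary lives in the local AppData folder, any write under a service key named googleupdate, and a service binary that sits directly in the Windows folder rather than a system or program directory. The ImagePath value name and all sample records are assumptions; the page names the subkeys and data patterns but not the value names.

```python
"""Flag registry autostart writes that match the Win32/Dyzap persistence pattern.

Added example, not code from the Microsoft encyclopedia entry. Runs over
constructed registry SetValue records shaped like Sysmon Event ID 13 fields
(TargetObject, Details). The ImagePath value name under the googleupdate
service key is an assumption: the page names the subkey, not the value.
"""
import re
from typing import Dict, List, Tuple

# Autostart locations named on the page.
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
SERVICE_KEY_RE = re.compile(r"\\CurrentControlSet\\Services\\([^\\]+)\\", re.I)
# Binary locations named on the page.
LOCAL_APPDATA_RE = re.compile(r"\\AppData\\Local\\", re.I)
# An .exe directly in the Windows folder (not System32 or any subfolder).
WINDOWS_ROOT_EXE_RE = re.compile(r'^"?[A-Za-z]:\\Windows\\[^\\]+\.exe"?$', re.I)

SUSPICIOUS_SERVICE_NAME = "googleupdate"  # service key the trojan creates


def check_event(event: Dict[str, str]) -> List[str]:
    """Return human-readable findings for one registry SetValue record."""
    findings: List[str] = []
    target = event.get("TargetObject", "")
    data = event.get("Details", "")

    # Rule 1: a per-user Run entry whose binary lives in %LOCALAPPDATA%.
    if RUN_KEY_RE.search(target) and LOCAL_APPDATA_RE.search(data):
        findings.append("HKCU Run autostart points into the local AppData folder")

    # Rule 2: any write under the service key named on the page, plus a
    # second finding when its binary is dropped straight into %Windows%.
    svc = SERVICE_KEY_RE.search(target)
    if svc and svc.group(1).lower() == SUSPICIOUS_SERVICE_NAME:
        findings.append("write to service key 'googleupdate'")
        if WINDOWS_ROOT_EXE_RE.match(data):
            findings.append("service binary placed directly in the Windows folder")
    return findings


def scan(events) -> List[Tuple[str, str]]:
    """Scan many records; return (TargetObject, finding) pairs for every hit."""
    hits: List[Tuple[str, str]] = []
    for ev in events:
        for finding in check_event(ev):
            hits.append((ev.get("TargetObject", ""), finding))
    return hits


# Constructed sample records: two mirror the page's persistence entries,
# two are benign and must not trigger.
SAMPLE_EVENTS = [
    {"TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\ogTcCwihjpelfmm",
     "Details": r"C:\Users\alice\AppData\Local\ogTcCwihjpelfmm.exe"},
    {"TargetObject": r"HKLM\System\CurrentControlSet\Services\googleupdate\ImagePath",
     "Details": r"C:\Windows\ogTcCwihjpelfmm.exe"},
    {"TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\ExampleUpdater",
     "Details": r"C:\Program Files\ExampleVendor\updater.exe"},
    {"TargetObject": r"HKLM\System\CurrentControlSet\Services\Spooler\ImagePath",
     "Details": r"C:\Windows\System32\spoolsv.exe"},
]

if __name__ == "__main__":
    for target, finding in scan(SAMPLE_EVENTS):
        print(f"{finding}: {target}")
```

Run against the constructed records, the first two produce three findings in total and the benign pair produce none. In a real deployment the same rules map onto a SIEM query over Sysmon registry events; the Run-key rule will also catch legitimate per-user installers that live in %LOCALAPPDATA%, so treat it as a triage signal rather than a verdict.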
The trojan tries to connect to the following websites to check if your PC is connected to the internet:
- google.com
- microsoft.com
Payload
Steals online banking information
This threat uses the "Man In The Browser" technique to steal online banking user names and passwords.
When you visit an online banking website that the trojan targets, it attempts to steal your banking user names and passwords and send the stolen information to a malicious hacker.
It monitors the following web browsers to intercept banking transactions so it can send your stolen credentials to a malicious hacker:
- Google Chrome
- Internet Explorer
- Mozilla Firefox
- Microsoft Edge
It monitors the following online banking websites:
Steals information
The trojan also collects the following information about your PC and sends it to a malicious hacker:
- Your PC name
- Your user name
- Your operating system
- A generated 32-character key, unique to your PC, that the trojan uses to identify it
- Your IP address
To find out your PC's public IP address, the trojan tries to connect to "icanhazip.com" or to one of the following STUN servers:
- 203.183.172.196:3478
- numb.viagenie.ca
- s1.taraba.net
- s2.taraba.net
- stun.2talk.co.nz
- stun.callwithus.com
- stun.ekiga.net
- stun.faktortel.com.au
- stun.ideasip.com
- stun.internetcalls.com
- stun.ipshka.com
- stun.iptel.org
- stun.l.google.com:19302
- stun.noc.ams-ix.net
- stun.phonepower.com
- stun.rixtelecom.se
- stun.schlund.de
- stun.sipgate.net
- stun.stunprotocol.org
- stun.voip.aebc.com
- stun.voiparound.com
- stun.voipbuster.com
- stun.voipstunt.com
- stun.voxgratia.org
- stun1.l.google.com:19302
- stun1.voiceeclipse.net
- stun2.l.google.com:19302
- stun3.l.google.com:19302
- stun4.l.google.com:19302
- stunserver.org
Note: The malware uses Session Traversal Utilities for NAT (STUN) to try to get the public IP address.
It creates the following encrypted log file in which to store the information it gathers:
%APPDATA%\Local\[random alphanumeric characters] (for example: %APPDATA%\Local\2ete64.vas)
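The STUN behaviour above is unusual for a process such as explorer.exe, into which this trojan injects itself, and that makes it a useful detection signal. The following is an added example (not code from this page or from Microsoft) that runs over constructed network connection records with Sysmon Event ID 3 style fields (Image, DestinationHostname, DestinationPort) and reports any process that either reaches icanhazip.com or contacts several distinct STUN servers. The server names come from the list on this page; the field names, the threshold of three servers and the sample records are assumptions.

```python
"""Spot processes that enumerate public STUN servers to learn their public IP.

Added example, not code from the page. Runs over constructed network
connection records shaped like Sysmon Event ID 3 fields (Image,
DestinationHostname, DestinationPort). The threshold and samples are
assumptions; the STUN host list is the one given on the page.
"""
from collections import defaultdict
from typing import Dict, List, Set

STUN_PORTS = {3478, 19302}  # standard STUN port and Google's alternate port
STUN_HOSTS = {
    "numb.viagenie.ca", "s1.taraba.net", "s2.taraba.net", "stun.2talk.co.nz",
    "stun.callwithus.com", "stun.ekiga.net", "stun.faktortel.com.au",
    "stun.ideasip.com", "stun.internetcalls.com", "stun.ipshka.com",
    "stun.iptel.org", "stun.l.google.com", "stun.noc.ams-ix.net",
    "stun.phonepower.com", "stun.rixtelecom.se", "stun.schlund.de",
    "stun.sipgate.net", "stun.stunprotocol.org", "stun.voip.aebc.com",
    "stun.voiparound.com", "stun.voipbuster.com", "stun.voipstunt.com",
    "stun.voxgratia.org", "stun1.l.google.com", "stun1.voiceeclipse.net",
    "stun2.l.google.com", "stun3.l.google.com", "stun4.l.google.com",
    "stunserver.org",
}
IP_LOOKUP_HOSTS = {"icanhazip.com"}
# Assumption: a legitimate VoIP or WebRTC client uses one or two STUN servers;
# a process that walks a long list behaves like this trojan.
DISTINCT_STUN_THRESHOLD = 3


def is_stun_contact(record: Dict[str, str]) -> bool:
    """True when the destination is a known STUN host or a STUN port."""
    host = record.get("DestinationHostname", "").lower()
    port = int(record.get("DestinationPort", 0))
    return host in STUN_HOSTS or port in STUN_PORTS


def analyse(records) -> Dict[str, List[str]]:
    """Aggregate connections per process image and return findings per image."""
    stun_targets: Dict[str, Set[str]] = defaultdict(set)
    ip_lookup_images: Set[str] = set()
    for rec in records:
        image = rec.get("Image", "")
        host = rec.get("DestinationHostname", "").lower()
        if host in IP_LOOKUP_HOSTS:
            ip_lookup_images.add(image)
        if is_stun_contact(rec):
            stun_targets[image].add(f"{host}:{rec.get('DestinationPort', '')}")

    findings: Dict[str, List[str]] = defaultdict(list)
    for image in sorted(ip_lookup_images):
        findings[image].append("queried a public-IP lookup site (icanhazip.com)")
    for image, targets in stun_targets.items():
        if len(targets) >= DISTINCT_STUN_THRESHOLD:
            findings[image].append(f"contacted {len(targets)} distinct STUN servers")
    return dict(findings)


# Constructed sample records: explorer.exe behaves like the injected trojan,
# a browser and a softphone each use a single STUN server legitimately.
SAMPLE_CONNECTIONS = [
    {"Image": r"C:\Windows\explorer.exe", "DestinationHostname": "stun.l.google.com", "DestinationPort": "19302"},
    {"Image": r"C:\Windows\explorer.exe", "DestinationHostname": "stun.ekiga.net", "DestinationPort": "3478"},
    {"Image": r"C:\Windows\explorer.exe", "DestinationHostname": "stun.sipgate.net", "DestinationPort": "3478"},
    {"Image": r"C:\Windows\explorer.exe", "DestinationHostname": "icanhazip.com", "DestinationPort": "80"},
    {"Image": r"C:\Program Files\ExampleBrowser\browser.exe", "DestinationHostname": "stun.l.google.com", "DestinationPort": "19302"},
    {"Image": r"C:\Program Files\ExampleVoip\softphone.exe", "DestinationHostname": "stun.sipgate.net", "DestinationPort": "3478"},
]

if __name__ == "__main__":
    for image, notes in analyse(SAMPLE_CONNECTIONS).items():
        print(image)
        for note in notes:
            print("  -", note)
```

On the constructed records only explorer.exe is reported, once for the icanhazip.com lookup and once for touching three distinct STUN servers. Because the logic keys on the process image, it fits the injection behaviour described on this page: the network activity shows up under explorer.exe or svchost.exe, not under a separately named binary.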
Connects to a remote server
It connects to a command-and-control (C&C) server to receive commands from a malicious hacker and to send the information it steals from your PC. We've observed the trojan connecting to the following servers:
Additional information
The malware tries to hide itself by injecting code into the following processes:
- explorer.exe
- svchost.exe
Analysis by Alden Pornasdoro
Prevention
The following can indicate that you have this threat on your PC: