Win32/Spy.Ursnif [Threat Name] go to Threat

Win32/Spy.Ursnif.A [Threat Variant Name]

Category trojan,virus
Size 80384 B
Detection created Oct 17, 2008
Signature database version 10188
Aliases Trojan.Win32.Inject.kzl (Kaspersky)
  TrojanSpy:Win32/Ursnif.gen!H (Microsoft)
  TROJ_PATCH.ZGM (TrendMicro)
Short description

Win32/Spy.Ursnif.A is a trojan that steals sensitive information. The trojan can send the information to a remote machine.

Installation

When executed, the trojan copies itself into the following location:

  • %userprofile%\­nah_%random%.exe

%random% represents a random text.


In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "nah_Shell" = "%userprofile%\­nah_%random%.exe"

The following Registry entries are created:

  • [HKEY_CURRENT_USER\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion]
    • "nah_opt_server1" = "78.109.23.2"
    • "nah_opt_reserv" = "78.109.23.2"
    • "nah_opt_forms" = "/f/prinimalka.py/forms"
    • "nah_opt_options" = "/f/prinimalka.py/options"
    • "nah_opt_command" = "/f/prinimalka.py/command"
    • "nah_opt_file" = "/f/prinimalka.py/cookies"
    • "nah_opt_ss" = "/cgi-bin/trash.py"
    • "nah_opt_pstorage" = "/cgi-bin/trash.py"
    • "nah_opt_certs" = "/cgi-bin/trash.py"
    • "nah_opt_idproject" = %number1%
    • "nah_opt_pauseopt" = %number2%
    • "nah_opt_pausecert" = %number3%
    • "nah_opt_deletecookie" = "%variable1%"
    • "nah_opt_deletesol" = "%variable2%"
    • "nah_id" = "%variable3%"

The %number1-3% represents a random number.


A string with variable content is used instead of %variable1-3% .


The following Registry entry is deleted:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Active Setup\­Installed Components\­{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}]
    • "StubPath"

The trojan modifies the following file:

  • %programfiles%\­Mozilla Firefox\­chrome\­browser.manifest

The trojan creates the following file:

  • %programfiles%\­Mozilla Firefox\­chrome\­amba.jar

The trojan creates and runs a new thread with its own program code in all running processes.


It avoids those with any of the following strings in their names:

  • svchost.exe
  • [System Process]
    • System
    • smss.exe
    • winlogon.exe
    • lsass.exe
    • avp
    • csrss.exe
    • services.exe
Information stealing

The trojan creates a new user account with the username:

  • l%variable3%

and the password:

  • pentagon

Win32/Spy.Ursnif.A is a trojan that steals sensitive information.


The following information is collected:

  • operating system version
  • computer IP address
  • default Internet browser

The trojan collects sensitive information when the user browses certain web sites.


The trojan can send the information to a remote machine. The HTTP protocol is used.


By adding an exception in Windows Firewall settings, the trojan ensures that it is not blocked.

Other information

The following Registry entry is set:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Winlogon\­SpecialAccounts\­UserList]
    • "l%variable3%" = ""

This way the trojan hides the created user account in listings of all accounts.


The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Control\­Terminal Server]
    • "fDenyTSConnections" = 0
  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Control\­Terminal Server]
    • "TSEnabled" =  1

This way the trojan enables Remote Desktop connections on the infected system.


The following Registry entry is set:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Winlogon]
    • "AllowMultipleTSSessions" = 1

This Registry entry enables the Fast User Switching feature, which allows multiple users to be logged on to the system at the same time.


The trojan creates copies of the following files (source, destination):

  • %system%\­winlogon.exe, %system%\­winlogon.old
  • %system%\­termsrv.dll, %system%\­termsrv.old

The following files are modified:

  • %system%\­winlogon.exe
  • %system%\­termsrv.dll

The trojan acquires data and commands from a remote computer or the Internet.


The trojan can download and execute a file from the Internet.

Please enable Javascript to ensure correct displaying of this content and refresh this page.