Win32/Spy.Ursnif [Threat Name]
Win32/Spy.Ursnif.A [Threat Variant Name]
Category | trojan, virus
Size | 80384 B
Aliases | Trojan.Win32.Inject.kzl (Kaspersky), TrojanSpy:Win32/Ursnif.gen!H (Microsoft), TROJ_PATCH.ZGM (TrendMicro)
Short description
Win32/Spy.Ursnif.A is a trojan that steals sensitive information. The trojan can send the information to a remote machine.
Installation
When executed, the trojan copies itself into the following location:
- %userprofile%\nah_%random%.exe
%random% represents a random string.
In order to be executed on every system start, the trojan sets the following Registry entry:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- "nah_Shell" = "%userprofile%\nah_%random%.exe"
The following Registry entries are created:
- [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion]
- "nah_opt_server1" = "78.109.23.2"
- "nah_opt_reserv" = "78.109.23.2"
- "nah_opt_forms" = "/f/prinimalka.py/forms"
- "nah_opt_options" = "/f/prinimalka.py/options"
- "nah_opt_command" = "/f/prinimalka.py/command"
- "nah_opt_file" = "/f/prinimalka.py/cookies"
- "nah_opt_ss" = "/cgi-bin/trash.py"
- "nah_opt_pstorage" = "/cgi-bin/trash.py"
- "nah_opt_certs" = "/cgi-bin/trash.py"
- "nah_opt_idproject" = %number1%
- "nah_opt_pauseopt" = %number2%
- "nah_opt_pausecert" = %number3%
- "nah_opt_deletecookie" = "%variable1%"
- "nah_opt_deletesol" = "%variable2%"
- "nah_id" = "%variable3%"
%number1-3% each represent a random number.
%variable1-3% each stand for a string with variable content.
The following Registry entry is deleted:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}]
- "StubPath"
The trojan modifies the following file:
- %programfiles%\Mozilla Firefox\chrome\browser.manifest
The trojan creates the following file:
- %programfiles%\Mozilla Firefox\chrome\amba.jar
The trojan creates and runs a new thread with its own program code in all running processes.
It avoids those with any of the following strings in their names:
- svchost.exe
- [System Process]
- System
- smss.exe
- winlogon.exe
- lsass.exe
- avp
- csrss.exe
- services.exe
Information stealing
The trojan creates a new user account with the username:
- l%variable3%
and the password:
- pentagon
Win32/Spy.Ursnif.A is a trojan that steals sensitive information.
The following information is collected:
- operating system version
- computer IP address
- default Internet browser
The trojan collects sensitive information when the user browses certain web sites.
The trojan can send the information to a remote machine. The HTTP protocol is used.
By adding an exception in Windows Firewall settings, the trojan ensures that it is not blocked.
Other information
The following Registry entry is set:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
- "l%variable3%" = ""
This way the trojan hides the created user account from the Welcome (logon) screen and from the User Accounts listing, so the account is not visible in the usual listings of all accounts.
The following Registry entries are set:
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
- "fDenyTSConnections" = 0
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
- "TSEnabled" = 1
This way the trojan enables Remote Desktop connections on the infected system, which, together with the hidden account created above, allows remote logon to the infected system.
The following Registry entry is set:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
- "AllowMultipleTSSessions" = 1
This Registry entry enables the Fast User Switching feature, which allows multiple users to be logged on to the system at the same time.
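The Registry indicators on this page, from the Run entry and the nah_opt_* configuration values listed under Installation to the hidden account, Terminal Server and AllowMultipleTSSessions settings in this section, can be checked offline against a `reg export` dump. The following Python script is an added example and is not ESET's code: it parses a .reg text export and flags those entries. The key paths and value names are the ones listed on this page; the sample dump embedded in the script is constructed, with made-up values standing in for %random%, %variable3% and %number1%.

```python
"""Offline check of a Windows Registry text export (.reg) for the
Win32/Spy.Ursnif.A indicators listed on this page.

Added example, not ESET's code. Key paths and value names are taken
from the page; the sample dump below is constructed, with made-up
values standing in for %random%, %variable3% and %number1%."""
import re

# Registry keys from the page, lower-cased for case-insensitive matching.
KEY_RUN = r"hkey_current_user\software\microsoft\windows\currentversion\run"
KEY_CFG = r"hkey_current_user\software\microsoft\windows\currentversion"
KEY_USERLIST = (r"hkey_local_machine\software\microsoft\windows nt\currentversion"
                r"\winlogon\specialaccounts\userlist")
KEY_TS = r"hkey_local_machine\system\currentcontrolset\control\terminal server"
KEY_WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"

# Constructed sample of what `reg export` might show on an infected host.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"nah_Shell"="C:\\Documents and Settings\\user\\nah_k3j8s.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion]
"nah_opt_server1"="78.109.23.2"
"nah_opt_reserv"="78.109.23.2"
"nah_opt_command"="/f/prinimalka.py/command"
"nah_opt_idproject"=dword:0000002a
"nah_id"="a1b2c3"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
"la1b2c3"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000
"TSEnabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AllowMultipleTSSessions"=dword:00000001
"""

# A value line: "name"=data (the name may contain escaped quotes/backslashes).
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s):
    # Undo .reg string escaping: \" -> " and \\ -> \
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(text):
    """Parse .reg text into {key_path_lower: {value_name: data}}.
    Quoted strings are unescaped, dword values become ints, other
    types (hex:, expandable strings) are kept as raw text."""
    reg, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            reg.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name, data = _unescape(m.group(1)), m.group(2)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            value = _unescape(data[1:-1])
        elif data.lower().startswith("dword:"):
            value = int(data[6:], 16)
        else:
            value = data
        reg[current][name] = value
    return reg


def find_indicators(text):
    """Return a dict of the page's Ursnif.A indicators present in the dump."""
    reg = parse_reg(text)
    hits = {}
    # Persistence: Run value "nah_Shell" pointing at %userprofile%\nah_%random%.exe.
    for name, data in reg.get(KEY_RUN, {}).items():
        if name.lower() == "nah_shell" or re.search(r"\\nah_[^\\]+\.exe$", str(data), re.I):
            hits["run_entry"] = (name, data)
    # Bot configuration: nah_opt_* and nah_id under CurrentVersion.
    cfg = {n.lower(): v for n, v in reg.get(KEY_CFG, {}).items() if n.lower().startswith("nah_")}
    if cfg:
        hits["config_values"] = sorted(cfg)
        hits["c2_servers"] = sorted({str(cfg[n]) for n in ("nah_opt_server1", "nah_opt_reserv") if n in cfg})
    # Hidden accounts: UserList entries set to 0 (shown as "" on the page) are
    # hidden from the Welcome screen; the trojan's account is "l" + nah_id.
    hidden = [n for n, v in reg.get(KEY_USERLIST, {}).items() if v in (0, "")]
    if hidden:
        hits["hidden_accounts"] = hidden
        bot_id = str(cfg.get("nah_id", ""))
        if bot_id and "l" + bot_id in hidden:
            hits["ursnif_account"] = "l" + bot_id
    # Remote Desktop enabled and multiple simultaneous sessions allowed.
    ts = reg.get(KEY_TS, {})
    if ts.get("fDenyTSConnections") == 0 and ts.get("TSEnabled") == 1:
        hits["rdp_enabled"] = True
    if reg.get(KEY_WINLOGON, {}).get("AllowMultipleTSSessions") == 1:
        hits["multiple_ts_sessions"] = True
    return hits


if __name__ == "__main__":
    for key, value in find_indicators(SAMPLE_REG).items():
        print(f"{key}: {value}")
```

To run it against a real host, export the four keys with `reg export` on the suspect machine and pass the resulting text to `find_indicators`; the `rdp_enabled` and `multiple_ts_sessions` findings are only suspicious in combination with the others, since an administrator may legitimately set both.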
The trojan creates copies of the following files (source, destination):
- %system%\winlogon.exe, %system%\winlogon.old
- %system%\termsrv.dll, %system%\termsrv.old
The following files are modified (the originals are kept under the .old names listed above):
- %system%\winlogon.exe
- %system%\termsrv.dll
termsrv.dll is the Terminal Services library and winlogon.exe handles interactive logon; patching both is the known technique for lifting the concurrent Remote Desktop session limit on Windows XP, consistent with the Terminal Server and AllowMultipleTSSessions settings above.
The trojan acquires data and commands from a remote computer or the Internet.
The trojan can download and execute a file from the Internet.