TrojanSpy:Win32/Ursnif.gen!H is the generic detection for a trojan that modifies certain system files and settings. It steals information, such as Operating System details and user passwords, which it then sends back to remote servers.
Installation
TrojanSpy:Win32/Ursnif.gen!H drops a copy of itself as the file '%UserProfile%\nah_fhbb.exe'. It creates a mutex named 'xmas_mutex' so that only one instance of the trojan runs at a time; the presence of this mutex on a host is therefore a sign that the trojan is currently running, not merely installed.
It modifies the system registry so that it automatically runs every time Windows starts:
Adds value: "nah_Shell"
With data: "%UserProfile%\nah_fhbb.exe"
To subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
It also creates the following registry entries as part of its installation routine:
Adds value: "nah_id"
With data: "1861792547"
Adds value: "nah_patch"
With data: "ok"
To subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion
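The installation artifacts above (dropped file, mutex, Run value and marker values) can be checked on a suspect host with the following read-only triage script. It is an added example and not part of the original write-up; it assumes an elevated PowerShell prompt running as the user suspected of being infected, since the Run key and markers live under HKCU and the mutex name, if not prefixed with 'Global\', is only visible inside that user's session.

```powershell
# Added example (not from the original write-up): read-only triage for the
# TrojanSpy:Win32/Ursnif.gen!H installation artifacts. Run elevated, as the
# affected user (HKCU keys and a session-local mutex are per user).
$findings = @()

# 1. Dropped file in the user profile
$dropped = Join-Path $env:USERPROFILE 'nah_fhbb.exe'
if (Test-Path -LiteralPath $dropped) {
    $hash = (Get-FileHash -LiteralPath $dropped -Algorithm SHA256).Hash
    $findings += "Dropped file present: $dropped (SHA256 $hash)"
}

# 2. Single-instance mutex. The page does not say whether the name is created
#    in the Global or session-local namespace, so both are tried (assumption).
#    TryOpenExisting only succeeds while a process still holds the mutex, so a
#    hit means the trojan is live right now.
foreach ($name in 'xmas_mutex', 'Global\xmas_mutex') {
    $mutex = $null
    try {
        if ([System.Threading.Mutex]::TryOpenExisting($name, [ref]$mutex)) {
            $findings += "Mutex '$name' exists: trojan is running"
            $mutex.Dispose()
        }
    } catch [System.UnauthorizedAccessException] {
        # Object exists but we cannot open it; that is still a hit.
        $findings += "Mutex '$name' exists (access denied when opening)"
    }
}

# 3. Autorun value under the per-user Run key
$run = Get-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['nah_Shell']) {
    $findings += "Run value nah_Shell -> $($run.nah_Shell)"
}

# 4. Infection markers written one key up from Run
$cv = Get-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion' -ErrorAction SilentlyContinue
foreach ($name in 'nah_id', 'nah_patch') {
    if ($cv -and $cv.PSObject.Properties[$name]) {
        $findings += "Marker $name = $($cv.$name)"
    }
}

if ($findings.Count -eq 0) {
    'No TrojanSpy:Win32/Ursnif.gen!H installation artifacts found.'
} else {
    $findings
}
```

The nah_id value is worth recording when found: the same number reappears later in the name of the hidden account the trojan creates, so it ties the per-user installation to the machine-wide changes.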
It injects itself into the following processes (most of these are core system processes rather than Windows services; injecting into them lets the trojan's code run under a trusted process name and survive termination of the dropped file):
- svchost.exe
- smss.exe
- winlogon.exe
- lsass.exe
- csrss.exe
- services.exe
- any process whose name contains the string 'avp' (matched with the wildcard pattern '%avp%')
If any of the above processes is not already running, TrojanSpy:Win32/Ursnif.gen!H starts it.
TrojanSpy:Win32/Ursnif.gen!H also injects itself into other currently running system processes.
If the user is running 'firefox.exe', TrojanSpy:Win32/Ursnif.gen!H modifies the browser's Manifest file to run the malware file when the browser is launched.
Payload
Modifies system files
TrojanSpy:Win32/Ursnif.gen!H modifies the following files in the Windows system folder to disable the security features in them:
Modifies network settings
TrojanSpy:Win32/Ursnif.gen!H changes the following network settings to allow remote attackers to connect to the system:
- Enables remote desktop connection:
Adds value: "fDenyTSConnections"
With data: "0"
To subkey: HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server
- Allows multiple users to log on to the infected computer:
Adds value: "AllowMultipleTSSessions"
With data: "1"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Creates user account
TrojanSpy:Win32/Ursnif.gen!H creates a user account and hides it from the Welcome screen. This account may be used to run the malware's services. The hiding is done through the SpecialAccounts\UserList key, where the value name is the account name and a data value of 0 removes that account from the logon screen; note that the account name is the letter 'l' followed by the same number the trojan wrote to the nah_id value during installation.
Adds value: "l1861792547"
With data: "0"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
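The two remote-access settings and the hidden-account entry above can be verified, and optionally reverted, with the following script. It is an added example, not code from the original write-up. It assumes an elevated prompt and PowerShell 5.1 or later for Get-LocalUser and Disable-LocalUser; the values it restores (fDenyTSConnections=1, AllowMultipleTSSessions=0) are the conservative defaults, and an environment that legitimately uses fast user switching or Remote Desktop should adjust them to its own baseline.

```powershell
# Added example (not from the original write-up): check the Terminal Server
# and Winlogon changes made by TrojanSpy:Win32/Ursnif.gen!H and list every
# account hidden via SpecialAccounts\UserList. Nothing is changed unless
# -Revert is given, so the script is safe for read-only triage.
param([switch]$Revert)

$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$ul = "$wl\SpecialAccounts\UserList"

# Values to restore are an assumption (conservative defaults); the trojan
# writes the opposite of each.
$expected = @(
    @{ Path = $ts; Name = 'fDenyTSConnections';     Good = 1 },
    @{ Path = $wl; Name = 'AllowMultipleTSSessions'; Good = 0 }
)

foreach ($e in $expected) {
    $cur = (Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue).$($e.Name)
    if ($null -eq $cur) { "{0}\{1}: not set" -f $e.Path, $e.Name; continue }
    if ($cur -eq $e.Good) { "{0}\{1} = {2} (ok)" -f $e.Path, $e.Name, $cur; continue }
    "{0}\{1} = {2} (SUSPICIOUS, expected {3})" -f $e.Path, $e.Name, $cur, $e.Good
    if ($Revert) {
        Set-ItemProperty -Path $e.Path -Name $e.Name -Value $e.Good -Type DWord
        "  reverted to $($e.Good)"
    }
}

# A value of 0 under UserList hides that account from the Welcome screen.
# Cross-check each hidden name against the real local accounts: the trojan's
# entry ('l' + nah_id) is an account it created, so it will exist locally,
# whereas some vendor software hides service accounts the same way.
if (Test-Path $ul) {
    $hidden = Get-ItemProperty -Path $ul
    $local  = (Get-LocalUser).Name
    foreach ($p in $hidden.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSDrive, etc.
        if ($p.Value -ne 0) { continue }
        $exists = $local -contains $p.Name
        "Hidden account '$($p.Name)' (local account exists: $exists)"
        if ($Revert -and $exists) {
            Remove-ItemProperty -Path $ul -Name $p.Name
            Disable-LocalUser -Name $p.Name
            "  unhidden and disabled"
        }
    }
}
```

Disabling rather than deleting the hidden account preserves its SID and profile for forensic review; delete it only after the host has been imaged or the investigation closed.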
Steals user information
TrojanSpy:Win32/Ursnif.gen!H gathers the following system information, which it then sends back to the remote server 'service.stat'.
- Operating System version
- Service pack version
- Network settings
TrojanSpy:Win32/Ursnif.gen!H contains a module that captures the user's passwords as they are typed. The captured passwords are logged to the file 'nah_log.dat' and sent to the remote server '78.109.23.2' via HTTP POST.
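The keylog file and the HTTP POST exfiltration give two host-side indicators. The following script, an added example rather than code from the original write-up, searches every user profile for 'nah_log.dat' (the page does not say which directory it is written to, so searching all profiles is an assumption), reports live TCP sessions to the exfiltration address, and can add a host firewall rule to block it. It assumes the NetTCPIP and NetSecurity modules (Windows 8 / Server 2012 and later) and an elevated prompt.

```powershell
# Added example (not from the original write-up): look for the keylog file
# and for live connections to the exfiltration server, optionally blocking
# the address at the host firewall with -Block.
param([switch]$Block)

$c2 = '78.109.23.2'

# 1. Keylog file. The write-up names only the file, not its directory, so all
#    profile directories are searched (assumption).
$profileRoot = Split-Path $env:USERPROFILE -Parent
Get-ChildItem -Path $profileRoot -Directory -ErrorAction SilentlyContinue | ForEach-Object {
    Get-ChildItem -Path $_.FullName -Filter 'nah_log.dat' -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            "Keylog file: {0} ({1} bytes, modified {2})" -f $_.FullName, $_.Length, $_.LastWriteTime
        }
}

# 2. Live TCP sessions to the C2. Exfil is HTTP POST, so port 80 is the
#    expected remote port, but any port to this address is reported. Because
#    the trojan injects into svchost.exe, winlogon.exe and the like, the
#    owning process will usually carry a legitimate system name.
Get-NetTCPConnection -RemoteAddress $c2 -ErrorAction SilentlyContinue | ForEach-Object {
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    "C2 connection: {0}:{1} state {2} from PID {3} ({4})" -f `
        $_.RemoteAddress, $_.RemotePort, $_.State, $_.OwningProcess, $proc.ProcessName
}

# 3. Contain: block outbound traffic to the address while the host is triaged.
if ($Block) {
    New-NetFirewallRule -DisplayName "Block Ursnif C2 $c2" -Direction Outbound `
        -RemoteAddress $c2 -Action Block | Out-Null
    "Outbound traffic to $c2 blocked at the host firewall"
}
```

Because the trojan runs inside injected system processes, a connection from svchost.exe to this address should be treated as the indicator, not excused by the process name; confirm by checking the owning process for unexpected loaded modules or threads once the session has been captured.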
Analysis by Jaime Wong