TrojanSpy:Win32/Ursnif may be disguised as an Adobe Flash update, so that a user installs it unintentionally. It has also been distributed as the file downloaded via a link in a politically themed email that is currently circulating.
It installs the following files:
- %windir%\9129837.exe - copy of itself
- <current folder>\abcdefg.bat - batch file used to delete its currently-running copy
This trojan modifies the system registry to ensure that it runs every time Windows starts.
Adds value: "ttool"
With data: "%windir%\9129837.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
The trojan stores configuration data in the following registry key:
TrojanSpy:Win32/Ursnif may inject its code into running processes.
TrojanSpy:Win32/Ursnif disables the following services and processes:
- Security Center
- Windows Firewall/Internet Connection Firewall
Drops device driver
TrojanSpy:Win32/Ursnif drops the following file, which is a device driver:
- %windir%\new_drv.sys - also detected as TrojanSpy:Win32/Ursnif
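The host artifacts listed above (the "ttool" Run value, the two files dropped into %windir%, the kernel driver, and the disabled Security Center and firewall services) can be checked with a short triage script. The following is an added example, not part of the original description; the artifact names are taken from the description, while the Windows service short names used here (wscsvc for Security Center, SharedAccess for Internet Connection Firewall, MpsSvc for Windows Firewall) are standard names assumed for the check.

```powershell
# Added example (not from the original analysis): look for the Ursnif
# artifacts described on this page. Run in an elevated PowerShell session
# on the host being triaged; nothing is modified, only read.
function Find-UrsnifArtifacts {
    $findings = @()

    # 1. Autostart: HKCU\...\Run value "ttool" pointing at %windir%\9129837.exe
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $ttool = (Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue).ttool
    if ($ttool) {
        $findings += "Run value 'ttool' present with data: $ttool"
    }

    # 2. Files dropped into %windir%
    foreach ($name in '9129837.exe', 'new_drv.sys') {
        $path = Join-Path $env:windir $name
        if (Test-Path -LiteralPath $path) {
            $findings += "Dropped file present: $path"
        }
    }

    # 3. Is the dropped driver registered/loaded as a system driver?
    $drv = Get-CimInstance -ClassName Win32_SystemDriver -ErrorAction SilentlyContinue |
           Where-Object { $_.PathName -like '*new_drv.sys' }
    foreach ($d in $drv) {
        $findings += "System driver '$($d.Name)' loads $($d.PathName) (state: $($d.State))"
    }

    # 4. Services the trojan is described as disabling. Service short names are
    #    an assumption: wscsvc = Security Center, SharedAccess = Internet
    #    Connection Firewall (XP), MpsSvc = Windows Firewall (Vista and later).
    foreach ($svc in 'wscsvc', 'SharedAccess', 'MpsSvc') {
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        if ($s -and $s.Status -ne 'Running') {
            $findings += "Service $svc is $($s.Status)"
        }
    }

    return $findings
}

$result = Find-UrsnifArtifacts
if ($result.Count -eq 0) {
    Write-Output 'No Ursnif artifacts from this description were found.'
} else {
    $result | ForEach-Object { Write-Output "[!] $_" }
}
```

A stopped firewall or Security Center service is only a weak signal on its own (both are disabled legitimately on some builds), so treat it as corroboration for the Run value, the files, or the driver rather than as a finding by itself. The batch file abcdefg.bat is written to the current folder of the running sample and deletes itself, so it is not worth searching for on a live host.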
We have seen this threat monitor FTP, POP3, IMAP, and ICQ traffic. It collects passwords stored in Internet Explorer.
Connects to IP addresses
This trojan connects to the following subpages of a specific IP address, which varies from sample to sample, presumably to send back its collected data:
Analysis by Jireh Sanico