TrojanSpy:Win32/Ursnif


Microsoft security software detects and removes this threat.
 
This threat can steal your personal information, watch what you do online, and download other malware onto your PC.
 


What to do now

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find other hidden malware.

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Installation
TrojanSpy:Win32/Ursnif can be disguised as an Adobe Flash update and so be installed unintentionally by a user. It is known to be the file downloaded via a link in a politically themed email that is currently circulating.
 
It installs the following files:
 
  • %windir%\9129837.exe - copy of itself
  • <current folder>\abcdefg.bat - batch file used to delete its currently-running copy
 
This trojan modifies the system registry to ensure that it runs every time Windows starts.
 
Adds value: "ttool"
With data: "%windir%\9129837.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
 
The trojan stores configuration data in the following registry key:
  • HKCU\Software\Microsoft\InetData

TrojanSpy:Win32/Ursnif may inject its code into running processes.

Payload
Disables Services

TrojanSpy:Win32/Ursnif disables the following services and processes:
 
  • Security Center
  • Windows Firewall/Internet Connection Firewall

Drops device driver
 
TrojanSpy:Win32/Ursnif drops the following file, which is a device driver:
  • %windir%\new_drv.sys - also detected as TrojanSpy:Win32/Ursnif

Steals information

We have seen this threat monitor FTP, POP3, IMAP, and ICQ traffic. It collects passwords stored in Internet Explorer.
 
Connects to IP addresses
 
This trojan connects to the following subpages on a specific IP address (the address varies from sample to sample), presumably to send back the data it has collected:
  • /cgi-bin/options.cgi
  • /cgi-bin/forms.cgi
  • /cgi-bin/cert.cgi
  • /cgi-bin/pstore.cgi
  • /cgi-bin/ss.cgi
  • /cgi-bin/keylog.cgi
  • /cgi-bin/file.cgi
  • /cgi-bin/mail.cgi
  • /cgi-bin/cmd.cgi
Analysis by Jireh Sanico
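Because the IP address changes per sample, a network detection has to key on the path set above rather than on an address. The following is an added example, not part of the Microsoft write-up: it scans proxy log lines in an assumed "<client> <method> <url>" layout and flags a client only when it requests several distinct paths from the list against the same destination, since a single /cgi-bin/forms.cgi hit is too generic to act on.

```python
import re
from collections import defaultdict

# The /cgi-bin/ paths from the write-up; the IP itself varies per sample,
# so the detection keys on the path set rather than a fixed address.
URSNIF_CGI_PATHS = frozenset([
    "/cgi-bin/options.cgi", "/cgi-bin/forms.cgi", "/cgi-bin/cert.cgi",
    "/cgi-bin/pstore.cgi", "/cgi-bin/ss.cgi", "/cgi-bin/keylog.cgi",
    "/cgi-bin/file.cgi", "/cgi-bin/mail.cgi", "/cgi-bin/cmd.cgi",
])

# Assumed minimal proxy-log shape: "<client> <method> http://<host><path>"
LOG_RE = re.compile(
    r"^(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+https?://(?P<host>[^/\s]+)(?P<path>/\S*)"
)

def find_ursnif_beacons(log_lines, min_distinct_paths=2):
    """Return {(client, host): sorted paths} for pairs that requested at least
    min_distinct_paths of the listed C2 paths on the same destination host."""
    seen = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the scan
        path = m.group("path").split("?", 1)[0]  # drop any query string
        if path in URSNIF_CGI_PATHS:
            seen[(m.group("client"), m.group("host"))].add(path)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_distinct_paths}

# Constructed sample lines; 203.0.113.10 is a documentation address, not a real C2.
SAMPLE_LOG = [
    "10.0.0.5 POST http://203.0.113.10/cgi-bin/options.cgi",
    "10.0.0.5 POST http://203.0.113.10/cgi-bin/pstore.cgi?id=1",
    "10.0.0.5 POST http://203.0.113.10/cgi-bin/keylog.cgi",
    "10.0.0.7 GET http://intranet.example/cgi-bin/forms.cgi",  # lone generic hit, not flagged
    "10.0.0.9 GET http://www.example.com/index.html",
    "garbage line",
]

if __name__ == "__main__":
    for (client, host), paths in find_ursnif_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {host}: {', '.join(paths)}")
```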

Symptoms

System Changes
The following system changes may indicate the presence of this malware:
 
  • The presence of the following file:
    %windir%\9129837.exe
  • The presence of the following registry modifications:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    ttool = "%windir%\9129837.exe"

Prevention


Alert level: Severe
First detected by definition: 1.45.287.0
Latest detected by definition: 1.195.662.0 and higher
First detected on: Oct 07, 2008
This entry was first published on: Nov 10, 2008
This entry was updated on: Nov 25, 2014

This threat is also detected as:
No known aliases