
TrojanSpy:Win32/Ursnif


TrojanSpy:Win32/Ursnif is Microsoft's detection for a trojan that attempts to steal sensitive data, monitor network traffic and download additional malware. TrojanSpy:Win32/Ursnif attempts to send the collected data to a remote server and disables several services, such as the system firewall.


What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an up-to-date antivirus product.
 
For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

Threat behavior

Installation
TrojanSpy:Win32/Ursnif may be disguised as an Adobe Flash update and thus installed unintentionally by a user. It has also been distributed as the file downloaded via a link in a politically-themed email that was circulating at the time of this analysis.
 
When executed, it may drop the following files:
  • %windir%\9129837.exe - copy of itself
  • <current folder>\abcdefg.bat - batch file used to delete its currently-running copy
 
This trojan modifies the system registry to ensure that it runs every time Windows starts.
 
Adds value: "ttool"
With data: "%windir%\9129837.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
 
The trojan stores configuration data in the following registry key:
 
HKCU\Software\Microsoft\InetData
 
TrojanSpy:Win32/Ursnif may inject its code into running processes.
Payload
Disables Services
TrojanSpy:Win32/Ursnif disables the following services and processes:
  • Security Center
  • Windows Firewall/Internet Connection Firewall

Drops Device Driver
TrojanSpy:Win32/Ursnif drops the following file, which is a device driver:
 
%windir%\new_drv.sys - also detected as TrojanSpy:Win32/Ursnif
 
Steals Information
This trojan has been observed to monitor FTP, POP3, IMAP, and ICQ traffic. It collects passwords stored in Internet Explorer.
 
Connects to IP Addresses
This trojan connects to the following paths on a command-and-control server whose IP address varies from sample to sample, presumably to send back its collected data. The path names (forms, cert, pstore, keylog, mail, cmd) suggest which category of stolen data or command traffic each one carries:
 
/cgi-bin/options.cgi
/cgi-bin/forms.cgi
/cgi-bin/cert.cgi
/cgi-bin/pstore.cgi
/cgi-bin/ss.cgi
/cgi-bin/keylog.cgi
/cgi-bin/file.cgi
/cgi-bin/mail.cgi
/cgi-bin/cmd.cgi
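As an added example (not part of Microsoft's write-up), the following detection logic looks for the C2 paths above in web-proxy logs. Because the server address differs between samples, it keys on the path set rather than on any IP, counts distinct Ursnif paths per client/server pair, and treats a bare-IP destination as corroborating evidence, since the write-up notes that the trojan contacts an IP address directly. The log format, client addresses and server addresses are constructed for the example and are assumptions, not data from the analysis.

```python
"""Flag Ursnif C2 check-ins in web-proxy logs (example added to this page)."""
import re
from collections import defaultdict
from ipaddress import ip_address
from urllib.parse import urlsplit

# The nine distinct request paths listed in the write-up above.
URSNIF_PATHS = {
    "/cgi-bin/options.cgi", "/cgi-bin/forms.cgi", "/cgi-bin/cert.cgi",
    "/cgi-bin/pstore.cgi", "/cgi-bin/ss.cgi", "/cgi-bin/keylog.cgi",
    "/cgi-bin/file.cgi", "/cgi-bin/mail.cgi", "/cgi-bin/cmd.cgi",
}

# Constructed proxy log: "<timestamp> <client> <method> <url> <status>".
# Server addresses are RFC 5737 documentation ranges, not real infrastructure.
SAMPLE_LOG = """\
2008-10-07T09:12:01 10.0.0.5 POST http://198.51.100.7/cgi-bin/options.cgi 200
2008-10-07T09:12:02 10.0.0.5 POST http://198.51.100.7/cgi-bin/pstore.cgi 200
2008-10-07T09:12:03 10.0.0.5 POST http://198.51.100.7/cgi-bin/forms.cgi 200
2008-10-07T09:15:44 10.0.0.9 GET http://intranet.example/cgi-bin/mail.cgi 200
2008-10-07T09:16:10 10.0.0.12 GET http://www.example.com/index.html 200
2008-10-07T09:20:30 10.0.0.21 POST http://203.0.113.4/cgi-bin/cmd.cgi 200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not fit."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    u = urlsplit(m["url"])
    return {"ts": m["ts"], "client": m["client"], "method": m["method"],
            "host": u.hostname or "", "path": u.path, "status": int(m["status"])}


def is_bare_ip(host):
    """True when the request went to a literal IP address rather than a hostname."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def find_ursnif_beacons(lines, min_paths=2):
    """Group Ursnif-path hits by (client, server) and grade each pair.

    high   : at least `min_paths` distinct Ursnif paths to the same server;
             a legitimate site rarely serves several of these names together
    medium : a single path, but to a bare IP (how this trojan reaches its C2)
    low    : a single path to a named host; worth a look, probably benign CGI
    """
    per_pair = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] not in URSNIF_PATHS:
            continue
        per_pair[(rec["client"], rec["host"])].add(rec["path"])

    alerts = []
    for (client, host), paths in sorted(per_pair.items()):
        if len(paths) >= min_paths:
            confidence = "high"
        elif is_bare_ip(host):
            confidence = "medium"
        else:
            confidence = "low"
        alerts.append({"client": client, "host": host,
                       "paths": sorted(paths), "confidence": confidence})
    return alerts


if __name__ == "__main__":
    for a in find_ursnif_beacons(SAMPLE_LOG.splitlines()):
        print(f'{a["confidence"]:6} {a["client"]} -> {a["host"]} {", ".join(a["paths"])}')
```

Once a high-confidence pair is found, the server address is the pivot: search the rest of the proxy history for that IP to find other infected clients, since the same sample will report to the same server.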
 
Analysis by Jireh Sanico

Symptoms

System Changes
The following system changes may indicate the presence of this malware:
  • The presence of the following file:
    %windir%\9129837.exe
  • The presence of the following registry modifications:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    ttool = "%windir%\9129837.exe"
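The following script, added here as an example and not part of Microsoft's write-up, checks a host for the installation indicators described above: the dropped copy, the device driver, the "ttool" Run value and the InetData configuration key. It assumes the file names, value name and key paths exactly as listed on this page. Because the persistence lives under HKCU, it walks every loaded user hive under HKEY_USERS rather than only the account running the script; the matching is kept separate from collection so it can be exercised against a snapshot on any platform.

```python
"""Host-side check for the TrojanSpy:Win32/Ursnif indicators above (added example).

Collection uses the Windows registry API, so it runs only on Windows; the
matching logic is pure and can be run against a constructed snapshot anywhere.
"""
import ntpath
import os
import sys

# Indicators taken from the write-up. Files are matched on name so a host
# whose %windir% is not C:\WINDOWS is still covered.
URSNIF_FILENAMES = {"9129837.exe", "new_drv.sys"}
URSNIF_RUN_VALUE = "ttool"
RUN_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
URSNIF_CONFIG_SUBKEY = r"Software\Microsoft\InetData"


def image_name(command):
    """Executable file name from a Run value's command line, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        image = command[1:].split('"', 1)[0]
    else:
        image = command.split(None, 1)[0] if command else ""
    return ntpath.basename(image).lower()


def match_indicators(files_present, run_values, subkeys_present):
    """Compare collected evidence with the indicators.

    files_present   : paths that exist on the host
    run_values      : (hive_label, value_name, value_data) for every Run value seen
    subkeys_present : (hive_label, subkey) registry keys that exist
    Returns (kind, detail) findings; an empty list means nothing matched.
    """
    findings = []
    for path in files_present:
        if ntpath.basename(path).lower() in URSNIF_FILENAMES:
            findings.append(("file", path))
    for hive, name, data in run_values:
        # Name and data are tested independently: a variant that renames the
        # value but still launches 9129837.exe, or keeps "ttool" with another
        # path, is still reported.
        if name.lower() == URSNIF_RUN_VALUE or image_name(data) == "9129837.exe":
            findings.append(("run", f"{hive}\\{RUN_SUBKEY}\\{name} = {data}"))
    for hive, subkey in subkeys_present:
        if subkey.lower() == URSNIF_CONFIG_SUBKEY.lower():
            findings.append(("config", f"{hive}\\{subkey}"))
    return findings


def collect_windows():
    """Gather evidence from the live host (Windows only; run elevated).

    HKCU reflects only the account running this script. Ursnif persists
    per-user, so every loaded user hive under HKEY_USERS is walked instead.
    """
    import winreg
    windir = os.environ.get("windir", r"C:\WINDOWS")
    files = [p for p in (ntpath.join(windir, n) for n in URSNIF_FILENAMES)
             if os.path.isfile(p)]
    run_values, subkeys = [], []
    i = 0
    while True:
        try:
            sid = winreg.EnumKey(winreg.HKEY_USERS, i)
        except OSError:
            break  # no more loaded hives
        i += 1
        label = f"HKU\\{sid}"
        try:
            with winreg.OpenKey(winreg.HKEY_USERS, sid + "\\" + RUN_SUBKEY) as run:
                j = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(run, j)
                    except OSError:
                        break
                    run_values.append((label, name, str(data)))
                    j += 1
        except OSError:
            pass  # this hive has no Run key
        try:
            winreg.CloseKey(winreg.OpenKey(winreg.HKEY_USERS, sid + "\\" + URSNIF_CONFIG_SUBKEY))
            subkeys.append((label, URSNIF_CONFIG_SUBKEY))
        except OSError:
            pass
    return files, run_values, subkeys


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("collection needs Windows; use match_indicators() on a snapshot elsewhere")
    hits = match_indicators(*collect_windows())
    for kind, detail in hits:
        print(f"[{kind}] {detail}")
    if not hits:
        print("no Ursnif indicators found")
```

A hit on the file or Run value alone is enough to act on, but remember that the trojan injects into running processes and loads a driver, so a clean registry after deleting the files does not mean the system is clean; rescan with up-to-date definitions as the write-up advises.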

Prevention


Alert level: Severe
First detected by definition: 1.45.287.0
Latest detected by definition: 1.181.222.0 and higher
First detected on: Oct 07, 2008
This entry was first published on: Nov 10, 2008
This entry was updated on: Apr 17, 2011

This threat is also detected as:
No known aliases