TrojanSpy:Win32/Ursnif is Microsoft's detection for a trojan that attempts to steal sensitive data, monitor network traffic and download additional malware. TrojanSpy:Win32/Ursnif attempts to send the collected data to a remote server and disables several services, such as the system firewall.
TrojanSpy:Win32/Ursnif may be disguised as an Adobe Flash update and thus unintentionally installed by a user. It is known to be the file downloaded via a link in a politically-themed email that is currently circulating.
When executed, it may drop the following files:
- %windir%\9129837.exe - copy of itself
- <current folder>\abcdefg.bat - batch file used to delete its currently-running copy
This trojan modifies the system registry to ensure that it runs every time Windows starts.
Adds value: "ttool"
With data: "%windir%\9129837.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
The trojan stores configuration data in the following registry key:
TrojanSpy:Win32/Ursnif may inject its code into running processes.
TrojanSpy:Win32/Ursnif disables the following services and processes:
- Security Center
- Windows Firewall/Internet Connection Firewall
Drops Device Driver
TrojanSpy:Win32/Ursnif drops the following file, which is a device driver:
%windir%\new_drv.sys - also detected as TrojanSpy:Win32/Ursnif
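The dropped files and the Run-key value described above are the artifacts a responder would sweep for. The following checker is an added example and is not part of the Microsoft entry: it parses a `reg.exe`-style export of the HKCU Run key and a directory listing of `%windir%`, then flags the value name `ttool`, the `9129837.exe` path and the `new_drv.sys` driver named on this page. The `.reg` text and the file listing are constructed sample input; the helper names and the assumption that the export contains only REG_SZ values are mine.

```python
"""Offline checker for the Ursnif artifacts described in the entry above.

Added example, not code from the Microsoft encyclopedia entry.  Input is a
.reg export (as written by reg.exe) plus a list of file names from %windir%;
both samples below are constructed.
"""
import re

# Indicators taken from the entry: Run-key persistence and two dropped files.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "ttool"
DROPPED_EXE = "9129837.exe"      # %windir%\9129837.exe, copy of the trojan
DROPPED_DRIVER = "new_drv.sys"   # %windir%\new_drv.sys, the dropped driver


def parse_reg_export(text):
    """Parse a minimal .reg export into {key_path: {value_name: data}}.

    Assumption: only REG_SZ values are present (the Run key holds strings).
    reg.exe escapes backslashes and quotes in string data, so they are
    unescaped here.  Binary/hex values are ignored.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if m and current is not None:
            name, data = m.group(1), m.group(2)
            data = re.sub(r'\\(["\\])', r"\1", data)  # \\ -> \ and \" -> "
            keys[current][name] = data
    return keys


def check_run_key(keys, windir=r"C:\Windows"):
    """Return (value_name, data) pairs in the HKCU Run key that match the entry.

    A hit is either the value name "ttool" or any value whose data, after
    expanding %windir%, points at the dropped 9129837.exe.
    """
    hits = []
    for name, data in keys.get(RUN_KEY, {}).items():
        expanded = data.replace("%windir%", windir)
        if name.lower() == RUN_VALUE_NAME or expanded.lower().endswith(
            "\\" + DROPPED_EXE
        ):
            hits.append((name, data))
    return hits


def check_windir_listing(filenames):
    """Return the dropped file names present in a listing of %windir%."""
    wanted = {DROPPED_EXE.lower(), DROPPED_DRIVER.lower()}
    return sorted(f for f in filenames if f.lower() in wanted)


def scan(reg_text, windir_files):
    """Combine both checks into one report dict."""
    keys = parse_reg_export(reg_text)
    return {
        "run_key_hits": check_run_key(keys),
        "dropped_files": check_windir_listing(windir_files),
    }


# Constructed sample export: one benign Run value and the "ttool" value
# exactly as the entry describes it (data "%windir%\9129837.exe").
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"ttool"="%windir%\\9129837.exe"
'''

# Constructed %windir% listing containing both dropped files.
SAMPLE_WINDIR = ["explorer.exe", "new_drv.sys", "notepad.exe", "9129837.exe", "system.ini"]

if __name__ == "__main__":
    report = scan(SAMPLE_REG, SAMPLE_WINDIR)
    for name, data in report["run_key_hits"]:
        print(f"Run key hit: {name} = {data}")
    for f in report["dropped_files"]:
        print(f"Dropped file present: {f}")
```

On a live host the same two inputs come from `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg` and a listing of the Windows directory; the checker deliberately compares the value name and the expanded path separately, because a sample that keeps the `9129837.exe` path but changes the value name should still be caught.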
This trojan has been observed to monitor FTP, POP3, IMAP, and ICQ traffic. It collects passwords stored in Internet Explorer.
Connects to IP Addresses
This trojan connects to the following subpages of a specific IP address, which varies from sample to sample, presumably to send back its collected data:
Analysis by Jireh Sanico
The following system changes may indicate the presence of this malware: