
TrojanSpy:Win64/Ursnif.A


TrojanSpy:Win64/Ursnif.A is malware that allows an attacker to gain backdoor access and control of your computer. Once installed, TrojanSpy:Win64/Ursnif.A steals personal information and sends it to the attacker.



What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. The following Microsoft products detect and remove this threat:

Threat behavior

Installation

TrojanSpy:Win64/Ursnif.A may be installed on your computer as a result of a drive-by download attack if you visit a hacked or malicious website. TrojanSpy:Win64/Ursnif.A may also be installed by other malware.

Payload

Connects to a server

TrojanSpy:Win64/Ursnif.A connects to a remote server to receive commands from a remote attacker. The attacker can command TrojanSpy:Win64/Ursnif.A to perform any of the following actions:

  • Grab HTTP outbound traffic (POST data)
  • Grab FTP transfer data (GET/PUT commands)
  • Capture screenshots
  • Get your browser cookies
  • Get your digital certificates
  • Upload files to a server
  • Clear browser cookies
  • Restart your computer
  • Get a list of all running processes
  • Kill a running process
  • Execute a shell command
  • Download and execute a file
  • Add a program to the system startup registry

To perform these actions, TrojanSpy:Win64/Ursnif.A injects itself into the following web browser processes:

  • chrome.exe
  • firefox.exe
  • iexplore.exe
  • opera.exe
  • safari.exe

TrojanSpy:Win64/Ursnif.A may upload stolen data to the following servers:

  • 31.<blocked>.74.37
  • 91.<blocked>.218.79
  • newlif<blocked>.com.tw
  • wehavech<blocked>e.com.tw
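The behaviors listed in this section (a foreign process injecting into a browser, a program adding itself to the startup registry, and a browser connecting to a known upload server) each leave a distinct trace in endpoint telemetry. The script below is an added detection example, not code from the Microsoft write-up: it runs three checks over Sysmon-style events (Event ID 8 CreateRemoteThread, Event ID 13 registry value set, Event ID 3 network connection, using Sysmon's field names). The events are constructed sample data, and the watch-listed IP and domain are placeholders because the write-up redacts the real indicators.

```python
"""
Added example: flag the three Ursnif behaviors described in the write-up
in Sysmon-style endpoint events. Sample events and watchlist values are
constructed; the indicator values are placeholders, not the redacted ones.
"""
import re

# Browser processes the write-up says the trojan injects itself into.
BROWSER_PROCESSES = {"chrome.exe", "firefox.exe", "iexplore.exe", "opera.exe", "safari.exe"}

# Placeholder upload-server indicators (the page redacts the real values).
WATCHLIST_IPS = {"198.51.100.9"}            # RFC 5737 documentation range
WATCHLIST_DOMAINS = {"ursnif-c2.example"}   # reserved .example TLD

# Matches HKLM and HKCU/HKU Run and RunOnce keys ("add a program to startup").
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev):
    """Return (rule_name, detail) if the event matches a behavior, else None."""
    eid = ev.get("EventID")
    if eid == 8:  # CreateRemoteThread
        source = basename(ev.get("SourceImage", ""))
        target = basename(ev.get("TargetImage", ""))
        # A browser creating threads in its own image is normal; a different
        # image doing so into a browser is the injection pattern described above.
        if target in BROWSER_PROCESSES and source != target:
            return ("remote_thread_into_browser", f"{source} -> {target}")
    elif eid == 13:  # Registry value set
        key = ev.get("TargetObject", "")
        if RUN_KEY_RE.search(key):
            return ("run_key_persistence", key)
    elif eid == 3:  # Network connection
        ip = ev.get("DestinationIp", "")
        host = ev.get("DestinationHostname", "").lower()
        if ip in WATCHLIST_IPS or host in WATCHLIST_DOMAINS:
            return ("c2_connection", f"{basename(ev.get('Image', ''))} -> {host or ip}")
    return None


def scan(events):
    """Run check_event over a list of events; return (index, rule, detail) hits."""
    hits = []
    for i, ev in enumerate(events):
        hit = check_event(ev)
        if hit is not None:
            hits.append((i, hit[0], hit[1]))
    return hits


# Constructed sample telemetry: two benign events interleaved with three hits.
SAMPLE_EVENTS = [
    {"EventID": 8,
     "SourceImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},   # benign
    {"EventID": 8,
     "SourceImage": r"C:\Users\alice\AppData\Local\Temp\svc.exe",
     "TargetImage": r"C:\Program Files\Mozilla Firefox\firefox.exe"},           # injection
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\svc",
     "Details": r"C:\Users\alice\AppData\Local\Temp\svc.exe"},                  # persistence
    {"EventID": 13,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Desktop",
     "Details": r"C:\Users\Public\Desktop"},                                      # benign
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "198.51.100.9", "DestinationHostname": "ursnif-c2.example",
     "DestinationPort": 80},                                                      # upload server
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "93.184.216.34", "DestinationHostname": "example.com",
     "DestinationPort": 443},                                                     # benign
]

if __name__ == "__main__":
    for index, rule, detail in scan(SAMPLE_EVENTS):
        print(f"event {index}: {rule}: {detail}")
```

The network check fires on the browser process itself, because after injection the outbound traffic originates from chrome.exe or firefox.exe rather than from the dropper; the injection rule is what ties that traffic back to the foreign image. Run-key writes alone are noisy on real hosts, so in practice that rule is best correlated with the other two rather than alerted on by itself.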

Analysis by Sergey Chernyshev


Symptoms

There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptoms.

Prevention


Alert level: Severe
First detected by definition: 1.115.1100.0
Latest detected by definition: 1.177.2267.0 and higher
First detected on: Nov 02, 2011
This entry was first published on: Nov 02, 2011
This entry was updated on: Dec 12, 2012

This threat is also detected as:
  • Troj/Papras-N (Sophos)