TrojanSpy:Win32/Ursnif.gen!I is a generic detection for a variant of trojans that steal sensitive information and allow unauthorized access and control of an affected computer.
When executed, the main executable component drops a randomly named DLL component to the following location, for example:
Note: <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.
and sets the following registry entry to ensure its execution:
To subkey: HKLM\System\CurrentControlSet\Control\Session Manager\AppCertDlls\
Sets value: "odbchare"
With data: "%system%\cisvdosx.dll"
The malware then injects code into the "explorer.exe" process to load the DLL.
This component then drops and executes the following batch file and deletes itself:
Steals sensitive information
The DLL component checks for any currently running Internet Explorer or Firefox process, and injects code to load a copy of itself into that process.
The malware then hooks the following networking APIs to redirect to its own code:
The malware then checks the parameters passed to these APIs for user authentication credentials.
If found, these details, along with a screen capture, are posted to a remote host.
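The two host-side behaviours described above, the AppCertDlls persistence entry and the DLL being loaded into explorer.exe and then into Internet Explorer or Firefox, can be checked together during live response. The script below is an added example, not part of this write-up or of Microsoft's analysis tooling. It assumes an elevated PowerShell 5.1 or later session on the suspect host; the value name "odbchare" and the process names come from the write-up, while the report layout and the helper name Resolve-AppCertPath are this example's own.

```powershell
# Added triage example (not from the Microsoft write-up). Run elevated.
# 1. Report every value under AppCertDlls: any DLL listed there is loaded into
#    each process that calls CreateProcess, so the key is normally empty.
# 2. Walk the module lists of explorer.exe, iexplore.exe and firefox.exe and
#    flag modules that are AppCertDlls entries or that carry no valid signature.

$appCertKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls'
$knownValueName = 'odbchare'                         # value name reported for this variant
$targetProcs    = 'explorer', 'iexplore', 'firefox'  # processes the DLL is injected into

function Resolve-AppCertPath([string]$data) {
    # Value data may use %SystemRoot%-style references; a bare file name is
    # searched from the system directory, so resolve it there.
    $p = [Environment]::ExpandEnvironmentVariables($data)
    if (-not [IO.Path]::IsPathRooted($p)) {
        $p = Join-Path (Join-Path $env:SystemRoot 'System32') $p
    }
    return $p
}

$registered = @()
if (Test-Path $appCertKey) {
    $item = Get-Item -Path $appCertKey
    foreach ($name in $item.GetValueNames()) {
        $path   = Resolve-AppCertPath ([string]$item.GetValue($name))
        $exists = Test-Path -LiteralPath $path
        $sig    = 'n/a'; $hash = 'n/a'
        if ($exists) {
            $sig  = (Get-AuthenticodeSignature -LiteralPath $path).Status
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        }
        $note = if ($name -eq $knownValueName) { 'value name matches Ursnif.gen!I' }
                else                           { 'unexpected AppCertDlls entry' }
        $registered += [pscustomobject]@{
            ValueName = $name; Path = $path; Exists = $exists
            Signature = $sig;  SHA256 = $hash; Note = $note
        }
    }
}

$loaded = @()
foreach ($proc in Get-Process -Name $targetProcs -ErrorAction SilentlyContinue) {
    # Module enumeration fails on access denied or a 32/64-bit mismatch; skip those.
    try { $modules = $proc.Modules } catch { continue }
    foreach ($m in $modules) {
        $isAppCert = $registered.Path -contains $m.FileName
        $status    = (Get-AuthenticodeSignature -LiteralPath $m.FileName).Status
        if ($isAppCert -or $status -ne 'Valid') {
            $note = if ($isAppCert) { 'registered under AppCertDlls' }
                    else            { 'unsigned or invalid signature' }
            $loaded += [pscustomobject]@{
                Process   = "$($proc.ProcessName) (PID $($proc.Id))"
                Module    = $m.FileName
                Signature = $status
                Note      = $note
            }
        }
    }
}

'AppCertDlls entries:';      $registered | Format-Table -AutoSize
'Suspicious loaded modules:'; $loaded    | Format-Table -AutoSize
```

A non-empty AppCertDlls list is the strong signal here; the unsigned-module list is only a starting point, since on older Windows builds Get-AuthenticodeSignature reports catalog-signed OS files as NotSigned and third-party browser add-ons are often unsigned. Take hashes and copies of anything flagged before remediating, because the write-up notes the dropper deletes itself after installation.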
Connects to a remote server
TrojanSpy:Win32/Ursnif.gen!I attempts to connect to a remote server to send its stolen information.
Some of the IP addresses it is known to connect to are:
The malware connects to a remote host to obtain configuration information, which may instruct the malware to perform the following actions:
Download and execute arbitrary files
Delete browser Cookies, History and Cache
Reboot the computer
The malware hooks the following system APIs to redirect to its own code:
The malware then injects a copy of itself into newly created processes, and hooks the networking APIs if the system network library is loaded.
The malware also writes configuration data in the following registry location:
In the wild, one sample is known to create the following registry entry:
Analysis by Ray Roberts