TrojanSpy:Win32/Ursnif.gen!I

Encyclopedia entry
Updated: Mar 16, 2011  |  Published: Jun 23, 2010

Aliases
  • Win-Trojan/Fraudpack.32768.D (AhnLab)
  • Trojan.Win32.FraudPack.atuz (Kaspersky)
  • Trojan.FraudPack.ADDN (VirusBuster)
  • TR/FraudPack.atuz (Avira)
  • Trojan.Generic.3883658 (BitDefender)
  • Trojan.Win32.FakeAV (Ikarus)
  • Generic PWS.y!cqe (McAfee)
  • Trj/Spyforms.CN (Panda)
  • Troj/Spyurs-Gen (Sophos)
  • Found virus: Trj/Zlob.KH (Panda)
  • Infostealer.Snifula.C (Symantec)

Alert Level
Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection last updated:
Definition: 1.101.822.0
Released: Apr 05, 2011
Detection initially created:
Definition: 1.71.1306.0
Released: Dec 24, 2009

Summary

TrojanSpy:Win32/Ursnif.gen!I is a generic detection for a variant of trojans that steal sensitive information and allow unauthorized access and control of an affected computer.

Symptoms

System changes
The following system changes may indicate the presence of this malware:
  • The presence of the following file:
    <system folder>\cisvdosx.dll
  • The presence of the following registry modifications:
    To subkey: HKLM\System\CurrentControlSet\Control\Session Manager\AppCertDlls\
    Value: "odbchare"
    Data: "%system%\cisvdosx.dll"
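The following read-only triage check is an added example, not part of the original encyclopedia entry: it looks for the indicators this entry names (the AppCertDlls value, the dropped DLL in the system folder, and the HKCU\Software\AppDataLow configuration key described under Technical Information) and reports what it finds. It assumes an elevated PowerShell session on the host being examined; the value name, DLL name and GUID are the ones given in this entry.

```powershell
# Added triage check (not from the encyclopedia entry). Read-only: it lists the
# persistence artifacts this entry names and reports whether each is present.
# Assumes an elevated PowerShell session on the host being examined.

$findings = @()

# 1. AppCertDlls. Windows loads every DLL listed under this key into each process
#    that calls a CreateProcess-family API, so a single value gives the DLL a foothold
#    in most processes started afterwards. Report every value, not only the one named
#    in this entry: on a typical workstation the key is empty or absent.
$appCertKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls'
if (Test-Path -LiteralPath $appCertKey) {
    $props = Get-ItemProperty -LiteralPath $appCertKey
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }        # skip PSPath, PSChildName, ...
        $dll = [Environment]::ExpandEnvironmentVariables([string]$p.Value)
        $findings += [pscustomobject]@{
            Source = 'AppCertDlls'
            Name   = $p.Name
            Data   = $dll
            OnDisk = ($dll -ne '') -and (Test-Path -LiteralPath $dll)
            Known  = ($p.Name -eq 'odbchare') -or ($dll -like '*\cisvdosx.dll')
        }
    }
}

# 2. The dropped DLL. $env:SystemRoot covers both C:\Winnt and C:\Windows layouts.
$dllPath = Join-Path $env:SystemRoot 'System32\cisvdosx.dll'
if (Test-Path -LiteralPath $dllPath) {
    $findings += [pscustomobject]@{ Source = 'File'; Name = 'cisvdosx.dll'
                                    Data = $dllPath; OnDisk = $true; Known = $true }
}

# 3. Configuration data under HKCU\Software\AppDataLow\{GUID}. The parent key exists on
#    clean systems, so only GUID-named subkeys are listed for review; the GUID observed
#    in the wild for this variant is flagged as Known.
$lowKey = 'HKCU:\Software\AppDataLow'
if (Test-Path -LiteralPath $lowKey) {
    foreach ($sub in Get-ChildItem -LiteralPath $lowKey) {
        if ($sub.PSChildName -notmatch '^\{[0-9a-f-]{36}\}$') { continue }
        $findings += [pscustomobject]@{
            Source = 'AppDataLow'; Name = $sub.PSChildName; Data = $sub.Name; OnDisk = $true
            Known  = ($sub.PSChildName -eq '{8260c5e4-d7f3-bcb6-589d-0c214ad71efb}')
        }
    }
}

if ($findings.Count -eq 0) { 'No indicators for TrojanSpy:Win32/Ursnif.gen!I found.' }
else { $findings | Format-Table Source, Name, Data, OnDisk, Known -AutoSize }
```

Any AppCertDlls entry that is not flagged Known still deserves a look, since the DLL name is randomly generated per infection and only one observed name is listed in this entry.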

Technical Information (Analysis)

Installation

When executed, the main executable component drops a randomly named DLL component to the following location, for example:

<system folder>\cisvdosx.dll

and sets the following registry entry to ensure its execution:

To subkey: HKLM\System\CurrentControlSet\Control\Session Manager\AppCertDlls\
Sets value: "odbchare"
With data: "%system%\cisvdosx.dll"

Note: <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default location of the System folder is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on XP, Vista, and 7.

The malware then injects code into the "explorer.exe" process to load the DLL.

This component then drops and executes the following batch file, and deletes itself:

abcdefg.bat

Payload

Steals sensitive information

The DLL component checks for any currently running Internet Explorer or Firefox process and injects code to load a copy of itself into that process.

The malware then hooks the following networking APIs to redirect to its own code:

  • InternetReadFile
  • InternetReadFileExA
  • InternetReadFileExW
  • HttpSendRequestA
  • HttpSendRequestW
  • InternetQueryDataAvailable
  • LoadLibraryExW
  • InternetConnectA
  • InternetConnectW

The malware then checks the parameters passed to these APIs for user authentication credentials. If found, these details, along with a screen capture, are posted to a remote host.

Connects to a remote server

TrojanSpy:Win32/Ursnif.gen!I attempts to connect to a remote server to send its stolen information.

Some of the IP addresses it is known to connect to are:

  • 46.161.29.48
  • 89.114.9.39

Backdoor functionality

The malware connects to a remote host to obtain configuration information, which may instruct the malware to perform the following actions:

  • Download and execute arbitrary files
  • Delete browser cookies, history and cache
  • Reboot the computer

Additional information

The malware hooks the following system APIs to redirect to its own code:

  • CreateProcessW
  • CreateProcessA
  • CreateProcessAsUserW
  • CreateProcessAsUserA
  • LoadLibrary
  • LoadLibraryExW

The malware then injects a copy of itself into newly created processes, and hooks the networking APIs if the system network library is loaded.

The malware also writes configuration data to the following registry location:

HKCU\Software\AppDataLow\<Random GUID>

In the wild, one sample is known to create the following registry entry:

HKCU\Software\AppDataLow\{8260c5e4-d7f3-bcb6-589d-0c214ad71efb}

Analysis by Ray Roberts

Recovery

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. The following Microsoft products detect and remove this threat:

For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.