Win32/Ursnif


Microsoft security software detects and removes this threat.

This family of trojans collects information about your PC and sends it to a malicious hacker.

It can spread through infected remote or removable drives, such as USB flash drives.



What to do now

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find hidden malware.

Disable Autorun

This threat tries to use the Windows Autorun function to spread via removable drives, such as USB flash drives. You can disable Autorun to prevent worms from spreading:

Scan removable drives

Remember to scan any removable or portable drives. If you have Microsoft security software, see this topic on our software help page:

Be careful when sharing files

Windows has a feature that lets you share files and folders on a network or shared PC. This feature is sometimes abused by malware to spread to other PCs within the network.

You can get more information and tips on how to share files safely from these pages:

You should turn off file sharing until you make sure that all infected PCs have been cleaned of any malware.

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Installation

Malware in this family can run from a PDF, MSI, or EXE file saved as <system folder>\temp\<random file name>.

It runs a copy of itself and then runs a batch file that deletes the original executable.

Variants can create the following files on your PC:

When the copy in the Windows directory is run, it drops and installs the driver <system folder>\new_drv.sys. This component is used to provide stealth capabilities.

Malware in this family can modify the following registry entries:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "ttool"
With data: "<system folder>\9129837.exe"

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\<randomly generated service name>
Sets value: "Windows Software Protection"
With data: "%windir%\system32\<random file name>.exe -s", for example "%windir%\system32\wsauth.exe -s"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Windows Software Protection"
With data: "%APPDATA%\<random folder name>\<random file name>.exe", for example "%APPDATA%\faxpinst\blasstub.exe"

Spreads through...

Virus variants can spread to connected network and removable drives by injecting code into the following processes:

  • chrome.exe
  • explorer.exe
  • firefox.exe
  • iexplore.exe
  • services.exe

The injected code is responsible for infecting files on connected network and removable drives, such as USB flash drives. It searches for and infects the following file types:

  • .exe
  • .pdf
  • .msi

The virus can also drop a copy of itself on these drives, with the file name temp.exe.

Payload

Collects information about your PC

The virus variant collects information about your PC, including: 

  • Installed drivers
  • Installed programs
  • Running services
  • System information

It does this by running the following commands:

  • driverquery.exe
  • reg.exe query "HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall" /s
  • systeminfo.exe
  • tasklist /SVC
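To spot this profiling step in endpoint telemetry, here is an added Python example (not part of the Microsoft write-up) that correlates constructed Sysmon-style process-creation records and flags a parent process that launches at least three of the four commands above within one minute; the record format, the window and the threshold are assumptions:

```python
"""Flag the Ursnif host-profiling burst in process-creation telemetry.
Added example, not part of the Microsoft write-up: records are constructed
Sysmon-style lines (timestamp|parent PID|image path|command line)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Commands the write-up lists, with a command-line fragment that must also
# appear (a bare "reg.exe" or "tasklist" on its own does not count).
RECON_COMMANDS = {"driverquery.exe": "", "systeminfo.exe": "",
                  "tasklist.exe": "/svc", "reg.exe": r"\currentversion\uninstall"}
WINDOW = timedelta(seconds=60)   # the four commands run back to back
MIN_HITS = 3                     # distinct recon commands from one parent

# Constructed sample: PID 5000 is the suspect, PID 4120 is benign noise.
SAMPLE_LOG = """\
2015-03-25T10:00:05|5000|C:\\Windows\\System32\\driverquery.exe|driverquery.exe
2015-03-25T10:00:06|5000|C:\\Windows\\System32\\reg.exe|reg.exe query "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall" /s
2015-03-25T10:00:07|5000|C:\\Windows\\System32\\systeminfo.exe|systeminfo.exe
2015-03-25T10:00:08|5000|C:\\Windows\\System32\\tasklist.exe|tasklist /SVC
2015-03-25T10:30:00|4120|C:\\Windows\\System32\\systeminfo.exe|systeminfo.exe
2015-03-25T10:31:00|4120|C:\\Windows\\System32\\reg.exe|reg.exe query HKCU\\Software\\Contoso
"""

def parse_line(line):
    ts, ppid, image, cmdline = line.split("|", 3)
    return (datetime.fromisoformat(ts), int(ppid),
            image.rsplit("\\", 1)[-1].lower(), cmdline.lower())

def is_recon(image, cmdline):
    fragment = RECON_COMMANDS.get(image)
    return fragment is not None and fragment in cmdline

def find_recon_bursts(log_text):
    """{parent PID: sorted recon images} for parents with MIN_HITS distinct recon commands inside WINDOW."""
    by_parent = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ppid, image, cmdline = parse_line(line)
            if is_recon(image, cmdline):
                by_parent[ppid].append((ts, image))
    bursts = {}
    for ppid, events in by_parent.items():
        events.sort()
        for i, (start, _) in enumerate(events):   # slide the window
            seen = {img for ts, img in events[i:] if ts - start <= WINDOW}
            if len(seen) >= MIN_HITS:
                bursts[ppid] = sorted(seen)
                break
    return bursts
```

Keying on the parent process rather than on single commands keeps an administrator's lone `systeminfo` from alerting while still catching the burst.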

We have seen it send the collected information to the following domains:

  • <random domain>/pki/mscorp/crl/MSIT%20Machine%20Auth%20CA%202(1).crl
  • <random domain>/pki/mscorp/crl/msitwww2.crl

Steals sensitive information
The trojan variant attempts to steal sensitive data both in transit and in storage, and targets the following:

  • Clear text passwords in transit
    The trojan attempts to steal clear text passwords transmitted over the network. It listens to all network traffic on every interface of the affected machine, checking whether it contains strings from common protocols that transmit passwords in clear text, for example FTP, POP3, IMAP and TELNET. If found, the stolen data is posted to a remote location.
  • Protected storage 
    The trojan attempts to steal passwords and credentials that are stored using protected storage.
  • Certificate store 
    Ursnif attempts to steal certificates and private keys from the certificate store.
  • Running processes
    Ursnif variants inject code into running processes that patches the following APIs to redirect to its own code:
    • CreateProcessA
    • CreateProcessW
    • InternetReadFile
    • HttpSendRequestA
    • HttpSendRequestW
    • InternetReadFileExA
    • InternetReadFileExW
    • InternetCloseHandle
    • InternetQueryDataAvailable

It does this to inspect and steal any relevant information passed to these APIs and to inject its own code into any newly created process. The stolen information is then posted to a remote site.

Opens SOCKS proxy
The trojan sets up a SOCKS proxy on a random port. Proxy servers can be used by malicious hackers to hide the origin of malicious activity. The port information is posted to a remote host.

Update functionality
Ursnif variants allow unauthorized access to an affected machine. The trojan variant connects to a remote host with the trojan version information. If a newer version of the trojan is available from the remote host, it removes any currently running versions of the trojan before installing an updated version of itself.

Provides stealth
Variants of Win32/Ursnif drop a driver <system folder>\new_drv.sys that is used to provide stealth to mask the files, registry entries, and processes used by the trojan.

Stops services
The trojan stops the following services in an attempt to disable the firewall and other security-related services:
  • SharedAccess
  • wscsvc

Additional information

Win32/Ursnif stores configuration data under the following registry entry:

  • HKCU\Software\Microsoft\InetData 
 
Analysis by Ray Roberts

Symptoms

The following can indicate that you have this threat on your PC:

  • You see these entries or keys in your registry:

    • In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
      Sets value: "ttool"
      With data: "<system folder>\9129837.exe"

    • In subkey: HKLM\SYSTEM\CurrentControlSet\Services\<randomly generated service name>
      Sets value: "Windows Software Protection"
      With data: "%windir%\system32\<random file name>.exe -s", for example "%windir%\system32\wsauth.exe -s"

    • In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
      Sets value: "Windows Software Protection"
      With data: "%APPDATA%\<random folder name>\<random file name>.exe", for example "%APPDATA%\faxpinst\blasstub.exe"
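A check for the registry entries listed under Installation and repeated here, together with the HKCU\Software\Microsoft\InetData configuration key noted under Additional information: an added Python example, not Microsoft's tooling, that scans a regedit-style .reg export for them. The export is a constructed sample embedded in the code, and the ".exe -s" data pattern is taken from the service entry above:

```python
"""Scan a .reg export for the Win32/Ursnif registry artefacts listed on this
page. Added example, not Microsoft's tooling; SAMPLE_REG is a constructed
regedit-style export with one benign Run entry and the three artefacts."""
import re

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
"Windows Software Protection"="%APPDATA%\\faxpinst\\blasstub.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\qzmwxa]
"Windows Software Protection"="%windir%\\system32\\wsauth.exe -s"

[HKEY_CURRENT_USER\Software\Microsoft\InetData]
"cfg"=hex:00,01
"""

RUN_KEY = r"\software\microsoft\windows\currentversion\run"
SERVICES = r"hkey_local_machine\system\currentcontrolset\services" + "\\"
CONFIG_KEY = r"hkey_current_user\software\microsoft\inetdata"
RUN_NAMES = {"ttool", "windows software protection"}
SERVICE_DATA = re.compile(r"\\system32\\\w+\.exe -s$", re.I)  # <random>.exe -s
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')

def parse_reg(text):
    """Yield (key, name, data) per value and (key, None, None) per key header."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = VALUE_RE.match(line)
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            yield key, None, None
        elif key and m:   # .reg files double every backslash in string data
            yield key, m.group(1), m.group(2).strip('"').replace("\\\\", "\\")

def find_ursnif_artifacts(text):
    """Return (category, location, data) tuples for every match in the export."""
    hits = []
    for key, name, data in parse_reg(text):
        if name is None:
            if key == CONFIG_KEY:
                hits.append(("config", key, None))
        elif key.endswith(RUN_KEY) and name.lower() in RUN_NAMES:
            hits.append(("run", name, data))
        elif key.startswith(SERVICES) and (
                name.lower() == "windows software protection" or SERVICE_DATA.search(data)):
            hits.append(("service", key[len(SERVICES):], data))
    return hits
```

Matching both the value name and the ".exe -s" image pattern under Services means a renamed service value still surfaces when its command line keeps the shape described above.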
 

Prevention


Alert level: Severe
This entry was first published on: Mar 31, 2009
This entry was updated on: Mar 25, 2015

This threat is also detected as:
  • Gozi (other)