
Virus:Win32/Ursnif


First posted on 03 March 2015.
Source: Microsoft

Aliases:

There are no other names known for Virus:Win32/Ursnif.

Explanation:

Threat behavior

Installation

This virus is run from a file saved as %windir%\temp\. It can be a PDF, MSI, or EXE file.

It creates the following files on your PC:

  • %windir%\system32\.exe, for example %windir%\system32\wsauth.exe
  • %LOCALAPPDATA%\\.exe, for example %LOCALAPPDATA%\faxpinst\blasstub.exe


The malware creates a service using the following registry modification:

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\
Sets value: "Windows Software Protection"
With data: "%windir%\system32\.exe –s", for example "%windir%\system32\wsauth.exe –s"

The in this folder will be named similarly to the .

This virus also changes the following registry entry so that it runs each time you start your PC:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Windows Software Protection"
With data: "%APPDATA%\\.exe", for example %APPDATA%\faxpinst\blasstub.exe

Spreads through...

Shared network and removable drives

This virus spreads to connected network and removable drives by injecting code into the following processes:

  • chrome.exe
  • explorer.exe
  • firefox.exe
  • iexplore.exe
  • services.exe


The injected code is responsible for infecting files on connected network and removable drives, such as USB flash drives. It searches for and infects the following file types:

  • .exe
  • .pdf
  • .msi


This virus can also drop a copy of itself on these drives, with the file name temp.exe.

Payload

Collects information about your PC

The malware collects information about your PC, including:

  • Installed drivers
  • Installed programs
  • Running services
  • System information


It does this by running the following commands:

  • driverquery.exe
  • reg.exe query "HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall" /s
  • systeminfo.exe
  • tasklist /SVC


It sends the collected information to the following domains:

  • /pki/mscorp/crl/MSIT%20Machine%20Auth%20CA%202(1).crl
  • /pki/mscorp/crl/msitwww2.crl




Analysis by Allan Sepillo

Symptoms

The following can indicate that you have this threat on your PC:

  • You see these entries or keys in your registry:

    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Sets value: "Windows Software Protection"
    With data: "%APPDATA%\\.exe", for example %APPDATA%\faxpinst\blasstub.exe
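The two persistence locations documented under Installation and repeated here under Symptoms can be checked offline against the text output of `reg.exe query <key> /s`, the same tool the page lists among the malware's own reconnaissance commands. The following is an added example, not code from the page or from Microsoft: it parses that output into records and flags a value named "Windows Software Protection" whose data fits the documented shapes (an .exe one folder below %APPDATA% for the Run key, or an .exe in %windir%\system32 followed by an "-s" switch for the service). The reg output is constructed for illustration, and the service subkey name "ExampleSvc" is a placeholder because the page does not give the real service name.

```python
"""Offline matcher for the Win32/Ursnif persistence indicators listed above.

Added example, not code from the page or from Microsoft. The reg.exe output
below is constructed; "ExampleSvc" is a placeholder service subkey name.
"""
import re
from typing import List, Optional, Tuple

RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
SERVICES_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services"
VALUE_NAME = "Windows Software Protection"  # value name the page gives for both locations

# Data shapes taken from the page. The dash class also accepts the en-dash
# that appears in the page's rendering of the "-s" switch.
RUN_DATA = re.compile(r'^"?%APPDATA%\\[^\\"]+\\[^\\"]+\.exe"?$', re.IGNORECASE)
SERVICE_DATA = re.compile(r'^"?%windir%\\system32\\[^\\"]+\.exe\s+[-\u2013]s"?$', re.IGNORECASE)

HIVE_ALIASES = {"HKEY_CURRENT_USER": "HKCU", "HKEY_LOCAL_MACHINE": "HKLM"}

Record = Tuple[str, str, str]  # (subkey, value name, data)

# Constructed sample of `reg.exe query ... /s` output: two benign values and
# the two indicators described on the page.
SAMPLE_REG_OUTPUT = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Windows Software Protection    REG_SZ    %APPDATA%\faxpinst\blasstub.exe

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleSvc
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\System32\svchost.exe -k netsvcs
    Windows Software Protection    REG_SZ    "%windir%\system32\wsauth.exe -s"
"""


def parse_reg_query(text: str) -> List[Record]:
    """Turn reg.exe query text into (subkey, name, data) records.

    Key lines are unindented; value lines are indented and separate name,
    type and data with runs of spaces. Value names may contain single spaces,
    so the split requires two or more spaces.
    """
    records: List[Record] = []
    current_key: Optional[str] = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():
            hive, _, rest = raw.strip().partition("\\")
            current_key = HIVE_ALIASES.get(hive.upper(), hive) + "\\" + rest
            continue
        parts = re.split(r"\s{2,}", raw.strip(), maxsplit=2)
        if current_key is None or len(parts) < 2:
            continue
        data = parts[2] if len(parts) == 3 else ""
        records.append((current_key, parts[0], data))
    return records


def classify(record: Record) -> Optional[str]:
    """Return the matched indicator for one record, or None if it is not one."""
    subkey, name, data = record
    if name.strip('"\u201c\u201d') != VALUE_NAME:
        return None
    key = subkey.rstrip("\\").lower()
    if key == RUN_KEY.lower() and RUN_DATA.match(data.strip()):
        return "run-key persistence"
    if key.startswith(SERVICES_KEY.lower()) and SERVICE_DATA.match(data.strip()):
        return "service persistence"
    # The value name alone is still worth an analyst's look.
    return "value name match, data does not fit the documented pattern"


def find_indicators(records: List[Record]) -> List[Tuple[str, Record]]:
    """Return (verdict, record) pairs for every record that matches an indicator."""
    hits = []
    for rec in records:
        verdict = classify(rec)
        if verdict is not None:
            hits.append((verdict, rec))
    return hits


if __name__ == "__main__":
    for verdict, (key, name, data) in find_indicators(parse_reg_query(SAMPLE_REG_OUTPUT)):
        print(f"{verdict}: {key} -> {name} = {data}")
```

On a live host the same functions can be fed the captured output of `reg.exe query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` and `reg.exe query HKLM\SYSTEM\CurrentControlSet\Services /s`; matching on the value name first and the data pattern second keeps a renamed binary from slipping past the check while still separating a clean match from one that needs manual review.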

Last update 03 March 2015
