
TrojanSpy:Win32/Ursnif.gen!K


First posted on 21 August 2012.
Source: Microsoft

Aliases:

TrojanSpy:Win32/Ursnif.gen!K is also known as TR/Spy.Ursnif.K.42 (Avira), Trojan-Spy.Win32.Ursnif (Ikarus).

Explanation:



TrojanSpy:Win32/Ursnif.gen!K is the DLL component of another piece of malware. It is capable of stealing personal information and carrying out commands from a remote attacker.



Installation

TrojanSpy:Win32/Ursnif.gen!K may be installed on your computer by other malware, or may be downloaded automatically if you visit a compromised or malicious website.

It creates the following mutexes to ensure that only one instance of itself is running:

  • {f2783f40-a99f-ea72-7429-e86dc6435a27}
  • {35f3554a-c421-0f0c-1efb-325f00e534e9}
  • {312c2f58-6ad7-0a4a-0c21-00e51efb325f}


Payload

Performs commands from a remote attacker

TrojanSpy:Win32/Ursnif.gen!K may receive and carry out commands from a remote attacker. These commands may include, but are not limited to, the following:

  • Capture screenshots
  • Steal cookies
  • Steal certificates
  • Upload a log file with all the stolen information from your computer
  • Clear cookies
  • Reboot your computer
  • Start a SOCKS proxy
  • Get a list of active running processes
  • Terminate processes
  • Download and run a new file


Downloads and installs other malware

TrojanSpy:Win32/Ursnif.gen!K may download and install other malware. The installed malware may have a randomly generated file name.

TrojanSpy:Win32/Ursnif.gen!K ensures that the malware it installs runs automatically every time Windows starts by creating the following registry entry:

In subkey: HKCR\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "ttool"
With data: "%Temp%\<random number>.exe"

Hooks APIs

TrojanSpy:Win32/Ursnif.gen!K injects code into running processes that patches the following APIs to redirect to its own code:

  • CreateProcessA
  • CreateProcessW
  • InternetReadFile
  • HttpSendRequestA
  • HttpSendRequestW
  • InternetReadFileExA
  • InternetReadFileExW
  • InternetCloseHandle
  • InternetQueryDataAvailable


It does this to inspect and steal any relevant information passed to these APIs, as well as to inject its own code into any newly created process. The stolen information is then posted to a website.

Injects code into your browser

TrojanSpy:Win32/Ursnif.gen!K checks if you're currently using any of the following browsers. If you are, then it injects itself into the browser process:

  • Internet Explorer
  • Firefox
  • Chrome
  • Opera
  • Safari


Changes Internet Explorer settings

TrojanSpy:Win32/Ursnif.gen!K disables the "Protected mode is currently turned off for the Internet zone" message in Internet Explorer by setting the following registry values:

In subkey: HKCR\Software\Microsoft\Internet Explorer\Main
Sets value: "NoProtectedModeBanner"
With data: "1"
Sets value: "TabProcGrowth"
With data: "0"

It also disables the "Protected mode" of Internet Explorer by setting the following registry value:

In subkey: HKCR\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Sets value: "2500"
With data: "3"
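The registry artifacts listed in this description (the "ttool" Run entry, the two Internet Explorer Main values and the Zones\3 value "2500") can be checked offline against an exported .reg file. The following Python is an added example, not part of the original write-up or of any Microsoft tooling; it parses a .reg export (the embedded sample is constructed) and matches on the subkey path below the hive name, so it works whichever hive the export was taken from.

```python
# Added example: indicators from the write-up above as (subkey path below the hive, value name, expected data or None).
INDICATORS = [
    (r"software\microsoft\windows\currentversion\run", "ttool", None),
    (r"software\microsoft\internet explorer\main", "noprotectedmodebanner", "1"),
    (r"software\microsoft\internet explorer\main", "tabprocgrowth", "0"),
    (r"software\microsoft\windows\currentversion\internet settings\zones\3", "2500", "3"),
]

def parse_reg_export(text):
    """Return {key_path: {value_name: data}} from .reg text; handles REG_SZ and REG_DWORD."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):      # [HKEY_...\Sub\Key]
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and line.startswith(('"', "@")) and "=" in line:
            name, _, raw = line.partition("=")
            name = name.strip('"')                           # "@" stays the default value
            if raw.startswith("dword:"):                     # dword:00000003 -> "3"
                data = str(int(raw[6:], 16))
            else:                                            # "C:\\Temp" -> C:\Temp
                data = raw.strip('"').replace("\\\\", "\\")
            keys[current][name] = data
    return keys

def find_ursnif_artifacts(reg_text):
    """Return (key, value name, data) for every indicator present in the export."""
    hits = []
    for key, values in parse_reg_export(reg_text).items():
        for suffix, wanted, expected in INDICATORS:
            if not key.lower().endswith(suffix):
                continue
            for name, data in values.items():
                if name.lower() == wanted and (expected is None or data == expected):
                    hits.append((key, name, data))
    return hits

# Constructed sample export: one benign Run entry plus all four indicators from the write-up.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\analyst\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
"ttool"="C:\\Users\\analyst\\AppData\\Local\\Temp\\48213759.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"NoProtectedModeBanner"=dword:00000001
"TabProcGrowth"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"2500"=dword:00000003
"""
```

Run `find_ursnif_artifacts(open("export.reg", encoding="utf-16").read())` on a real `reg export` file (which Windows writes as UTF-16); each returned tuple is one of the description's registry artifacts found on that host.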



Analysis by Patrick Estavillo

Last update 21 August 2012

 
