Home / malware TrojanSpy:Win32/Ursnif.EL
First posted on 28 May 2009.
Source: SecurityHomeAliases :
TrojanSpy:Win32/Ursnif.EL is also known as Also Known As:Trojan-PSW.Win32.Papras.dr (Kaspersky).
Explanation :
TrojanSpy:Win32/Ursnif.EL is a trojan that steals sensitive information from an affected machine.
Symptoms
System ChangesThe following system changes may indicate the presence of this malware:The presence of the following file:
%windir%9129837.exeThe presence of the following registry modification:
Adds value: "ttool"
With data: "%windir%9129837.exe"
To subkey HKCUSoftwareMicrosoftWindowsCurrentVersionRunThe presence of the following registry entry:
HKCUSoftwareMicrosoftInetData
TrojanSpy:Win32/Ursnif.EL is a trojan that steals sensitive information from an affected machine.
Installation
When executed, TrojanSpy:Win32/Ursnif.EL copies itself to the following location:
%windir%9129837.exe
It modifies the registry to execute this copy at each Windows start:
Adds value: "ttool"
With data: "%windir%9129837.exe"
To subkey HKCUSoftwareMicrosoftWindowsCurrentVersionRun The trojan then executes its copy. It drops the following batch file in the current directory:abcdefg.batand runs it to delete the original executable. When %windir%9129837.exe is run, it drops and installs the driver "%windir%
ew_drv.sys".
This component may detected as VirTool:WinNT/Ursnif and is used to provide stealth (see Payload section below for further detail).
Payload
Steals Sensitive Information
Win32/Ursnif uses several methods in order to compromise the integrity of an affected machine's data. It attempts to steal sensitive data both in transit and in storage, and targets the following:Clear text passwords in transit
The trojan attempts to steal clear text passwords transmitted over the network. The trojan listens to all network traffic on every interface on a given machine, checking if it contains strings from common protocols that transmit passwords in clear text - for example FTP, POP3, IMAP and TELNET. If found the stolen data is posted to a remote location.Protected Storage
The trojan attempts to steal passwords and credentials that are stored using protected storage.Certificate Store
Ursnif attempts to steal Certificates and Private Keys from the Certificate store.Running Processes Opens Socks Proxy
Ursnif variants may inject code into running processes that patches the following APIs to redirect to its own code:
CreateProcessA
CreateProcessW
InternetReadFile
HttpSendRequestA
HttpSendRequestW
InternetReadFileExA
InternetReadFileExW
InternetCloseHandle
InternetQueryDataAvailable
It does this to inspect and steal any relevant information passed to these APIs and to inject its own code into any newly created process. The stolen information is then posted to a remote site.
The trojan sets up a socks proxy on a random port. Proxy servers may be used by attackers in order to hide the origin of malicious activity. The port information is posted to a remote host. Update Functionality
TrojanSpy:Win32/Ursnif.EL allows unauthorized access to an affected machine. The trojan connects to a remote host with version information. When passed a parameter in response to the version information sent, it removes any currently running versions of the trojan before installing an updated version of itself (should a newer version be available from the remote host). Provides Stealth
TrojanSpy:Win32/Ursnif.EL drops a driver, %windir%
ew_drv.sys, that is used to provide stealth to mask the files, registry entries and processes being used by the trojan. This component may be detected as VirTool:WinNT/Ursnif. Stops Services
The trojan may stop the following services in an attempt to disable the firewall and other security-related services:SharedAccess wscsvc Additional InformationTrojanSpy:Win32/Ursnif.EL stores configuration data under the following registry entry:
HKCUSoftwareMicrosoftInetData
Analysis by Ray RobertsLast update 28 May 2009
