
TrojanSpy:Win32/Ursnif.EL


First posted on 28 May 2009.
Source: SecurityHome

Aliases:

TrojanSpy:Win32/Ursnif.EL is also known as Trojan-PSW.Win32.Papras.dr (Kaspersky).

Explanation:

TrojanSpy:Win32/Ursnif.EL is a trojan that steals sensitive information from an affected machine.

Symptoms

System Changes
The following system changes may indicate the presence of this malware:

  • The presence of the following file:
    %windir%\9129837.exe
  • The presence of the following registry modification:
    Adds value: "ttool"
    With data: "%windir%\9129837.exe"
    To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  • The presence of the following registry entry:
    HKCU\Software\Microsoft\InetData
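As a defender-side check for the system changes listed above, the following added example (not code from the original entry or from the vendor) parses a text dump produced by `reg export` of the user hive and flags the "ttool" Run value, the dropped 9129837.exe path and the InetData configuration key; the sample export embedded below is constructed for illustration.

```python
import re

# Artifacts taken from the entry above (the "\" separators restored).
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
CONFIG_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\InetData"
RUN_VALUE = "ttool"
DROPPED_EXE = "9129837.exe"


def parse_reg_export(text):
    """Parse the subset of .reg syntax needed here: [key] headers followed by
    "name"="data" lines. Returns {key: {name: data}} with backslashes unescaped."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
            if m:
                keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys


def find_ursnif_el_artifacts(text):
    """Return a list of findings; an empty list means nothing matched."""
    keys = {k.lower(): v for k, v in parse_reg_export(text).items()}
    findings = []
    for name, data in keys.get(RUN_KEY.lower(), {}).items():
        # Match on the dropped file name as well as the value name: the value
        # name is trivial to change, the dropped path is the stronger indicator.
        if data.lower().endswith(DROPPED_EXE) or name.lower() == RUN_VALUE:
            findings.append(f"Run value {name!r} launches {data}")
    if CONFIG_KEY.lower() in keys:
        findings.append(f"configuration key present: {CONFIG_KEY}")
    return findings


# Constructed sample of what `reg export` would produce on an affected user hive;
# the OneDrive entry is a benign decoy that must not be flagged.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"ttool"="%windir%\\9129837.exe"

[HKEY_CURRENT_USER\Software\Microsoft\InetData]
"""
```

`reg export` writes its output as UTF-16 with a byte-order mark, so open a real dump with `encoding="utf-16"` before passing it to `find_ursnif_el_artifacts`.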


TrojanSpy:Win32/Ursnif.EL is a trojan that steals sensitive information from an affected machine.

Installation
When executed, TrojanSpy:Win32/Ursnif.EL copies itself to the following location:
%windir%\9129837.exe
It modifies the registry to execute this copy at each Windows start:
Adds value: "ttool"
With data: "%windir%\9129837.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
The trojan then executes its copy. It drops the following batch file in the current directory:
abcdefg.bat
and runs it to delete the original executable. When %windir%\9129837.exe is run, it drops and installs the driver %windir%\new_drv.sys. This component may be detected as VirTool:WinNT/Ursnif and is used to provide stealth (see the Payload section below for further detail).

Payload

Steals Sensitive Information
Win32/Ursnif uses several methods in order to compromise the integrity of an affected machine's data. It attempts to steal sensitive data both in transit and in storage, and targets the following:
  • Clear text passwords in transit
    The trojan attempts to steal clear text passwords transmitted over the network. It listens to all network traffic on every interface of the machine, checking whether it contains strings from common protocols that transmit passwords in clear text, for example FTP, POP3, IMAP and TELNET. If any are found, the stolen data is posted to a remote location.
  • Protected Storage
    The trojan attempts to steal passwords and credentials that are stored using Protected Storage.
  • Certificate Store
    Ursnif attempts to steal certificates and private keys from the certificate store.
  • Running Processes
    Ursnif variants may inject code into running processes that patches the following APIs to redirect to its own code:
    CreateProcessA
    CreateProcessW
    InternetReadFile
    HttpSendRequestA
    HttpSendRequestW
    InternetReadFileExA
    InternetReadFileExW
    InternetCloseHandle
    InternetQueryDataAvailable
    It does this to inspect and steal any relevant information passed to these APIs and to inject its own code into any newly created process. The stolen information is then posted to a remote site.
  • Opens SOCKS Proxy
    The trojan sets up a SOCKS proxy on a random port. Proxy servers may be used by attackers in order to hide the origin of malicious activity. The port information is posted to a remote host.

Update Functionality
TrojanSpy:Win32/Ursnif.EL allows unauthorized access to an affected machine. The trojan connects to a remote host and sends its version information. When it receives a parameter in response, it removes any currently running versions of the trojan before installing an updated version of itself (should a newer version be available from the remote host).

Provides Stealth
TrojanSpy:Win32/Ursnif.EL drops a driver, %windir%\new_drv.sys, that is used to provide stealth by masking the files, registry entries and processes used by the trojan. This component may be detected as VirTool:WinNT/Ursnif.

Stops Services
The trojan may stop the following services in an attempt to disable the firewall and other security-related services:
  • SharedAccess
  • wscsvc

Additional Information
TrojanSpy:Win32/Ursnif.EL stores configuration data under the following registry entry:
HKCU\Software\Microsoft\InetData

Analysis by Ray Roberts

Last update 28 May 2009
