TrojanSpy:Win64/Ursnif.A
First posted on 13 December 2012.
Source: Microsoft
Aliases:
TrojanSpy:Win64/Ursnif.A is also known as Troj/Papras-N (Sophos).
Explanation:
TrojanSpy:Win64/Ursnif.A is malware that allows an attacker to gain backdoor access and control of your computer. Once installed, TrojanSpy:Win64/Ursnif.A steals personal information and sends it to the attacker.
Installation
TrojanSpy:Win64/Ursnif.A may be installed on your computer as a result of a drive-by download attack if you visit a hacked or malicious website. TrojanSpy:Win64/Ursnif.A may also be installed by other malware.
Payload
Connects to a server
TrojanSpy:Win64/Ursnif.A connects to a remote server to receive commands from a remote attacker. The attacker can command TrojanSpy:Win64/Ursnif.A to perform any of the following actions:
- Grab HTTP outbound traffic (POST data)
- Grab FTP transfer data (GET/PUT commands)
- Capture screenshots
- Get your browser cookies
- Get your digital certificates
- Upload files to a server
- Clear browser cookies
- Restart your computer
- Get a list of all running processes
- Kill a running process
- Execute a shell command
- Download and execute a file
- Add a program to the system startup registry
To intercept browser traffic and steal browser data, TrojanSpy:Win64/Ursnif.A injects itself into the following web browser processes:
- chrome.exe
- firefox.exe
- iexplore.exe
- opera.exe
- safari.exe
TrojanSpy:Win64/Ursnif.A may upload stolen data to the following servers:
- 31.<blocked>.74.37
- 91.<blocked>.218.79
- newlif<blocked>.com.tw
- wehavech<blocked>e.com.tw
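The behaviours listed above (injection into the named browsers, a Run-key autostart entry, and uploads that leave from the injected browser) are the observable hooks a defender can hunt for. The following is an added example, not part of the original write-up and not Microsoft's tooling: it runs simple detection logic over a handful of constructed Sysmon-style events (Event ID 8 CreateRemoteThread, Event ID 13 registry value set, Event ID 3 network connect). All paths, SIDs and addresses in the sample events are invented, and the "value points into a user-writable directory" rule is a heuristic of this example, not something the page states.

```python
import ntpath
from collections import defaultdict

# Browser processes the page lists as injection targets.
BROWSERS = {"chrome.exe", "firefox.exe", "iexplore.exe", "opera.exe", "safari.exe"}

# Autostart key fragments, matched case-insensitively against the registry path.
RUN_KEY_MARKERS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")

# Directories an unprivileged dropper can write to. Treating a Run value that
# points here as suspicious is a heuristic of this example, not a page claim.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")

# Constructed Sysmon-style events (EID 8 CreateRemoteThread, EID 13 registry
# value set, EID 3 network connect). Paths, SIDs and addresses are invented;
# 203.0.113.0/24 is a documentation range.
EVENTS = [
    {"EventID": 8,
     "SourceImage": r"C:\Users\bob\AppData\Roaming\dfce\update.exe",
     "TargetImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"EventID": 13,
     "Image": r"C:\Users\bob\AppData\Roaming\dfce\update.exe",
     "TargetObject": r"HKU\S-1-5-21-111-222-333-1001\Software\Microsoft\Windows\CurrentVersion\Run\dfce",
     "Details": r"C:\Users\bob\AppData\Roaming\dfce\update.exe"},
    {"EventID": 3,
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 80},
    # Benign noise: a remote thread into a non-browser, an installer writing a
    # Run value that points into Program Files, and an uninjected browser.
    {"EventID": 8,
     "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 13,
     "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Reader",
     "Details": r"C:\Program Files\Adobe\Reader\reader.exe"},
    {"EventID": 3,
     "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "203.0.113.20", "DestinationPort": 443},
]


def base(path):
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def browser_injections(events):
    """EID 8 where the target is a listed browser and the source is a different image."""
    hits = []
    for e in events:
        if e.get("EventID") != 8:
            continue
        src, dst = e["SourceImage"], e["TargetImage"]
        if base(dst) in BROWSERS and base(src) != base(dst):
            hits.append((src, dst))
    return hits


def run_key_persistence(events):
    """EID 13 on a Run/RunOnce key whose value points into a user-writable directory."""
    hits = []
    for e in events:
        if e.get("EventID") != 13:
            continue
        key, value = e["TargetObject"].lower(), e.get("Details", "").lower()
        if any(m in key for m in RUN_KEY_MARKERS) and any(d in value for d in USER_WRITABLE):
            hits.append((e["Image"], e["TargetObject"], e["Details"]))
    return hits


def tainted_connections(events):
    """EID 3 from a browser that an earlier EID 8 shows was injected into.

    Events are assumed to be in time order. Once a browser hosts foreign code,
    its outbound traffic may be the trojan's upload rather than the user's.
    """
    injected, hits = set(), []
    for e in events:
        if e.get("EventID") == 8 and browser_injections([e]):
            injected.add(e["TargetImage"].lower())
        elif e.get("EventID") == 3 and e["Image"].lower() in injected:
            hits.append((e["Image"], e["DestinationIp"], e["DestinationPort"]))
    return hits


def triage(events):
    """Tags per image; one image that both injects into browsers and persists
    via a Run key matches the behaviour described for this family."""
    tags = defaultdict(set)
    for src, _ in browser_injections(events):
        tags[src.lower()].add("browser_injection")
    for img, _, _ in run_key_persistence(events):
        tags[img.lower()].add("run_key_persistence")
    return {img: sorted(t) for img, t in tags.items()}


if __name__ == "__main__":
    for img, t in triage(EVENTS).items():
        print(img, t)
    for hit in tainted_connections(EVENTS):
        print("tainted connection:", hit)
```

On real telemetry the same three rules would be fed from the Sysmon operational log rather than an inline list; the point of the correlation in triage() and tainted_connections() is that neither a remote thread into chrome.exe nor a Run value on its own is conclusive, but the same image doing both, followed by the injected browser opening connections, is the pattern this entry describes.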
Analysis by Sergey Chernyshev
Last update 13 December 2012