
TrojanSpy:Win32/Ursnif.FY


First posted on 30 August 2012.
Source: Microsoft

Aliases:

TrojanSpy:Win32/Ursnif.FY is also known as Win32/Kryptik.MKD (ESET), Win32/Kryptik.MCH (ESET), Win32/Kryptik.RNL (ESET), Backdoor.Win32.Papras (Ikarus), Trojan.MulDrop2.24844 (Dr.Web), Trojan.PWS.Siggen.24671 (Dr.Web), Win-Trojan/Papras.58880 (AhnLab), Backdoor.Papras!SYEIq/k37YA (VirusBuster), Backdoor.Papras!Sc7nTHYVv9M (VirusBuster), Backdoor.Win32.Papras.aig (Kaspersky), Backdoor.Win32.Papras.ddx (Kaspersky), Backdoor.Win32.Papras.def (Kaspersky), FakeAlert-SecurityTool.ab (McAfee), Mal/FakeAV-EE (Sophos), TR/Kazy.15747.32 (Avira), among others.

Explanation:



TrojanSpy:Win32/Ursnif.FY is a backdoor trojan that steals sensitive information and allows unauthorized access and control of an affected computer. It may also install additional malware.

TrojanSpy:Win32/Ursnif.FY is a variant of the TrojanSpy:Win32/Ursnif family.



Installation

TrojanSpy:Win32/Ursnif.FY arrives as a DLL file and can be dropped or loaded by other malware, such as:

  • TrojanSpy:Win32/Ursnif.FX
  • TrojanSpy:Win32/Ursnif.gen!L
  • VirTool:Win32/Obfuscator.UR


In the wild, we have observed TrojanSpy:Win32/Ursnif.FY with the following file names:

  • <system folder>\eudcsmui.dll
  • <system folder>\cisvdosx.dll


Note: <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the System folder for Windows 2000 and NT is "C:\Winnt\System32"; and for XP, Vista, and 7 it is "C:\Windows\System32".



Payload

Steals sensitive information

TrojanSpy:Win32/Ursnif.FY steals your logon details, such as usernames and passwords, that are sent through an Internet browser, and it may also take a screenshot of your desktop. It sends this stolen information to a remote server.

Connects to a remote server

TrojanSpy:Win32/Ursnif.FY attempts to connect to a remote server to send its stolen information. Some remote domains it is known to connect to are:

  • invasionusurp.co.cc
  • legislationname.co.cc
  • necessaryprote.co.cc


Allows backdoor access and control

The malware also connects to the remote server to obtain configuration information, which may instruct the malware to perform one of the following actions:

  • Download and install arbitrary files, and set these to run at every Windows start
  • Delete browser cookies, history and Internet cache files, possibly in an effort to hinder detection
  • Reboot the computer


The malware stores configuration data under the following registry entry:

HKCU\Software\AppDataLow\{}

Injects code into your browser

TrojanSpy:Win32/Ursnif.FY checks if you're currently using any of the following browsers. If you are, then it injects itself into the browser process to assist with its information-stealing payload:

  • Chrome
  • Firefox
  • Internet Explorer
  • Opera
  • Safari


Additional information

TrojanSpy:Win32/Ursnif.FY steals data by hooking into, or "hijacking", the following APIs to redirect to its own code:

  • HttpSendRequestA
  • HttpSendRequestW
  • InternetConnectA
  • InternetConnectW
  • InternetQueryDataAvailable
  • InternetReadFile
  • InternetReadFileExA
  • InternetReadFileExW


An API (application programming interface) is a function that a program exposes for use by other programs; the APIs listed above are used by Internet browsers.

The malware also injects code into existing or newly created processes. The injected code modifies the following APIs to redirect to its own code:

  • CreateProcessA
  • CreateProcessAsUserA
  • CreateProcessAsUserW
  • CreateProcessW
  • LoadLibrary
  • LoadLibraryExW

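The hooks listed above (the WinINet functions inside the browser and the process-creation functions in other processes) can be checked for from the defender's side by comparing each export's entry-point bytes in memory with the same bytes in the module on disk: an inline hook replaces the first instructions with a jump into the injected code. The following Python is an added example and is not part of Microsoft's write-up or of any Ursnif analysis tooling. The API names are taken from the two lists above; the prologue bytes, virtual addresses and jump targets are constructed sample data, and the trampoline encodings it recognises (jmp rel32, jmp rel8, jmp [disp32], push/ret, mov eax/jmp eax) are common x86 inline-hook forms rather than anything the write-up attributes to this variant. On a real host the two byte maps would be filled from process memory and from the module file respectively.

```python
"""Inline-hook check for the browser and process-creation APIs named above.

Added example (not Microsoft's analysis code). Compares the first bytes of
each exported function as seen in a running process ("live") with the bytes
of the same function in the module on disk, and classifies any difference by
the x86 instruction now sitting at the entry point. All byte strings and
addresses below are constructed for the demonstration.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass

# APIs the write-up says Ursnif.FY redirects to its own code.
BROWSER_APIS = [
    "HttpSendRequestA", "HttpSendRequestW",
    "InternetConnectA", "InternetConnectW",
    "InternetQueryDataAvailable", "InternetReadFile",
    "InternetReadFileExA", "InternetReadFileExW",
]
PROCESS_APIS = [
    "CreateProcessA", "CreateProcessAsUserA", "CreateProcessAsUserW",
    "CreateProcessW", "LoadLibrary", "LoadLibraryExW",
]

PROLOGUE_LEN = 8  # bytes compared at each entry point

# Constructed "clean" prologue: mov edi,edi / push ebp / mov ebp,esp / sub esp,10h
CLEAN_PROLOGUE = bytes.fromhex("8bff558bec83ec10")


@dataclass(frozen=True)
class HookFinding:
    api: str
    kind: str            # how the entry point was redirected
    target: int | None   # absolute jump target, when the encoding allows it


def classify_prologue(code: bytes) -> str:
    """Name the common x86 trampoline encoded at the start of `code`.

    Returns 'clean' when none is recognised; the caller still compares the
    bytes with disk, so an unknown patch is not silently accepted.
    """
    if len(code) >= 5 and code[0] == 0xE9:                       # jmp rel32
        return "jmp_rel32"
    if len(code) >= 2 and code[0] == 0xEB:                       # jmp rel8
        return "jmp_rel8"
    if len(code) >= 6 and code[0:2] == b"\xff\x25":              # jmp [disp32]
        return "jmp_indirect"
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:   # push imm32; ret
        return "push_ret"
    if len(code) >= 7 and code[0] == 0xB8 and code[5:7] == b"\xff\xe0":  # mov eax,imm32; jmp eax
        return "mov_jmp_eax"
    return "clean"


def resolve_target(entry_va: int, code: bytes, kind: str) -> int | None:
    """Absolute address control is transferred to, where it can be computed
    from the bytes alone (jmp [disp32] needs the pointer slot's contents)."""
    if kind == "jmp_rel32":
        return entry_va + 5 + int.from_bytes(code[1:5], "little", signed=True)
    if kind == "jmp_rel8":
        return entry_va + 2 + int.from_bytes(code[1:2], "little", signed=True)
    if kind in ("push_ret", "mov_jmp_eax"):
        return int.from_bytes(code[1:5], "little", signed=False)
    return None


def detect_hooks(live: dict[str, tuple[int, bytes]],
                 disk: dict[str, bytes],
                 watched: list[str]) -> list[HookFinding]:
    """Report every watched API whose in-memory prologue differs from disk.

    `live` maps API name -> (virtual address, first bytes in memory);
    `disk` maps API name -> the same bytes taken from the module file.
    """
    findings: list[HookFinding] = []
    for api in watched:
        if api not in live or api not in disk:
            continue  # not exported or not loaded on this host
        va, mem = live[api]
        if mem[:PROLOGUE_LEN] == disk[api][:PROLOGUE_LEN]:
            continue  # byte-identical to disk: no inline hook
        kind = classify_prologue(mem)
        if kind == "clean":
            kind = "modified"  # differs from disk but no known trampoline
        findings.append(HookFinding(api, kind, resolve_target(va, mem, kind)))
    return findings


def constructed_sample() -> tuple[dict[str, tuple[int, bytes]], dict[str, bytes]]:
    """Constructed snapshots: every API clean on disk, three hooked in memory."""
    all_apis = BROWSER_APIS + PROCESS_APIS
    disk = {api: CLEAN_PROLOGUE for api in all_apis}
    live = {api: (0x76A10000 + i * 0x100, CLEAN_PROLOGUE) for i, api in enumerate(all_apis)}
    # HttpSendRequestA: jmp rel32 into a hypothetical injected region at 0x10001000
    va = live["HttpSendRequestA"][0]
    live["HttpSendRequestA"] = (va, b"\xe9" + struct.pack("<i", 0x10001000 - (va + 5)) + CLEAN_PROLOGUE[5:])
    # InternetReadFile: push imm32 / ret trampoline to 0x10002000
    live["InternetReadFile"] = (live["InternetReadFile"][0], bytes.fromhex("6800200010c3") + CLEAN_PROLOGUE[6:])
    # CreateProcessW: jmp [disp32] through a pointer slot (target not resolvable from bytes)
    live["CreateProcessW"] = (live["CreateProcessW"][0], bytes.fromhex("ff2500304000") + CLEAN_PROLOGUE[6:])
    return live, disk


def run_demo() -> list[HookFinding]:
    live, disk = constructed_sample()
    return detect_hooks(live, disk, BROWSER_APIS + PROCESS_APIS)


if __name__ == "__main__":
    for f in run_demo():
        tgt = f"0x{f.target:08X}" if f.target is not None else "(indirect)"
        print(f"{f.api:28s} {f.kind:14s} -> {tgt}")
```

The comparison against disk, rather than against a fixed list of expected prologues, is what keeps the check honest: a legitimate hot-patched or relocated function still matches its own file bytes, whereas an injected trampoline does not, and the classification only labels the difference.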



Analysis by Rex Plantado

Last update 30 August 2012
