TrojanSpy:Win32/Ursnif.gen!K
First posted on 21 August 2012.
Source: Microsoft
Aliases:
TrojanSpy:Win32/Ursnif.gen!K is also known as TR/Spy.Ursnif.K.42 (Avira), Trojan-Spy.Win32.Ursnif (Ikarus).
Explanation:
TrojanSpy:Win32/Ursnif.gen!K is the DLL component of other malware; it is capable of stealing personal information and executing commands issued by a remote attacker.
Installation
TrojanSpy:Win32/Ursnif.gen!K may be installed on your computer by other malware, or may be downloaded automatically when you visit a compromised or malicious website.
It creates the following mutexes to ensure that only one instance of itself is running:
- {f2783f40-a99f-ea72-7429-e86dc6435a27}
- {35f3554a-c421-0f0c-1efb-325f00e534e9}
- {312c2f58-6ad7-0a4a-0c21-00e51efb325f}
Payload
Performs commands from a remote attacker
TrojanSpy:Win32/Ursnif.gen!K may receive and execute commands from a remote attacker. These commands may include, but are not limited to, the following:
- Capture screenshots
- Steal cookies
- Steal certificates
- Upload a log file with all the stolen information from your computer
- Clear cookies
- Reboot your computer
- Start a SOCKS proxy
- Get a list of active running processes
- Terminate processes
- Download and run a new file
Downloads and installs other malware
TrojanSpy:Win32/Ursnif.gen!K may download and install other malware. The installed malware may have a randomly generated file name.
TrojanSpy:Win32/Ursnif.gen!K makes sure that its installed malware automatically runs every time Windows starts by creating the following registry entry:
In subkey: HKCR\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "ttool"
With data: "%Temp%\<random number>.exe"
Hooks APIs
TrojanSpy:Win32/Ursnif.gen!K injects code into running processes that patches the following APIs to redirect to its own code:
- CreateProcessA
- CreateProcessW
- InternetReadFile
- HttpSendRequestA
- HttpSendRequestW
- InternetReadFileExA
- InternetReadFileExW
- InternetCloseHandle
- InternetQueryDataAvailable
It does this to inspect and steal any relevant information passed to these APIs, as well as to inject its own code into any newly created process. The stolen information is then posted to a website.
Injects code into your browser
TrojanSpy:Win32/Ursnif.gen!K checks if you're currently using any of the following browsers. If you are, then it injects itself into the browser process:
- Internet Explorer
- Firefox
- Chrome
- Opera
- Safari
Changes Internet Explorer settings
TrojanSpy:Win32/Ursnif.gen!K disables the "Protected mode is currently turned off for the Internet zone" message in Internet Explorer by setting the following registry values:
In subkey: HKCR\Software\Microsoft\Internet Explorer\Main
Sets value: "NoProtectedModeBanner"
With data: "1"
Sets value: "TabProcGrowth"
With data: "0"
It also disables the "Protected mode" of Internet Explorer by setting the following registry value:
In subkey: HKCR\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Sets value: "2500"
With data: "3"
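The mutex names listed under Installation and the registry values listed under Payload and Changes Internet Explorer settings are host indicators a responder can check read-only. The following PowerShell triage script is an added example, not part of the original write-up or any Microsoft tooling; it assumes the write-up's "HKCR" paths should be checked both literally and under HKEY_CURRENT_USER (where Run-key and Internet Explorer settings normally live), and that the mutex names may be created with or without a "Global\" prefix, since the write-up does not state one.

```powershell
# Added example (not from the original write-up): read-only triage for the
# Ursnif.gen!K host indicators listed above. Assumptions: the write-up's "HKCR"
# hive is checked literally and under HKCU; mutexes are tried with and without
# the "Global\" prefix because the write-up does not state one.
$regChecks = @(
    @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'ttool'; Match = '\.exe$'; Why = 'Run-key persistence for dropped payload' },
    @{ Key = 'Software\Microsoft\Internet Explorer\Main'; Name = 'NoProtectedModeBanner'; Match = '^1$'; Why = 'IE protected-mode banner suppressed' },
    @{ Key = 'Software\Microsoft\Internet Explorer\Main'; Name = 'TabProcGrowth'; Match = '^0$'; Why = 'IE tab process growth forced to 0' },
    @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'; Name = '2500'; Match = '^3$'; Why = 'IE protected mode disabled for Internet zone' }
)
$mutexNames = @(
    '{f2783f40-a99f-ea72-7429-e86dc6435a27}',
    '{35f3554a-c421-0f0c-1efb-325f00e534e9}',
    '{312c2f58-6ad7-0a4a-0c21-00e51efb325f}'
)

function Test-UrsnifIndicators {
    $findings = @()
    foreach ($hive in 'HKEY_CURRENT_USER', 'HKEY_CLASSES_ROOT') {
        foreach ($c in $regChecks) {
            # Registry:: provider path works for hives without a default PSDrive (HKCR)
            $path = "Registry::$hive\$($c.Key)"
            $item = Get-ItemProperty -Path $path -Name $c.Name -ErrorAction SilentlyContinue
            if ($null -eq $item) { continue }          # key or value absent: nothing to report
            $value = [string]$item.($c.Name)           # DWORD and REG_SZ both compare as text
            if ($value -match $c.Match) {
                $findings += [pscustomobject]@{ Type = 'Registry'; Where = "$hive\$($c.Key)\$($c.Name)"; Value = $value; Why = $c.Why }
            }
        }
    }
    foreach ($name in $mutexNames) {
        foreach ($full in @($name, "Global\$name")) {
            $m = $null
            try {
                # TryOpenExisting returns $false when no such mutex exists; it does not create one
                if ([System.Threading.Mutex]::TryOpenExisting($full, [ref]$m)) {
                    $m.Dispose()
                    $findings += [pscustomobject]@{ Type = 'Mutex'; Where = $full; Value = 'present'; Why = 'single-instance mutex held by a running sample' }
                }
            } catch [System.UnauthorizedAccessException] {
                # Mutex exists but this session may not open it: still worth reporting
                $findings += [pscustomobject]@{ Type = 'Mutex'; Where = $full; Value = 'present (access denied)'; Why = 'single-instance mutex present' }
            }
        }
    }
    return $findings
}

Test-UrsnifIndicators | Format-Table -AutoSize
```

An empty table means none of the listed indicators are present for the current user; a hit on the Run key is the one to act on first, since it names the dropped executable under %Temp%.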
Analysis by Patrick Estavillo
Last update 21 August 2012