
TrojanSpy:Win32/Ursnif.gen!H


First posted on 11 June 2009.
Source: SecurityHome

Aliases:

TrojanSpy:Win32/Ursnif.gen!H is also known as Win32/Ursnif.FJ (CA), Trojan.Win32.Inject.kzl (Kaspersky), Win32/Spy.Ursnif.A (ESET).

Explanation:

TrojanSpy:Win32/Ursnif.gen!H is the generic detection for a trojan that modifies certain system files and settings. It steals information, such as Operating System details and user passwords, which it then sends back to remote servers.

Symptoms

System Changes
The following system changes may indicate the presence of this malware:

  • The presence of the following file:
    %UserProfile%\nah_fhbb.exe
  • The presence of the following registry modifications:
    Added value: "nah_Shell"
    With data: "%UserProfile%\nah_fhbb.exe"
    To subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    Added value: "nah_id"
    With data: "1861792547"
    Added value: "nah_patch"
    With data: "ok"
    To subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion

Presence of other malware
This malware may modify system files to the extent that these files are detected as other threats. The presence of the following detections may indicate the presence of this malware:

  • Virtool:Win32/Ursnif.A
  • Virtool:Win32/Ursnif.B


Installation

TrojanSpy:Win32/Ursnif.gen!H drops itself in the system as the file '%UserProfile%\nah_fhbb.exe'. It creates the mutex called 'xmas_mutex' to prevent more than one instance of itself from running. It modifies the system registry so that it automatically runs every time Windows starts:

    Adds value: "nah_Shell"
    With data: "%UserProfile%\nah_fhbb.exe"
    To subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

It also creates the following registry entries as part of its installation routine:

    Adds value: "nah_id"
    With data: "1861792547"
    Adds value: "nah_patch"
    With data: "ok"
    To subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion

It injects itself into the following services:

  • svchost.exe
  • smss.exe
  • winlogon.exe
  • lsass.exe
  • csrss.exe
  • services.exe
  • processes that have the string '%avp%' in them

If the above services are not running, TrojanSpy:Win32/Ursnif.gen!H starts them. TrojanSpy:Win32/Ursnif.gen!H also injects itself into other currently-running system processes. If the user is running 'firefox.exe', TrojanSpy:Win32/Ursnif.gen!H modifies the browser's Manifest file to run the malware file when the browser is launched.

Payload

Modifies system files
TrojanSpy:Win32/Ursnif.gen!H modifies the following files in the Windows system folder to disable the security features in them:

  • winlogon.exe - modified file is detected as Virtool:Win32/Ursnif.A
  • termsrv.dll - modified file is detected as Virtool:Win32/Ursnif.B

Modifies network settings
TrojanSpy:Win32/Ursnif.gen!H changes the following network settings to allow remote attackers to connect to the system:

  • Enables remote desktop connection:
    Adds value: "fDenyTSConnections"
    With data: "0"
    To subkey: HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server
  • Allows multiple users to log on to the infected computer:
    Adds value: "AllowMultipleTSSessions"
    With data: "1"
    To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Creates user account
TrojanSpy:Win32/Ursnif.gen!H creates a user account and hides its presence in the Welcome screen. This account may be used to run the malware's services.

    Adds value: "l1861792547"
    With data: "0"
    To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList

Steals user information
TrojanSpy:Win32/Ursnif.gen!H gathers the following system information, which it then sends back to the remote server 'service.stat':

  • Operating System version
  • Service pack version
  • Network settings

TrojanSpy:Win32/Ursnif.gen!H contains a module to gather the user's passwords as they are typed. The stored passwords are logged in the file 'nah_log.dat' and sent to the remote server '78.109.23.2' via HTTP POST.
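As an added example (not part of the original writeup), the following script checks a registry export (the text produced by `reg export`) for the registry indicators listed under Symptoms and Payload above: the nah_Shell Run entry, the nah_patch marker, the Terminal Server and Winlogon changes, and the hidden "l" + nah_id account in SpecialAccounts\UserList. Key paths and value names are the writeup's with backslashes restored; the sample export is constructed, and the parser handles only REG_SZ and REG_DWORD values.

```python
"""Scan a Windows .reg export for the registry changes this writeup attributes to TrojanSpy:Win32/Ursnif.gen!H."""
import re
HKCU, HKLM = "HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE"
WINLOGON = HKLM + r"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# (key, value name, expected data or None for any, meaning); paths are the writeup's
INDICATORS = [
    (HKCU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "nah_Shell", None, "Run persistence"),
    (HKCU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion", "nah_patch", "ok", "installation marker"),
    (HKLM + r"\SYSTEM\CurrentControlSet\Control\Terminal Server", "fDenyTSConnections", 0, "RDP enabled"),
    (WINLOGON, "AllowMultipleTSSessions", 1, "multiple TS sessions allowed"),
]
VALUE_RE = re.compile(r'"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')

def parse_reg_export(text):
    """Minimal .reg parser: {key: {value_name: data}}; handles REG_SZ and REG_DWORD only."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and (m := VALUE_RE.match(line)):
            name, dword, sz = m.groups()
            keys[current][name] = int(dword, 16) if dword else sz.replace("\\\\", "\\")
    return keys

def find_ursnif_indicators(reg_text):
    """Return human-readable findings; an empty list means no indicator matched."""
    keys = parse_reg_export(reg_text)
    findings = []
    for key, name, expected, meaning in INDICATORS:
        data = keys.get(key, {}).get(name)
        if data is not None and (expected is None or data == expected):
            findings.append(f"{meaning}: {name} = {data!r}")
    for name, data in keys.get(WINLOGON + r"\SpecialAccounts\UserList", {}).items():
        if data == 0 and re.fullmatch(r"l\d+", name):  # 'l' + nah_id, hidden from the Welcome screen
            findings.append(f"hidden logon account: {name}")
    return findings

SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nah_Shell"="C:\\Documents and Settings\\user\\nah_fhbb.exe"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion]
"nah_patch"="ok"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AllowMultipleTSSessions"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
"l1861792547"=dword:00000000
"""  # constructed sample reproducing the writeup's changes; not a real capture
```

Running `find_ursnif_indicators(SAMPLE_REG)` yields one finding per listed change; a clean export with `fDenyTSConnections` set to 1 and no nah_* values yields an empty list.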

Analysis by Jaime Wong

Last update 11 June 2009