TrojanSpy:Win32/Ursnif.GS


First posted on 07 September 2012.
Source: Microsoft

Aliases:

TrojanSpy:Win32/Ursnif.GS is also known as Backdoor.Win32.Papras.foy (Kaspersky), Trojan.PWS.Papras!tfxLYPjEhYY (VirusBuster), Win32/PSW.Papras.CE trojan (ESET), Mal/Steppa-A (Sophos).

Explanation:



TrojanSpy:Win32/Ursnif.GS is a trojan that steals personal information from the infected computer and uploads it to a remote server. It also accepts backdoor commands from that server and deletes certain files and folders.



Installation

TrojanSpy:Win32/Ursnif.GS is installed under a random file name in the Temporary Files folder. It creates a registry entry with random values so that it runs automatically every time Windows starts.

TrojanSpy:Win32/Ursnif.GS creates registry entries as part of its installation process:

In subkey: HKCU\Software\AppDataLow\Software\Microsoft\Internet Explorer\Security\AntiPhishing\
Sets value: "{random GUID}"
With data: "<random data>"

In subkey: HKCU\Software\AppDataLow\Software\Microsoft\Internet Explorer\Security\AntiPhishing\{random GUID}
Sets value: "ID"
With data: "<random data>"

In subkey: HKCU\Software\AppDataLow\Software\Microsoft\Internet Explorer\Security\AntiPhishing\{random GUID}
Sets value: "Group"
With data: "40c"

TrojanSpy:Win32/Ursnif.GS checks whether a web browser is currently running. If one is found, it injects code into that browser process to load itself. It checks for the following browsers:

  • Chrome
  • Firefox
  • Internet Explorer
  • Opera
  • Safari


Payload

Deletes files

TrojanSpy:Win32/Ursnif.GS deletes all files and subfolders in the following folders:

  • <user profile>\Cookies\
  • <user profile>\Local Settings\History\
  • <user profile>\Local Settings\Temporary Internet Files\


Allows backdoor access and control

TrojanSpy:Win32/Ursnif.GS may perform any of the following actions after connecting to its remote servers:

  • Confirm Internet connectivity
  • Report a new infection to its author
  • Receive configuration data or other data
  • Upload data taken from your computer
  • Download and run arbitrary files (including updates or other malware)


TrojanSpy:Win32/Ursnif.GS is known to connect to the following servers:

  • whestabformerour.co.cc
  • statesourcalled.co.cc
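
As an added example (not part of the Microsoft write-up), the following Python script checks a host for the two kinds of indicator given above: GUID-named subkeys under the AppDataLow AntiPhishing key that carry an "ID" value and Group = "40c", and DNS queries for the listed servers. The registry export text and the DNS log lines embedded in it are constructed for the example, and the five-field log format is an assumption; on a real host you would feed it the output of `reg export HKCU <file>` (which is written as UTF-16, so open it with `encoding="utf-16"`) and your resolver's query log.

```python
"""Triage for the TrojanSpy:Win32/Ursnif.GS indicators listed in the write-up.

Added example, not the write-up's own code. SAMPLE_REG and SAMPLE_DNS_LOG are
constructed to look like an infected host; the DNS log format is assumed.
"""
import re
from collections import defaultdict

# Registry key the write-up names for the per-infection configuration.
ANTIPHISHING_KEY = (
    r"HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft"
    r"\Internet Explorer\Security\AntiPhishing"
)
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
EXPECTED_GROUP = "40c"  # fixed "Group" data from the write-up
C2_DOMAINS = {"whestabformerour.co.cc", "statesourcalled.co.cc"}


def parse_reg_export(text):
    """Parse 'Windows Registry Editor Version 5.00' text into
    {key_path: {value_name: data}}. Quoted (REG_SZ) data is unquoted;
    other value types are kept as the raw right-hand side."""
    keys = defaultdict(dict)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current]  # register the key even if it has no values
            continue
        if current is None or "=" not in line:
            continue
        name, data = line.split("=", 1)
        name = name if name == "@" else name.strip('"')
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = data[1:-1]
        keys[current][name] = data
    return dict(keys)


def find_ursnif_persistence(keys):
    """Return GUID-named AntiPhishing subkeys that carry an "ID" value and
    Group = "40c", as the write-up describes. The parent key on its own is
    not treated as an indicator."""
    prefix = ANTIPHISHING_KEY.lower() + "\\"
    hits = []
    for path, values in keys.items():
        if not path.lower().startswith(prefix):
            continue
        subkey = path[len(prefix):]
        if "\\" in subkey or not GUID_RE.match(subkey):
            continue
        if values.get("Group") == EXPECTED_GROUP and "ID" in values:
            hits.append({"guid": subkey, "id": values["ID"]})
    return hits


def find_c2_lookups(log_lines):
    """Return (client, qname) for DNS log lines that query a listed C2 host
    or a subdomain of one. Assumed format: '<ts> <client> query <qname> <qtype>'."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 5 or parts[2] != "query":
            continue
        client, qname = parts[1], parts[3].rstrip(".").lower()
        if any(qname == d or qname.endswith("." + d) for d in C2_DOMAINS):
            hits.append((client, qname))
    return hits


# Constructed sample data (not real captures).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\Internet Explorer\Security\AntiPhishing]
"{8D0E8C4E-5B57-4B6A-9F0E-3C1C2D7A1B2E}"="0a1b2c3d"

[HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\Internet Explorer\Security\AntiPhishing\{8D0E8C4E-5B57-4B6A-9F0E-3C1C2D7A1B2E}]
"ID"="4f2a9c7e1b"
"Group"="40c"

[HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\Internet Explorer\Security\AntiPhishing\NotAGuid]
"Group"="40c"
"""
SAMPLE_DNS_LOG = [
    "2012-09-07T10:01:02 10.0.0.5 query www.microsoft.com A",
    "2012-09-07T10:01:09 10.0.0.5 query whestabformerour.co.cc A",
    "2012-09-07T10:03:41 10.0.0.7 query statesourcalled.co.cc. A",
]


def triage(reg_text=SAMPLE_REG, log_lines=SAMPLE_DNS_LOG):
    return {
        "persistence": find_ursnif_persistence(parse_reg_export(reg_text)),
        "c2_lookups": find_c2_lookups(log_lines),
    }


if __name__ == "__main__":
    for section, hits in triage().items():
        print(section, hits or "no hits")
```

The registry check deliberately keys on the GUID-named subkey with both an "ID" value and Group = "40c" rather than on the existence of the AntiPhishing key itself, since the write-up only ties the GUID subkey and its two values to the infection. The DNS check also matches subdomains of the listed hosts, because a sample's callback hostname can be a label under the listed domain.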




Analysis by Patrik Estavillo

Last update 07 September 2012
