TrojanSpy:Win32/Ursnif.gen!I is a generic detection for a family of trojans that steal sensitive information and allow unauthorized access to, and control of, an affected computer.
Installation
When executed, the main executable component drops a randomly named DLL component into the system folder, for example:
<system folder>\cisvdosx.dll
Note: <system folder> refers to a variable location that the malware determines by querying the operating system. The default location of the System folder is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on Windows XP, Vista and 7.
It then sets the following registry entry to ensure its execution:
To subkey: HKLM\System\CurrentControlSet\Control\Session Manager\AppCertDlls\
Sets value: "odbchare"
With data: "%system%\cisvdosx.dll"
A DLL listed under AppCertDlls is loaded into every process that calls CreateProcess, CreateProcessAsUser, CreateProcessWithLogonW, CreateProcessWithTokenW or WinExec, so this entry gives the component a foothold in newly created processes without a conventional autostart (Run key) entry.
The malware then injects code into the "explorer.exe" process to load the DLL.
The main executable then drops and executes the following batch file, which deletes the original executable (a common self-deletion technique used to remove the dropper from disk):
abcdefg.bat
Payload
Steals sensitive information
The DLL component checks for any currently running Internet Explorer or Firefox process, and injects code to load a copy of itself into that process.
The malware then hooks the following networking APIs to redirect to its own code:
- InternetReadFile
- InternetReadFileExA
- InternetReadFileExW
- HttpSendRequestA
- HttpSendRequestW
- InternetQueryDataAvailable
- LoadLibraryExW
- InternetConnectA
- InternetConnectW
The malware then inspects the parameters passed to these APIs for user authentication credentials. If any are found, they are posted to a remote host together with a screen capture.
Connects to a remote server
TrojanSpy:Win32/Ursnif.gen!I attempts to connect to a remote server to send its stolen information.
Some of the IP addresses it is known to connect to are:
Backdoor functionality
The malware connects to a remote host to obtain configuration information, which may instruct the malware to perform the following actions:
- Download and execute arbitrary files
- Delete browser Cookies, History and Cache
- Reboot the computer
Additional information
The malware hooks the following system APIs to redirect to its own code:
- CreateProcessW
- CreateProcessA
- CreateProcessAsUserW
- CreateProcessAsUserA
- LoadLibrary
- LoadLibraryExW
The malware then injects a copy of itself into newly created processes, and hooks the networking APIs once the system networking library (wininet.dll, which exports the WinINet functions listed above) is loaded in that process.
The malware also writes configuration data in the following registry location:
HKCU\Software\AppDataLow\<Random GUID>
In the wild, one sample is known to create the following registry entry:
HKCU\Software\AppDataLow\{8260c5e4-d7f3-bcb6-589d-0c214ad71efb}
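The two registry locations named in this write-up, the AppCertDlls subkey used for persistence and the GUID-named subkey under HKCU\Software\AppDataLow used for configuration, are the most practical host indicators to check, because the DLL file name and the GUID are random per infection. The following PowerShell script is an added example written for this page, not code from the original analysis: it enumerates every AppCertDlls value (any entry there deserves scrutiny, not only the sample value above), checks whether the referenced DLL exists and carries a valid Authenticode signature, and lists every GUID-shaped subkey directly under HKCU\Software\AppDataLow rather than only the one GUID seen in the wild. It assumes it is run in an elevated PowerShell session on the host being examined and inspects only the current user's HKCU hive.

```powershell
# Added example (not part of the original write-up): hunt for the two registry
# indicators described above. Assumes an elevated session on the host under review;
# HKCU refers to the current user's hive only.

function Get-AppCertDllEntries {
    # Any DLL under AppCertDlls is loaded into every process that calls the
    # CreateProcess family, so a clean system normally has no values here at all.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls'
    if (-not (Test-Path -LiteralPath $key)) { return @() }

    $item = Get-Item -LiteralPath $key
    foreach ($name in $item.GetValueNames()) {
        # GetValue() expands REG_EXPAND_SZ data; expand again in case the data
        # was stored as plain REG_SZ with environment variables inside it.
        $raw      = [string]$item.GetValue($name)
        $dllPath  = [Environment]::ExpandEnvironmentVariables($raw)
        $exists   = Test-Path -LiteralPath $dllPath
        $signed   = $false
        if ($exists) {
            $signed = (Get-AuthenticodeSignature -FilePath $dllPath).Status -eq 'Valid'
        }
        [pscustomobject]@{
            ValueName  = $name
            DllPath    = $dllPath
            FileExists = $exists
            ValidSig   = $signed
            # Unsigned or missing DLLs loaded into every new process are the
            # pattern described in this write-up and should be triaged first.
            Suspicious = (-not $signed)
        }
    }
}

function Get-AppDataLowGuidKeys {
    # Ursnif stores its configuration in HKCU\Software\AppDataLow\<random GUID>.
    # The GUID differs per infection, so match any GUID-shaped subkey name instead
    # of the single value observed in the wild, and review each hit manually.
    $key = 'HKCU:\Software\AppDataLow'
    if (-not (Test-Path -LiteralPath $key)) { return @() }

    $guidPattern = '^\{[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}\}$'
    Get-ChildItem -LiteralPath $key |
        Where-Object { $_.PSChildName -match $guidPattern } |
        ForEach-Object {
            [pscustomobject]@{
                KeyPath    = $_.Name
                ValueCount = $_.ValueCount
                ValueNames = ($_.GetValueNames() -join ', ')
            }
        }
}

# Run both checks and print the findings.
Write-Host '== AppCertDlls entries (persistence) =='
Get-AppCertDllEntries | Format-Table -AutoSize

Write-Host '== GUID-named subkeys under HKCU\Software\AppDataLow (configuration) =='
Get-AppDataLowGuidKeys | Format-Table -AutoSize
```

Because AppCertDlls is honoured by the process-creation path, the hook chain in this write-up means the DLL may already be resident in the shell you are running; collecting the listed DLL and its hash for offline analysis is safer than trusting in-session file inspection alone, and the registry hunt above should be repeated for every user profile on the host since the AppDataLow key is per-user.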
Analysis by Ray Roberts