Virus:Win32/Ursnif.F

Installation

You might get this threat by trying to open a file on a removable or network drive that looks like a Microsoft Word, Microsoft Excel, Microsoft Power Point or PDF file. The file is an infected executable (.exe) file that runs the virus.

When the infected file runs, it decompresses the virus code in the host file into %SystemRoot%\temp, and runs it.

The threat then drops the following files on your PC:

• <system folder>\<random file name>.exe - file used by the virus to create a service
• %LOCALAPPDATA%\<random folder name>\<random file name>.exe - copy of the infected host file that infected your PC

It also registers itself as a service by modifying the registry:

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\<random generated service name>
Sets value: "DisplayName"
With data: "Windows Protection"

Sets value: "ImagePath"
With data: "<system folder>\<random file name>.exe -k"

The <random generated service name> and <random file name> are created by combining parts from the file names of legitimate files in the <system folder>.

For example, the threat can use a service name "wsauth" and file name wsauth.exe by combining the strings "ws" from ws2_32.dll, and "auth" from authz.dll.

It might also change the following registry entry so that it runs each time you start your PC:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<random registry value>"
With data: "%LOCALAPPDATA%\<random folder name>\<random file name>.exe"

The <random registry value>, <random folder name> and <random filename> are all formed by combining parts of file names found in the <system folder>, for example:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Clipcess"
With data: "%LOCALAPPDATA%\faxpinst\wsauth.exe"

In this example:

• The value "clipcess" is formed with the strings "clip" from clipbrd.exe and "cess" from ctfmcess.exe.
• The folder name faxp is formed with the strings "fax" from faxpatch.exe and "inst" from iccoinstall.dll.
• The file name wsauth.exe is formed with the strings "ws" from ws2_32.dll, and "auth" from authz.dll.

This way, it appears that the process name in the process list will look like a legitimate system process.

Spreads through

Injects code to explorer.exe

The threat injects code into explorer.exe. The injected code is responsible for infecting Microsoft Office and Adobe PDF files in removable or remote drives. It renames the infected files into an executable (.exe) file.

If the file format of the Microsoft Office file is from Office 2007 and later, and has an extension like the following, the infected file will not have the same icon as the uninfected file:

• .docx
• .pptx
• .xlsx 

This virus might also drop a copy of itself on these drives, with the filename subst.exe.

Payload

Steals information

The malware queries some system information, including the following:

• Installed drivers
• Installed programs
• Running services
• System information

It does this by running the following commands:

• cmd /C "systeminfo.exe > %s"
• cmd /C "tasklist.exe /SVC >> %s"
• cmd /C "driverquery.exe >> %s"
• cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> %s"

Analysis by Ferdinand Plazo