Virus:Win32/Ursnif.F
Aliases: PE_URSNIF.E (Trend Micro), TR/Crypt.ZPACK.Gen (Avira), Troj/Ursnif-AF (Sophos), Trojan.Win32.Crypt (Ikarus), Trojan.Win32.Ursnif.a (Kaspersky), W32/Trojan.OCNL-6089 (Command), W32/Tuscas.A!tr (Fortinet), Win32/Kryptik.DAZG (ESET)
Summary
Windows Defender detects and removes this threat.
The threat is a virus that tries to steal information about your PC and send it to a remote malicious hacker.
It spreads by infecting files on removable or remote network drives.
You might get this threat by trying to open a file on a removable or network drive that looks like a Microsoft Word, Microsoft Excel, Microsoft PowerPoint or PDF file. The file is an infected executable (.exe) file that runs the virus.
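As a triage aid for the drives described above, the following added example (not Microsoft's code and not a substitute for an antivirus scan) lists files on a removable or network drive that carry the Windows executable header but are named like Word, Excel, PowerPoint or PDF documents. The page only says the file "looks like" a document, so matching on file names and extensions is an assumption, as are the function names and extension lists.

```python
import os
import sys

# Document types the page names as lures (Word, Excel, PowerPoint, PDF).
DOC_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf"}
# Assumption: extensions that Windows launches directly as programs.
EXE_EXTS = {".exe", ".scr", ".com"}


def is_pe(path):
    """True if the file starts with 'MZ', the magic of a Windows executable."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False  # unreadable files are skipped, not flagged


def classify(path):
    """Return a reason string if an executable is named like a document."""
    stem, ext = os.path.splitext(os.path.basename(path).lower())
    inner_ext = os.path.splitext(stem)[1]  # ".doc" in "invoice.doc.exe"
    if not is_pe(path):
        return None
    if ext in DOC_EXTS:
        return "executable content behind a document extension"
    if ext in EXE_EXTS and inner_ext in DOC_EXTS:
        return "double extension (document name ending in %s)" % ext
    return None  # ordinary executable with an honest name


def scan_drive(root):
    """Walk a drive or share and return {path: reason} for suspicious files."""
    hits = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            reason = classify(path)
            if reason:
                hits[path] = reason
    return hits


if __name__ == "__main__":
    # Usage: python scan_drive.py E:\   (defaults to the current directory)
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, reason in sorted(scan_drive(target).items()):
        print(path, "-", reason)
```

A hit is a reason to leave the file unopened and scan the drive with your security software; a file with no hit is not proof that it is clean.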
Use the following free Microsoft software to detect and remove this threat:
- Microsoft Defender Antivirus for Windows 10 and Windows 8.1, or Microsoft Security Essentials for Windows 7 and Windows Vista
- Microsoft Safety Scanner
You should also run a full scan. A full scan might find hidden malware.
Scan removable drives
Remember to scan any removable or portable drives. If you have Microsoft security software, see this topic on our software help page:
Be careful when sharing files
Windows has a feature that lets you share files and folders on a network or shared PC. This feature is sometimes abused by malware to spread to other PCs within the network.
You can get more information and tips on how to share files safely from these pages:
- In Windows 8.1, Share files and folders on a network or a shared PC
- In Windows 7, File sharing essentials
- In Windows Vista, Share files and folders over the network
You should turn off file sharing until you make sure that all infected PCs have been cleaned of any malware.
Restore files from backup
This threat might make lasting changes to your files that won't be restored when it is detected and removed. You might need to restore the infected files from a backup. You can do this with a cloud storage service such as OneDrive, which is integrated into Windows 8 and Microsoft Office.
Protect your sensitive information
This threat tries to steal your sensitive and confidential information. If you think your information has been stolen, see:
You should change your passwords after you've removed this threat:
Enable MAPS
Enable the Microsoft Active Protection Service (MAPS) on your system to protect your enterprise software security infrastructure in the cloud.
- Check if MAPS is enabled in your Microsoft security product:
  - Select Settings and then select MAPS.
  - Select Advanced membership, then click Save changes. With the MAPS option enabled, your Microsoft anti-malware security product can take full advantage of Microsoft's cloud protection service.
- Join the Microsoft Active Protection Service Community.
Get more help
You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.
If you’re using Windows XP, see our Windows XP end of support page.