Threat Encyclopedia

Short description
Win32/Spy.Ursnif.A is a trojan that steals sensitive information. The trojan can send the information to a remote machine.
Installation
When executed, the trojan copies itself into the following location:
  • %userprofile%\nah_%random%.exe
%random% stands for random text.

In order to be executed on every system start, the trojan sets the following Registry entry:
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "nah_Shell" = "%userprofile%\nah_%random%.exe"
The following Registry entries are created:
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion]
    "nah_opt_server1" = "78.109.23.2"
    "nah_opt_reserv" = "78.109.23.2"
    "nah_opt_forms" = "/f/prinimalka.py/forms"
%number1-3% stands for a random number.

A string with variable content is used instead of %variable1-3%.

The following Registry entry is deleted:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}]
    "StubPath"
The following file is modified:
  • %programfiles%\Mozilla Firefox\chrome\browser.manifest

The trojan creates the following file:
  • %programfiles%\Mozilla Firefox\chrome\amba.jar

The trojan creates and runs a new thread with its own program code in all running processes.

It avoids those with any of the following strings in their names:
  • svchost.exe
  • [System Process]
  • System
  • smss.exe
  • winlogon.exe
Information stealing
The trojan creates a new User Account with the username:
  • l%variable3%
and the password:
  • pentagon
The following information is collected:
  • operating system version
  • computer IP address
  • default Internet browser
The trojan collects sensitive information when the user browses certain web sites.

The trojan can send the information to a remote machine. The HTTP protocol is used.

By adding an exception in Windows Firewall settings, the trojan ensures that it is not blocked.
Other information
The following Registry entry is set:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
    "l%variable3%" = ""
This way the trojan hides the created user account in listings of all accounts.

The following Registry entries are set:
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
    "fDenyTSConnections" = 0
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
    "TSEnabled" = 1
This way the trojan enables Remote Desktop connections on the infected system.

The following Registry entry is set:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "AllowMultipleTSSessions" = 1
This Registry entry enables the Fast User Switching feature, which allows multiple users to be logged on to the system at the same time.

The trojan creates copies of the following files (source, destination):
  • %system%\winlogon.exe, %system%\winlogon.old
  • %system%\termsrv.dll, %system%\termsrv.old

The following files are modified:
  • %system%\winlogon.exe
  • %system%\termsrv.dll
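The following host-triage script is an added example and is not part of the encyclopedia entry. It checks a Windows host for the registry values, dropped files, hidden accounts and Remote Desktop settings listed under Installation and Other information; value names and paths are taken from the entry, and it assumes %system% resolves to %SystemRoot%\System32.

```powershell
# Added triage script (not from the encyclopedia entry). Run it in PowerShell on the host
# under investigation; an elevated session is needed for some of the file-system checks.
$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Indicator, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Indicator = $Indicator; Detail = $Detail })
}

# Installation: Run-key persistence "nah_Shell" -> %userprofile%\nah_%random%.exe
$run = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['nah_Shell']) { Add-Finding 'Run key' "nah_Shell = $($run.nah_Shell)" }

# Installation: configuration values (remote server addresses and the form path)
$cfg = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion' -ErrorAction SilentlyContinue
foreach ($name in 'nah_opt_server1', 'nah_opt_reserv', 'nah_opt_forms') {
    if ($cfg -and $cfg.PSObject.Properties[$name]) { Add-Finding 'Config value' "$name = $($cfg.$name)" }
}

# Installation: dropped executable in the user profile and the Firefox chrome component
Get-ChildItem $env:USERPROFILE -Filter 'nah_*.exe' -File -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'Dropped file' $_.FullName }
foreach ($pf in (@($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ })) {
    $jar = Join-Path $pf 'Mozilla Firefox\chrome\amba.jar'
    if (Test-Path $jar) { Add-Finding 'Firefox component' $jar }
}

# Other information: accounts hidden from account listings (UserList is normally absent or empty)
$userList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
if (Test-Path $userList) {
    (Get-Item $userList).GetValueNames() | ForEach-Object { Add-Finding 'Hidden account' $_ }
}

# Other information: RDP / multi-session settings the trojan flips. These are legitimate on
# hosts where Remote Desktop was enabled on purpose, so treat them as context, not proof.
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -ErrorAction SilentlyContinue
if ($ts -and $ts.fDenyTSConnections -eq 0) { Add-Finding 'RDP setting' 'fDenyTSConnections = 0' }
if ($ts -and $ts.TSEnabled -eq 1)          { Add-Finding 'RDP setting' 'TSEnabled = 1' }
$wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -ErrorAction SilentlyContinue
if ($wl -and $wl.AllowMultipleTSSessions -eq 1) { Add-Finding 'Winlogon setting' 'AllowMultipleTSSessions = 1' }

# Other information: backup copies left behind when winlogon.exe / termsrv.dll were modified
# (assumption: %system% = %SystemRoot%\System32)
foreach ($old in 'winlogon.old', 'termsrv.old') {
    $p = Join-Path $env:SystemRoot "System32\$old"
    if (Test-Path $p) { Add-Finding 'Modified system file backup' $p }
}

if ($findings.Count) { $findings | Format-Table -AutoSize } else { 'No Ursnif.A artefacts found.' }
```

A hit on the Run key, the nah_opt_* values, amba.jar or the .old backups is specific to this family; the RDP and UserList findings should be compared against the host's expected configuration before acting on them.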

The trojan receives data and commands from a remote computer or the Internet.

The trojan can download and execute a file from the Internet.