The Win32/Spy.Ursnif Trojan is a malware infection that is designed to steal its victims’ personal information. The fact that this malware infection is a Trojan means that Win32/Spy.Ursnif cannot spread on its own, unlike a virus or a worm. Trojans require the victim to download and install them. Because of this, they will often spread by using social engineering – that is, making use of deception in order to take advantage of inexperienced computer users. Win32/Spy.Ursnif is designed to attack computer systems with the Windows operating system. Once installed, Win32/Spy.Ursnif is designed to detect sensitive information, steal it and send it to a remote server. Criminals can use Win32/Spy.Ursnif in order to steal bank account numbers, credit card information and online account names and passwords. According to PC security researchers, Win32/Spy.Ursnif was among the top ten most common malware infections of 2011.
How Win32/Spy.Ursnif Installs Itself on a Victim’s Computer
Once Win32/Spy.Ursnif’s executable file is executed, Win32/Spy.Ursnif installs itself into a randomly-named directory in the User Profile folder. It makes changes to the Windows Registry, which ensures that Win32/Spy.Ursnif is executed each time the victim starts up Windows automatically. Win32/Spy.Ursnif will also make various changes to folders associated with common web browsers like Mozilla Firefox and Google Chrome, which allows Win32/Spy.Ursnif to carry out some of its malicious tasks. During its installation, Win32/Spy.Ursnif will collect basic information on the infected computer system, such as the version of Windows that is being used, the infected computer system’s IP address and the default web browser. While running, Win32/Spy.Ursnif will detect whenever the victim visits certain websites and then will attempt to intercept sensitive data. This data is then sent to a remote server using HTPP protocol. Win32/Spy.Ursnif also creates an exception in the Windows Firewall, allowing Win32/Spy.Ursnif to send and receive data without being blocked. Win32/Spy.Ursnif also makes changes to the Windows Registry, which allows a criminal to create a new user on the victim’s computer that will not appear in user listings. This hidden account can then be used to make dangerous changes to the victim’s computer or to install malicious software without the victim receiving any kind of notification.
How Can You Detect Win32/Spy.Ursnif?
Win32/Spy.Ursnif Removal Details
Win32/Spy.Ursnif creates the following files in the system:
- %ProgramFiles%\Mozilla Firefox\chrome\amba.jar
Win32/Spy.Ursnif creates the following registry entries:
- “nah_opt_forms” = “/f/prinimalka.py/forms”
- “nah_opt_reserv” = “220.127.116.11″
- Run “nah_Shell” = “%userprofile%\nah_%random%.exe”
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion “nah_opt_server1″ = “18.104.22.168″