Win32/Spy.Ursnif

Win32/Spy.Ursnif Description

The Win32/Spy.Ursnif Trojan is a malware infection that is designed to steal its victims' personal information. The fact that this malware infection is a Trojan means that Win32/Spy.Ursnif cannot spread on its own, unlike a virus or a worm. Trojans require the victim to download and install them. Because of this, they will often spread by using social engineering – that is, making use of deception in order to take advantage of inexperienced computer users. Win32/Spy.Ursnif is designed to attack computer systems with the Windows operating system. Once installed, Win32/Spy.Ursnif is designed to detect sensitive information, steal it and send it to a remote server. Criminals can use Win32/Spy.Ursnif in order to steal bank account numbers, credit card information and online account names and passwords. According to PC security researchers, Win32/Spy.Ursnif was among the top ten most common malware infections of 2011.

How Win32/Spy.Ursnif Installs Itself on a Victim's Computer


Once its executable is run, Win32/Spy.Ursnif installs itself into a randomly named directory under the User Profile folder. It modifies the Windows Registry so that Win32/Spy.Ursnif runs automatically each time the victim starts Windows. Win32/Spy.Ursnif also makes changes to folders belonging to common web browsers such as Mozilla Firefox and Google Chrome, which lets it carry out some of its malicious tasks from inside the browser. During installation, Win32/Spy.Ursnif collects basic information about the infected computer, such as the Windows version in use, the computer's IP address and the default web browser. While running, Win32/Spy.Ursnif detects when the victim visits certain websites and attempts to intercept sensitive data entered there. That data is then sent to a remote server over HTTP. Win32/Spy.Ursnif also creates an exception in the Windows Firewall so that it can send and receive data without being blocked. In addition, Win32/Spy.Ursnif makes Registry changes that allow a criminal to create a new user account on the victim's computer that does not appear in user listings. This hidden account can then be used to make dangerous changes to the victim's computer or to install further malicious software without the victim receiving any notification.


Security Doesn't Let You Download SpyHunter or Access the Internet?


Solutions: Your computer may have malware hiding in memory that prevents any program, including SpyHunter, from executing. Follow these steps to download SpyHunter and regain access to the Internet:
  • Use an alternative browser. Malware may disable your browser. If you are using IE, for example, and have problems downloading SpyHunter, open Firefox, Chrome or Safari instead.
  • Use removable media. Download SpyHunter on another, clean computer, copy it to a USB flash drive, DVD/CD or any other removable media, then install it on the infected computer and run SpyHunter's malware scanner.
  • Start Windows in Safe Mode. If you cannot reach your Windows desktop, reboot the computer in 'Safe Mode with Networking' and install SpyHunter there.
  • IE users: Disable the proxy server setting in Internet Explorer so that you can browse the web with IE or update your anti-spyware program. Malware modifies Windows settings to route IE through a proxy server, which prevents you from browsing the web.


Technical Information

File System Details

Win32/Spy.Ursnif creates the following file(s):
  • %ProgramFiles%\Mozilla Firefox\chrome\amba.jar

Registry Details

Win32/Spy.Ursnif creates the following registry entry or registry entries:
  • "nah_opt_forms" = "/f/prinimalka.py/forms"
  • "nah_opt_reserv" = "78.109.23.2"
  • Run "nah_Shell" = "%userprofile%\nah_%random%.exe"
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion "nah_opt_server1" = "78.109.23.2"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
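A triage script for the behaviour described above and the file and Registry artifacts just listed, added here as an example; it is not code from this page's authors or from any vendor. The amba.jar path, the nah_opt_* value names and the nah_Shell Run value come from the page; the "program under the user profile" heuristic for Run entries and firewall rules, and the output format, are assumptions of this example.

```powershell
# Added triage script (not from this page's authors or any vendor). File path, registry
# key and value names come from the page; the "program under the user profile" heuristic
# for Run entries and firewall rules is an assumption of this example.
$findings = @()

# 1. Dropped Firefox component: %ProgramFiles%\Mozilla Firefox\chrome\amba.jar
$jar = Join-Path $env:ProgramFiles 'Mozilla Firefox\chrome\amba.jar'
if (Test-Path $jar) { $findings += "File present: $jar" }

# 2. Configuration values nah_opt_* stored directly under HKCU\...\CurrentVersion
$cv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion'
$props = Get-ItemProperty -Path $cv -ErrorAction SilentlyContinue
if ($props) {
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'nah_opt_*') { $findings += "Registry value: $cv\$($p.Name) = $($p.Value)" }
    }
}

# 3. Run-key persistence: value "nah_Shell" pointing at %userprofile%\nah_<random>.exe
#    (match both the expanded profile path and the literal %userprofile% string)
$runKeys = @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run')
$nahExe = '(?i)(' + [regex]::Escape($env:USERPROFILE) + '|%userprofile%)\\nah_[^\\]+\.exe'
foreach ($k in $runKeys) {
    $run = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if (-not $run) { continue }
    foreach ($p in $run.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }      # provider metadata, not a Run value
        $cmd = [string]$p.Value
        if ($p.Name -eq 'nah_Shell' -or $cmd -match $nahExe) {
            $findings += "Run entry in ${k}: $($p.Name) = $cmd"
        }
    }
}

# 4. Firewall exception the Trojan adds for itself (heuristic: an allow rule whose program
#    lives under the user profile; needs the NetSecurity module, Windows 8 / Server 2012+)
Get-NetFirewallRule -Action Allow -Enabled True -ErrorAction SilentlyContinue | ForEach-Object {
    $app = ($_ | Get-NetFirewallApplicationFilter).Program
    if ($app -and $app -like "$env:USERPROFILE\*") {
        $findings += "Firewall allow rule for user-profile program: $($_.DisplayName) -> $app"
    }
}

if ($findings.Count -eq 0) { 'No Win32/Spy.Ursnif artifacts from this page were found.' } else { $findings }
```

Run it from an elevated PowerShell prompt in the affected user's session, since the HKCU values are per user and the firewall cmdlets need administrator rights.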
