Trojan-Spy.Win32.Ursnif

Parent class: TrojWare

Trojans are malicious programs that perform actions which are not authorized by the user: they delete, block, modify or copy data, and they disrupt the performance of computers or computer networks. Unlike viruses and worms, the threats that fall into this category are unable to make copies of themselves or self-replicate. Trojans are classified according to the type of action they perform on an infected computer.

Class: Trojan-Spy

Trojan-Spy programs are used to spy on a user’s actions (to track data entered by keyboard, make screen shots, retrieve a list of running applications, etc.) The harvested information is then transmitted to the malicious user controlling the Trojan. Email, FTP, the web (including data in a request) and other methods can be used to transmit the data.

Read more

Platform: Win32

Win32 is an API on Windows NT-based operating systems (Windows XP, Windows 7, etc.) that supports execution of 32-bit applications. One of the most widespread programming platforms in the world.

Description

Trojan-Spy.Win32.Ursnif is a banking Trojan written using Microsoft Visual C++. Also known as IAP, ISFB, Gozi, Rovnix, and Papras. Information for contacting command-and-control servers is either hard-coded in the Trojan itself or generated based on the current date and system configuration. Works with 32- and 64-bit versions of Internet Explorer and Firefox, and 32-bit versions of Chrome. Main features include:

• Stealing user names, passwords, and personal data from web forms
• Stealing installed certificates
• Downloading and launching other software
• Running a SOCKS proxy server
• Intercepting keystrokes
• Capturing screenshots
• Performing web injects (when malicious content is inserted into the web pages opened by a user in a web browser)

Top 10 countries with most attacked users (% of total attacks)

Read more

Find out the statistics of the vulnerabilities spreading in your region on statistics.securelist.com