Detect Date 06/28/2016
Class Trojan-Spy
Platform Win32

Trojan-Spy.Win32.Ursnif is a banking Trojan written using Microsoft Visual C++. Also known as IAP, ISFB, Gozi, Rovnix, and Papras. Information for contacting command-and-control servers is either hard-coded in the Trojan itself or generated based on the current date and system configuration. Works with 32- and 64-bit versions of Internet Explorer and Firefox, and 32-bit versions of Chrome.

Main features include:

  • Stealing user names, passwords, and personal data from web forms
  • Stealing installed certificates
  • Downloading and launching other software
  • Running a SOCKS proxy server
  • Intercepting keystrokes
  • Capturing screenshots
  • Performing web injects (when malicious content is inserted into the web pages opened by a user in a web browser)

Geographical distribution of attacks by the Trojan-Spy.Win32.Ursnif family


Geographical distribution of attacks during the period from 28 June 2015 to 28 June 2016

Top 10 countries with most attacked users (% of total attacks)

Country % of users attacked worldwide*
1 Spain 22.74
2 Poland 17.57
3 Germany 15.67
4 Russian Federation 6.71
5 Italy 5.34
6 Switzerland 3.89
7 Austria 2.96
8 USA 2.12
9 Ukraine 1.63
10 Japan 1.59

* Percentage among all unique Kaspersky users worldwide attacked by this malware

Find out the statistics of the threats spreading in your region