Where to Buy Trend Micro Products

For Home

For Small Business

1-888-762-8736
(M-F 8:00am-5:00pm CST)

For Enterprise

1-877-218-7353
(M-F 8:00am-5:00pm CST)

Not in the United States?
Select the country/language of your choice:

Asia Pacific Region

Europe

The Americas

Not in the United States?
Select the country/language of your choice:

Asia/Pacific

Europe

America

Login

For Home

For Business

For Partners

Threat Encyclopedia

TSPY_PAPRAS


ALIASES:

Ursnif, Snifula, Papras

PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)

OVERALL RISK RATING:
REPORTED INFECTION:
SYSTEM IMPACT RATING:
INFORMATION EXPOSURE:

  • Threat Type:Spyware

  • Destructiveness:No

  • Encrypted:

  • In the wild: Yes

OVERVIEW

Infection Channel:

Downloaded from the Internet


GOZI is a spyware that monitors network traffic. It also gets login credentials stored in browsers and mail applications. It has screen capture and keylogging functions. It uses a rootkit component to hide related processes, files and registry information.

TECHNICAL DETAILS

Memory Resident:

Yes

Payload:

Connects to URLs/IPs

Installation

This spyware drops the following copies of itself into the affected system:

  • %Windows%\9129837.exe

(Note: %Windows% is the Windows folder, which is usually C:\Windows.)

It adds the following possibly malicious files or file components:

  • %Windows%\new_drv.sys

(Note: %Windows% is the Windows folder, which is usually C:\Windows.)

Autostart Technique

This spyware adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
ttool = "%Windows%\9129837.exe"

Other System Modifications

This spyware adds the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\new_drv

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_NEW_DRV

It adds the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\
InetData
k1 = "{values}"

HKEY_CURRENT_USER\Software\Microsoft\
InetData
k2 = "{values}"

HKEY_CURRENT_USER\Software\Microsoft\
InetData
version = "{version}"

Other Details

This spyware connects to the following possibly malicious URL:

  • pull.{BLOCKED}rava.com
  • {BLOCKED}.{BLOCKED}.93.57
  • {BLOCKED}.{BLOCKED}.232.17
  • {BLOCKED}.{BLOCKED}.93.57

Featured Stories

Connect with us on