TSPY_URSNIF.DC

This spyware arrives as a file that exports the functions of other malware/grayware. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. It arrives as a component bundled with malware/grayware packages.

It executes commands from a remote malicious user, effectively compromising the affected system. However, as of this writing, the said sites are inaccessible.

It modifies the Internet Explorer Zone Settings.

It attempts to steal sensitive online banking information, such as user names and passwords. This routine risks the exposure of the user's account information, which may then lead to the unauthorized use of the stolen data.

It sends the information it gathers to remote users via HTTP Post.

It requires its main component to successfully perform its intended routine.

Arrival Details

This spyware arrives as a file that exports the functions of other malware/grayware.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It arrives as a component bundled with malware/grayware packages.

Installation

This spyware adds the following mutexes to ensure that only one of its copies runs at any one time:

• {GUID}

It injects itself into the following processes as part of its memory residency routine:

• Explorer.exe

Other System Modifications

This spyware adds the following registry entries as part of its installation routine:

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Main
NoProtectedModeBanner = 1

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
Zones\3
2500 = 3

HKEY_CURRENT_USER\Software\AppDataLow\
{b40c9685-9620-52ff-8952-cda6a35487c8}
k1 = {random number}

HKEY_CURRENT_USER\Software\AppDataLow\
{b40c9685-9620-52ff-8952-cda6a35487c8}
k2 = {random number}

HKEY_CURRENT_USER\Software\AppDataLow\
{b40c9685-9620-52ff-8952-cda6a35487c8}
Version = 28

Backdoor Routine

This spyware executes the following commands from a remote malicious user:

• Archive and upload files
• Capture screenshot
• Update/Download a configuration file
• Download and Execute other files
• Start and Stop a SOCKS proxy
• Reboot the affected system
• Clear cookies
• Steal certificates and cookies
• Retrieve log file with the stolen information
• List running process

It connects to the following URL(s) to send and receive commands from a remote malicious user:

• {BLOCKED}zna.com.tw
• {BLOCKED}i.com.tw
• {BLOCKED}.{BLOCKED}.146.103
• {BLOCKED}.{BLOCKED}.56.242
• {BLOCKED}.{BLOCKED}.47.173

However, as of this writing, the said sites are inaccessible.

Web Browser Home Page and Search Page Modification

This spyware modifies the Internet Explorer Zone Settings.

Information Theft

This spyware attempts to steal sensitive online banking information, such as user names and passwords. This routine risks the exposure of the user's account information, which may then lead to the unauthorized use of the stolen data.

It injects itself into the following web browsers to monitor searches made by the user on the following search engines:

• Chrome
• Firefox
• Internet Explorer
• Safari
• Opera

Drop Points

This spyware sends the information it gathers to remote users via HTTP Post.

Other Details

This spyware requires its main component to successfully perform its intended routine.