TSPY_URSNIF.LS

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It reads its configuration file that contains commands and data to be sent to a remote server. It connects to a website to send and receive information.

It deletes the initially executed copy of itself.

Arrival Details

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This spyware drops the following copies of itself into the affected system and executes them:

• %Application Data%\{8 character string}\{8 character string}.exe

(Note: %Application Data% is the Application Data folder, where it usually is C:\Documents and Settings\{user name}\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Roaming on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It drops and executes the following files:

• %User Temp%\{random folder name}\{random filename}.bat ← use to delete itself; deleted afterwards

(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• Local\{GUID}

It injects codes into the following process(es):

• explorer.exe
• opera.exe
• chrome.exe
• iexplore.exe
• firefox.exe

Autostart Technique

This spyware adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{8 character string} = "%Application Data%\{8 character string}\{8 character string}.exe"

Other System Modifications

This spyware adds the following registry keys:

HKEY_CURRENT_USER\Software\AppDataLow\
Software\Microsoft\{GUID}

HKEY_CURRENT_USER\Software\AppDataLow\
Software\Microsoft\{GUID}\
Vars

HKEY_CURRENT_USER\Software\AppDataLow\
Software\Microsoft\{GUID}\
Files

HKEY_CURRENT_USER\Software\AppDataLow\
Software\Microsoft\{GUID}\
Run

HKEY_CURRENT_USER\Software\AppDataLow\
Software\Microsoft\{GUID}\
Config

It adds the following registry entries:

HKEY_CURRENT_USER\Software\AppDataLow\
Software\Microsoft\{GUID}
{Value Name} = "{hex value}"

where {Value Name} may any of the following:
• Install
• Client
• LastTask
• Exec
• CrHook
• OpHook
• Keys
• Ini

Backdoor Routine

This spyware reads its configuration file that contains commands and data to be sent to a remote server.

It connects to the following websites to send and receive information:

• http://{BLOCKED}a.ru/images/{random path}.{gif/jpeg}
• http://{BLOCKED}ka.ru/images/{random path}.{gif/jpeg}
• http://{BLOCKED}ka399.ru/images/{random path}.{gif/jpeg}

Dropping Routine

This spyware drops the following file(s), into which it saves gathered information:

• %User Temp%\{random filename}.bin

(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

Information Theft

This spyware gathers the following data:

• Computer Name
• Digital Certificates
• Cookies
• Keyboard Logs
• Clipboard Logs
• Captured Screenshot
• Email Credentials
• Running processes and services
• Installed device drivers
• Installed Programs
• System Information (Please see notes for more details)

Stolen Information

This spyware sends the gathered information via HTTP POST to the following URL:

• http://{BLOCKED}a.ru/images/{random path}.bmp
• http://{BLOCKED}ka.ru/images/{random path}.bmp
• http://{BLOCKED}ka399.ru/images/{random path}.bmp

Other Details

This spyware does the following:

• Download and Execute file
• Save stolen information in a file and then upload it
• Monitor Internet browsing activities
• Hook APIs of target process
• Disable SPDY protocol in Mozilla Firefox
• Executes commands to gather information:
  • systeminfo.exe
  • tasklist.exe /SVC
  • driverquery.exe
  • reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
• Uninstall itself

It deletes the initially executed copy of itself

NOTES:

The variable {8 character string} are combinations of first four characters of the file name of a DLL file and last four characters of another DLL file in the Windows system folder.

The file systeminfo.exe returns the following system information:

• BIOS version
• Boot Device
• Domain
• Host Name
• Hotfix(s)
• Logon server
• Network card(s)
• Original install date
• OS name, version, manufacturer, Configuration and Build Type
• Page file locations
• Processor(s)
• Product ID
• Registered owner and organization
• System and Input Locale
• System manufacturer, model and type
• System Up Time
• Time zone
• Total and available memory
• Virtual memory information (Max, Available, In Use)
• Windows and Windows system folders