TSPY_GOZI
Ursnif, Snifula, Papras
Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
Threat Type: Spyware
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
GOZI is a spyware that monitors network traffic. It also gets login credentials stored in browsers and mail applications. It has screen capture and keylogging functions. It uses a rootkit component to hide related processes, files and registry information.
TECHNICAL DETAILS
Installation
This spyware drops the following copies of itself into the affected system:
- %Windows%\9129837.exe
(Note: %Windows% is the Windows folder, which is usually C:\Windows.)
It adds the following possibly malicious files or file components:
- %Windows%\new_drv.sys
(Note: %Windows% is the Windows folder, which is usually C:\Windows.)
Autostart Technique
This spyware adds the following registry entries to enable its automatic execution at every system startup:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
ttool = "%Windows%\9129837.exe"
Other System Modifications
This spyware adds the following registry keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\new_drv
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_NEW_DRV
It adds the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\
InetData
k1 = "{values}"
HKEY_CURRENT_USER\Software\Microsoft\
InetData
k2 = "{values}"
HKEY_CURRENT_USER\Software\Microsoft\
InetData
version = "{version}"
Other Details
This spyware connects to the following possibly malicious URL:
- pull.{BLOCKED}rava.com
- {BLOCKED}.{BLOCKED}.93.57
- {BLOCKED}.{BLOCKED}.232.17