Severity scale:  

Remove Ursnif virus (Virus Removal Guide) - updated Sep 2020

removal by Gabriel E. Hall - - | Type: Trojans

Ursnif – dangerous Trojan used to steal sensitive data by recording users' keystrokes

 Ursnif trojan

Ursnif (also known as Gozi, ISFB, or Dreambot) is a virus that specializes in banking credentials and other information-stealing by using a variety of methods. Released in 2006, malware has seen a fair share of updates and is constantly returning with new campaigns that typically utilize malvertising (fake Adobe Flash updates) and malspam (Word or Excel documents embedded in phishing emails) for the propagation.

Once inside the system, the Ursnif virus[1] launches the malicious svchost.exe and explorer.exe processes, which are used to hide its presence on the host machine. Additionally, this modular malware starts numerous activities behind victims' backs, including the distribution of other malware.

However, the main Gozi virus activity is related to data tracking – it employs keylogging and other techniques in order to harvest information from browsers, email accounts, user configurations, as well as digital wallets. Ursnif later sends these details to the Command & Control that is accessible to the attackers only.

In 2015, the source-code of Trojan:W32/Ursnif was leaked online[2] and placed on the GitHub platform, which allowed several cybercriminal groups to modify malware in a way that would increase its capabilities. As a result, the Trojan is now widely used and is highly evasive, making it a prevalent choice within the illegal data-stealing business.

Name Ursnif, Gozi, ISFB, Dreambot
Type  Trojan, Data-stealer
Associated process Explorer.exe, iexplorer.exe, svhost.exe, click.exe
Symptoms  Information stealing malware rarely emits any symptoms, as it is designed to operate using stealth techniques. Nonetheless, some victims might notice suspicious computer behavior, such as inability to access particular sites via the web browser, system slowdowns, application/system crashes, errors, etc.
Danger level  High. Malware uses several evasion techniques, so it may remain on the system for months before it is detected, gathering sensitive information, such as financial details, account credentials, Social Security Numbers, and much more
Distribution  The main distribution method of Ursnif is spam emails boobytrapped with malicious attachments. In most cases, MS Office documents are used, although other file types were also spotted in the wild
Elimination  If your computer is connected to a network, disconnect it and then perform a full system scan with anti-malware software and remove Ursnif virus
System fix In some cases, malware can infect and damage Windows system files. As a result, users might experience stability issues, such as lag, crashes, BSODs, and errors. To fix these problems, you can use PC repair utility Reimage Reimage Cleaner Intego 

In one of the latest Gozi campaigns, threat actors were spotted delivering the payload within MS Word documents, titled as “info_[date].doc,” that are embedded with malicious macros. As soon as users press “Enable Content,” a Visual Basic code is executed, beginning the infection routine.

This variant of Ursnif was also using anti-detection techniques by injecting its Command & Control servers with a reference list of trusted companies, such as Microsoft:[3]

<…>you may notice the C&C host list includes “”, “”, “”, “”, “” and “”. This seems odd. Why are the hosts of “microsoft” and “avast” listed here? In fact, this is a way to deceive researchers who capture and analyze the traffic.

In January 2020, security researchers from FireEye have discovered a new variant of Ursnif, which was dubbed SaiGon.[4] While this version still focuses on data stealing, its capabilities include backdoor functionality (allows it to push other malware), process injection, and various evasion techniques.

Trojan:W32/Ursnif: functions and operation

This trojan is designed to record various sensitive information about the user, including banking data, logins or passwords, web browsing activity, information about the victim's OS and device. All this recorded information is additionally shared with virus developers. Ursnif keylogger can also delete itself from the system once it receives such command.

Gozi is constantly evolving, and several cybercriminal groups are working on its improvements. It started targeting various financial institutions from the beginning and recently expanded to more prominent organizations and changed distribution techniques and types of information to steal.

Ursnif virusUrsnif virus is a keystroke-collecting malware that comes to your system via infected spam emails.

Trojan:W32/Ursnif is known to use different techniques as web injecting, man-in-the-browser, or keylogging functionality. The latest attacks were based on spear-phishing emails and the fact that malware deleted copies of itself after the initial process. These facts make this banking trojan more dangerous and difficult to detect or analyze. 

Ursnif steals various data about the user personally, the device, and other account information like:

  • information from your email accounts;
  • various information from your browsers;
  • logins and passwords of your social media accounts;
  • banking website logins and passwords.

Ursnif virus changes various registry keys to keep affecting the system. People behind this threat are focusing on getting revenue from various background activities on your system or even stealing your banking credentials so get your money directly out of your bank accounts.

While there is no way to spot the infiltration of this trojan, you should note that the main way used by this malware to get into the system is spam. Gozi has been using intelligent tactics that rely on infected Word documents that are filled with malicious macros.

If you have recently been asked to enable macros to check the content of the email's attachment, we highly recommend making sure that you are not infected and that there is nothing related to Trojan:W32/Ursnif/ Gozi virus. The easiest way to do that is to scan the system with updated anti-spyware.

If you have any doubts either you have this malware on the device or not, check your system with updated anti-spyware, and perform Ursnif virus removal to save your personal information. To get rid of any viruses, use reputable anti-malware/anti-virus software.

We do not recommend performing the Trojan:W32/Ursnif removal manually as this is a dangerous cyber threat that can be related to numerous different components hidden on your computer. If you are blocked, reboot your PC to Safe Mode with networking first to disable the virus. Finally, we recommend a scan with Reimage Reimage Cleaner Intego to remediate the Windows system and avoid stability issues post-infection.

In most of the cases, antivirus programs detect the Gozi Trojan horse as:

  • TR/Crypt.XPACK.Gen
  • Trojan:W32/Ursnif
  • Virus/Win32.PolyRansom.c
  • HEUR/Fakon.mwf
  • Win32.Doboc.Gen.1
  • Troj.Heur.LP.mE18
  • etc.[5]

Virus activity may lead you to serious privacy issues or money loss, so you need to remove Ursnif virus as soon as possible. This type of cyber intruder can download and install other malware, including ransomware-type viruses, which could lead you to data loss. There is no need to keep yourself at such a risk. However, we should say one more time that you shouldn't try to delete the trojan manually as you can lead your system to serious trouble by removing needed system components.

Spam email campaigns have been spreading this virus around as legitimate attachments asking to enable macros

Researchers[6] have always been warning people that they shouldn't believe anything on the internet that looks too good to be true. That includes banner ads, in-text links, and spam emails as well.

Spam has also been a commonly used technique for trojan distribution. However,  when discussing a trojan horse, note that it relies on a slightly different distribution method. The main way used by its developers to deliver this malicious threat relies on Word documents filled with malicious macros. Once downloaded, such an attachment asks you to enable macros and launches the virus in this way.

Ursnif delivery methodsUrsnif is typically delivered via malicious spam email attachments

Other unique features about the distribution technique used by this banking trojan:

  • Compromised email accounts are used to reply to emails. The content of an email looks convincing;
  • The malicious payload is released when the user downloads the macro-filled documents. However, the Trojan waits until the attachment is closed to launch the process;
  • The safe-looking Word attachment also executes the PowerShell code. After this process, malware connects to URL and delivers the payload directly on the system;
  • The whole campaign is based on the fact that emails are sent from familiar services what increases the chances of people opening the infected file;
  • The most common pattern used to name these files is “the name of a local business or service_Statement”

You can avoid getting these intruders if you delete spam emails that are not from companies you know or services you do not use. Make sure to clean those suspicious emails from the email box more frequently and try to scan files before downloading them on the device. Pay more attention to these processes and do not open an email if you were not expecting that.

Best ways to remove Trojan:W32/Ursnif virus

When dealing with any silent intruder, anti-malware tools are the best option in virus elimination. However, trojans are one of the most dangerous cyber infections that can additionally install malware on the system. To remove Ursnif virus and all related programs from the system, run a full system scan with updated anti-spyware.

If you are blocked, check two methods given below that are supposed to help you disable the virus before a scan. You can get rid of the Trojan:W32/Ursnif infection by relying on proper anti-malware tools that possibly find and delete this threat and any other threats related to issues with your machine.

We recommend SpyHunter 5Combo Cleaner or Malwarebytes for possible Ursnif virus removal, although you can also pick a security tool of your choice. Update these programs to their latest versions and run a full system scan to check your device thoroughly and get rid of any malware hiding on your system.

You can also use the anti-virus software of your choice, just make sure that it is a reputable and well-known tool. As for the Gozi virus damage, you need to think about PC repair or optimization tools like Reimage Reimage Cleaner Intego that can fix affected files and functions for you.

do it now!
Reimage Happiness
Intego Happiness
Compatible with Microsoft Windows Supported versions Compatible with OS X Supported versions
What to do if failed?
If you failed to remove virus damage using Reimage Intego, submit a question to our support team and provide as much details as possible.
Reimage Intego has a free limited scanner. Reimage Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Reimage, try running SpyHunter 5.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

To remove Ursnif virus, follow these steps:

Remove Ursnif using Safe Mode with Networking

Reboot your device in Safe Mode to disable Ursnif virus. Don't forget to repeat the scan when on normal mode:

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list Select 'Safe Mode with Networking'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window. Select 'Enable Safe Mode with Networking'
  • Step 2: Remove Ursnif

    Log in to your infected account and start the browser. Download Reimage Reimage Cleaner Intego or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete Ursnif removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

Remove Ursnif using System Restore

Use System restore to get rid of Ursnif virus by disabling it at first. Thoroughly check your device for malware:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of Ursnif. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with Reimage Reimage Cleaner Intego and make sure that Ursnif removal is performed successfully.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Ursnif and other ransomwares, use a reputable anti-spyware, such as Reimage Reimage Cleaner Intego, SpyHunter 5Combo Cleaner or Malwarebytes

Access your website securely from any location

When you work on the domain, site, blog, or different project that requires constant management, content creation, or coding, you may need to connect to the server and content management service more often. It is a hassle when your website is protected from suspicious connections and unauthorized IP addresses.

The best solution for creating a tighter network could be a dedicated/fixed IP address. If you make your IP address static and set to your device, you can connect to the CMS from any location and do not create any additional issues for server or network manager that need to monitor connections and activities. This is how you bypass some of the authentications factors and can remotely use your banking accounts without triggering suspicious with each login. 

VPN software providers like Private Internet Access can help you with such settings and offer the option to control the online reputation and manage projects easily from any part of the world. It is better to clock the access to your website from different IP addresses. So you can keep the project safe and secure when you have the dedicated IP address VPN and protected access to the content management system.

Backup files for the later use, in case of the malware attack

Computer users can suffer various losses due to cyber infections or their own faulty doings. Software issues created by malware or direct data loss due to encryption can lead to problems with your device or permanent damage. When you have proper up-to-date backups, you can easily recover after such an incident and get back to work.

It is crucial to create updates to your backups after any changes on the device, so you can get back to the point you were working on when malware changes anything or issues with the device causes data or performance corruption. Rely on such behavior and make file backup your daily or weekly habit.

When you have the previous version of every important document or project you can avoid frustration and breakdowns. It comes in handy when malware occurs out of nowhere. Use Data Recovery Pro for the system restoring purpose.

About the author
Gabriel E. Hall
Gabriel E. Hall - Passionate web researcher

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Gabriel E. Hall
About the company Esolutions


Your opinion regarding Ursnif virus