This article will aid you to remove the Ursnif Trojan (Purolator phishing scam) completely. Follow the Trojan horse removal instructions given at the end of the article.
Ursnif Trojan is a banking Trojan horse that is recently being spread via a Purolator phishing scam with a message stating that you have a package. one of the most spread messages, says: Purolator have a package for you. Pop-ups that show constantly can also lock your browser on that page. E-mail campaigns are also spreading the phishing scam. You might experience redirects. The browser can be shut down without any negative impact, but in other cases your system and browser could get affected with the Ursnif Trojan. Most variants of this scam feature a background image that aims to utilize the brand and logo of Purolator shipping company.
|Name||Ursnif Trojan horse|
|Type||Trojan horse, Phishing Scam|
|Short Description||Phishing scam which is trying to take you (with click-bait and social engineering tactics) to a Purolator Phishing page that spreads the Ursnif Trojan or other viruses.|
|Symptoms||Pop-up boxes, messages, and redirects appear in your browser or such are send in your email. It is not excluded for there to be a lockscreen function among these that keeps prompting you to click a link.|
|Distribution Method||Suspicious Sites, Redirects, Email Phishing Links|
|Detection Tool|| See If Your System Has Been Affected by malware |
Malware Removal Tool
|User Experience||Join Our Forum to Discuss Ursnif Trojan horse.|
Ursnif Trojan (Purolator Phishing) Scam — Update October 2019
A recently discovered campaign distributing the Ursnif Trojan has been detected by computer specialists. This discovery shows that this malware is still being used actively by computer hacking groups, showing the possibility that it is available on the underground hacker portals and further customized by criminals. It appears that the active ongoing campaign targets primarily Italy and Canada using phishing strategies focusing on sending out email messages that will include malware files. The data in question is macro-infected documents which are either attached to the messages or embedded in the emails. The emails themselves are designed to appear as legitimate notifications or service announcements and the users are manipulated into clicking on them. The documents can be of all popular file formats, including presentations, databases, text files and spreadsheets. As soon as they are opened a prompt will appear asking the users to enable the built-in code in order to correctly vie the contents.
The execution o the macros can deliver the malware file which wll self-execute itself. An alternative is to send out double extension files which when run will start a .zip archive that includes a built-in executable. When started the infection will start a dangerous sequence which will run the following modules:
- Web Browser Interaction — The main engine associated with the Trojan can interact with the installed web browsers by accessing the contained within data and it can also modify the settings by always redirecting to a certain hacker-controlled web page.
- System Reconfiguration — The Ursnif Trojan is capable of editing out the configuration files of the operating system or any of the installed user software.
- Additional Malware Delivery — The Ursnif Trojan can be a very effective tool for deploying other viruses onto the already compromised computers.
Ursnif Trojan (Purolator Phishing) Scam – Distribution Techniques
Browsing the Web can be dangerous, especially when you reach new and unknown websites by causally browsing and they turn out to be malicious. Clicking on advertisements or targeted content could have hidden links that redirect you to dubious online places. Other websites could be filled with advertisements and redirect links and you could land on a page such as the Ursnif Trojan (Purolator Phishing) one.
Email campaigns that spread malicious links, ads, attachments and link to phishing landing pages are connected with the spread of the Purolator Phishing Scam which loads the Ursnif Trojan horse to your system. The attachments can be Microsoft Word documents with embedded VBS Macros that are malicious. The said macros run a PowerShell script, which downloads Ursnif to a compromised PC. In the above two pictures (above this paragraph and in the very beginning of the article) you can see exactly how one such email message is presented to potential victims in terms of content, which is:
Your parcel is registered with the branch of Canada Post.
You may get track number immediately with our online Track instrument PRESS HERE or digit it in your web browser http://canadacpost(.)tk/treck21413252.zip
Our tracking system is refreshed every 24 hours to provide you with the most current information available about the geographic position and status of your item.
That is one of the messages that spread via email and is seen above the last paragraph in this section of the article. If you have downloaded a .zip file that you are suspicious of, you can always check its contents for malware with ZipeZip Online Scanner. However, do not be tempted to open any links from emails especially if they look like the one discussed above or if they are sent from an unknown (unverified) source.
Ursnif Trojan (Purolator Phishing) Scam – In Greater Depth
Ursnif Trojan is being pushed by a number of Purolator phishing scam messages. The scam has a few, different landing pages, which use the brand, logo, design and fonts of Purolator, including their official site’s text and element placement. All of this is done to try to convince you into clicking somewhere and entering your credential details on a phishing page. Thus your account and profile data can get stolen and hijacked or just spoofed so they can be sold somewhere.
In the screenshot image below, you can see one of the scam pages that have a convincing message using the Purolator brand that require you to click somewhere on the page:
If you indeed click on the spot which cybercriminals wish you to click, you could get redirected to a phishing page and/or get your computer system infected with the Ursnif Trojan (Purolator Phishing) threat.
The message in the above snapshot of the current Ursnif Trojan (Purolator Phishing) scam states the following:
PUROLATOR HAVE A PACKAGE FOR YOU![Click here for your label]
HOW TO GET YOUR PACKAGE IN ONE PIECE
Please follow the steps below.
Download the Purolator Label containing your tracking number.
After downloading your label,open the label information and locate your tracking number. You may reschedule a redeliver from us or arrange a pick up from our location.
Purolator Your Shipping Solutions
All of these Ursnif Trojan (Purolator Phishing) scams could also be displayed with pop-ups as alerts around websites, applications, emails and other means. Ursnif v3 Banking Trojan has been spotted to have sophisticated targeting techniques in the past so it is no wonder that it has decided to use a phishing scam for one of Canada’s most known shipping services.
In case there is a telephone number present somewhere on the site, know that the criminals standing on the other end of the telephone line will try to trick you in giving them information related to Purolator or that is even more personal. Do not believe if they present themselves as employees in Purolator or another notable company. However, know that the Ursnif Trojan might use a silence dropper technique that could trigger by just opening the Purolator Phishing scam page.
Browsers you have installed or your computer screen can become locked and may seem like your whole screen is blocked and totally inaccessible. In such a situation, you could try clicking the “Windows” button and combinations such as “Ctrl+Alt+Del” or even the “Close” button to check if you still can interact with your computer device.
You could also get prompted to download and install a tool which might be the Ursnif Trojan or some other malware. Keep in mind that it is all part of the scam and you shouldn’t follow any instructions given on your computer screen.
If you see any similar messages, know that they aren’t coming from Purolator. Also, no matter how many pop-ups, alerts and message boxes are shown, try to remember that this is a sophisticated scam that wants to harm your computer or steal credentials, banking data or other information from you.
Ursnif Trojan (Purolator Phishing) Scam – How to Avoid?
In this section, you will find out a simple set of rules and guidelines to follow in order to prevent yourself from falling in a trap related to Ursnif Trojan (Purolator phishing) scam and other related threats. So, if you are reading this article, you should now know that there is a multitude of scams involving a Purolator shipment or parcel notifications. Below you will see what you should do.
Purolator’s official warning alert should be enough of a hint to you that there are such scams pushed time and time again. For further reference, the web address for the official Purolator website is https://www.purolator.com/en/home.page and its main page is displayed below:
As you now know about the existence of the emails involving the Ursnif Trojan (Purolator phishing) scam and the official Purolator site page, refer to the following guidelines on how to avoid most scams linked to using the shipping brand for their schemes:
- Never pay before your goods get delivered
- Do not provide any details about you, your addresses or similar information via email or unknown Websites
- Do not open email attachments, as Purolator does not send such, neither it requests users to open such
- Always use Purolator’s official website to refer to pages in connection with the service
- Avoid messages with grammatical or typographical errors
- Avoid emails that are not addressed to you by name
- Avoid messages sent by a service you don’t expect to hear from
- Avoid messages that do not include a tracking number or specific details about your order or address
- Avoid clicking on links to provide your email address for verification
- Avoid payments to someone whose identity you can’t confirm
The guideline rules listed above were constructed by the SensorsTechForum team, via a research done on the matter. These rules are based on common sense and depending on the various scams related to Purolator.
Remove Ursnif Trojan (Purolator Phishing) Scam
To remove the Ursnif Trojan (Purolator Phishing) scam and its related Trojan horse files manually from your PC, follow the step-by-step removal instructions provided below. If the manual removal guide does not get rid of the scam and its redirects completely, you should search for and remove any leftover items with an advanced anti-malware tool. Software like that will keep your system secure in the future.
- Guide 1: How to Remove Ursnif Trojan horse from Windows.
- Guide 2: Get rid of Ursnif Trojan horse from Mac OS X.
- Guide 3: Remove Ursnif Trojan horse from Google Chrome.
- Guide 4: Erase Ursnif Trojan horse from Mozilla Firefox.
- Guide 5: Uninstall Ursnif Trojan horse from Microsoft Edge.
- Guide 6: Remove Ursnif Trojan horse from Safari.
- Guide 7: Eliminate Ursnif Trojan horse from Internet Explorer.
How to Remove Ursnif Trojan horse from Windows.
Step 1: Boot Your PC In Safe Mode to isolate and remove Ursnif Trojan horse
Step 2: Uninstall Ursnif Trojan horse and related software from Windows
Here is a method in few easy steps that should be able to uninstall most programs. No matter if you are using Windows 10, 8, 7, Vista or XP, those steps will get the job done. Dragging the program or its folder to the recycle bin can be a very bad decision. If you do that, bits and pieces of the program are left behind, and that can lead to unstable work of your PC, errors with the file type associations and other unpleasant activities. The proper way to get a program off your computer is to Uninstall it.
Step 3: Clean any registries, created by Ursnif Trojan horse on your computer.
The usually targeted registries of Windows machines are the following:
You can access them by opening the Windows registry editor and deleting any values, created by Ursnif Trojan horse there. This can happen by following the steps underneath:
Get rid of Ursnif Trojan horse from Mac OS X.
Step 1: Uninstall Ursnif Trojan horse and remove related files and objects
1. Hit the ⇧+⌘+U keys to open Utilities. Another way is to click on “Go” and then click “Utilities”, like the image below shows:
- Go to Finder.
- In the search bar type the name of the app that you want to remove.
- Above the search bar change the two drop down menus to “System Files” and “Are Included” so that you can see all of the files associated with the application you want to remove. Bear in mind that some of the files may not be related to the app so be very careful which files you delete.
- If all of the files are related, hold the ⌘+A buttons to select them and then drive them to “Trash”.
In case you cannot remove Ursnif Trojan horse via Step 1 above:
In case you cannot find the virus files and objects in your Applications or other places we have shown above, you can manually look for them in the Libraries of your Mac. But before doing this, please read the disclaimer below:
You can repeat the same procedure with the following other Library directories:
Tip: ~ is there on purpose, because it leads to more LaunchAgents.
Step 2: Scan for and remove malware from your Mac
When you are facing problems on your Mac as a result of unwanted scripts, programs and malware, the recommended way of eliminating the threat is by using an anti-malware program. Combo Cleaner offers advanced security features along with other modules that will improve your Mac’s security and protect it in the future.
Remove Ursnif Trojan horse from Google Chrome.
Step 1: Start Google Chrome and open the drop menu
Step 2: Move the cursor over "Tools" and then from the extended menu choose "Extensions"
Step 3: From the opened "Extensions" menu locate the unwanted extension and click on its "Remove" button.
Step 4: After the extension is removed, restart Google Chrome by closing it from the red "X" button at the top right corner and start it again.
Erase Ursnif Trojan horse from Mozilla Firefox.
Step 1: Start Mozilla Firefox. Open the menu window
Step 2: Select the "Add-ons" icon from the menu.
Step 3: Select the unwanted extension and click "Remove"
Step 4: After the extension is removed, restart Mozilla Firefox by closing it from the red "X" button at the top right corner and start it again.
Uninstall Ursnif Trojan horse from Microsoft Edge.
Step 1: Start Edge browser.
Step 2: Open the drop menu by clicking on the icon at the top right corner.
Step 3: From the drop menu select "Extensions".
Step 4: Choose the suspected malicious extension you want to remove and then click on the gear icon.
Step 5: Remove the malicious extension by scrolling down and then clicking on Uninstall.
Remove Ursnif Trojan horse from Safari.
Step 1: Start the Safari app.
Step 2: After hovering your mouse cursor to the top of the screen, click on the Safari text to open its drop down menu.
Step 3: From the menu, click on "Preferences".
Step 4: After that, select the 'Extensions' Tab.
Step 5: Click once on the extension you want to remove.
Step 6: Click 'Uninstall'.
A pop-up window will appear asking for confirmation to uninstall the extension. Select 'Uninstall' again, and the Ursnif Trojan horse will be removed.
Eliminate Ursnif Trojan horse from Internet Explorer.
Step 1: Start Internet Explorer.
Step 2: Click on the gear icon labeled 'Tools' to open the drop menu and select 'Manage Add-ons'
Step 3: In the 'Manage Add-ons' window.
Step 4: Select the extension you want to remove and then click 'Disable'. A pop-up window will appear to inform you that you are about to disable the selected extension, and some more add-ons might be disabled as well. Leave all the boxes checked, and click 'Disable'.
Step 5: After the unwanted extension has been removed, restart Internet Explorer by closing it from the red 'X' button located at the top right corner and start it again.