Win32/Juny [Threat Name]

Win32/Juny.A [Threat Variant Name]

Category trojan
Size 68096 B
Detection created Oct 20, 2005
Detection database version 1262
Aliases Virus.Win32.JuNy.b (Kaspersky)
  Juny.trojan (McAfee)
  Trojan:Win32/Juny.A (Microsoft)
  Trojan.Juny (Symantec)
Short description

Win32/Juny.A is a trojan that encrypts files on local drives. To decrypt the files, the user is asked to comply with stated conditions in exchange for a password or instructions.

Installation

When executed, the trojan copies itself into the following location:

  • %system%\krnlmgr.exe

The trojan creates the following file:

  • %system%\krnlmgr.dll (10752 B, Win32/Juny.A)

The library is loaded and injected into all running processes.


In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    • "Kernel Manager" = "%system%\krnlmgr.exe"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "Kernel Manager" = "%system%\krnlmgr.exe"

The following Registry entry is set:

  • [HKEY_CLASSES_ROOT\exefile\shell\open\command]
    • "(Default)" = "%system%\krnlmgr.exe "%1" %*"

The trojan creates the following file:

  • %commondesktop%\Пиздец к вам в гости!.txt

Payload information

Win32/Juny.A is a trojan that encrypts files on local drives.


The trojan searches local drives for files with the following file extensions:

  • .c2d
  • .dsk
  • .ima
  • .vdi
  • .fcd
  • .ixa
  • .gi
  • .gcd
  • .rdf
  • .rif
  • .pxi
  • .ncd
  • .VaporCD
  • .nrg
  • .dmg
  • .pdi
  • .xa
  • .md1
  • .p01
  • .xmd
  • .xmf
  • .cif
  • .tao
  • .dao
  • .cdi
  • .img
  • .ccd
  • .lcd
  • .cue
  • .bwi
  • .bwt
  • .b5i
  • .b5t
  • .ashdisc
  • .mdf
  • .mds
  • .vc4
  • .vcd
  • .iso
  • .avc
  • .vdb
  • .safe
  • .pwm
  • .kwm
  • .dmf
  • .dat
  • .cfg
  • .inf
  • .ini
  • .ppt
  • .pdf
  • .chm
  • .hlp
  • .wps
  • .url
  • .mhtml
  • .mht
  • .hta
  • .html
  • .htm
  • .dot
  • .xml
  • .rtf
  • .wri
  • .wpd
  • .xla
  • .xls
  • .doc
  • .txt
  • .sql
  • .myd
  • .pdx
  • .mda
  • .dbx
  • .mdb
  • .db
  • .lnk
  • .pif
  • .vxd
  • .386
  • .drv
  • .out
  • .flt
  • .ax
  • .cmd
  • .bat
  • .ocx
  • .dll
  • .com
  • .exe
  • .bin
  • .wsh
  • .vb
  • .js
  • .vbs
  • .lib
  • .dpr
  • .bsc
  • .obj
  • .asm
  • .pas
  • .dcu
  • .dfm
  • .csproj
  • .cs
  • .rc
  • .res
  • .cls
  • .bas
  • .prl
  • .sln
  • .vbproj
  • .vcproj
  • .dsw
  • .dsp
  • .vbp
  • .c
  • .cpp
  • .h
  • .uue
  • .uha
  • .ha
  • .pak
  • .zoo
  • .jar
  • .cab
  • .rar
  • .zip

Only the following folders are searched:

  • %personal%
  • %commondocuments%
  • %desktop%
  • %commonfavorites%
  • %commondesktop%
  • %cookies%
  • %internetcache%
  • %appdata%
  • %commonappdata%
  • C:\
  • D:\
  • E:\
  • F:\
  • G:\
  • H:\
  • I:\
  • J:\
  • K:\
  • L:\
  • M:\
  • N:\
  • O:\
  • P:\
  • Q:\
  • R:\
  • S:\
  • T:\
  • U:\
  • V:\
  • W:\
  • X:\
  • Y:\
  • Z:\

It skips drives that contain any of the following folders:

  • %windows%

The trojan encrypts the file content.


To decrypt the files, the user is asked to comply with stated conditions in exchange for a password or instructions.

Other information

The trojan keeps various information in the following Registry keys:

  • [HKEY_CLASSES_ROOT\EventSystem.EventSystem\PrivateData]
    • "CLSID%variable1%" = %variable2%
    • "FuckedBytes" = %variable3%
    • "FuckedCount" = %variable4%

A string with variable content is used in place of %variable1-4%.
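The following PowerShell script is an added example, not part of the ESET entry, that checks a host for the artifacts listed in the Installation section (dropped files, Run values, the exefile handler, the desktop note) and for the data-storage key listed above. It assumes that %system% resolves to System32 under $env:SystemRoot, that %commondesktop% is the CommonDesktopDirectory special folder, and that the stock value of the exefile handler is `"%1" %*`, which is the Windows default and is not stated on this page.

```powershell
# Added example: enumerate the Win32/Juny.A host indicators described on this page.
# Run from an elevated PowerShell session. Assumptions: %system% = <SystemRoot>\System32,
# %commondesktop% = CommonDesktopDirectory, stock exefile handler = "%1" %*.
$findings = [System.Collections.Generic.List[string]]::new()

# 1. Dropped files in %system%
$system32 = Join-Path $env:SystemRoot 'System32'
foreach ($name in 'krnlmgr.exe', 'krnlmgr.dll') {
    $path = Join-Path $system32 $name
    if (Test-Path -LiteralPath $path) {
        $findings.Add("Dropped file present: $path")
    }
}

# 2. Note file on the common desktop (file name taken from the page)
$note = Join-Path ([Environment]::GetFolderPath('CommonDesktopDirectory')) 'Пиздец к вам в гости!.txt'
if (Test-Path -LiteralPath $note) {
    $findings.Add("Note file present: $note")
}

# 3. Autostart values in the HKLM and HKCU Run keys
foreach ($hive in 'HKLM', 'HKCU') {
    $runKey = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
    $props  = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($props -and $props.PSObject.Properties['Kernel Manager']) {
        $findings.Add("Run value in ${runKey}: 'Kernel Manager' = $($props.'Kernel Manager')")
    }
}

# HKCR: is not mapped as a drive by default, so map it for the remaining checks
if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

# 4. exefile handler: anything other than the stock "%1" %* means every .exe launch
#    is routed through another program (here the page shows it pointing at krnlmgr.exe)
$handler = (Get-ItemProperty -Path 'HKCR:\exefile\shell\open\command' -ErrorAction SilentlyContinue).'(default)'
if ($handler -and $handler -ne '"%1" %*') {
    $findings.Add("Non-default exefile handler: $handler")
}

# 5. Data-storage key under EventSystem.EventSystem\PrivateData
$pd = Get-ItemProperty -Path 'HKCR:\EventSystem.EventSystem\PrivateData' -ErrorAction SilentlyContinue
if ($pd) {
    foreach ($valueName in 'FuckedBytes', 'FuckedCount') {
        if ($pd.PSObject.Properties[$valueName]) {
            $findings.Add("Counter value present: PrivateData\$valueName = $($pd.$valueName)")
        }
    }
    # the CLSID%variable1% names vary, so match on the prefix only
    $pd.PSObject.Properties |
        Where-Object { $_.Name -like 'CLSID*' } |
        ForEach-Object { $findings.Add("Variable-named value present: PrivateData\$($_.Name)") }
}

if ($findings.Count -eq 0) {
    'No Win32/Juny.A indicators found.'
} else {
    $findings
}
```

Two points worth keeping in mind when acting on the output. First, the page states that krnlmgr.dll is injected into all processes and that the running process is hidden, so a check executed inside a live infected session can be interfered with; results from an offline scan of the disk and registry hives are more trustworthy. Second, because the exefile handler is redirected through krnlmgr.exe, deleting that binary before restoring the handler's default value leaves the system unable to launch any .exe file, so restore the handler first during cleanup.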


The trojan hides its running process.


The trojan displays the following dialog boxes:
