Win32/TrojanDownloader.Unruy [Threat Name]
Win32/TrojanDownloader.Unruy.AA [Threat Variant Name]
Category | trojan
Size | 29200 B
Aliases | Trojan.Win32.Buzus.ddrm (Kaspersky)
        | VirTool:Win32/CeeInject.gen!J (Microsoft)
        | BackDoor-DOQ (McAfee)
Short description
Win32/TrojanDownloader.Unruy.AA is a trojan which tries to download other malware from the Internet.
Installation
The trojan enumerates every value under the following Registry keys and modifies the executables those values reference:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- "*" = "%path%\%filename%.exe"
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
- "*" = "%path%\%filename%.exe"
("*" stands for any value name under the key.)
The trojan may replace each referenced file with a copy of itself.
This causes the trojan to be executed on every system start, under whatever name the legitimate autostart entry already had.
It avoids files whose path contains any of the following strings:
- %system%
- %fonts%
The original file is kept next to the replaced one, under the same name with a space inserted before the extension:
- %path%\%filename% .exe
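The installation routine above leaves two artefacts a responder can hunt for: the displaced original parked as "<name> .exe" beside each Run-key target, and several Run-key targets that are byte-identical because they were all overwritten with the same trojan body. The following script is an added example, not code from the ESET description or from the malware. It assumes the page's %system% and %fonts% placeholders expand to paths containing \windows\system32 and \windows\fonts; the winreg-based collector only works on Windows, and demo() exercises the logic on a constructed temporary directory so the check can be run anywhere.

```python
"""Hunt for Unruy-style Run-key hijacking (added example, not from the page)."""
import hashlib
import os
import re
import shutil
import tempfile
from collections import defaultdict

# Assumed expansions of the page's %system% and %fonts% placeholders; the
# trojan skips targets whose path contains these, so the hunt does the same.
EXCLUDED_DIR_HINTS = ("\\windows\\system32", "\\windows\\fonts")
RUN_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Run"


def extract_exe_path(command):
    """Return the executable path from a Run value's command line,
    handling quoted paths, unquoted paths with spaces, and trailing arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.+?\.exe)(?=\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]


def is_excluded(path):
    p = path.replace("/", "\\").lower()
    return any(hint in p for hint in EXCLUDED_DIR_HINTS)


def backup_sibling(path):
    """Where the trojan parks the original: '<stem> .exe' next to the target."""
    stem, ext = os.path.splitext(path)
    return stem + " " + ext


def sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def hunt(run_entries):
    """run_entries: iterable of (hive, value_name, command).
    Returns a list of finding strings; an empty list means nothing suspicious."""
    findings = []
    by_hash = defaultdict(list)
    for hive, name, command in run_entries:
        exe = extract_exe_path(command)
        if is_excluded(exe) or not os.path.isfile(exe):
            continue  # the trojan leaves %system%/%fonts% targets alone
        sibling = backup_sibling(exe)
        if os.path.isfile(sibling):
            findings.append(f"{hive}\\{name}: displaced original beside target: {sibling}")
        by_hash[sha256(exe)].append(exe)
    # Distinct autostart programs should not share one hash; the trojan's
    # mass replacement makes them identical.
    for digest, paths in by_hash.items():
        if len(paths) > 1:
            findings.append(f"identical binary {digest[:12]} behind {len(paths)} Run entries: {paths}")
    return findings


def read_run_keys():
    """Collect (hive, value_name, command) from both Run keys. Windows only;
    a 32-bit interpreter on 64-bit Windows sees the WOW6432Node view of HKLM."""
    import winreg
    entries = []
    for label, hive in (("HKCU", winreg.HKEY_CURRENT_USER), ("HKLM", winreg.HKEY_LOCAL_MACHINE)):
        try:
            key = winreg.OpenKey(hive, RUN_SUBKEY)
        except OSError:
            continue
        with key:
            index = 0
            while True:
                try:
                    name, data, _type = winreg.EnumValue(key, index)
                except OSError:
                    break  # no more values
                entries.append((label, name, str(data)))
                index += 1
    return entries


def demo():
    """Constructed sample (not real data): two Run targets overwritten with the
    same bytes, one with its original parked as '<name> .exe', plus a system32
    entry the trojan would have skipped."""
    base = tempfile.mkdtemp()
    try:
        updater = os.path.join(base, "updater.exe")
        sync = os.path.join(base, "sync.exe")
        for p in (updater, sync):
            with open(p, "wb") as f:
                f.write(b"MZ-constructed-trojan-body")
        with open(backup_sibling(updater), "wb") as f:
            f.write(b"MZ-constructed-real-updater")
        entries = [
            ("HKCU", "Updater", f'"{updater}" /quiet'),
            ("HKLM", "Sync", sync),
            ("HKLM", "ctfmon", r"C:\Windows\system32\ctfmon.exe"),
        ]
        return hunt(entries)
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    import sys
    results = hunt(read_run_keys()) if sys.platform == "win32" else demo()
    print("\n".join(results) or "no Unruy-style artefacts found")
```

On a suspect host, run it with a Python that sees the same registry view as the logged-on user (and once more from an elevated 64-bit interpreter for the native HKLM view); a hit on the " .exe" sibling is the stronger indicator, since the shared-hash check can also fire on legitimate stubs that several vendors ship identically.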
Other information
The trojan quits immediately if it detects a running process containing one of the following strings in its name:
- ad-watch
- almon
- alsvc
- alusched
- apvxdwin
- ashdisp
- ashmaisv
- ashserv
- ashwebsv
- avcenter
- avciman
- avengine
- avesvc
- avgnt
- avguard
- avp
- bdagent
- bdmcon
- caissdt
- cavrid
- cavtray
- ccapp
- ccetvm
- cclaw
- ccproxy
- ccsetmgr
- clamtray
- clamwin
- counter
- dpasnt
- drweb
- firewalln
- fsaw
- fsguidll
- fsm32
- fspex
- guardxkickoff
- hsock
- isafe
- kav
- kavpf
- kpf4gui
- kpf4ss
- livesrv
- mcage
- mcdet
- mcshi
- mctsk
- mcupd
- mcupdm
- mcvs
- mcvss
- mpeng
- mpfag
- mpfser
- mpft
- msascui
- mscif
- msco
- msfw
- mskage
- msksr
- msmps
- mxtask
- navapsvc
- nip
- nipsvc
- njeeves
- nod32krn
- nod32kui
- npfmsg2
- npfsvice
- nscsrvce
- nvcoas
- nvcsched
- oascl
- pavfnsvr
- PXAgent
- pxagent
- pxcons
- PXConsole
- savadmins
- savser
- scfmanager
- scfservice
- scftray
- sdhe
- sndsrvc
- spbbcsvc
- spidernt
- spiderui
- spysw
- sunprotect
- sunserv
- sunthreate
- swdoct
- symlcsvc
- tsanti
- vba32ldr
- vir.exe
- vrfw
- vrmo
- vsmon
- vsserv
- webproxy
- webroot
- winssno
- wmiprv
- xcommsvr
- zanda
- zlcli
- zlh
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a list of URLs (1 entry). Communication with the remote computer uses the HTTP protocol.
It can execute the following operations:
- download files from a remote computer and/or the Internet
- run executable files