Win32/TrojanDownloader.Unruy [Threat Name]

Win32/TrojanDownloader.Unruy.AB [Threat Variant Name]

Category: trojan
Size: 14348 B
Aliases:
  • Backdoor.Win32.Agent.mfh (Kaspersky)
  • TrojanDownloader:Win32/Unruy.A (Microsoft)
  • Troj/Unruy-Gen (Sophos)
Short description

Win32/TrojanDownloader.Unruy.AB is a trojan which tries to download other malware from the Internet. The file is run-time compressed using UPX.

Installation

The trojan modifies executables referenced by the following Registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "*" = "%path%\%filename%.exe"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    • "*" = "%path%\%filename%.exe"

The trojan may replace these files with a copy of itself.

This causes the trojan to be executed on every system start.


It avoids files which contain any of the following strings in their path:

  • %system%
  • %fonts%

The original file is stored in the following location:

  • %path%\%filename% .exe
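
The installation behaviour above gives a defender three things to look for on a host: an autostart target that has been swapped for a 14348 B UPX-packed file, and the displaced original kept next to it under the name "%filename% .exe" (with a space before the extension). The following Python script is an added triage example, not ESET's own tooling or code from this page. It assumes the Run values have already been exported from the hives as (hive, value name, value data) strings, and it takes file contents from a dictionary standing in for the filesystem so it runs offline; the minimal PE builder only produces constructed test data, and the UPX check relies on the packer's default section names, which a modified packer can rename.

```python
import struct

# Indicators taken from the threat description
UNRUY_AB_SIZE = 14348                              # reported sample size in bytes
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}    # section names the stock UPX packer writes
AVOIDED_PATH_MARKERS = ("system", "fonts")         # stand-ins for %system% and %fonts% (assumption)


def pe_section_names(data: bytes) -> list[bytes]:
    """Return the section names of a PE image, or [] if the bytes are not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    coff = e_lfanew + 4                            # start of the COFF file header
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size                   # section table follows the optional header
    names = []
    for i in range(num_sections):
        off = table + i * 40                       # one IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names


def is_upx_packed(data: bytes) -> bool:
    """Heuristic: UPX leaves its section names in place unless the packer was modified."""
    return any(name in UPX_SECTION_NAMES for name in pe_section_names(data))


def run_value_target(value_data: str) -> str:
    """Extract the executable path from Run value data such as '"C:\\x y\\a.exe" /q' or 'C:\\a.exe'."""
    value_data = value_data.strip()
    if value_data.startswith('"'):
        return value_data[1:value_data.find('"', 1)]
    return value_data.split(" ", 1)[0]


def triage_run_target(target: str, fs: dict[str, bytes]) -> list[str]:
    """Return indicator tags for one autostart target; `fs` maps paths to file bytes."""
    data = fs.get(target)
    if data is None:
        return ["missing-target"]
    tags = []
    if any(m in target.lower() for m in AVOIDED_PATH_MARKERS):
        tags.append("avoided-path")                # Unruy.AB skips %system% and %fonts% files
    if len(data) == UNRUY_AB_SIZE:
        tags.append("size-match")
    if is_upx_packed(data):
        tags.append("upx-packed")
    stem, dot, ext = target.rpartition(".")
    displaced = f"{stem} .{ext}" if dot else target + " .exe"
    if displaced in fs:
        tags.append("displaced-original")          # original kept as %path%\%filename% .exe
    return tags


def scan_run_entries(entries, fs):
    """entries: iterable of (hive, value_name, value_data); returns {target path: tags}."""
    result = {}
    for _hive, _name, value_data in entries:
        target = run_value_target(value_data)
        result[target] = triage_run_target(target, fs)
    return result


def build_minimal_pe(section_names, pad_to=0) -> bytes:
    """Constructed test data: a structurally valid but non-executable PE header plus section table."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x102)
    table = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    img = dos + b"PE\0\0" + coff + table
    return img + b"\0" * max(0, pad_to - len(img))


# Constructed sample: one replaced autostart target beside its displaced original, one clean file
SAMPLE_FS = {
    r"C:\Users\u\AppData\Local\Foo\foo.exe": build_minimal_pe([b"UPX0", b"UPX1", b".rsrc"], pad_to=UNRUY_AB_SIZE),
    r"C:\Users\u\AppData\Local\Foo\foo .exe": build_minimal_pe([b".text", b".data"]),
    r"C:\Windows\System32\clean.exe": build_minimal_pe([b".text"]),
}
SAMPLE_ENTRIES = [
    ("HKCU", "Foo", r'"C:\Users\u\AppData\Local\Foo\foo.exe" /background'),
    ("HKLM", "Clean", r"C:\Windows\System32\clean.exe"),
]

if __name__ == "__main__":
    for target, tags in scan_run_entries(SAMPLE_ENTRIES, SAMPLE_FS).items():
        print(target, "->", ", ".join(tags) or "no indicators")
```

On a live host the `fs` dictionary would be replaced by reads of the real files and the entries by the two Run keys listed above; the "avoided-path" tag is informational only, since the trojan itself does not touch files under %system% or %fonts%, so a hit there is more likely a different cause.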

Other information

The trojan quits immediately if it detects a running process containing one of the following strings in its name:

  • ad-watch
  • almon
  • alsvc
  • alusched
  • apvxdwin
  • ashdisp
  • ashmaisv
  • ashserv
  • ashwebsv
  • avcenter
  • avciman
  • avengine
  • avesvc
  • avgnt
  • avguard
  • avp
  • bdagent
  • bdmcon
  • caissdt
  • cavrid
  • cavtray
  • ccapp
  • ccetvm
  • cclaw
  • ccproxy
  • ccsetmgr
  • clamtray
  • clamwin
  • counter
  • dpasnt
  • drweb
  • firewalln
  • fsaw
  • fsguidll
  • fsm32
  • fspex
  • guardxkickoff
  • hsock
  • isafe
  • kav
  • kavpf
  • kpf4gui
  • kpf4ss
  • livesrv
  • mcage
  • mcdet
  • mcshi
  • mctsk
  • mcupd
  • mcupdm
  • mcvs
  • mcvss
  • mpeng
  • mpfag
  • mpfser
  • mpft
  • msascui
  • mscif
  • msco
  • msfw
  • mskage
  • msksr
  • msmps
  • mxtask
  • navapsvc
  • nip
  • nipsvc
  • njeeves
  • nod32krn
  • nod32kui
  • npfmsg2
  • npfsvice
  • nscsrvce
  • nvcoas
  • nvcsched
  • oascl
  • pavfnsvr
  • PXAgent
  • pxagent
  • pxcons
  • PXConsole
  • savadmins
  • savser
  • scfmanager
  • scfservice
  • scftray
  • sdhe
  • sndsrvc
  • spbbcsvc
  • spidernt
  • spiderui
  • spysw
  • sunprotect
  • sunserv
  • sunthreate
  • swdoct
  • symlcsvc
  • tsanti
  • vba32ldr
  • vir.exe
  • vrfw
  • vrmo
  • vsmon
  • vsserv
  • webproxy
  • webroot
  • winssno
  • wmiprv
  • xcommsvr
  • zanda
  • zlcli
  • zlh

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of (1) URLs. The HTTP protocol is used.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files