
TrojanDownloader:Win32/Unruy.F


First posted on 01 June 2010.
Source: SecurityHome

Aliases :

TrojanDownloader:Win32/Unruy.F is also known as Win-Trojan/Zbot.39424.B (AhnLab), Trojan-Clicker.Win32.Cycler.noj (Kaspersky), W32/Cycler.A (Norman), Trojan.CL.Cycler.AC (VirusBuster), Trojan horse Downloader.Generic9.ANFD (AVG), TR/Click.Cycler.nnd (Avira), Trojan.Downloader.Unruy.D (BitDefender), Win32/TrojanDownloader.Unruy.BC (ESET), Trojan-Downloader.Win32.Unruy (Ikarus), Downloader-BPA.e (McAfee), Trojan.Win32.Generic.51FA3DDB (Rising AV), Trojan-Downloader.Win32.Unruy.C (Sunbelt Software), TROJ_APPINIT.MCS (Trend Micro).

Explanation :

TrojanDownloader:Win32/Unruy.F is a trojan that downloads and executes arbitrary files, and can display advertising.

Installation

When executed, the trojan drops various components of itself, for example:

  • %system32%\app_dll.dll - detected as TrojanDownloader:Win32/Unruy.G
  • %temp%\f2257205 .exe - detected as TrojanDownloader:Win32/Unruy.F

Note the space before the extension in these file names; the stealth component described below hides processes whose names contain a space.

TrojanDownloader:Win32/Unruy.F creates a copy of itself in the following location:

  • %programfiles%\Adobe\acrotray .exe

The trojan then executes the abovementioned file.

TrojanDownloader:Win32/Unruy.F creates the following registry entries to ensure execution of itself and its components at each Windows start:

Adds value: "LoadAppInit_DLLs"
With data: "0x1"
To subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows

Adds value: "AppInit_DLLs"
With data: "app_dll.dll"
To subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows

With these two values set, Windows loads the DLL named in AppInit_DLLs into every process that loads user32.dll, so the app_dll.dll component runs without needing its own Run key entry.

Payload

Downloads and executes arbitrary files

The trojan attempts to contact a remote host in order to download configuration data, for example:

  • www2.megawebdeals.com

The configuration data can then direct the trojan to download and execute arbitrary files from a remote host.

Displays advertising

The configuration information can include a list of advertising Web sites, which the trojan can open in a browser window to display advertising.

Provides stealth

The trojan hooks the following Windows API to redirect to its own code:

  • ZwQuerySystemInformation

This enables the trojan to hide the following processes from any process listing that relies on this API:

  • Process names that begin with the following:
    • wmp
    • mx
  • Process names that contain a space character, for example:
    • f2257205 .exe
    • acrotray .exe

Modifies computer settings

The trojan also modifies the following registry entry in order to disable the use of the Registry Editor:

Adds value: "DisableRegistryTools"
With data: "0x1"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
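The Python triage helpers below are an added example, not part of the original write-up or of any vendor tool. They encode the indicators above (the AppInit_DLLs persistence values, the DisableRegistryTools policy, and the process-name filter applied by the hooked ZwQuerySystemInformation) and run them over constructed sample inputs: a registry snapshot and two process views, one from the user-mode API that the hook can tamper with and one from an independent source such as a memory image. Function names, sample PIDs and all sample data are assumptions. The cross-view comparison goes slightly beyond the page: it flags every process missing from the user-mode view, then notes which of those gaps also match this family's filter.

```python
"""Offline triage helpers for the Unruy.F indicators (added example).

Nothing here touches a live system: the inputs are dicts and sets that a
collector (reg query, a memory-image process scan, ...) would fill in.
"""
import re

# Process-name prefixes the write-up says the hook filters out.
HIDDEN_PREFIXES = ("wmp", "mx")


def hook_would_hide(process_name):
    """True if the hooked ZwQuerySystemInformation would drop this entry.

    Rules from the write-up: the name begins with 'wmp' or 'mx', or it
    contains a space (the dropper's own files, e.g. 'acrotray .exe').
    """
    name = process_name.lower()
    return name.startswith(HIDDEN_PREFIXES) or " " in name


def cross_view_gaps(user_mode_view, trusted_view):
    """Processes present in an independent enumeration but missing from the
    (possibly hooked) user-mode listing.

    Both views are sets of (name, pid). Returns (name, pid, matches_filter)
    tuples; any gap is an anomaly, and matches_filter marks the ones this
    family's rules would explain.
    """
    gaps = sorted(set(trusted_view) - set(user_mode_view))
    return [(name, pid, hook_would_hide(name)) for name, pid in gaps]


def check_appinit_values(windows_key):
    """Evaluate the values under
    HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows.

    windows_key maps value name -> data. Returns a list of finding strings;
    an empty list means nothing matched.
    """
    findings = []
    # AppInit_DLLs is a space-, comma- or semicolon-separated list of DLLs.
    raw = windows_key.get("AppInit_DLLs", "") or ""
    dlls = [d for d in re.split(r"[ ,;]+", raw) if d]
    if dlls:
        findings.append("AppInit_DLLs lists: " + ", ".join(dlls))
    if dlls and windows_key.get("LoadAppInit_DLLs") == 1:
        findings.append("LoadAppInit_DLLs=1: listed DLLs load into every "
                        "process that loads user32.dll")
    for d in dlls:
        if d.lower().endswith("app_dll.dll"):
            findings.append(d + " matches the Unruy.G component name")
    return findings


def check_policies(system_policy_key):
    """Evaluate HKCU\\...\\Policies\\System for the regedit lockout."""
    if system_policy_key.get("DisableRegistryTools") == 1:
        return ["DisableRegistryTools=1: Registry Editor blocked for this user"]
    return []


# --- constructed sample inputs (assumed, not captured from a real host) ---
SUSPECT_WINDOWS_KEY = {"LoadAppInit_DLLs": 1, "AppInit_DLLs": "app_dll.dll"}
CLEAN_WINDOWS_KEY = {"LoadAppInit_DLLs": 0, "AppInit_DLLs": ""}
SUSPECT_POLICY_KEY = {"DisableRegistryTools": 1}

# What a hooked user-mode listing shows, versus an independent enumeration.
USER_MODE_VIEW = {("explorer.exe", 1234), ("svchost.exe", 820)}
TRUSTED_VIEW = USER_MODE_VIEW | {("acrotray .exe", 2468), ("f2257205 .exe", 2480)}


def triage(windows_key, policy_key, user_mode_view, trusted_view):
    """Combine the checks into one report dict for a host."""
    return {
        "appinit": check_appinit_values(windows_key),
        "policies": check_policies(policy_key),
        "hidden_processes": cross_view_gaps(user_mode_view, trusted_view),
    }


if __name__ == "__main__":
    report = triage(SUSPECT_WINDOWS_KEY, SUSPECT_POLICY_KEY,
                    USER_MODE_VIEW, TRUSTED_VIEW)
    for section, items in report.items():
        print(section)
        for item in items:
            print("  ", item)
```

On a live host the two process views would come from, for example, tasklist (which goes through the hooked API) and a kernel-level or memory-image enumeration; the registry dicts would come from reading the two keys named above. A gap whose name does not match the filter is still worth investigating, since it indicates some other hiding mechanism.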

    Analysis by Ray Roberts

    Last update 01 June 2010

     
