Home / malware TrojanDownloader:Win32/Unruy.D
First posted on 08 June 2010.
Source: SecurityHomeAliases :
TrojanDownloader:Win32/Unruy.D is also known as Trojan-Clicker.Win32.Cycler.ajnr (Kaspersky), Trojan.CL.Cycler.BY (VirusBuster), TR/Click.Cycler.ajnr.2 (Avira), Win32/TrojanDownloader.Unruy.BP (ESET), Trojan-Clicker.Win32.Cycler (Ikarus).
Explanation :
TrojanDownloader:Win32/Unruy.D is a trojan that is capable of connecting to certain remote servers to download and execute arbitrary files. It can also delete files, schedule tasks, and perform other actions. Depending on the computer's Internet Explorer settings, TrojanDownloader:Win32/Unruy.D may also disable third-party browser extensions and BHOs from running.
Top
TrojanDownloader:Win32/Unruy.D is a trojan that is capable of connecting to certain remote servers to download and execute arbitrary files. It can also delete files, schedule tasks, and perform other actions. Depending on the computer's Internet Explorer settings, TrojanDownloader:Win32/Unruy.D may also disable third-party browser extensions and BHOs from running. Installation TrojanDownloader:Win32/Unruy.D drops the following copy:%ProgramFiles%\Adobe\acrotray .exe Note that a space character exists between before the file extension ".exe". Also, a legitimate file exists from Adobe named "acrotray.exe" (without the space character). TrojanDownloader:Win32/Unruy.D creates the following registry entry to ensure that its copy executes every time Windows starts: Adds value: "Adobe_Reader" With data: "%ProgramFiles%\Adobe\acrotray .exe" In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run It also injects code into the "svchost.exe" process. TrojanDownloader:Win32/Unruy.D creates the following mutexes:Global\wmpproc1998 Global\acrobat201 Global\acrobat198 It logs all its actions in the following file:C:\Temp\log.txt Payload Modifies Internet Explorer settings TrojanDownloader:Win32/Unruy.D sets Internet Explorer so that third-party browser extensions and Browser Helper Extensions (BHOs) are disabled: Creates value: "Enable Browser Extensions" With data: "no" In subkey: HKLM\Software\Microsoft\Internet Explorer\Main Connects to a remote server TrojanDownloader:Win32/Unruy.D pings the following IP address: 192.185.238.31 If the IP cannot be reached then it deletes itself. It also downloads configuration files from the following URLs: www2.megawebfind.com www2.megawebdeals.com 94.75.229.139 The configuration file may have the following format: <URL>\banner3.php?q=%d.%d.%d.%d.%d.%s.1.%d.%d <URL>\dupe.php?q=%d.%d.%d.%d.%d.%s.1.%d The configuration file may also contain commands to perform certain actions, such as the following: Enumerate the entries under the Software\Microsoft\Windows\CurrentVersion\Run key Schedule tasks Delete files Change the delay time for downloads Downloads arbitrary files TrojanDownloader:Win32/Unruy.D is capable of downloading and executing arbitrary files in the Windows Temporary Files folder.
Analysis by Francis Allan Tan SengLast update 08 June 2010
