
Trojan:Win32/Unihorn.A


First posted on 29 June 2010.
Source: SecurityHome

Aliases :

Trojan:Win32/Unihorn.A is also known as TR/Crypt.XPACK.Gen (Avira), Trojan.Generic.3555338 (BitDefender), Trojan.DownLoad1.44890 (Dr.Web), Generic.dx!syc (McAfee).

Explanation :

Trojan:Win32/Unihorn.A is a trojan component that registers itself as a service and connects to predefined Web sites.

Installation

Trojan:Win32/Unihorn.A may be present as the following files:

  netsphlpr.dll
  NetPrint.exe
  Smss.exe
  Csrns.exe
  Cryptbase.dll

Note that smss.exe and cryptbase.dll are also the names of legitimate Windows components in %SystemRoot%\System32; the file's location and hash, not the name alone, identify the malicious copy.

When executed, Trojan:Win32/Unihorn.A creates the following mutex to ensure only one instance of itself is running in memory:

  unikorn-v<random 3 digits>-<random characters>

It may create or modify the following registry entries, in effect installing its component as a service DLL hosted by a shared svchost.exe process:

Adds the following subkeys:
  HKLM\SYSTEM\CurrentControlSet\Services\unikorn
  HKLM\SYSTEM\CurrentControlSet\Services\unikorn\Parameters
  HKLM\SYSTEM\CurrentControlSet\Services\unikorn\Security

Adds values to subkey HKLM\SYSTEM\CurrentControlSet\Services\unikorn:
  "ImagePath" With data: "%systemroot%\system32\svchost.exe -k netsvcs"
  "Type" With data: "0x00000020" (SERVICE_WIN32_SHARE_PROCESS)
  "Start" With data: "0x00000002" (SERVICE_AUTO_START, launched at boot)
  "DisplayName" With data: "SpoolHelper Service"

Adds value to subkey HKLM\SYSTEM\CurrentControlSet\Services\unikorn\Parameters:
  "ServiceDll" With data: "<Malware File>"

Modifies value in subkey HKLM\Software\Microsoft\Windows NT\CurrentVersion\svchost:
  "netsvcs" With data: "6to4"

The netsvcs value is the REG_MULTI_SZ list of service names that "svchost.exe -k netsvcs" loads; a service must appear in that list for its ServiceDll to be loaded into the host process, so the svchost group key is worth examining alongside the Services entries when looking for this component.

Payload

Connects to Web site

Trojan:Win32/Unihorn.A attempts to connect to a predefined Web site using TCP port 443. In the wild, this trojan has been observed to attempt to connect to the following URLs:

  update1337.com
  image-palace.com
  intelupdate.mn
  updatesrvx.net
  92.241.190.121
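The registry changes above are a standard svchost-hosted service-DLL persistence, and the same keys are where a responder looks for it. The following Python script is an added example, not code from the page or from the analyst: it parses a .reg export and flags svchost-hosted services whose ServiceDll sits outside %SystemRoot%\System32, whose service, DisplayName or DLL name matches the indicators above, or that are missing from their svchost group list, and it matches mutex names against the pattern the write-up gives. The embedded sample export is constructed for the example (a benign Dnscache service beside a unikorn service); it assumes the malware dropped its DLL under C:\ProgramData and appended its own name to the netsvcs list, neither of which the page states.

```python
import re
# Constructed sample .reg export (NOT from the page): a benign svchost-hosted
# service next to a "unikorn" service laid out as the write-up describes.
# Assumed, not from the page: DLL under C:\ProgramData, "unikorn" in netsvcs.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache]
"ImagePath"="%SystemRoot%\\system32\\svchost.exe -k NetworkService"
"Type"=dword:00000020
"Start"=dword:00000002
"DisplayName"="DNS Client"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters]
"ServiceDll"="%SystemRoot%\\System32\\dnsrslvr.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\unikorn]
"ImagePath"="%systemroot%\\system32\\svchost.exe -k netsvcs"
"Type"=dword:00000020
"Start"=dword:00000002
"DisplayName"="SpoolHelper Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\unikorn\Parameters]
"ServiceDll"="C:\\ProgramData\\netsphlpr.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]
"NetworkService"=hex(7):44,00,6e,00,73,00,63,00,61,00,63,00,68,00,65,00,00,00,00,00
"netsvcs"=hex(7):36,00,74,00,6f,00,34,00,00,00,75,00,6e,00,69,00,6b,00,6f,00,\
  72,00,6e,00,00,00,00,00
'''

SERVICES_ROOT = r'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services'
SVCHOST_KEY = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
SVCHOST_RE = re.compile(r'svchost\.exe\s+-k\s+(\S+)', re.I)
# File names from the write-up; smss.exe/cryptbase.dll are also legitimate names, so location matters.
IOC_FILES = {'netsphlpr.dll', 'netprint.exe', 'smss.exe', 'csrns.exe', 'cryptbase.dll'}


def decode_value(raw):
    """Decode one .reg value: "string", dword:, or hex(N): byte lists."""
    if raw.startswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.startswith('dword:'):
        return int(raw[6:], 16)
    m = re.match(r'hex(?:\((\d+)\))?:(.*)', raw)
    if not m:
        return raw
    data = bytes(int(b, 16) for b in m.group(2).split(',') if b)
    if m.group(1) == '7':  # REG_MULTI_SZ: UTF-16LE strings, NUL separated
        return [s for s in data.decode('utf-16-le').split('\0') if s]
    if m.group(1) == '2':  # REG_EXPAND_SZ: UTF-16LE string
        return data.decode('utf-16-le').rstrip('\0')
    return data            # REG_BINARY and anything else


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: value}}."""
    keys, cur, lines, i = {}, None, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if line.startswith('[') and line.endswith(']'):
            cur = line[1:-1]
            keys[cur] = {}
        elif cur is not None and line.startswith('"'):
            while line.endswith('\\'):  # hex data continued on the next line
                line = line[:-1] + lines[i].strip()
                i += 1
            name, _, raw = line.partition('=')
            keys[cur][name.strip('"')] = decode_value(raw)
    return keys


def normalize_path(p):
    return re.sub(r'%(systemroot|windir)%', lambda _: 'C:\\Windows', p, flags=re.I).lower()


def audit(keys):
    """Return (service, reason) findings for suspicious svchost-hosted services."""
    findings = []
    groups = {g.lower(): [n.lower() for n in names]
              for g, names in keys.get(SVCHOST_KEY, {}).items()}
    for key, values in keys.items():
        svc = key[len(SERVICES_ROOT) + 1:]
        if not key.lower().startswith(SERVICES_ROOT.lower() + '\\') or '\\' in svc:
            continue  # not a top-level service key
        m = SVCHOST_RE.search(str(values.get('ImagePath', '')))
        if not m:
            continue
        group = m.group(1).lower()
        dll = keys.get(key + '\\Parameters', {}).get('ServiceDll', '')
        dll = dll if isinstance(dll, str) else ''
        if not normalize_path(dll).startswith('c:\\windows\\system32\\'):
            findings.append((svc, 'ServiceDll outside System32: ' + dll))
        if dll.rsplit('\\', 1)[-1].lower() in IOC_FILES:
            findings.append((svc, 'ServiceDll name matches a Unihorn IOC'))
        if svc.lower() not in groups.get(group, []):
            findings.append((svc, 'not listed in svchost group ' + group))
        if svc.lower() == 'unikorn' or values.get('DisplayName') == 'SpoolHelper Service':
            findings.append((svc, 'service name/DisplayName matches a Unihorn IOC'))
    return findings


def is_unihorn_mutex(name):
    """Match the mutex pattern from the write-up: unikorn-v<3 digits>-<chars>."""
    return bool(re.match(r'^unikorn-v\d{3}-.+$', name))


if __name__ == '__main__':
    for svc, reason in audit(parse_reg(SAMPLE_REG)):
        print(svc, '->', reason)
```

Run against the sample, only the unikorn service is reported (DLL outside System32, DLL name in the indicator list, service name match); Dnscache passes every check. On a real export produced by `reg export`, the file is typically UTF-16 with a BOM, so open it with `encoding='utf-16'`, and ServiceDll usually arrives as a `hex(2):` REG_EXPAND_SZ, which the decoder handles. The group-membership check is the one that catches a loader that registers a service under one name but tampers with a different group entry, which is why the svchost key is parsed alongside the Services tree.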

Analysis by Wei Li

Last update 29 June 2010
