
Win32/Unruy


First posted on 09 May 2012.
Source: Microsoft

Aliases :

There are no other names known for Win32/Unruy.

Explanation :



Win32/Unruy is a trojan that displays out-of-context advertisements and performs ad-clicking in order to generate revenue for its controllers. It communicates with remote hosts and may also download and execute arbitrary files in order to perform this payload.

Installation

When run, the trojan drops a copy of itself, for example to one of the following locations:

  • %ProgramFiles%\Adobe\acrotray.exe
  • %ProgramFiles%\Adobe\acrotray .exe
  • %ProgramFiles%\Internet Explorer\wmpscfgs.exe


Note that a space character may be inserted between the file name and the ".exe" extension. A legitimate Adobe file named "acrotray.exe" (without the space) may also be present on the system.

Some variants of Win32/Unruy enumerate the values under the following subkeys looking for files with the ".exe" extension, skipping files located in either the "<system folder>" or "<system folder>\Fonts" folder:

  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run


For each file that matches, the trojan renames the file by inserting a space before the extension, as in the following example:
"<original file name>.exe" to "<original file name> .exe"

The trojan then copies itself to the original file name, so that the trojan, rather than the legitimate program, is executed at each Windows start.

Other variants of Win32/Unruy copy the trojan as a randomly named file with either a .COM or .EXE extension into the Windows Fonts directory, for example:

  • C:\Windows\Fonts\1lEU0iGc.com
  • C:\Windows\Fonts\NUBMfm15E.com


The trojan creates 24 scheduled tasks, one for each hour of the day, so that it is executed once an hour on every day of the week. It also modifies the registry so that it runs every time Windows starts, as in the following example:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Adds value: "Adobe_Reader"
With data: "<Win32/Unruy path and file name>"
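The persistence tricks above (a legitimate Run-key target renamed to "<name> .exe" and replaced by the trojan, executables dropped into the Fonts directory, a Run value named "Adobe_Reader", and 24 hourly scheduled tasks) leave artifacts that can be checked offline from a registry export, a file listing and a task export. The following is an added triage script, not part of the Microsoft analysis; the Run-key entries, file paths and task list in it are constructed sample data, and the "Adobe_Reader" value-name check is only as good as the names the page lists.

```python
"""Host-artifact triage for the Win32/Unruy persistence tricks described above.

All registry entries, file paths and scheduled tasks below are constructed
sample data, not taken from a real infection."""
import ntpath
from collections import defaultdict

# Constructed sample of Run-key values: "<key>\<value name>" -> value data.
RUN_ENTRIES = {
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Adobe_Reader":
        r"C:\Program Files\Adobe\acrotray.exe",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater":
        r"C:\Program Files\Vendor\updater.exe",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Sync":
        r"C:\Program Files\Vendor\sync.exe",
}

# Constructed sample of files present on disk.
FILE_LISTING = {
    r"C:\Program Files\Adobe\acrotray.exe",
    r"C:\Program Files\Adobe\acrotray .exe",      # renamed-aside original
    r"C:\Program Files\Vendor\updater.exe",
    r"C:\Program Files\Vendor\updater .exe",      # renamed-aside original
    r"C:\Program Files\Vendor\sync.exe",          # clean: no " .exe" sibling
    r"C:\Windows\Fonts\arial.ttf",
    r"C:\Windows\Fonts\1lEU0iGc.com",
}

# Constructed sample of scheduled tasks as (name, command, trigger hour).
TASKS = [("At%d" % (h + 1), r"C:\Windows\Fonts\1lEU0iGc.com", h) for h in range(24)]
TASKS.append(("Backup", r"C:\Program Files\Vendor\backup.exe", 2))


def _norm(path):
    # Case-insensitive comparison with backslash separators, as NTFS sees it.
    return ntpath.normcase(path)


def shadowed_run_targets(run_entries, files):
    """Run-key targets whose directory also holds '<name> .exe'.

    That sibling is the legitimate binary the trojan renamed aside before
    copying itself under the original name."""
    present = {_norm(f) for f in files}
    hits = []
    for value, target in run_entries.items():
        stem, ext = ntpath.splitext(target)
        if ext.lower() == ".exe" and _norm(stem + " " + ext) in present:
            hits.append((value, target))
    return hits


def fonts_executables(files):
    """Executable files in the Fonts directory, where only font files belong."""
    hits = []
    for f in files:
        head, name = ntpath.split(f)
        if _norm(head).endswith(r"\windows\fonts") and name.lower().endswith((".com", ".exe")):
            hits.append(f)
    return sorted(hits)


def suspicious_run_value_names(run_entries, names=("adobe_reader",)):
    """Run values whose name is one the trojan is known to use."""
    return [v for v in run_entries if ntpath.basename(v).lower() in names]


def hourly_task_commands(tasks):
    """Commands for which 24 separate tasks together cover every hour of the day."""
    hours = defaultdict(set)
    for _name, command, hour in tasks:
        hours[_norm(command)].add(hour)
    return sorted(cmd for cmd, hs in hours.items() if hs == set(range(24)))


if __name__ == "__main__":
    for value, target in shadowed_run_targets(RUN_ENTRIES, FILE_LISTING):
        print("shadowed Run target:", value, "->", target)
    for f in fonts_executables(FILE_LISTING):
        print("executable in Fonts:", f)
    for v in suspicious_run_value_names(RUN_ENTRIES):
        print("known Unruy Run value name:", v)
    for cmd in hourly_task_commands(TASKS):
        print("hourly task set:", cmd)
```

The " .exe" sibling check is the most robust of the four: it does not depend on the trojan's chosen file name, only on the rename-aside behaviour, so it also catches variants that hijack a Run entry the page does not list. On a live host the same functions can be fed from a `reg export` of both Run keys, a recursive directory listing and `schtasks /query /fo csv /v`.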

It may inject code into the process "svchost.exe" or "iexplore.exe". Win32/Unruy creates a unique mutex to prevent more than one copy of the malware from running at a time, as in one of the following examples:

  • Global\wmpproc1998
  • Global\wmpinst1998
  • Global\acrobat19888
  • Global\acrobat201
  • Global\acrobat198


Payload

Communicates with a remote server

Win32/Unruy downloads configuration files from the following hosts:

  • www2.megawebfind.com
  • www2.megawebdeals.com
  • www.eurotechmods.com
  • www.streetracekingz.com
  • www.supernetforme.com
  • www.superwebbysearch.com
  • 94.75.229.139
  • 94.75.229.248
  • 122.141.86.12


The URI may have one of the following formats:

  • <URL>\banner3.php?q=%d.%d.%d.%d.%d.%s.1.%d.%d
  • <URL>\dupe.php?q=%d.%d.%d.%d.%d.%s.1.%d
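Both the host list and the two query formats are usable as network indicators: the hosts directly, and the "q=" format as an anchored pattern that also catches the beacon on hosts not in the list. The following proxy-log sweep is an added example, not part of the Microsoft analysis. It assumes the URIs are ordinary HTTP paths (forward slashes), that each "%d" is an unsigned integer, and, since the page does not define the "%s" field, that it is any non-empty string, dots included; the log lines are constructed for the example.

```python
"""Proxy-log sweep for the Win32/Unruy configuration hosts and beacon URI formats.

The log lines are constructed for this example; the host list and the two
query formats are the ones given on the page."""
import re
from urllib.parse import parse_qs, urlsplit

# Hosts the trojan downloads its configuration from (from the page).
UNRUY_HOSTS = {
    "www2.megawebfind.com", "www2.megawebdeals.com", "www.eurotechmods.com",
    "www.streetracekingz.com", "www.supernetforme.com", "www.superwebbysearch.com",
    "94.75.229.139", "94.75.229.248", "122.141.86.12",
}

# q=%d.%d.%d.%d.%d.%s.1.%d.%d (banner3.php) and q=%d.%d.%d.%d.%d.%s.1.%d (dupe.php):
# five dotted integers, the opaque %s field (assumed: any non-empty string,
# dots allowed), a literal ".1", then two or one trailing integers.
BEACON_FORMATS = {
    "banner3.php": re.compile(r"^(?:\d+\.){5}.+\.1\.\d+\.\d+$"),
    "dupe.php": re.compile(r"^(?:\d+\.){5}.+\.1\.\d+$"),
}

# Constructed proxy log, one request per line: "<timestamp> <client> <url> <status>".
SAMPLE_LOG = """\
2012-05-09T10:00:01Z 10.0.0.5 http://www2.megawebfind.com/banner3.php?q=5.1.2600.2.3.ABCD1234.1.0.7 200
2012-05-09T10:00:04Z 10.0.0.5 http://94.75.229.139/dupe.php?q=5.1.2600.2.3.ABCD1234.1.0 200
2012-05-09T10:01:00Z 10.0.0.7 http://cdn.example.net/banner3.php?q=hello 200
2012-05-09T10:02:00Z 10.0.0.7 http://cdn.example.net/banner3.php?q=5.1.2600.2.3.ABCD1234.1.0.7 200
2012-05-09T10:03:00Z 10.0.0.9 http://www.example.com/index.html 200
"""


def classify_url(url):
    """Return (host, reasons); an empty reasons list means nothing matched."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    script = parts.path.rsplit("/", 1)[-1].lower()
    reasons = []
    if host in UNRUY_HOSTS:
        reasons.append("known Unruy host")
    pattern = BEACON_FORMATS.get(script)
    q = parse_qs(parts.query).get("q", [""])[0]
    if pattern and pattern.match(q):
        reasons.append("%s beacon format" % script)
    return host, reasons


def scan_log(text):
    """Alerts as (client, host, reasons) for every line that hits a host or a format."""
    alerts = []
    for line in text.splitlines():
        _ts, client, url, _status = line.split()
        host, reasons = classify_url(url)
        if reasons:
            alerts.append((client, host, reasons))
    return alerts


if __name__ == "__main__":
    for client, host, reasons in scan_log(SAMPLE_LOG):
        print(client, host, "; ".join(reasons))
```

The fourth sample line shows why the format pattern is worth keeping alongside the host list: it fires on the beacon shape even though the host is not one the page lists. Conversely, the listed hosts and IP addresses date from 2012 and may since have been reassigned, so a host-only hit on its own deserves a look at the query string before escalation.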


The configuration file may also contain commands to perform certain actions, such as the following:

  • Enumerate registry data within the subkey Software\Microsoft\Windows\CurrentVersion\Run
  • Schedule tasks
  • Delete files
  • Change the delay time for downloaded files


Win32/Unruy checks whether the name of any running process matches a name in the following list; this information may be sent to a remote host for collection by an attacker.

  • ad-watch
  • almon
  • alsvc
  • alusched
  • apvxdwin
  • ashdisp
  • ashmaisv
  • ashserv
  • ashwebsv
  • avcenter
  • avciman
  • avengine
  • avesvc
  • avgnt
  • avguard
  • avp
  • bdagent
  • bdmcon
  • caissdt
  • cavrid
  • cavtray
  • ccapp
  • ccetvm
  • cclaw
  • ccproxy
  • ccsetmgr
  • clamtray
  • clamwin
  • counter
  • dpasnt
  • drweb
  • firewalln
  • fsaw
  • fsguidll
  • fsm32
  • fspex
  • guardxkickoff
  • hsock
  • isafe
  • kav
  • kavpf
  • kpf4gui
  • kpf4ss
  • livesrv
  • mcage
  • mcdet
  • mcshi
  • mctsk
  • mcupd
  • mcupdm
  • mcvs
  • mcvss
  • mpeng
  • mpfag
  • mpfser
  • mpft
  • msascui
  • mscif
  • msco
  • msfw
  • mskage
  • msksr
  • msmps
  • mxtask
  • navapsvc
  • nip
  • nipsvc
  • njeeves
  • nod32krn
  • nod32kui
  • npfmsg2
  • npfsvice
  • nscsrvce
  • nvcoas
  • nvcsched
  • oascl
  • pavfnsvr
  • pxagent
  • PXAgent
  • pxcons
  • PXConsole
  • savadmins
  • savser
  • scfmanager
  • scfservice
  • scftray
  • sdhe
  • sndsrvc
  • spbbcsvc
  • spidernt
  • spiderui
  • spysw
  • sunprotect
  • sunserv
  • sunthreate
  • swdoct
  • symlcsvc
  • tsanti
  • vba32ldr
  • vir.exe
  • vrfw
  • vrmo
  • vsmon
  • vsserv
  • webproxy
  • webroot
  • winssno
  • wmiprv
  • xcommsvr
  • zanda
  • zlcli
  • zlh


Downloads arbitrary files

Win32/Unruy is capable of downloading files into the Windows Temporary files folder and executing them.



Analysis by Scott Molenkamp

Last update 09 May 2012