TrojanDownloader:Win32/Unruy.G
First posted on 01 June 2010.
Source: SecurityHome
Aliases :
TrojanDownloader:Win32/Unruy.G is also known as Win-Trojan/Unruy.90624 (AhnLab), Trojan.Win32.FraudPack.apul (Kaspersky), Unruy.K (Norman), Trojan.FraudPack.ACMO (VirusBuster), Trojan horse Generic17.AXFY (AVG), TR/FraudPack.apul (Avira), Trojan.Generic.3602389 (BitDefender), Win32/Unruy.T (CA), Trojan.Siggen.59885 (Dr.Web), Win32/TrojanDownloader.Unruy.BL (ESET), Trojan.Win32.FakeAV (Ikarus), Generic Downloader.ab (McAfee), Adware/XPSecurityTool (Panda), Trojan.Win32.Generic!BT (Sunbelt Software), W32.Unruy.A (Sunbelt Software), TROJ_UNRUY.AG (Trend Micro).
Explanation :
TrojanDownloader:Win32/Unruy.G is a trojan that downloads and executes arbitrary files and can display advertising.
Installation :
When executed, the trojan drops various components of itself, for example:
%system32%\app_dll.dll - detected as TrojanDownloader:Win32/Unruy.G
%temp%\f2257205 .exe - detected as TrojanDownloader:Win32/Unruy.F
(Note the space before the extension in the second file name; it is part of the name, and the stealth filter below keys on it.)

Payload :
Downloads and executes arbitrary files
The trojan attempts to contact a remote host in order to download configuration data, for example:
www2.megawebdeals.com
The configuration data can then direct the trojan to download and execute arbitrary files from a remote host.

Displays advertising
The configuration information can include a list of advertising websites, which the trojan can open in a browser window to display advertising.

Provides stealth
The trojan hooks the following Windows API to redirect to its own code:
ZwQuerySystemInformation
This enables the trojan to hide the following processes from any process listing built through that call:
Process names that begin with the following strings: wmp, mx
Process names that contain a space character, for example:
f2257205 .exe
acrotray .exe
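The practical consequence of the ZwQuerySystemInformation hook is that a process list built through that call (which is what Task Manager and most user-mode tools use) will silently omit the filtered processes. The usual counter is a cross-view check: enumerate processes by a route the hook does not touch and diff the two views. The script below is an added example, not code from the original write-up or from Microsoft; it implements the diff and the name rules described above over constructed sample data, and includes a Windows-only helper that builds the alternate view by brute-forcing PIDs with OpenProcess. The helper assumes the hook is a user-mode filter on ZwQuerySystemInformation only; if OpenProcess/NtOpenProcess were hooked as well it would not be independent.

```python
"""Cross-view process check for a ZwQuerySystemInformation hook.

Added example (not part of the original analysis). Given two process
listings, one obtained through ZwQuerySystemInformation (the view the
trojan filters) and one obtained independently, report every process
that appears only in the independent view, and annotate the ones whose
names match the filter rules described for Unruy.G: names starting with
"wmp" or "mx", or names containing a space. The sample listings are
constructed for illustration.
"""

from dataclasses import dataclass
import os
import sys

# Prefixes the hook is reported to hide (from the write-up).
HIDDEN_PREFIXES = ("wmp", "mx")


@dataclass(frozen=True)
class Proc:
    pid: int
    name: str


def matches_unruy_filter(name: str) -> bool:
    """True if the stealth rules described for Unruy.G would hide this name."""
    lower = name.lower()
    return lower.startswith(HIDDEN_PREFIXES) or " " in lower


def find_hidden(api_view, alt_view):
    """Processes present in the independent view but absent from the API view."""
    seen = {p.pid for p in api_view}
    return sorted((p for p in alt_view if p.pid not in seen), key=lambda p: p.pid)


def triage(api_view, alt_view):
    """Return (pid, name, reason) tuples for every hidden process."""
    findings = []
    for p in find_hidden(api_view, alt_view):
        reason = "absent from ZwQuerySystemInformation view"
        if matches_unruy_filter(p.name):
            reason += "; name matches Unruy.G filter rules"
        findings.append((p.pid, p.name, reason))
    return findings


def windows_pid_bruteforce_view(max_pid=65536):
    """Independent view on Windows: try to open every candidate PID.

    OpenProcess is serviced by NtOpenProcess, not NtQuerySystemInformation,
    so a hook on the latter alone cannot filter this list. Processes that
    refuse PROCESS_QUERY_LIMITED_INFORMATION are simply missing from the
    result, which can only cause missed hits, never false reports.
    """
    if sys.platform != "win32":
        raise RuntimeError("windows_pid_bruteforce_view only runs on Windows")
    import ctypes
    k32 = ctypes.windll.kernel32
    PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
    procs = []
    for pid in range(4, max_pid, 4):  # Windows PIDs are multiples of 4
        h = k32.OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, False, pid)
        if not h:
            continue
        buf = ctypes.create_unicode_buffer(1024)
        size = ctypes.c_ulong(len(buf))
        if k32.QueryFullProcessImageNameW(h, 0, buf, ctypes.byref(size)):
            procs.append(Proc(pid, os.path.basename(buf.value)))
        k32.CloseHandle(h)
    return procs


# Constructed sample data: what a hooked listing shows, and what an
# independent enumeration shows on the same (hypothetical) infected host.
SAMPLE_API_VIEW = [
    Proc(4, "System"),
    Proc(1200, "explorer.exe"),
    Proc(2100, "svchost.exe"),
]
SAMPLE_ALT_VIEW = SAMPLE_API_VIEW + [
    Proc(3300, "f2257205 .exe"),   # dropped component, space before extension
    Proc(3500, "mxsvc.exe"),       # hypothetical name hit by the "mx" prefix rule
    Proc(3700, "acrotray .exe"),   # second example from the write-up
]


if __name__ == "__main__":
    for pid, name, reason in triage(SAMPLE_API_VIEW, SAMPLE_ALT_VIEW):
        print(f"PID {pid:>6}  {name!r:20}  {reason}")
```

On a live host, feed triage() the hooked view (for example the PIDs reported by a tool that calls NtQuerySystemInformation) and windows_pid_bruteforce_view() as the independent view; any process that appears only in the second list deserves a look regardless of its name, since the name rules above are just the ones documented for this family.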
Analysis by Ray Roberts
Last update 01 June 2010