Threat Encyclopedia


Win32/TrojanDownloader.Unruy.AB

Aliases: Backdoor.Win32.Agent.mfh (Kaspersky), TrojanDownloader:Win32/Unruy.A (Microsoft), Troj/Unruy-Gen (Sophos)
Type of infiltration: Trojan
Size: 14348 B
Affected platforms: Microsoft Windows
Signature database version: 4308 (20090805)

Short description

Win32/TrojanDownloader.Unruy.AB is a trojan which tries to download other malware from the Internet. The file is run-time compressed using UPX.

Installation

The trojan modifies executables referenced by the following Registry entries (the "*" stands for any value name under the key):
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "*" = "%path%\%filename%.exe"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "*" = "%path%\%filename%.exe"
The trojan may replace these files with a copy of itself.

Because the Run entries still point at the same path, this causes the trojan to be executed on every system start.

It avoids files which contain any of the following strings in their path:
  • %system%
  • %fonts%
The original file is stored in the following location (note the space before the extension):
  • %path%\%filename% .exe
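The renaming pattern above gives a responder a cheap host-level check: a Run value whose target X.exe sits next to a file named "X .exe" (space before the extension) is a candidate hijack. The Python below is an added triage example, not ESET's code and not the trojan's. It runs offline on two constructed artifacts of the kind collected during a host review: the Run values exported from HKCU and HKLM (as hive, value name, command tuples) and a directory listing of path-to-size. The expansion of %system% and %fonts% to the System32 and Fonts directories is an assumption, used only to flag hits in directories the page says the trojan avoids, and the 14348-byte size comparison is a weak indicator taken from the sample size on this page.

```python
"""Triage check for the Run-key hijack described in the Installation section.

Added example, not ESET's code and not the trojan's.  Works offline on
constructed artifacts: exported Run values and a {path: size} listing.
"""
import ntpath

# Assumption: %system% and %fonts% expand to these directories.  The trojan
# is described as avoiding them, so hits there are reported but flagged.
AVOIDED_DIR_SUBSTRINGS = ("\\windows\\system32\\", "\\windows\\fonts\\")
SAMPLE_SIZE_BYTES = 14348  # size of the analysed sample given on the page


def parse_run_command(command):
    """Return the executable path from a Run value's command string.

    Quoted paths may contain spaces; unquoted paths end at the first
    ".exe" that is followed by a space or the end of the string.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    lower = command.lower()
    idx = lower.find(".exe")
    while idx != -1:
        stop = idx + 4
        if stop == len(command) or command[stop] == " ":
            return command[:stop]
        idx = lower.find(".exe", stop)
    return command.split(" ", 1)[0]


def displaced_original(path):
    """Name the page gives for the moved original: %path%\\%filename% .exe"""
    directory, filename = ntpath.split(path)
    stem, ext = ntpath.splitext(filename)
    return ntpath.join(directory, stem + " " + ext)


def find_hijacked_run_entries(run_values, files):
    """Report Run entries whose target has a "<name> .exe" sibling.

    run_values: iterable of (hive, value_name, command)
    files: dict of full path -> size in bytes (case-insensitive lookup)
    """
    by_path = {p.lower(): size for p, size in files.items()}
    hits = []
    for hive, value_name, command in run_values:
        target = parse_run_command(command)
        original = displaced_original(target)
        if original.lower() not in by_path:
            continue
        target_size = by_path.get(target.lower())
        hits.append({
            "hive": hive,
            "value": value_name,
            "target": target,
            "original": original,
            "target_size": target_size,
            # weak indicator: the page's sample is 14348 bytes
            "size_matches_sample": target_size == SAMPLE_SIZE_BYTES,
            # the trojan is described as skipping these directories, so a
            # hit here is less likely to be Unruy and deserves a second look
            "in_avoided_dir": any(s in target.lower() for s in AVOIDED_DIR_SUBSTRINGS),
        })
    return hits


# Constructed sample data, not taken from a real host.
SAMPLE_RUN_VALUES = [
    ("HKLM", "SunJavaUpdateSched", '"C:\\Program Files\\Java\\jre6\\bin\\jusched.exe"'),
    ("HKLM", "Adobe Reader Speed Launcher", '"C:\\Program Files\\Adobe\\Reader 9.0\\Reader\\Reader_sl.exe"'),
    ("HKCU", "ctfmon.exe", "C:\\WINDOWS\\system32\\ctfmon.exe /n"),
]
SAMPLE_FILES = {
    "C:\\Program Files\\Java\\jre6\\bin\\jusched.exe": 14348,     # trojan-sized copy
    "C:\\Program Files\\Java\\jre6\\bin\\jusched .exe": 148888,   # displaced original
    "C:\\Program Files\\Adobe\\Reader 9.0\\Reader\\Reader_sl.exe": 35696,
    "C:\\WINDOWS\\system32\\ctfmon.exe": 15360,
    "C:\\WINDOWS\\system32\\ctfmon .exe": 15360,  # constructed to exercise the avoided-dir flag
}

if __name__ == "__main__":
    for hit in find_hijacked_run_entries(SAMPLE_RUN_VALUES, SAMPLE_FILES):
        print(hit)
```

Feed it the output of `reg export` for the two Run keys plus a recursive `dir` of the referenced directories; every hit lists both the suspect target and the renamed original so the latter can be hashed and restored once the copy has been removed.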

Other information

The trojan quits immediately if it detects a running process containing one of the following strings in its name:
  • ad-watch
  • almon
  • alsvc
  • alusched
  • apvxdwin
  • ashdisp
  • ashmaisv
  • ashserv
  • ashwebsv
  • avcenter
  • avciman
  • avengine
  • avesvc
  • avgnt
  • avguard
  • avp
  • bdagent
  • bdmcon
  • caissdt
  • cavrid
  • cavtray
  • ccapp
  • ccetvm
  • cclaw
  • ccproxy
  • ccsetmgr
  • clamtray
  • clamwin
  • counter
  • dpasnt
  • drweb
  • firewalln
  • fsaw
  • fsguidll
  • fsm32
  • fspex
  • guardxkickoff
  • hsock
  • isafe
  • kav
  • kavpf
  • kpf4gui
  • kpf4ss
  • livesrv
  • mcage
  • mcdet
  • mcshi
  • mctsk
  • mcupd
  • mcupdm
  • mcvs
  • mcvss
  • mpeng
  • mpfag
  • mpfser
  • mpft
  • msascui
  • mscif
  • msco
  • msfw
  • mskage
  • msksr
  • msmps
  • mxtask
  • navapsvc
  • nip
  • nipsvc
  • njeeves
  • nod32krn
  • nod32kui
  • npfmsg2
  • npfsvice
  • nscsrvce
  • nvcoas
  • nvcsched
  • oascl
  • pavfnsvr
  • PXAgent
  • pxagent
  • pxcons
  • PXConsole
  • savadmins
  • savser
  • scfmanager
  • scfservice
  • scftray
  • sdhe
  • sndsrvc
  • spbbcsvc
  • spidernt
  • spiderui
  • spysw
  • sunprotect
  • sunserv
  • sunthreate
  • swdoct
  • symlcsvc
  • tsanti
  • vba32ldr
  • vir.exe
  • vrfw
  • vrmo
  • vsmon
  • vsserv
  • webproxy
  • webroot
  • winssno
  • wmiprv
  • xcommsvr
  • zanda
  • zlcli
  • zlh
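The list above is a substring check against process names, and some of the needles are short enough to match ordinary Windows components (wmiprv against the WMI provider host WmiPrvSE.exe, msco against the .NET runtime optimisation service mscorsvw.exe). The page does not say whether the comparison is case-sensitive, and the list carries both PXAgent and pxagent, so an analyst deciding which process names to expose to the sample in a lab should try both modes. The Python below is an added example, not ESET's code and not the trojan's; it runs the page's list against a constructed `tasklist`-style snapshot in both modes and shows where they diverge. That the check is a plain substring match on the image name is an assumption.

```python
"""Which running processes would make this sample quit?

Added example, not ESET's code and not the trojan's.  Runs the page's
process-name list against a constructed tasklist snapshot.
"""

# The process-name substrings listed on the page (duplicates removed).
ABORT_SUBSTRINGS = [
    "ad-watch", "almon", "alsvc", "alusched", "apvxdwin", "ashdisp", "ashmaisv",
    "ashserv", "ashwebsv", "avcenter", "avciman", "avengine", "avesvc", "avgnt",
    "avguard", "avp", "bdagent", "bdmcon", "caissdt", "cavrid", "cavtray", "ccapp",
    "ccetvm", "cclaw", "ccproxy", "ccsetmgr", "clamtray", "clamwin", "counter",
    "dpasnt", "drweb", "firewalln", "fsaw", "fsguidll", "fsm32", "fspex",
    "guardxkickoff", "hsock", "isafe", "kav", "kavpf", "kpf4gui", "kpf4ss",
    "livesrv", "mcage", "mcdet", "mcshi", "mctsk", "mcupd", "mcupdm", "mcvs",
    "mcvss", "mpeng", "mpfag", "mpfser", "mpft", "msascui", "mscif", "msco",
    "msfw", "mskage", "msksr", "msmps", "mxtask", "navapsvc", "nip", "nipsvc",
    "njeeves", "nod32krn", "nod32kui", "npfmsg2", "npfsvice", "nscsrvce", "nvcoas",
    "nvcsched", "oascl", "pavfnsvr", "PXAgent", "pxagent", "pxcons", "PXConsole",
    "savadmins", "savser", "scfmanager", "scfservice", "scftray", "sdhe", "sndsrvc",
    "spbbcsvc", "spidernt", "spiderui", "spysw", "sunprotect", "sunserv",
    "sunthreate", "swdoct", "symlcsvc", "tsanti", "vba32ldr", "vir.exe", "vrfw",
    "vrmo", "vsmon", "vsserv", "webproxy", "webroot", "winssno", "wmiprv",
    "xcommsvr", "zanda", "zlcli", "zlh",
]


def parse_tasklist(snapshot):
    """Return the image names from `tasklist` text output.

    The image name may contain spaces ("System Idle Process"), so tokens are
    collected until the numeric PID column is reached.
    """
    names = []
    for line in snapshot.splitlines():
        line = line.strip()
        if not line or line.startswith("Image Name") or line.startswith("="):
            continue
        name_tokens = []
        for tok in line.split():
            if tok.isdigit():
                break
            name_tokens.append(tok)
        names.append(" ".join(name_tokens))
    return names


def abort_triggers(process_names, case_sensitive=True):
    """Map each process name to the needles that match it.

    An empty dict means none of the listed names is present and the sample
    would carry on running.  Assumption: plain substring match on the name.
    """
    matches = {}
    for proc in process_names:
        hay = proc if case_sensitive else proc.lower()
        for needle in ABORT_SUBSTRINGS:
            n = needle if case_sensitive else needle.lower()
            if n in hay:
                matches.setdefault(proc, []).append(needle)
    return matches


def would_abort(process_names, case_sensitive=True):
    return bool(abort_triggers(process_names, case_sensitive))


# Constructed snapshot in tasklist's column layout; no security product is
# running, only stock Windows components.
SAMPLE_TASKLIST = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Services                   0         24 K
System                           4 Services                   0        292 K
smss.exe                       388 Services                   0        436 K
csrss.exe                      592 Services                   0      4,120 K
winlogon.exe                   616 Services                   0      3,012 K
services.exe                   660 Services                   0      3,584 K
lsass.exe                      672 Services                   0      1,336 K
svchost.exe                    844 Services                   0      4,956 K
WmiPrvSE.exe                  1204 Services                   0      5,648 K
mscorsvw.exe                  1380 Services                   0      2,904 K
explorer.exe                  1532 Console                    1     17,240 K
"""

if __name__ == "__main__":
    names = parse_tasklist(SAMPLE_TASKLIST)
    for mode in (True, False):
        print("case-sensitive" if mode else "case-insensitive", abort_triggers(names, mode))
```

On this snapshot the case-sensitive pass is tripped only by mscorsvw.exe, while the case-insensitive pass is also tripped by WmiPrvSE.exe. Either way a plain workstation with no security product installed can satisfy the check, so a sandbox run that exits at once is not by itself evidence that the sample detected the analysis environment.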
The trojan receives data and commands from a remote computer or the Internet.

It contains a list of one URL; the HTTP protocol is used.

It can execute the following operations:
  • download files from a remote computer and/or Internet
  • run executable files