TrojanDownloader:Win32/Unruy.D

Installation

When run, the malware drops a copy of TrojanDownloader:Win32/Unruy.D, as in one of the following examples:

• %ProgramFiles%\Adobe\acrotray.exe
• %ProgramFiles%\Adobe\acrotray .exe
• %ProgramFiles%\Internet Explorer\wmpscfgs.exe

Note that a space character may exist between before the file name and the extension ".exe". Also, a legitimate file may be present from Adobe named "acrotray.exe" (without the space character).  
TrojanDownloader:Win32/Unruy.D creates the following registry entry to ensure that its copy executes every time you start Windows, as in the following example:
 
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Adds value: "Adobe_Reader"
With data: "%ProgramFiles%\Adobe\acrotray .exe"
 
It also injects code into the "svchost.exe" process. TrojanDownloader:Win32/Unruy.D creates a unique mutex to prevent more than one copy of the malware from executing at a time, as in one of the following examples:

• Global\wmpproc1998
• Global\wmpinst1998
• Global\acrobat19888
• Global\acrobat201
• Global\acrobat198

Payload

Communicates with a remote server

TrojanDownloader:Win32/Unruy.D pings the following IP address:

• 192.185.238.31

If the IP cannot be reached, the trojan deletes itself. It downloads configuration files from the following URLs:

• www2.megawebfind.com
• www2.megawebdeals.com
• www.eurotechmods.com
• www.streetracekingz.com
• www.supernetforme.com
• www.superwebbysearch.com
• 94.75.229.139
• 94.75.229.248
• 122.141.86.12

The configuration file may have the following format:

• <URL>\banner3.php?q=%d.%d.%d.%d.%d.%s.1.%d.%d
• <URL>\dupe.php?q=%d.%d.%d.%d.%d.%s.1.%d

The configuration file may also contain commands to perform certain actions, such as the following:

• Enumerate registry data within the subkey Software\Microsoft\Windows\CurrentVersion\Run
• Schedule tasks
• Delete files
• Change the delay time for downloaded files

TrojanDownloader:Win32/Unruy.D checks if any active process names match any of the names in the following list; this information may be sent to a remote host for collection by an attacker.

• ad-watch
• almon
• alsvc
• alusched
• apvxdwin
• ashdisp
• ashmaisv
• ashserv
• ashwebsv
• avcenter
• avciman
• avengine
• avesvc
• avgnt
• avguard
• avp
• bdagent
• bdmcon
• caissdt
• cavrid
• cavtray
• ccapp
• ccetvm
• cclaw
• ccproxy
• ccsetmgr
• clamtray
• clamwin
• counter
• dpasnt
• drweb
• firewalln
• fsaw
• fsguidll
• fsm32
• fspex
• guardxkickoff
• hsock
• isafe
• kav
• kavpf
• kpf4gui
• kpf4ss
• livesrv
• mcage
• mcdet
• mcshi
• mctsk
• mcupd
• mcupdm
• mcvs
• mcvss
• mpeng
• mpfag
• mpfser
• mpft
• msascui
• mscif
• msco
• msfw
• mskage
• msksr
• msmps
• mxtask
• navapsvc
• nip
• nipsvc
• njeeves
• nod32krn
• nod32kui
• npfmsg2
• npfsvice
• nscsrvce
• nvcoas
• nvcsched
• oascl
• pavfnsvr
• pxagent
• PXAgent
• pxcons
• PXConsole
• savadmins
• savser
• scfmanager
• scfservice
• scftray
• sdhe
• sndsrvc
• spbbcsvc
• spidernt
• spiderui
• spysw
• sunprotect
• sunserv
• sunthreate
• swdoct
• symlcsvc
• tsanti
• vba32ldr
• vir.exe
• vrfw
• vrmo
• vsmon
• vsserv
• webproxy
• webroot
• winssno
• wmiprv
• xcommsvr
• zanda
• zlcli
• zlh

Downloads arbitrary files

TrojanDownloader:Win32/Unruy.D is capable of downloading files into the Windows Temporary files folder and executing them.

Analysis by Francis Allan Tan Seng & Scott Molenkamp