TrojanDownloader:Win32/Unruy.H is a trojan that copies itself to the local drive in place of a program launched at startup, so that it runs at each Windows start, and may send collected machine-specific information to a remote server. The trojan may also download and run arbitrary files.
Installation
TrojanDownloader:Win32/Unruy.H creates the following mutex when run:
{FA531BC1-0497-11d3-A180-3333052276C3E}
If the mutex already exists, the trojan exits, so that only one instance of the malware runs at a time. To persist, the trojan then reads the paths and file names of the programs launched from the following registry subkeys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
From the executables referenced by those entries, the trojan targets .EXE files that are not located in the following folders:
<system folder>
<system folder>\fonts
For each target found, the trojan first makes a backup copy of the legitimate file under the same name with a space inserted before the extension, as in the following example:
"<original file name>.exe" => "<original file name> .exe"
The trojan then copies itself over the targeted file name, so that it is launched in place of the legitimate program at each Windows start. If it cannot delete the original file, it renames the file instead by replacing the last character of the extension with an underscore; the renamed copy of the original then has the following form:
<original file name> .ex_
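The hijack described above leaves a recognizable trace: a Run-key entry whose executable sits outside the system folder, with a sibling file of the same name plus a space before the extension (or the underscored fallback). The following Python hunt script is an added example, not part of the original analysis or of any Microsoft tooling. It encodes the selection and backup rules stated on this page and runs them over constructed Run values and a constructed directory listing; the system folder path is assumed, and on a live host the inputs would come from the two Run subkeys and the file system.

```python
"""Hunt for the Run-key executable hijack attributed to Unruy.H.

Added example (not from the original write-up). Rules taken from the page:
 - candidates are the .EXE files referenced by HKLM/HKCU ...\\CurrentVersion\\Run
 - entries located in the system folder or its fonts subfolder are not targeted
 - the legitimate file is backed up as "<name> .exe" (space before the extension)
 - if the original could not be deleted it is renamed as "<name> .ex_" (format
   reproduced literally from the page)
"""
import ntpath
import re

# Assumed system folder; on a live host read it from %SystemRoot% instead.
SYSTEM_FOLDER = r"C:\Windows\System32"

# Constructed sample Run values: one clean system entry and two hijacked programs.
SAMPLE_RUN_VALUES = {
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Updater":
        r'"C:\Program Files\Vendor\updater.exe" /silent',
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Sync":
        r"C:\Users\alice\AppData\Local\Sync\sync.exe",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon":
        r"C:\Windows\System32\ctfmon.exe",
}

# Constructed directory listing: full paths of files present on the "host".
SAMPLE_FILES = {
    r"C:\Program Files\Vendor\updater.exe",
    r"C:\Program Files\Vendor\updater .exe",          # backup left by the hijack
    r"C:\Users\alice\AppData\Local\Sync\sync.exe",
    r"C:\Users\alice\AppData\Local\Sync\sync .ex_",   # fallback rename
    r"C:\Windows\System32\ctfmon.exe",
}


def executable_from_run_value(value):
    """Extract the executable path from a Run value (quoted path, or first token)."""
    value = value.strip()
    quoted = re.match(r'"([^"]+)"', value)
    if quoted:
        return quoted.group(1)
    # Unquoted paths containing spaces are ambiguous on Windows; take the first token.
    return value.split(" ", 1)[0]


def in_excluded_folder(path):
    """True if the file lives in the system folder or its fonts subfolder."""
    folder = ntpath.dirname(path).lower()
    system = SYSTEM_FOLDER.lower()
    return folder in (system, ntpath.join(system, "fonts"))


def backup_artifacts(exe_path):
    """The two file names the trojan leaves next to a hijacked executable."""
    folder, name = ntpath.split(exe_path)
    stem, ext = ntpath.splitext(name)
    spaced = ntpath.join(folder, stem + " " + ext)              # "<name> .exe"
    renamed = ntpath.join(folder, stem + " " + ext[:-1] + "_")  # "<name> .ex_"
    return spaced, renamed


def hunt(run_values, existing_files):
    """Return (run_key, executable, artifact) for every Run entry with a backup artifact."""
    existing = {p.lower() for p in existing_files}
    findings = []
    for key, value in run_values.items():
        exe = executable_from_run_value(value)
        if not exe.lower().endswith(".exe") or in_excluded_folder(exe):
            continue  # not a file the trojan would have targeted
        for artifact in backup_artifacts(exe):
            if artifact.lower() in existing:
                findings.append((key, exe, artifact))
    return findings


if __name__ == "__main__":
    for key, exe, artifact in hunt(SAMPLE_RUN_VALUES, SAMPLE_FILES):
        print(f"possible hijack: {key}\n  runs     {exe}\n  artifact {artifact}")
```

A hit means the file the Run entry launches should be hashed and compared against the " .exe" sibling; under this technique the sibling is the legitimate program and the entry's target is the trojan.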
Payload
Sends data to a remote server
TrojanDownloader:Win32/Unruy.H checks for the presence of antivirus products and security tools by searching for process names containing the following substrings:
ad-watch
almon
alsvc
alusched
apvxdwin
ashdisp
ashmaisv
ashserv
ashwebsv
avcenter
avciman
avengine
avesvc
avgnt
avguard
avp
bdagent
bdmcon
caissdt
cavrid
cavtray
ccapp
ccetvm
cclaw
ccproxy
ccsetmgr
clamtray
clamwin
counter
dpasnt
drweb
firewalln
fsaw
fsguidll
fsm32
fspex
guardxkickoff
hsock
isafe
kav
kavpf
kpf4gui
kpf4ss
livesrv
mcage
mcdet
mcshi
mctsk
mcupd
mcupdm
mcvs
mcvss
mpeng
mpfag
mpfser
mpft
msascui
mscif
msco
msfw
mskage
msksr
msmps
mxtask
navapsvc
nip
nipsvc
njeeves
nod32krn
nod32kui
npfmsg2
npfsvice
nscsrvce
nvcoas
nvcsched
oascl
pavfnsvr
pxagent
PXAgent
pxcons
PXConsole
savadmins
savser
scfmanager
scfservice
scftray
sdhe
sndsrvc
spbbcsvc
spidernt
spiderui
spysw
sunprotect
sunserv
sunthreate
swdoct
symlcsvc
tsanti
vba32ldr
vir.exe
vrfw
vrmo
vsmon
vsserv
webproxy
webroot
winssno
wmiprv
xcommsvr
zanda
zlcli
zlh
If any of the listed strings is found, the trojan may report it to the remote server, telling the attacker which security products are running on the affected computer.
The malware sends an HTTP request to a remote server IP address (such as 121.14.149.132) and receives a base64-encoded message in return. It collects and sends the following information about the affected system to the remote server:
- volume serial number of the drive containing the root folder
- product ID
- computer name
- system info including processor architecture and type, number of processors, page size
Downloads arbitrary files
The trojan may attempt to download arbitrary files from the remote server. At the time of this writing the files were unavailable, but they were intended to be saved to the %TEMP% folder and then executed.
Analysis by Gilou Tenebro