Win32/Unruy is a trojan that displays out-of-context advertisements and performs ad-clicking to generate revenue for its controllers. It communicates with remote hosts and may also download and execute arbitrary files as part of this payload.
Installation
When run, the malware drops a copy of Win32/Unruy, as in one of the following examples:
- %ProgramFiles%\Adobe\acrotray.exe
- %ProgramFiles%\Adobe\acrotray .exe
- %ProgramFiles%\Internet Explorer\wmpscfgs.exe
Note that a space character may be present between the file name and the extension ".exe". Also, a legitimate Adobe file named "acrotray.exe" (without the space character) may be present alongside it.
Some variants of Win32/Unruy enumerate the following subkeys in search of files with the extension ".exe", skipping files located in either the "<system folder>" or "<system folder>\Fonts" folder:
For each file that matches, the trojan renames the file using the original file name with a space appended, as in the following example:
"<original file name>.exe" to "<original file name> .exe"
The trojan is then copied under the original file name in an attempt to ensure that it is executed at each Windows start.
Other variants of Win32/Unruy create copies of the trojan, as a randomly named file with either a .COM or .EXE file extension, in the Windows Fonts directory, for example:
The trojan creates 24 scheduled tasks, one for each hour of the day, to execute the trojan once an hour on every day of the week. It modifies the registry to ensure that it runs every time you start Windows, as in the following example:
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Adds value: "Adobe_Reader"
With data: "<Win32/Unruy path and file name>"
It may inject code into the process "svchost.exe" or "iexplore.exe". Win32/Unruy creates a unique mutex to prevent more than one copy of the malware from executing at a time, as in one of the following examples:
- Global\wmpproc1998
- Global\wmpinst1998
- Global\acrobat19888
- Global\acrobat201
- Global\acrobat198
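The installation artefacts above (a renamed "name .exe" beside the trojan copy, the "Adobe_Reader" Run value, the 24 hourly tasks and the mutex names) can be checked for on a host export. The following Python triage script is an added example and not part of the original analysis; it works over constructed sample data standing in for a directory listing, a Run-key dump, a mutex list and a scheduled-task export, and the function names are assumptions.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Indicator values are taken from the description above.
UNRUY_MUTEXES = {"Global\\wmpproc1998", "Global\\wmpinst1998", "Global\\acrobat19888",
                 "Global\\acrobat201", "Global\\acrobat198"}
UNRUY_RUN_VALUE = "adobe_reader"          # compared case-insensitively
# "<stem> .exe" (space before the extension) is what the renamed original looks like.
SPACED_EXE = re.compile(r"^(?P<stem>.+?) \.exe$", re.IGNORECASE)

def find_renamed_originals(file_paths):
    """Return (renamed_original, trojan_copy) pairs: 'name .exe' beside 'name.exe' in one folder."""
    by_dir = defaultdict(dict)
    for p in file_paths:
        wp = PureWindowsPath(p)
        by_dir[str(wp.parent).lower()][wp.name.lower()] = p
    hits = []
    for names in by_dir.values():
        for name, full in names.items():
            m = SPACED_EXE.match(name)
            if m and m.group("stem") + ".exe" in names:
                hits.append((full, names[m.group("stem") + ".exe"]))
    return hits

def find_hourly_task_sets(tasks):
    """tasks: (task_name, command, trigger_hour) tuples; return commands scheduled for all 24 hours."""
    hours_by_cmd = defaultdict(set)
    for _, cmd, hour in tasks:
        hours_by_cmd[cmd.lower()].add(hour)
    return sorted(c for c, hrs in hours_by_cmd.items() if hrs == set(range(24)))

def triage(file_paths, run_values, mutexes, tasks):
    """run_values: Run-key value name -> data; mutexes: names of mutexes present on the host."""
    return {"renamed": find_renamed_originals(file_paths),
            "run_key": sorted(n for n in run_values if n.lower() == UNRUY_RUN_VALUE),
            "mutexes": sorted(set(mutexes) & UNRUY_MUTEXES),
            "hourly_tasks": find_hourly_task_sets(tasks)}

# Constructed sample data standing in for a directory listing and a scheduled-task export.
SAMPLE_FILES = [r"C:\Program Files\Adobe\acrotray.exe",
                r"C:\Program Files\Adobe\acrotray .exe",
                r"C:\Program Files\Internet Explorer\iexplore.exe"]
SAMPLE_TASKS = [("At%d" % h, r"C:\Program Files\Adobe\acrotray.exe", h) for h in range(24)]

if __name__ == "__main__":
    print(triage(SAMPLE_FILES, {"Adobe_Reader": SAMPLE_FILES[0]},
                 ["Global\\acrobat198", "Global\\unrelated"], SAMPLE_TASKS))
```

A file that matches only the "name .exe" pattern, with no sibling "name.exe", is not reported, which keeps a stray space-named file from being flagged on its own.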
Payload
Communicates with a remote server
Win32/Unruy downloads configuration files from the following hosts:
The URI may have the following format:
The configuration file may also contain commands to perform certain actions, such as the following:
Win32/Unruy checks whether any active process name matches a name in the following list; this information may be sent to a remote host for collection by an attacker.
Downloads arbitrary files
Win32/Unruy is capable of downloading files into the Windows Temporary files folder and executing them.
Analysis by Scott Molenkamp