PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

Infection Channel: Downloaded from the Internet

UNRUY is a group of Trojans that are usually downloaded from the Internet, particularly from websites that host malicious Java applets. It modifies an affected system's registry to enable browser extensions.

When installed onto affected systems, variants of the UNRUY malware family connect to several URLs that display intrusive and unwanted pop-up advertisements.

Apart from serving ads, this malware family also connects to URLs to download files, some of which are variants of FAKEAV. UNRUY also steals Windows product ID and system information.

  TECHNICAL DETAILS

Memory Resident: Yes
Payload: Downloads files, Steals information

Installation

This Trojan drops the following files:

  • %Windows%\Tasks\At1.job
  • %Windows%\Tasks\At2.job
  • %Windows%\Tasks\At3.job
  • %Windows%\Tasks\At4.job
  • %Windows%\Tasks\At5.job
  • %Windows%\Tasks\At6.job
  • %Windows%\Tasks\At7.job
  • %Windows%\Tasks\At8.job
  • %Windows%\Tasks\At9.job
  • %Windows%\Tasks\At10.job
  • %Windows%\Tasks\At11.job
  • %Windows%\Tasks\At12.job
  • %Windows%\Tasks\At13.job
  • %Windows%\Tasks\At14.job
  • %Windows%\Tasks\At15.job
  • %Windows%\Tasks\At16.job
  • %Windows%\Tasks\At17.job
  • %Windows%\Tasks\At18.job
  • %Windows%\Tasks\At19.job
  • %Windows%\Tasks\At20.job
  • %Windows%\Tasks\At21.job
  • %Windows%\Tasks\At22.job
  • %Windows%\Tasks\At23.job
  • %Windows%\Tasks\At24.job

(Note: %Windows% is the Windows folder, which is usually C:\Windows.)

It drops the following copies of itself into the affected system:

  • {malware path}\alcmtr.exe
  • {malware path}\rthdcpl.exe
  • %Program Files%\Adobe\acrotray.exe
  • %Program Files%\Internet Explorer\js.mui
  • %Program Files%\Internet Explorer\wmpscfgs.exe
  • %User Temp%\wmpscfgs.exe

(Note: %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000, Server 2003, and XP (32-bit), Vista (32-bit), and 7 (32-bit), or C:\Program Files (x86) in Windows XP (64-bit), Vista (64-bit), and 7 (64-bit). %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)

Other System Modifications

This Trojan adds the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\
Windows NT\CurrentVersion\Winlogon
ParseAutoexec = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Internet Explorer\Main
Enable Browser Extensions = "yes"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Schedule
AtTaskMaxHours = "48"
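The following read-only host check is an added example, not part of this entry: it looks for the dropped task files, the fixed-location copies and the three registry values listed above, expanding the %Windows%, %Program Files% and %User Temp% placeholders with the corresponding environment variables (an assumption; {malware path} is unknown and is not checked). ParseAutoexec = 1 is also the Windows default, so registry hits on their own are weak evidence and mainly corroborate the file findings; the At1.job to At24.job set is the strongest indicator here.

```powershell
# Added example (not from the threat entry): report UNRUY artifacts present on this host.
# Read-only: nothing is deleted or modified. Run from an elevated PowerShell session
# so that HKLM and %Program Files% are readable.

$findings = @()

# 1. Scheduled-task stubs At1.job ... At24.job in the Windows Tasks folder.
$tasksDir = Join-Path $env:windir 'Tasks'
foreach ($n in 1..24) {
    $job = Join-Path $tasksDir ("At{0}.job" -f $n)
    if (Test-Path -LiteralPath $job) { $findings += "Task file present: $job" }
}

# 2. Dropped copies at fixed locations. On 64-bit Windows the entry's %Program Files%
#    maps to the (x86) folder, so both Program Files directories are checked.
$pfDirs = @($env:ProgramFiles)
if (${env:ProgramFiles(x86)}) { $pfDirs += ${env:ProgramFiles(x86)} }
$relativeCopies = @('Adobe\acrotray.exe',
                    'Internet Explorer\js.mui',
                    'Internet Explorer\wmpscfgs.exe')
$copies = @()
foreach ($dir in $pfDirs) {
    foreach ($rel in $relativeCopies) { $copies += (Join-Path $dir $rel) }
}
$copies += (Join-Path $env:TEMP 'wmpscfgs.exe')   # %User Temp%
foreach ($p in $copies) {
    if (Test-Path -LiteralPath $p) { $findings += "Dropped file present: $p" }
}

# 3. Registry values named in the entry, compared to the exact data it lists.
$regChecks = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon';
       Name = 'ParseAutoexec'; Expected = '1' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main';
       Name = 'Enable Browser Extensions'; Expected = 'yes' },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Schedule';
       Name = 'AtTaskMaxHours'; Expected = '48' }
)
foreach ($c in $regChecks) {
    $item = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -ne $item -and ("$($item.($c.Name))" -eq $c.Expected)) {
        $findings += "Registry match: $($c.Key)\$($c.Name) = $($c.Expected)"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No UNRUY indicators from this entry were found.'
} else {
    $findings | ForEach-Object { Write-Output $_ }
}
```

A hit on any At*.job file or on one of the dropped executables is the item to escalate; treat a registry-only result as a prompt to look further rather than as confirmation, and preserve the files for analysis before any cleanup.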

Other Details

This Trojan connects to the following possibly malicious URLs:

  • www.{BLOCKED}etforme.com
  • www.{BLOCKED}talkz.com
  • www2.{BLOCKED}bfind.com