Platform: Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)

Threat Type: Backdoor
Destructiveness: No
In the wild: Yes
Downloaded from the Internet
RUNAGRY is a backdoor with the usual backdoor capabilities, such as downloading arbitrary files and executing remote shell commands. Its main purpose, however, is advertising for profit: it installs browser helper objects (BHOs), a mechanism commonly used by adware. As a result, users may experience unwanted pop-up advertisements and URL redirections.
This backdoor executes commands from a remote malicious user, effectively compromising the affected system.
It connects to certain websites to send and receive information.
Connects to URLs/IPs, Steals information
Autostart Technique
This backdoor adds the following registry entries to enable its automatic execution at every system startup:
{Default} = "{Malware Path and File name}"
{Default} = "{Malware Path and File name}"
Other System Modifications
This backdoor adds the following registry keys:
It adds the following registry entries:
lld = "{Date of Infection}"
Backdoor Routine
This backdoor executes the following commands from a remote malicious user:
- Access sites or redirect to other sites
- Delete Browser Helper Object (BHO)
- Download and execute arbitrary files
- Extract files
- Manage files/directories
- Perform shell command
- Register Browser Helper Object (BHO)
Information Theft
This backdoor injects itself into the following web browsers to monitor searches made by the user on the following search engines:
- http://kr.altavista.com/web/results?
- http://kr.search.yahoo.com/search?
- http://kr.yahoo.com
- http://search.11st.co.kr/searchprdaction.tmall?
- http://search.daum.net/search?
- http://search.msn.co.kr/results.aspx?
- http://sp3.yousee.com
- http://www.daum.net
- http://www.google.co.kr/search?
- http://www.microsoft.com
Other Details
This backdoor connects to the following websites to send and receive information:
- http://stop.{BLOCKED}denerror.com/log{number}.php?cpid={value}
- http://stop.{BLOCKED}denerror.com/gnome.php?cpid={value}
- http://404.{BLOCKED}ebsitedatabase.com/gnome.php?cpid={value}
- http://{BLOCKED}0.com
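As an added defender-side example (not part of this Trend Micro entry), the script below scans proxy log lines for the C2 request shape listed above (`/log{number}.php?cpid=` and `/gnome.php?cpid=`) and for requests to the monitored search-engine prefixes. It assumes a simple space-separated log format and uses a placeholder host in place of the masked ({BLOCKED}) C2 domains.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request shapes taken from this entry. The C2 host names are masked ({BLOCKED}) on the
# page, so matching is done on the path/query shape rather than on a domain.
C2_PATH_RE = re.compile(r"^/(?:log\d+|gnome)\.php$")
C2_QUERY_KEY = "cpid"

# Search-engine request prefixes the backdoor watches (from the page).
MONITORED_SEARCH_PREFIXES = (
    "http://kr.altavista.com/web/results?",
    "http://kr.search.yahoo.com/search?",
    "http://search.11st.co.kr/searchprdaction.tmall?",
    "http://search.daum.net/search?",
    "http://search.msn.co.kr/results.aspx?",
    "http://www.google.co.kr/search?",
)

def classify_url(url):
    """Return 'c2-beacon', 'monitored-search' or None for one requested URL."""
    parts = urlsplit(url)
    # Both path shape and the cpid parameter must be present to count as a beacon.
    if C2_PATH_RE.match(parts.path) and C2_QUERY_KEY in parse_qs(parts.query):
        return "c2-beacon"
    if any(url.startswith(p) for p in MONITORED_SEARCH_PREFIXES):
        return "monitored-search"
    return None

def scan_proxy_log(lines):
    """Parse assumed 'timestamp client method url status' lines; return the hits."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # skip malformed lines
        _ts, client, _method, url, _status = fields[:5]
        verdict = classify_url(url)
        if verdict:
            hits.append({"client": client, "url": url, "verdict": verdict})
    return hits

# Constructed sample log (not real traffic); the C2 host is a placeholder.
SAMPLE_LOG = """\
1300000001.000 10.0.0.5 GET http://www.example.com/ 200
1300000002.000 10.0.0.5 GET http://stop.BLOCKED-C2-PLACEHOLDER.example/log3.php?cpid=1234 200
1300000003.000 10.0.0.5 GET http://search.daum.net/search?q=test 200
1300000004.000 10.0.0.9 GET http://404.BLOCKED-C2-PLACEHOLDER.example/gnome.php?cpid=77 404
1300000005.000 10.0.0.9 GET http://www.example.com/gnome.php 200
""".splitlines()

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
```

The last sample line shows the intended negative case: a `/gnome.php` path without the `cpid` parameter is not flagged.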