Win32/Unruy


By GoldSparrow in Trojans

In May 2012, Microsoft added two new malware families, Win32/Unruy and Win32/Dishigy, to its Malicious Software Removal Tool. Malware in the Win32/Unruy family has been active since late 2009 and became widespread in 2010. As of May 2012, this family is still active and is considered a severe threat to an infected computer system's security. ESG security researchers strongly recommend keeping your security software and Windows operating system up to date so that they are capable of detecting and removing a Win32/Unruy infection. Prevention is key with this infection, because ESG security researchers have observed that malware in the Win32/Unruy family usually displays no overt symptoms. The Win32/Unruy family is designed to remain hidden on a computer system while generating revenue for its creators through online advertisement fraud.

How the Win32/Unruy Trojan Family Attacks Your Computer System

The members of the Win32/Unruy family are Trojans that force the victim's web browser to display advertisements and, unusually, click on those advertisements themselves in order to generate pay-per-click revenue for their creators. Win32/Unruy Trojans have also been known to open a backdoor into the infected computer system, to gather data and send it to a remote host, and to download and install files hosted on an external server.

During its attack, a Win32/Unruy Trojan first installs its executable file, often in the system folder, although Win32/Unruy may also hide in your web browser's folder. ESG security researchers have noticed that executable files associated with the Win32/Unruy family often mimic legitimate, useful executables. For example, a common file name used by Win32/Unruy malware is 'acrotray .exe', which imitates the legitimate Adobe Acrobat file 'acrotray.exe' by inserting a space between the base name and the '.exe' extension; in a file listing the two names are easy to confuse, but Windows treats them as different files. ESG security analysts suspect that Win32/Unruy malware is able to enumerate executable files on the victim's computer, skipping the System and Fonts folders, and then create similarly named executables with a space inserted before the extension. As part of its installation process, a Trojan in the Win32/Unruy family also modifies the Windows Registry to make sure that the newly installed executable is launched automatically when Windows starts up.

Some variants in the Win32/Unruy family also create files with EXE or COM extensions in the Windows Fonts folder, a location where no executable belongs, in a further attempt to ensure that the file is launched automatically when Windows starts up. Alongside its changes to the Windows Registry, Win32/Unruy also creates a scheduled task for each hour of the day so that the file is relaunched automatically every hour.
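The three persistence tricks described above (an executable whose name carries a space before the extension, an EXE/COM file in the Fonts folder, a Run-key value and a set of 24 hourly scheduled tasks pointing at it) are all things a responder can check for mechanically. The script below is an added example, not code from the original page or from any vendor's tool: it runs the checks over a constructed host inventory of file paths, Run-key values and scheduled tasks such as one would export from a suspect machine. The sample data, the 'placeholder.com' file name, the Run-key value data (which the page shows blank) and all helper names are constructed for illustration.

```python
"""Triage checks for the persistence tricks described above.

Added example, not code from the original page or from any vendor tool.
It works over a constructed host inventory (file paths, Run-key values and
scheduled tasks) of the kind a responder exports from a suspect machine;
the sample data and all helper names below are constructed for illustration.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# 'acrotray .exe' style: one or more spaces between base name and extension.
SPACED_EXE = re.compile(r"^(?P<base>\S.*?) +\.(?P<ext>exe|com)$", re.IGNORECASE)


def find_spaced_executables(paths):
    """Return (path, imitated_name) for names with a space before .exe/.com.
    A listing shows 'acrotray .exe' almost exactly like 'acrotray.exe'."""
    hits = []
    for p in paths:
        m = SPACED_EXE.match(PureWindowsPath(p).name)
        if m:
            hits.append((p, f"{m['base']}.{m['ext']}".lower()))
    return hits


def executables_in_fonts(paths):
    """Return EXE/COM files directly under \\Windows\\Fonts."""
    hits = []
    for p in paths:
        parts = [s.lower() for s in PureWindowsPath(p).parts]
        if (len(parts) >= 3 and parts[-3] == "windows" and parts[-2] == "fonts"
                and PureWindowsPath(p).suffix.lower() in (".exe", ".com")):
            hits.append(p)
    return hits


def run_entries_pointing_at(run_entries, suspect_paths):
    """Return (value_name, data) for Run-key values that launch a suspect file.
    run_entries: iterable of (key, value_name, data); data may be quoted."""
    suspect = {p.lower() for p in suspect_paths}
    return [(name, data) for _, name, data in run_entries
            if data.strip('"').lower() in suspect]


def hourly_task_sets(tasks):
    """Return {command: [task names]} for commands that have a scheduled task
    starting in every hour of the day (the 24-task pattern described above).
    tasks: iterable of (task_name, command, 'HH:MM' start time)."""
    by_cmd = defaultdict(list)
    for name, command, start in tasks:
        by_cmd[command.strip('"').lower()].append((name, int(start.split(":")[0])))
    return {cmd: sorted(n for n, _ in ents)
            for cmd, ents in by_cmd.items()
            if {h for _, h in ents} == set(range(24))}


def triage(files, run_entries, tasks):
    """Combine the checks into one dict a responder can act on."""
    spaced = find_spaced_executables(files)
    fonts_exe = executables_in_fonts(files)
    suspect = [p for p, _ in spaced] + fonts_exe
    return {
        "spaced_executables": spaced,
        "fonts_executables": fonts_exe,
        "run_entries": run_entries_pointing_at(run_entries, suspect),
        "hourly_tasks": hourly_task_sets(tasks),
    }


# --- constructed sample inventory (not real indicators from the page) ---
SAMPLE_FILES = [
    r"C:\Program Files\Adobe\Reader 9.0\Reader\acrotray.exe",  # legitimate
    r"C:\Program Files\Adobe\acrotray .exe",                   # look-alike
    r"C:\Program Files\Internet Explorer\iexplore.exe",
    r"C:\Windows\Fonts\arial.ttf",
    r"C:\Windows\Fonts\placeholder.com",  # stands in for the page's truncated path
    r"C:\Windows\System32\notepad.exe",
]
SAMPLE_RUN = [  # value data is assumed; the page shows it blank
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "Adobe_Reader",
     r'"C:\Program Files\Adobe\acrotray .exe"'),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "ctfmon",
     r"C:\Windows\System32\ctfmon.exe"),
]
SAMPLE_TASKS = [(f"At{h + 1}", r"C:\Windows\Fonts\placeholder.com", f"{h:02d}:00")
                for h in range(24)]
SAMPLE_TASKS.append(("Backup", r"C:\Tools\backup.exe", "02:30"))

if __name__ == "__main__":
    for check, result in triage(SAMPLE_FILES, SAMPLE_RUN, SAMPLE_TASKS).items():
        print(f"{check}: {result}")
```

On a live host the three inputs would come from a recursive directory listing, the HKLM and HKCU Run keys, and `schtasks /query /fo csv /v` (or the task XML files under \Windows\System32\Tasks); the checks themselves do not change. The spaced-name check is the most specific of the three, since a trailing space before the extension has no legitimate reason to exist.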

File System Details

Win32/Unruy may create the following file(s):
1. C:\Windows\Fonts\
2. %ProgramFiles%\Adobe\acrotray .exe
3. %ProgramFiles%\Internet Explorer\wmpscfgs.exe

Registry Details

Win32/Unruy may create the following registry entry or registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run "Adobe_Reader" = ""
