System Infected: W32.Unruy Activity

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects W32.Unruy activity.

Additional Information

When executed, the virus creates the following mutex to ensure that it is the only copy of the threat running on the compromised computer:
{FA531BC1-0497-11d3-A180-3333052276C3E}

It then searches registry entries under the following subkeys:

* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
The virus copies all .exe files referenced under the above subkeys as the following files:
%DriveLetter%\[PATH TO FILE]\[ORIGINAL FILE NAME][1 SPACE].exe

The virus then ends processes containing the following strings:

* ad-watch
* almon
* alsvc
* alusched
* apvxdwin
* ashdisp
* ashmaisv
* ashserv
* ashwebsv
* avcenter
* avciman
* avengine
* avesvc
* avgnt
* avguard
* avp
* bdagent
* bdmcon
* caissdt
* cavrid
* cavtray
* ccapp
* ccetvm
* cclaw
* ccproxy
* ccsetmgr
* clamtray
* clamwin
* counter
* dpasnt
* drweb
* firewalln
* fsaw
* fsguidll
* fsm32
* fspex
* guardxkickoff
* hsock
* isafe
* isafe
* kav
* kavpf
* kpf4gui
* kpf4ss
* livesrv
* mcage
* mcdet
* mcshi
* mctsk
* mcupd
* mcupdm
* mcvs
* mcvss
* mpeng
* mpfag
* mpfser
* mpft
* msascui
* mscif
* msco
* msfw
* mskage
* msksr
* msmps
* msmsgs
* mxtask
* navapsvc
* nip
* nipsvc
* njeeves
* nod32krn
* nod32kui
* npfmsg2
* npfsvice
* nscsrvce
* nvcoas
* nvcsched
* oascl
* pavfnsvr
* PXAgent
* pxagent
* pxcons
* PXConsole
* savadmins
* savser
* scfmanager
* scfservice
* scftray
* sdhe
* sndsrvc
* spbbcsvc
* spidernt
* spiderui
* spysw
* sunprotect
* sunserv
* sunthreate
* swdoct
* symlcsvc
* tsanti
* vba32ldr
* vir.exe
* vrfw
* vrmo
* vsmon
* vsserv
* webproxy
* webroot
* winssno
* wmiprv
* xcommsvr
* zanda
* zlcli
* zlh

For all of the above files, the virus copies itself as the following file so that it runs every time Windows starts:
%DriveLetter%\[PATH TO FILE]\[ORIGINAL FILE NAME].exe
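As an added defender-side check that is not part of the Symantec write-up, the following Python script walks the Run entries of the two subkeys named above and, for each referenced executable, tests for a sibling named `[ORIGINAL FILE NAME][1 SPACE].exe` (the name the virus gives the displaced original). The registry values, file set and function names are constructed for illustration, and the check assumes "original file name" means the name without its extension.

```python
import ntpath
import os

def extract_exe_path(command):
    """Pull the executable path out of a Run value, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 1 else None
    parts = command.split()
    for i in range(1, len(parts) + 1):  # re-join unquoted paths that contain spaces
        candidate = " ".join(parts[:i])
        if candidate.lower().endswith(".exe"):
            return candidate
    return None

def displaced_copy_path(exe_path):
    """'C:\\dir\\app.exe' -> 'C:\\dir\\app .exe', where the virus parks the original."""
    stem, ext = ntpath.splitext(exe_path)
    return f"{stem} {ext}"

def find_displaced_run_targets(run_entries, exists=os.path.exists):
    """Return (value name, exe, displaced copy) for every Run entry with a ' .exe' sibling."""
    hits = []
    for name, command in run_entries.items():
        exe = extract_exe_path(command)
        if exe is None:
            continue
        displaced = displaced_copy_path(exe)
        if exists(displaced):
            hits.append((name, exe, displaced))
    return hits

# Constructed sample: two Run values and the files present on a hypothetical infected disk.
SAMPLE_RUN_ENTRIES = {
    "HKCU\\Updater": r'"C:\Program Files\Foo\foo.exe" /silent',
    "HKLM\\Cleaner": r"C:\Tools\clean.exe -q",
}
SAMPLE_FILES = {
    r"C:\Program Files\Foo\foo.exe",   # now occupied by the virus body
    r"C:\Program Files\Foo\foo .exe",  # the displaced original
    r"C:\Tools\clean.exe",             # untouched entry
}

def demo():
    """Run the check against the constructed sample instead of the live disk."""
    return find_displaced_run_targets(SAMPLE_RUN_ENTRIES, exists=SAMPLE_FILES.__contains__)

if __name__ == "__main__":
    print(demo())
```

On a live Windows host, feed `find_displaced_run_targets` a dict built from the HKCU and HKLM Run values (for example via the standard `winreg` module) and leave the default `exists`; a hit identifies both the file to quarantine and the original to restore in step 4 of the response below.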
The virus then connects to the following URL:
[http://]216.94.32.105

It may then open a back door to allow a remote attacker to perform the following actions on the compromised computer:

* Perform commands
* Download and execute files

Affected

  • Windows XP, Windows NT, Windows Server 2003, Windows 2000

Response

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Run a full system scan.
4. Rename executable files renamed by the virus.