W32.Unruy.A


Aliases: N/A
Variants: N/A

Classification: Malware
Category: Computer Virus

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 02 Apr 2009
Damage: Low

Characteristics: W32.Unruy.A opens a backdoor on the compromised computer. When executed, the virus creates a mutex to ensure that only one copy of the threat runs on the compromised computer.

More details about W32.Unruy.A

Once executed, W32.Unruy.A searches the registry for entries under a specific subkey. The virus replicates into all files that have the .exe extension. After replicating into these files, the virus copies itself so that it runs every time Windows starts. The virus also terminates processes whose names contain strings such as ashmaisv, ashserv, avengine, apvxdwin, avcenter, avguard, bdmcon, firewalln, guardxkickoff, isafe, kpf4gui, counter ashdisp, drweb, fsaw, ad-watch, almon, avciman, bdagent, caissdt, cavrid, cavtray, ashwebsv, avgnt, ccapp, ccetvm, cclaw, alusched, avp, clamtray, fspex, isafe, kavpf, ccsetmgr, mcdet, kpf4ss, fsguidll, clamwin, mcupd, hsock, mcshi, dpasnt, livesrv, mcage, nod32kui, msmsgs, navapsvc, mcupdm, avesvc, mpfser, msascui, mcvss, mctsk, alsvc, mscif, msfw, ccproxy, msmps, npfmsg2, etc.

Additional strings the virus uses to select processes to terminate are mskage, mpfag, mpeng, fsm32, nod32krn, nvcoas, Pxagent, PXAgent, mcvs, nvcsched, mxtask, PXConsole, Scfmanager, spiderui, spysw, sunthreate, sunserv, symlcsvc, npfsvice, kav, njeeves, vir.exe, Scftray, spidernt, swdoct, nscsrvce, xcommsvr, vba32ldr, Savadmins, oascl, zlh, winssno, vsmon, webproxy, tsanti, Sdhe, pavfnsvr, mpft, Scfservice, zlcli, vrmo, Pxcons, zanda, wmiprv, webroot, Spbbcsvc, nip, msco, Savser, sunprotect, vrfw, msksr, vsserv, and Sndsrvc. The virus then connects to the [http://]216.94.32.105 URL. The virus may open a backdoor that allows a remote attacker to control the compromised computer and perform actions such as downloading and executing files and executing commands.
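The kill-list and connection target described above, turned into a simple host-side triage check, as an added example that is not part of the original entry. It assumes case-insensitive substring matching (the entry lists both "Pxagent" and "PXAgent"), uses only a subset of the listed strings, and runs over constructed telemetry lines rather than real logs.

```python
import re

# Subset of the kill-list strings quoted in the entry; the virus terminates any
# process whose name contains one of them (case-insensitive match is an assumption).
KILL_STRINGS = [
    "ashmaisv", "ashserv", "avengine", "apvxdwin", "avcenter", "avguard", "bdmcon",
    "firewalln", "guardxkickoff", "isafe", "kpf4gui", "drweb", "ad-watch", "avp",
    "ccapp", "clamtray", "clamwin", "mcshi", "nod32kui", "nod32krn", "navapsvc",
    "msascui", "msmps", "vsmon", "zlcli", "zlh", "webroot", "sndsrvc", "symlcsvc",
    "pavfnsvr", "savadmins", "spiderui", "spidernt", "nvcoas", "kav",
]
# Address the entry says the virus connects to.
C2_ADDRESS = "216.94.32.105"

def is_kill_target(process_name: str) -> bool:
    """True if the Unruy kill-list would match this process name."""
    name = process_name.lower()
    return any(s in name for s in KILL_STRINGS)

# Constructed sample telemetry (not real logs): "<event> <key>=<value> by=<process>".
# 192.0.2.10 is a documentation address used as a benign control.
SAMPLE_LOG = """\
ProcessTerminate target=avguard.exe by=svchost.exe
ProcessTerminate target=notepad.exe by=explorer.exe
ProcessTerminate target=CCAPP.EXE by=update.exe
NetworkConnect dst=216.94.32.105:80 by=update.exe
NetworkConnect dst=192.0.2.10:443 by=firefox.exe
"""

LINE_RE = re.compile(r"^(?P<event>\w+) (?:target|dst)=(?P<value>\S+) by=(?P<by>\S+)$")

def find_indicators(log_text: str) -> list[str]:
    """Flag terminations of security-product processes and connections to the
    quoted address; returns one human-readable finding per matching line."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        event, value, by = m["event"], m["value"], m["by"]
        if event == "ProcessTerminate" and is_kill_target(value):
            hits.append(f"security process killed: {value} by {by}")
        elif event == "NetworkConnect" and value.split(":")[0] == C2_ADDRESS:
            hits.append(f"connection to Unruy address {value} by {by}")
    return hits

if __name__ == "__main__":
    for hit in find_indicators(SAMPLE_LOG):
        print(hit)
```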