Threat Encyclopedia

Win32/TrojanDownloader.Unruy.CE

Aliases: Trojan-Clicker.Win32.Cycler.akmy (Kaspersky), Win32.HLLC.Asdas.16 (Dr. Web), W32/Cycler.V (Norman)
Type of infiltration: Trojan
Size: 29702 B
Affected platforms: Microsoft Windows
Signature database version: 5316 (20100727)

Short description

Win32/TrojanDownloader.Unruy.CE is a trojan which tries to download other malware from the Internet.

Installation

The trojan does not create any copies of itself.

The following Registry entries are set:
  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
    "Check_Associations" = "No"
    "IgnoreDefCheck" = "Yes"
    "DisableFirstRunCustomize" = 2
    "RunOnceComplete" = 0
    "RunOnceHasShown" = 0
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
    "Check_Associations" = "No"
    "IgnoreDefCheck" = "Yes"
    "DisableFirstRunCustomize" = 2
    "RunOnceComplete" = 0
    "RunOnceHasShown" = 0
    "Enable Browser Extensions" = "yes"

The trojan may create the following files:
  • %programfiles%\%variable%.dat
A string with variable content is used instead of %variable%.

Other information

The trojan contains a list of 3 URLs and tries to download a file from these addresses over HTTP.

The file is stored in the following location:
  • %temp%\ctv%variable%.exe
A string with variable content is used instead of %variable%.

The file is then executed.

It can send various information about the infected computer to an attacker.

The following information is collected:
  • computer name
  • operating system version
  • volume serial number