How to Prevent and Remove the Backdoor.Win32.Runagry

Bookmark and Share

 

1. What is the Backdoor.Win32.Runagry

Backdoor.Win32.Runagry.CN is a Backdoor. This is a security risk and you should remove this threat immediately. Otherwise it may cause data loss or other misbehavior including performance degradation. It is highly recommended that you run Solo antivirus to remove this Backdoor.Win32.Runagry.CN along with any other Viruses, Trojans, Worms, Adware, Spyware, Rootkits, and Malicious software.


 

2.Technical Details:

 

a. The following files were created in the system:

# Filename(s) File Size
1 c:\tshow5498.bat 211 bytes
2 %System%\CatRoot\udukm.exe
[file and pathname of the sample #1] 		122,880 bytes
3 %System%\ReinstallBackups\0000\DriverFiles\wmapsrv.exe 219,136 bytes
  • Note:
    • %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

b. Memory Modifications

  • There was a new process created in the system:

Process Name Process Filename Main Module Size
udukm.exe %System%\catroot\udukm.exe 126,976 bytes
wmapsrv.exe %System%\reinstallbackups\0000\driverfiles\wmapsrv.exe 229,376 bytes

c.  Registry Modifications

  • The following Registry Key was created:

    • HKEY_CURRENT_USER\Software\Microsoft\aa40eea

  • The newly created Registry Values are:

    • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
      • udukm = ""%System%\catroot\udukm.exe""
      • wmapsrv = ""%System%\reinstallbackups\0000\driverfiles\wmapsrv.exe""
      • urwo[1] = ""%InternetCache%\content.ie5\ctmjkpar\urwo[1].exe""

      so that udukm.exe runs every time Windows starts
      so that wmapsrv.exe runs every time Windows starts
       
    • [HKEY_CURRENT_USER\Software\Microsoft\aa40eea]
      • i01 = "8A35FF81EE8F674B68CA75A1369B98C89D1857A98B7FFC6486AFA49D7EC9CA6AB51F5989EE191816E7F248A54FA539C19A195390A69A9833ECC68C89501BB515895EB40BE34F209A92D04134AB3875AA6DD1C414DDBCA749755F2CB2A1FF0C719023AC619D95424AA51C993BDA79C294"
      • lid = "886B93C487CF665C7AB94D4500000000"
      • dlver = "D53D93C7B7D031152BD817D297A5DFAD"
      • date = "1216"
      • Rcount = 0x00000001

d. Other details

  • There were registered attempts to establish connection with the remote hosts. The connection details are:

Remote Host Port Number
69.59.137.237 80
69.59.138.148 80
74.125.227.17 80
74.125.227.18 80

  • The data identified by the following URLs was then requested from the remote web server:

    • http://pds.adncommerce.com/ld.php?of=0&cd=ad02
    • http://pds.adncommerce.com/jmoy.php?npic=ad02
    • http://pds.adncommerce.com/umoy.php?npic=ad02
    • http://pds.adncommerce.com/inmes.php
    • http://pds.adncommerce.com/urwo.exe
    • http://pds.adncommerce.com/ld.php?of=2&cd=ad02&remain=A
    • http://pds.adncommerce.com/bmoy.php
    • http://ptn.adcreativecp.com/sc.php?cpid=lficon
    • http://www.google.com/

 

3. How-to's

a. How to prevent the  Backdoor.Win32.Runagry ?

Please update the policy basic knowledge of Sax2  in time, Once  Ax3soft sax2 detects  the communication of these trojans, it will break them and  ensure your network & business security.

b. How to Remove the Backdoor.Win32.Runagry Manually?

Step 1 : Use Windows Task Manager to Remove Backdoor.Win32.Runagry Processes

udukm.exe
wmapsrv.exe


Step 2 : Use Registry Editor to Remove Backdoor.Win32.Runagry Registry Values

HKEY_CURRENT_USER\Software\Microsoft\aa40eea

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
udukm = ""%System%\catroot\udukm.exe""
wmapsrv = ""%System%\reinstallbackups\0000\driverfiles\wmapsrv.exe""
urwo[1] = ""%InternetCache%\content.ie5\ctmjkpar\urwo[1].exe""
 

Step3: Detect and Delete Other Backdoor.Win32.Runagry Files

c:\tshow5498.bat
%System%\CatRoot\udukm.exe
[file and pathname of the sample #1]
%System%\ReinstallBackups\0000\DriverFiles\wmapsrv.exe
 

c. How to Remove these trojans Instantly?

Manual removal is a difficult process and it is not recommend unless you are an expert in this field. Therefore, you best defense is to download and install a reliable anti-spyware program to scan spyware on your machine. In order to detect computer threats in the easiest and fastest way possible, we advised trying the  Malwarebytes' Anti-Malware, it is an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built in protection monitor that blocks malicious processes before they even start. visit http://www.ids-sax2.com/Malwarebytes-Anti-Malware.htm and download Malwarebytes' Anti-Malware to help you.

 

4. Appendix

For more information, please visit  http://www.ids-sax2.com/ComputerSecurityNewsletter.htm