
TrojanDropper:Win32/Vundo.R


First posted on 13 July 2012.
Source: Microsoft

Aliases :

TrojanDropper:Win32/Vundo.R is also known as Trojan.Ponmocup!ks7rFUjB4o0 (VirusBuster), Win32/Ponmocup.AA trojan (ESET), AdWare.Win32.EoRezo (Ikarus).

Explanation :



TrojanDropper:Win32/Vundo.R is a variant of Win32/Vundo, a multiple-component family of programs that deliver "out of context" pop-up advertisements.

TrojanDropper:Win32/Vundo.R installs Adware:Win32/EoRezo, and may also download and execute arbitrary files.



Installation


In the wild, we have observed TrojanDropper:Win32/Vundo.R in the form of an executable program, with names that suggest it arrives from poisoned search engine results, for example:

  • <removed>_makefor_www.exe
  • <removed>_lucrari_licenta.exe


When TrojanDropper:Win32/Vundo.R is run, it drops the following two files on your computer:

<system folder>\<file name>.exe (for example, d3dim700o.exe) - detected as Adware:Win32/EoRezo

Note: <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.

%TEMP%\~unins<random numbers>.bat (for example, ~unins6342.bat)

Note: %TEMP% refers to a variable location that is determined by the malware by querying the operating system. The default location for the %TEMP% folder for Windows 9x, Me, NT, 2000, XP and 2003 is "C:\DOCUME~1\<user>\LOCALS~1\Temp". For Windows Vista and 7, the default location is "C:\Users\<user name>\AppData\Local\Temp".

The ~unins6342.bat file deletes the original trojan dropper file after it has dropped its payload.

TrojanDropper:Win32/Vundo.R also creates a scheduled job that runs malware (for example, Trojan:Win32/Vundo.gen!AV) once every seven days.



Payload

Installs adware

TrojanDropper:Win32/Vundo.R installs Adware:Win32/EoRezo as:

d3dim700o.exe

For more information on EoRezo, see the Adware:Win32/EoRezo entry elsewhere in the encyclopedia.

TrojanDropper:Win32/Vundo.R modifies the following registry entry to ensure the adware runs at each Windows start:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Sets value: "<random>" (for example, tffo)
With data: <system folder>\<file name>.exe (for example, d3dim700o.exe)

Downloads arbitrary files

TrojanDropper:Win32/Vundo.R connects to a remote server to download a DLL (dynamic link library) file into the following location:

<system folder>\<file name>.dll (for example, wmsdmodo.dll) - detected as Trojan:Win32/Vundo.gen!AV

We have observed TrojanDropper:Win32/Vundo.R contacting the following servers in the wild:

  • somethingclosely.com
  • repliedstreets.com


The DLL, detected as Trojan:Win32/Vundo.gen!AV, is used to decrypt the payload data, which was placed on your computer during the installation of TrojanDropper:Win32/Vundo.R.

It creates the following registry key to store the encrypted data that, when decrypted, is detected as Trojan:Win32/Vundo.QB:

In subkey: HKLM\Software\<random> (for example, OAVALSGS)
Sets value: "<random>" (for example, abcmhecs)
With data: <50kb binary data>
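
The two registry artifacts above (the Policies\Explorer\Run autostart value and the random key under HKLM\Software holding roughly 50 KB of encrypted payload) can be hunted for offline in a registry export. The following is an added example written for this entry, not code from Microsoft or from the original analysis: it parses a .reg export such as the output of reg export HKLM\SOFTWARE, flags any value under the Policies\Explorer\Run key, and flags a short-named key directly under HKLM\SOFTWARE that holds a single high-entropy binary value of 40 to 60 KB. The 6 to 10 letter key-name pattern, the size window and the 7.0 bits-per-byte entropy threshold are assumptions of this example rather than figures from the write-up, and the sample export it builds is constructed (its blob is pseudo-random filler, not real Vundo data).

```python
r"""Hunt for the TrojanDropper:Win32/Vundo.R registry artifacts in a .reg
export, e.g. the output of:  reg export HKLM\SOFTWARE hklm_software.reg

Added example for this encyclopedia entry, not Microsoft's code.  The rule
thresholds (random key name of 6-10 letters directly under HKLM\SOFTWARE,
40-60 KB value, entropy > 7.0 bits/byte) are assumptions derived from the
description above, not figures taken from the write-up."""
import math
import random
import re

# Persistence location named in the write-up (rarely used by legitimate software).
RUN_POLICY_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows"
                  r"\CurrentVersion\Policies\Explorer\Run")
# Key directly under HKLM\SOFTWARE with a short random alphabetic name (e.g. OAVALSGS).
RANDOM_KEY_RE = re.compile(r"^HKEY_LOCAL_MACHINE\\SOFTWARE\\([A-Za-z]{6,10})$")


def parse_reg(text):
    """Parse a 'Windows Registry Editor Version 5.00' export into
    {key_path: {value_name: (type, data)}}.  Handles "string", dword: and
    hex: values, including hex blobs wrapped with trailing backslashes."""
    keys, current = {}, None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        while line.endswith("\\") and i < len(lines):   # hex data continues on next line
            line = line[:-1] + lines[i].strip()
            i += 1
        name, _, raw = line.partition("=")
        name = "(Default)" if name == "@" else name.strip('"')
        if raw.startswith('"'):
            keys[current][name] = ("REG_SZ", raw[1:-1].replace("\\\\", "\\"))
        elif raw.startswith("dword:"):
            keys[current][name] = ("REG_DWORD", int(raw[6:], 16))
        elif raw.startswith("hex:"):
            keys[current][name] = ("REG_BINARY", bytes.fromhex(raw[4:].replace(",", "")))
        else:
            keys[current][name] = ("UNKNOWN", raw)
    return keys


def shannon_entropy(data):
    """Bits per byte; encrypted or compressed data sits close to 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def hunt(keys):
    """Apply the two Vundo.R indicators to a parsed export and return findings."""
    findings = []
    for name, (_, data) in keys.get(RUN_POLICY_KEY, {}).items():
        findings.append(("policies_explorer_run", name, data))
    for key, values in keys.items():
        if not RANDOM_KEY_RE.match(key):
            continue
        for name, (vtype, data) in values.items():
            if (vtype == "REG_BINARY" and 40_000 <= len(data) <= 60_000
                    and shannon_entropy(data) > 7.0):
                findings.append(("encrypted_payload_blob", key, name, len(data)))
    return findings


def build_sample_export():
    """Constructed .reg export reproducing the artifacts described above: the
    names and paths come from the write-up, the blob is deterministic
    pseudo-random filler standing in for the ~50 KB encrypted payload."""
    rng = random.Random(2012)
    blob = bytes(rng.getrandbits(8) for _ in range(51_200))
    hexdata = ",".join(f"{b:02x}" for b in blob)
    # regedit wraps hex data across lines with a trailing backslash; wrapping at
    # multiples of 3 characters keeps each line ending on a comma boundary.
    wrapped = "\\\n  ".join(hexdata[i:i + 75] for i in range(0, len(hexdata), 75))
    return (
        "Windows Registry Editor Version 5.00\n\n"
        f"[{RUN_POLICY_KEY}]\n"
        '"tffo"="C:\\\\Windows\\\\System32\\\\d3dim700o.exe"\n\n'
        "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.txt]\n"
        '@="txtfile"\n\n'
        "[HKEY_LOCAL_MACHINE\\SOFTWARE\\OAVALSGS]\n"
        f'"abcmhecs"=hex:{wrapped}\n'
    )


if __name__ == "__main__":
    for finding in hunt(parse_reg(build_sample_export())):
        print(finding)
```

To run it against a real machine, replace build_sample_export() with the contents of an export file. A hit on the Run policy key alone is worth investigating, since legitimate software seldom registers there; the blob rule is what separates this family's stash from ordinary configuration data, which is rarely both that large and that close to 8 bits per byte.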

Modifies system security settings

TrojanDropper:Win32/Vundo.R modifies the registry to open UPnP (Universal Plug and Play) ports in the Windows Firewall. It may do this to leave your computer more exposed to inbound connections.

It deletes all System Restore points so that you cannot revert back to a previous System Restore point.

Contacts remote host

TrojanDropper:Win32/Vundo.R contacts a remote host on TCP port 80 to send information via an encrypted cookie.

It determines the IP address of the server at runtime. The rest of the URL is then assembled at random from a preset list of strings contained in TrojanDropper:Win32/Vundo.R, for example "hxxp://161.77.184.233/App/newsline/yisheng.php".

Additional information

In order to make analysis more difficult, the malware checks for the presence of particular virtual machine software and automated analysis systems and does not run its payload if it finds them.

It checks that the currently logged-on user name of your computer is not one of the following:

  • currentuser
  • sandbox
  • honey
  • vmware
  • nepenthes
  • snort
  • andy
  • roo


It checks your computer's registry for "Product ID" values for the following automated analysis systems:

  • Joe Sandbox
  • GFI SandBox/CWSandbox
  • Anubis


It checks that your computer's registry doesn't contain the following entries. These entries could indicate that your computer is currently running or has run virtual machine software:

  • HKLM\Software\Microsoft\Hyper-V
  • HKLM\Software\Microsoft\VirtualMachine


It checks that none of the following processes or services, which belong to virtual machine software, sandboxes and analysis tools, is running on your computer:

  • atcp2log
  • autoruns
  • awpta
  • Capsa
  • EHSniffer
  • EtherD
  • filemon
  • geturl
  • HTTP Sniffer
  • HttpAnalyzer
  • HTTPDebugger
  • HTTPSniffer
  • HttpWatch
  • IEWebDeveloper
  • InjectWinSock
  • iptools
  • joeboxcontrol
  • joeboxserver
  • netmon
  • NETRES~1
  • NetResident
  • Network Protocol Analyzer
  • NetworkSniffer
  • procexp
  • procmon
  • regmon
  • smsniff
  • sniff_hit
  • SniffOM
  • sysAnalyzer
  • VBoxService
  • vboxtray
  • VisualSniffer
  • vmount2
  • vmsrvc
  • vmusrvc
  • vmware
  • wireshark
  • xenservice
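
Taken together, the user names, registry keys and process names above form a checklist that an analysis environment must fail to match, or the sample will not detonate. The following added example (written for this entry; it is neither Microsoft's code nor part of the malware) audits a guest against those lists: it takes the logged-on user name, the registry keys present under HKLM\Software\Microsoft and the image names from tasklist /FO CSV, and reports which checks would fire. The tasklist output it uses is constructed, and the "Product ID" comparison is left out because the write-up does not give the values the sample compares against.

```python
r"""Audit an analysis VM against the environment checks Vundo.R performs
before running its payload (user name, VM registry keys, analysis-tool
processes).  Added example for this encyclopedia entry, not Microsoft's code
and not the malware's own logic.  Inputs are artifacts an analyst collects
inside the guest: the user name, the subkeys present under
HKLM\Software\Microsoft, and the output of `tasklist /FO CSV`."""
import csv
import io

# Lists transcribed from the write-up above.
SUSPECT_USERNAMES = {"currentuser", "sandbox", "honey", "vmware",
                     "nepenthes", "snort", "andy", "roo"}
VM_REGISTRY_KEYS = {r"hklm\software\microsoft\hyper-v",
                    r"hklm\software\microsoft\virtualmachine"}
SUSPECT_PROCESSES = {
    "atcp2log", "autoruns", "awpta", "Capsa", "EHSniffer", "EtherD", "filemon",
    "geturl", "HTTP Sniffer", "HttpAnalyzer", "HTTPDebugger", "HTTPSniffer",
    "HttpWatch", "IEWebDeveloper", "InjectWinSock", "iptools", "joeboxcontrol",
    "joeboxserver", "netmon", "NETRES~1", "NetResident", "Network Protocol Analyzer",
    "NetworkSniffer", "procexp", "procmon", "regmon", "smsniff", "sniff_hit",
    "SniffOM", "sysAnalyzer", "VBoxService", "vboxtray", "VisualSniffer", "vmount2",
    "vmsrvc", "vmusrvc", "vmware", "wireshark", "xenservice",
}


def normalize_process(name):
    """Case-fold and drop a trailing .exe so 'VBoxService.exe' matches 'VBoxService'."""
    name = name.strip().lower()
    return name[:-4] if name.endswith(".exe") else name


_SUSPECT_NORMALIZED = {normalize_process(p) for p in SUSPECT_PROCESSES}


def processes_from_tasklist_csv(text):
    """Extract image names from `tasklist /FO CSV` output, skipping the header row."""
    rows = csv.reader(io.StringIO(text))
    next(rows, None)
    return [row[0] for row in rows if row]


def audit(username, registry_keys, process_names):
    """Return (check, indicator) pairs that would make Vundo.R withhold its payload."""
    hits = []
    if username.lower() in SUSPECT_USERNAMES:
        hits.append(("username", username))
    for key in registry_keys:
        # accept both the HKLM and HKEY_LOCAL_MACHINE spellings, case-insensitively
        if key.lower().replace("hkey_local_machine", "hklm") in VM_REGISTRY_KEYS:
            hits.append(("registry_key", key))
    for proc in process_names:
        if normalize_process(proc) in _SUSPECT_NORMALIZED:
            hits.append(("process", proc))
    return hits


def payload_would_run(username, registry_keys, process_names):
    """True when none of the modelled checks fires, i.e. the sample would detonate."""
    return not audit(username, registry_keys, process_names)


# Constructed `tasklist /FO CSV` output from a typical, unhardened VirtualBox guest.
SAMPLE_TASKLIST_CSV = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System Idle Process","0","Services","0","24 K"
"explorer.exe","1432","Console","1","31,204 K"
"VBoxService.exe","684","Services","0","4,120 K"
"Procmon.exe","2260","Console","1","58,900 K"
"Wireshark.exe","2388","Console","1","120,004 K"
"""

if __name__ == "__main__":
    procs = processes_from_tasklist_csv(SAMPLE_TASKLIST_CSV)
    for hit in audit("sandbox", [r"HKLM\Software\Microsoft\VirtualMachine"], procs):
        print(hit)
```

The hits on a default VirtualBox guest with Process Monitor and Wireshark open are exactly what an analyst has to fix before a dynamic run: rename the user account, capture traffic from the host rather than inside the guest, and rename or unload the listed tools and guest services. Note that the process list in the write-up includes names with spaces and a DOS short name (NETRES~1), so the comparison is done on the image name exactly as the sample would see it, not on a display name.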

Related encyclopedia entries

Adware:Win32/EoRezo

Trojan:Win32/Vundo.gen!AV

Trojan:Win32/Vundo.QB

Win32/Vundo



Analysis by Jaime Wong

Last update 13 July 2012
