TrojanDropper:Win32/Vundo.L
First posted on 15 September 2011.
Source: SecurityHome
Aliases:
TrojanDropper:Win32/Vundo.L is also known as Trojan-Downloader.Win32.Wadolin (Ikarus), Infostealer.Gampass (Symantec).
Explanation:
TrojanDropper:Win32/Vundo.L is a trojan that is a member of a multi-component family of programs that deliver 'out of context' pop-up advertisements. It also drops files that are capable of downloading other malware.
Installation
TrojanDropper:Win32/Vundo.L drops a copy of itself as '<startup folder>\microsoft update.exe'.
Note: <startup folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the Startup folder for Windows 9x, Me, NT, 2000, XP and 2003 is '%USERPROFILE%\Start Menu\Programs\Startup'. For Windows Vista and 7, the default location is '%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'.
Payload
Drops files
The trojan drops '%TEMP%\mw.exe', which is detected as Trojan:Win32/Vundo.OD. It also drops '%TEMP%\<random_number>.tmp.exe', which is detected as TrojanDownloader:Win32/Wadolin.A.
Opens a message box
TrojanDropper:Win32/Vundo.L shows a misleading message box to trick users into believing that it failed to run because of a missing OCX file.
Changes Hosts file and its contents
The trojan makes a copy of the Windows Hosts file to '<system folder>\drivers\etc\hîsts'. Note that the second character of the file name is the extended ASCII character 'EEh'.
It then adds the following lines to the Hosts file to divert access from the Russian social networking site "vkontakte.ru" to another IP address:
vkontakte.ru = 92.38.209.252
vk.com = 92.38.209.252
TrojanDropper:Win32/Vundo.L also sets the "hidden" attribute on the Hosts file, and inserts a large number of empty lines into the Hosts file so that it looks unchanged on casual inspection.
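The Hosts-file tampering described above (diverting named domains to a non-loopback address, padding the file with blank lines so the additions scroll out of view, and parking a look-alike copy named with a non-ASCII character next to the real file) can be checked for with a short triage script. The following is an added example for defenders, not code from the original write-up or from any vendor; the sample Hosts content, the file listing, the watched-domain list and the threshold for "suspicious padding" are all constructed here for illustration and are not taken from the malware itself.

```python
import ipaddress
import os
import stat
from typing import Dict, List, Optional, Tuple

# Constructed sample of a tampered Hosts file: a normal header, then a long run of
# blank lines to push the real changes out of view, then the diversion entries.
SAMPLE_HOSTS = (
    "# Copyright (c) 1993-2009 Microsoft Corp.\n"
    "127.0.0.1       localhost\n"
    + "\n" * 300
    + "92.38.209.252   vkontakte.ru\n"
    "92.38.209.252   vk.com\n"
)

# Constructed directory listing of %SystemRoot%\System32\drivers\etc.
SAMPLE_ETC_LISTING = ["hosts", "h\u00eests", "lmhosts.sam", "networks", "protocol", "services"]

# Domains whose Hosts-file mapping we would never expect outside loopback (assumption).
WATCHED_DOMAINS = ["vkontakte.ru", "vk.com"]


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs, ignoring comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        for host in parts[1:]:
            entries.append((parts[0], host.lower()))
    return entries


def suspicious_redirects(entries: List[Tuple[str, str]], watched: List[str]) -> List[Tuple[str, str]]:
    """Entries that map a watched domain (or a subdomain of it) to a routable address."""
    hits = []
    for ip, host in entries:
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed address field; not a valid mapping
        if addr.is_loopback or addr.is_unspecified:
            continue  # sinkholing to 127.0.0.1 / 0.0.0.0 is common and benign
        if any(host == d or host.endswith("." + d) for d in watched):
            hits.append((ip, host))
    return hits


def max_blank_run(text: str) -> int:
    """Length of the longest run of consecutive blank lines (padding indicator)."""
    longest = run = 0
    for line in text.splitlines():
        run = run + 1 if line.strip() == "" else 0
        longest = max(longest, run)
    return longest


def lookalike_names(filenames: List[str], target: str = "hosts") -> List[str]:
    """Names that imitate `target`: same length with exactly one differing character,
    or any name containing non-ASCII characters (e.g. 'h\u00eests' beside 'hosts')."""
    hits = []
    for name in filenames:
        lower = name.lower()
        if lower == target:
            continue
        non_ascii = any(ord(c) > 127 for c in name)
        one_off = len(lower) == len(target) and sum(a != b for a, b in zip(lower, target)) == 1
        if non_ascii or one_off:
            hits.append(name)
    return hits


def is_hidden(path: str) -> Optional[bool]:
    """True if the file carries the Windows 'hidden' attribute; None where unsupported."""
    st = os.stat(path)
    attrs = getattr(st, "st_file_attributes", None)
    if attrs is None:
        return None
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)


def analyze_hosts(text: str, listing: List[str], watched: List[str], pad_threshold: int = 50) -> Dict:
    """Combine the three checks into one findings record."""
    entries = parse_hosts(text)
    return {
        "redirects": suspicious_redirects(entries, watched),
        "blank_run": max_blank_run(text),
        "padded": max_blank_run(text) >= pad_threshold,  # threshold is an assumption
        "lookalikes": lookalike_names(listing),
    }


if __name__ == "__main__":
    for key, value in analyze_hosts(SAMPLE_HOSTS, SAMPLE_ETC_LISTING, WATCHED_DOMAINS).items():
        print(f"{key}: {value}")
```

On a live system, read `%SystemRoot%\System32\drivers\etc\hosts` into `analyze_hosts` and pass `os.listdir` of that directory as the listing; `is_hidden` on the Hosts path covers the attribute change, since a hidden Hosts file is itself unusual. Loopback and unspecified addresses are deliberately exempted so that ordinary ad-blocking Hosts files do not trigger the redirect check.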
Analysis by Horea Coroiu
Last update 15 September 2011