
TrojanDropper:Win32/Vundo.L


First posted on 15 September 2011.
Source: SecurityHome

Aliases :

TrojanDropper:Win32/Vundo.L is also known as Trojan-Downloader.Win32.Wadolin (Ikarus), Infostealer.Gampass (Symantec).

Explanation :

TrojanDropper:Win32/Vundo.L is a trojan that is a member of a multi-component family of programs that deliver 'out of context' pop-up advertisements. It also drops files that are capable of downloading other malware.


Installation

TrojanDropper:Win32/Vundo.L drops a copy of itself as '<startup folder>\microsoft update.exe'.

Note: <startup folder> refers to a variable location that the malware determines at run time by querying the operating system. The default location of the Startup folder on Windows 9x, Me, NT, 2000, XP and 2003 is '%USERPROFILE%\Start Menu\Programs\Startup'. On Windows Vista and 7, the default location is '%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'. Anything placed in this folder runs automatically at every logon, which is how the dropped copy persists.



Payload

Drops files

The trojan drops '%TEMP%\mw.exe', which is detected as Trojan:Win32/Vundo.OD. It also drops '%TEMP%\<random_number>.tmp.exe', which is detected as TrojanDownloader:Win32/Wadolin.A.

Opens a message box

TrojanDropper:Win32/Vundo.L shows a misleading message box to make the user believe that the program failed to run because of a missing OCX file, so that the user dismisses the apparent error and does not suspect that the payload has already been dropped.



Changes Hosts file and its contents

The trojan makes a copy of the Windows Hosts file to '<system folder>\drivers\etc\hîsts'. Note that the second character of the file name is not the letter 'o' but the extended ASCII character 'î' (byte EEh in the Windows-1252 code page), so the copy is easily mistaken for the real Hosts file in a directory listing.

It then adds the following entries to the Hosts file, pinning the host names of the Russian social networking site VKontakte.ru to the IP address 92.38.209.252 so that requests for the site are diverted there instead of being resolved through DNS:

vkontakte.ru = 92.38.209.252
vk.com = 92.38.209.252

TrojanDropper:Win32/Vundo.L also sets the "hidden" attribute on the Hosts file, and inserts a large number of blank lines before the added entries so that the file looks unchanged when it is opened in an editor and only the familiar header and 'localhost' line are visible without scrolling.
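The following Python script is an added example written for this page, not code from the original analysis. It checks a Hosts file for the three indicators described above (a long run of blank lines used as padding, non-loopback entries for the VKontakte host names) and flags a lookalike file name such as 'hîsts' among the names found in 'drivers\etc'. The sample Hosts content and the directory listing are constructed inline so the script runs offline; on a live system you would read '<system folder>\drivers\etc\hosts' and list that directory instead. The padding threshold of 50 blank lines is an assumption chosen for the example.

```python
from typing import Dict, List, Tuple

# Constructed sample of a tampered Hosts file, modelled on the behaviour
# described above: the normal header, the localhost entry, a long run of
# blank lines, and then the redirect entries out of sight at the bottom.
SAMPLE_HOSTS = (
    "# Copyright (c) 1993-2009 Microsoft Corp.\n"
    "#\n"
    "# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.\n"
    "\n"
    "127.0.0.1       localhost\n"
    + "\n" * 200
    + "92.38.209.252   vkontakte.ru\n"
    "92.38.209.252   vk.com\n"
)

# Constructed directory listing of drivers\etc containing the lookalike copy.
SAMPLE_ETC_LISTING = ["hosts", "h\u00eests", "lmhosts.sam", "networks", "protocol", "services"]

WATCHED_HOSTS = {"vkontakte.ru", "vk.com"}
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}
PADDING_THRESHOLD = 50  # assumed: blank-line run length that counts as padding


def parse_hosts(text: str) -> List[Tuple[int, str, List[str]]]:
    """Return (line_number, address, [host names]) for every active entry.
    Comments (everything after '#') and blank lines are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        entries.append((lineno, parts[0], [h.lower() for h in parts[1:]]))
    return entries


def longest_blank_run(text: str) -> int:
    """Length of the longest run of consecutive blank lines (the padding trick)."""
    run = best = 0
    for raw in text.splitlines():
        if raw.strip() == "":
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def find_redirects(text: str, watched=WATCHED_HOSTS) -> Dict[str, str]:
    """Map each watched host name to the non-loopback address it is pinned to."""
    hits: Dict[str, str] = {}
    for _, address, hosts in parse_hosts(text):
        if address in LOOPBACK:
            continue  # 127.0.0.1 / ::1 entries are normal, not a redirect
        for host in hosts:
            if host in watched:
                hits[host] = address
    return hits


def lookalike_names(names: List[str], expected: str = "hosts") -> List[str]:
    """Flag file names that are one character away from `expected` (Hamming
    distance 1) or that contain non-ASCII characters, e.g. 'hîsts' (î = EEh)."""
    flagged = []
    for name in names:
        low = name.lower()
        non_ascii = any(ord(ch) > 0x7F for ch in low)
        near_miss = (
            len(low) == len(expected)
            and low != expected
            and sum(a != b for a, b in zip(low, expected)) == 1
        )
        if non_ascii or near_miss:
            flagged.append(name)
    return flagged


def audit_hosts(text: str) -> Dict[str, object]:
    """Summarise the indicators found in a Hosts file's contents."""
    run = longest_blank_run(text)
    return {
        "redirects": find_redirects(text),
        "longest_blank_run": run,
        "padded": run >= PADDING_THRESHOLD,
    }


if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS)
    print("Hosts audit:", report)
    print("Lookalike files in drivers\\etc:", lookalike_names(SAMPLE_ETC_LISTING))
```

On a live Windows system the "hidden" attribute is a further indicator: the real Hosts file is normally not hidden, so a hidden 'hosts' alongside a lookalike sibling in 'drivers\etc' is a strong sign of this family even before the contents are parsed.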



Analysis by Horea Coroiu

Last update 15 September 2011
