TrojanDownloader:Win32/Vundo.E
First posted on 13 February 2013.
Source: Microsoft
Aliases:
TrojanDownloader:Win32/Vundo.E is also known as Backdoor/Win32.Cidox (AhnLab), Trojan.Win32.Cidox.xue (Kaspersky), TR/Kazy.117219.55 (Avira), Gen:Variant.Kazy.117219 (BitDefender), Trojan.Mayachok.18579 (Dr.Web), Win32/Citirevo.AE trojan (ESET), Virus.Win32.Vundo (Ikarus).
Explanation:
Installation
TrojanDownloader:Win32/Vundo.E may be installed by other members of the Win32/Vundo family.
It arrives as a DLL file, using different file names.
Payload
Downloads and runs arbitrary files
When run, it checks to see if it's running within a process with any of these file names:
- browser.exe
- chrome.exe
- firefox.exe
- iexplore.exe
- nichrome.exe
- opera.exe
If it is, then TrojanDownloader:Win32/Vundo.E assumes that you are browsing the Internet and tries to connect to a remote server at the same time, so that its own traffic is less likely to attract suspicion. If it successfully connects, TrojanDownloader:Win32/Vundo.E downloads a file to your computer. One of the servers it tries to connect to is "htglobzip.com".
It saves the downloaded file as "ru" in the Cookies folder, which is, by default, "%AppData%\Microsoft\Windows\Cookies".
It renames this file to "rua" in the same folder, and runs it. It deletes this file the next time your computer restarts.
Steals sensitive information
TrojanDownloader:Win32/Vundo.E logs sensitive information, including which version of Windows is running on your computer, into a file named "cf" in the Cookies folder. It also checks whether certain antivirus programs are running, by looking for the following processes:
- AvastSvc.exe
- AvastUI.exe
- avgnsx.exe
- avgnt.exe
- avgrsx.exe
- avgtray.exe
- avguard.exe
- avp.exe
- avshadow.exe
- bdagent.exe
- cbmain.exe
- ccsvchst.exe
- coreServiceShell.exe
- dwengine.exe
- dwservice.exe
- ecls.exe
- egui.exe
- ekrn.exe
- Mcshield.exe
- Mctray.exe
- MsMpEng.exe
- msseces.exe
- uiSeAgnt.exe
- vba32ldr.exe
- vbaScheduler.exe
It might then send this information to a remote server, such as "htglobzip.com".
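The file names and the server name above are the concrete indicators a defender can look for. The following script is an added example for this page, not code from Microsoft's write-up: it checks a directory listing for the "ru", "rua" and "cf" artifacts inside the user's Cookies folder and scans DNS log lines for queries to "htglobzip.com". The listing, the %AppData% value and the DNS log format (`<timestamp> <client> query <name>`) are constructed for the example.

```python
"""Defender-side indicator check for the Vundo.E artifacts named above.

Added example; it is not part of the original write-up and not code from
Microsoft. It looks only for the file names and host name the write-up
lists, and every sample input below is constructed."""
from pathlib import PureWindowsPath

# Files the write-up says are written to the Cookies folder: "ru" (the
# download), "rua" (the renamed copy that is executed) and "cf" (logged
# system information).
ARTIFACT_NAMES = frozenset({"ru", "rua", "cf"})
# Remote server named in the write-up.
CONTACTED_HOSTS = frozenset({"htglobzip.com"})


def cookies_folder(appdata: str) -> PureWindowsPath:
    """Expand the default Cookies location for a given %AppData% value."""
    return PureWindowsPath(appdata) / "Microsoft" / "Windows" / "Cookies"


def flag_artifact_files(paths, appdata):
    """Return the paths from a directory listing whose file name is one of the
    dropped artifacts and whose parent is the user's Cookies folder.
    Matching is case-insensitive, as Windows file names are."""
    target = str(cookies_folder(appdata)).lower()
    hits = []
    for p in paths:
        win = PureWindowsPath(p)
        if str(win.parent).lower() == target and win.name.lower() in ARTIFACT_NAMES:
            hits.append(p)
    return hits


def flag_dns_lines(log_lines):
    """Return DNS log lines that query a host named in the write-up.
    Assumes the constructed format '<timestamp> <client> query <name>';
    a trailing dot on the queried name is tolerated."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) >= 4 and parts[2] == "query":
            name = parts[3].rstrip(".").lower()
            if name in CONTACTED_HOSTS or any(name.endswith("." + h) for h in CONTACTED_HOSTS):
                hits.append(line)
    return hits


# Constructed sample data (not captured from a real host).
SAMPLE_APPDATA = r"C:\Users\alice\AppData\Roaming"
SAMPLE_LISTING = [
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Cookies\index.dat",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Cookies\ru",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Cookies\CF",
    r"C:\Users\alice\Documents\ru",  # same name, wrong folder: not flagged
]
SAMPLE_DNS_LOG = [
    "2013-02-13T10:01:02Z 10.0.0.5 query www.example.com",
    "2013-02-13T10:01:09Z 10.0.0.5 query htglobzip.com.",
    "2013-02-13T10:01:15Z 10.0.0.7 query update.example.net",
]

if __name__ == "__main__":
    for hit in flag_artifact_files(SAMPLE_LISTING, SAMPLE_APPDATA):
        print("artifact file:", hit)
    for hit in flag_dns_lines(SAMPLE_DNS_LOG):
        print("contacted host:", hit)
```

On a live system the listing would come from enumerating the Cookies folder for each user profile rather than from `SAMPLE_LISTING`; the folder check matters because the same short names can legitimately appear elsewhere, and only their presence in the Cookies folder matches the behaviour described above.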
Analysis by Steven Zhou
Last update 13 February 2013