
TrojanDownloader:Win32/Vundo.E


First posted on 13 February 2013.
Source: Microsoft

Aliases:

TrojanDownloader:Win32/Vundo.E is also known as Backdoor/Win32.Cidox (AhnLab), Trojan.Win32.Cidox.xue (Kaspersky), TR/Kazy.117219.55 (Avira), Gen:Variant.Kazy.117219 (BitDefender), Trojan.Mayachok.18579 (Dr.Web), Win32/Citirevo.AE trojan (ESET), Virus.Win32.Vundo (Ikarus).

Explanation:



Installation

TrojanDownloader:Win32/Vundo.E may be installed by other members of the Win32/Vundo family.

It arrives as a DLL file under varying file names.



Payload

Downloads and runs arbitrary files

When loaded, it checks whether its host process has any of the following file names:

  • browser.exe
  • chrome.exe
  • firefox.exe
  • iexplore.exe
  • nichrome.exe
  • opera.exe


If it does, TrojanDownloader:Win32/Vundo.E assumes that the user is browsing the Internet and connects to a remote server at that moment so that its traffic blends in with normal browsing. If the connection succeeds, it downloads a file to the computer. One of the servers it tries to connect to is "htglobzip.com".

It saves the downloaded file as "ru" in the Cookies folder, which is by default "%AppData%\Microsoft\Windows\Cookies".

It then renames this file to "rua" in the same folder and runs it. The file is deleted the next time the computer restarts.

Steals sensitive information

TrojanDownloader:Win32/Vundo.E logs system information, including the version of Windows running on the computer, to a file named "cf" in the Cookies folder. It also checks whether certain antivirus products are running by looking for the following processes:

  • AvastSvc.exe
  • AvastUI.exe
  • avgnsx.exe
  • avgnt.exe
  • avgrsx.exe
  • avgtray.exe
  • avguard.exe
  • avp.exe
  • avshadow.exe
  • bdagent.exe
  • cbmain.exe
  • ccsvchst.exe
  • coreServiceShell.exe
  • dwengine.exe
  • dwservice.exe
  • ecls.exe
  • egui.exe
  • ekrn.exe
  • Mcshield.exe
  • Mctray.exe
  • MsMpEng.exe
  • msseces.exe
  • uiSeAgnt.exe
  • vba32ldr.exe
  • vbaScheduler.exe


It might then send this information to a remote server, such as "htglobzip.com".
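The behaviour described in the two sections above (a browser-hosted connection to "htglobzip.com", the "ru", "rua" and "cf" files written to the Cookies folder, and an executable launched from that folder) can be turned into a simple host hunt. The following Python is an added example and is not code from Microsoft or from the original page; the event schema and the sample events are constructed and simplified (real telemetry would come from something like Sysmon), and the user profile path is assumed.

```python
"""Host-based hunt for the TrojanDownloader:Win32/Vundo.E indicators given
above, run over a constructed, simplified event log (not real telemetry and
not the Sysmon schema)."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Browser process names the DLL checks for before it phones home.
BROWSER_HOSTS = {"browser.exe", "chrome.exe", "firefox.exe",
                 "iexplore.exe", "nichrome.exe", "opera.exe"}
# Remote server named in the description.
C2_DOMAIN = "htglobzip.com"
# Files it writes to the Cookies folder: the download ("ru"), its renamed
# copy ("rua") and the information log ("cf").
DROP_NAMES = {"ru", "rua", "cf"}
# Matches "...\Microsoft\Windows\Cookies\<name>" and captures <name>.
COOKIES_FILE_RE = re.compile(r"\\microsoft\\windows\\cookies\\([^\\]+)$", re.I)


@dataclass
class Event:
    kind: str    # "net" (outbound connection), "file" (file written), "proc" (process started)
    image: str   # full path of the process that generated the event
    detail: str  # destination host for "net", written file path for "file", unused for "proc"


def process_name(image_path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return image_path.rsplit("\\", 1)[-1].lower()


def findings(events: List[Event]) -> List[Tuple[str, str, str]]:
    """Return (indicator, process, detail) triples for events that match the
    Vundo.E behaviour; everything else is ignored."""
    hits = []
    for e in events:
        name = process_name(e.image)
        host = e.detail.lower()
        if e.kind == "net" and (host == C2_DOMAIN or host.endswith("." + C2_DOMAIN)):
            # The DLL only phones home from inside a browser, so a hit from a
            # browser is the expected shape; any other process is still a hit.
            label = "c2-from-browser" if name in BROWSER_HOSTS else "c2-contact"
            hits.append((label, name, e.detail))
        elif e.kind == "file":
            m = COOKIES_FILE_RE.search(e.detail)
            if m and m.group(1).lower() in DROP_NAMES:
                hits.append(("cookie-drop", name, m.group(1)))
        elif e.kind == "proc" and COOKIES_FILE_RE.search(e.image):
            # Nothing legitimate executes from the Cookies folder; the page
            # names "rua", but any image launched from there is worth a look.
            hits.append(("exec-from-cookies", name, e.image))
    return hits


# Constructed sample events for an assumed user profile "alice".
COOKIES = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Cookies"
FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"
SAMPLE_EVENTS = [
    Event("net", FIREFOX, "htglobzip.com"),
    Event("net", FIREFOX, "www.example.com"),                    # ordinary browsing
    Event("file", FIREFOX, COOKIES + r"\ru"),
    Event("file", FIREFOX, COOKIES + r"\cf"),
    Event("file", FIREFOX, COOKIES + r"\alice@example[1].txt"),  # a real cookie file
    Event("proc", COOKIES + r"\rua", ""),
    Event("proc", r"C:\Windows\System32\notepad.exe", ""),
]

if __name__ == "__main__":
    for indicator, proc, detail in findings(SAMPLE_EVENTS):
        print(f"{indicator:18} {proc:14} {detail}")
```

Because the DLL only connects out while it is hosted in a browser, the network indicator by itself looks like ordinary browsing and should not be the only signal; the "ru", "rua" and "cf" artifacts and a process image under the Cookies folder are the more reliable host-side evidence, and the server name belongs on the DNS or proxy blocklist in any case.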



Analysis by Steven Zhou

Last update 13 February 2013
