Trojan:Win32/Vundo.JD.dll
First posted on 11 May 2009.
Source: SecurityHome
Aliases:
Trojan:Win32/Vundo.JD.dll is also known as Win32/Vundo.BJF (CA), Trojan-Spy.Win32.Agent.fcr (Kaspersky), Trojan.Vundo (Symantec), Vundo.gen.o (McAfee).
Explanation:
Trojan:Win32/Vundo.JD.dll is a component of the greater Win32/Vundo family of trojans. Win32/Vundo is a multiple-component family of programs that deliver 'out of context' pop-up advertisements. They may also download and execute arbitrary files. Win32/Vundo is often distributed as a DLL file and installed on a computer as a Browser Helper Object (BHO) without a user's consent. The Vundo family uses advanced defensive and stealth techniques to escape detection and to hinder removal. This particular component is used to download and execute arbitrary files.
Symptoms
There are no obvious symptoms that indicate the presence of this malware on an affected machine.
Installation
Trojan:Win32/Vundo.JD.dll is installed on an affected machine as a Browser Helper Object (BHO) without the user's consent. It may be dropped in the Windows system folder with a random file name, as in the following examples:
<system folder>\dhfigfmu.dll
<system folder>\adludfba.dll
<system folder>\tqolgge.dll
It registers itself as a BHO with a randomly generated CLSID, for example:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{493915C6-E232-464B-8F94-1F3E028970D5}
HKLM\Software\Classes\CLSID\{493915C6-E232-464B-8F94-1F3E028970D5}\InprocServer32
Trojan:Win32/Vundo.JD.dll makes further modifications to the registry to ensure that it is loaded. It modifies the following entry so that the DLL is loaded by every Microsoft Windows-based application running in the current logon session:
Adds value: AppInit_DLLs
With data: "<system folder>\<Vundo.JD.dll filename>"
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
It modifies the following entry to load the DLL at each Windows start:
Adds value: <random symbols>
With data: "rundll32 "Path\<Vundo.JD.dll filename>.dll", a"
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
The malware's DLL may also be injected into %ProgramFiles%\internet explorer\iexplore.exe.
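The three persistence locations described above (BHO CLSID registration, AppInit_DLLs, and the Run key) can be audited from an elevated PowerShell prompt. The script below is an added example, not part of the original analysis; the 7-8 lowercase-letter file-name pattern is an assumption drawn from the sample names listed here, so any hit is a lead for review rather than a confirmed detection.

```powershell
# Added example: audit the persistence points named in the write-up. Run as Administrator.
$sys = [Environment]::SystemDirectory
$findings = @()
# Assumption: random names seen on this page are 7-8 lowercase letters plus ".dll".
$randomDll = '^[a-z]{7,8}\.dll$'

# 1. Browser Helper Objects: each CLSID here is loaded into Internet Explorer;
#    resolve it to the DLL path recorded under InprocServer32.
$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path $bhoKey) {
    foreach ($clsid in (Get-ChildItem $bhoKey).PSChildName) {
        $srv = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
        $dll = (Get-ItemProperty -Path $srv -ErrorAction SilentlyContinue).'(default)'
        if (-not $dll) { continue }
        $name = [IO.Path]::GetFileName($dll)
        if ($dll -like "$sys\*" -and $name -match $randomDll) {
            $findings += [pscustomobject]@{ Location = 'BHO'; Key = $clsid; Value = $dll }
        }
    }
}

# 2. AppInit_DLLs: any DLL listed here is loaded into every process that loads user32.dll,
#    so a non-empty value is worth reviewing regardless of name.
$winKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$appInit = (Get-ItemProperty -Path $winKey -ErrorAction SilentlyContinue).AppInit_DLLs
if ($appInit) {
    $findings += [pscustomobject]@{ Location = 'AppInit_DLLs'; Key = $winKey; Value = $appInit }
}

# 3. Run key: the described loader is 'rundll32 "<path>.dll", a' under a random value name.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$psMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
foreach ($p in $run.PSObject.Properties) {
    if ($psMeta -contains $p.Name) { continue }   # skip provider metadata, not real values
    if ("$($p.Value)" -match '(?i)rundll32.*\.dll"?\s*,\s*a\s*$') {
        $findings += [pscustomobject]@{ Location = 'Run'; Key = $p.Name; Value = $p.Value }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No matching persistence entries found.' }
```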
Payload
Downloads and Executes Arbitrary Files
Trojan:Win32/Vundo.JD.dll may attempt to connect to the following IP addresses in order to download and execute arbitrary files (possibly including additional malware):
85.12.43.86
85.12.43.75
82.98.235.223
85.17.166.170
Additional Information
Trojan:Win32/Vundo.JD.dll may create a mutex to ensure that only one instance of the malware runs at any time. In the wild, we have observed mutexes with the following names being used:
F7EA7058-FF87-4b08-A6D8-B0F0C2A4E185
47C0D494-C0B5-4ed7-8EB6-B8EDADF2301C
lockable_mutex70AAC06A-E8B6
Trojan:Win32/Vundo.JD.dll creates the following registry entries for its own use:
HKLM\Software\Microsoft\fias4013
HKLM\Software\Microsoft\dfa
Please see our Win32/Vundo family analysis elsewhere in this encyclopedia for additional information on this family.
Analysis by Vitaly Zaytsev
Last update 11 May 2009