Trojan:Win32/Vundo.RU
First posted on 21 October 2013.
Source: Microsoft
Aliases:
There are no other names known for Trojan:Win32/Vundo.RU.
Explanation:
Threat behavior
Installation
When run, Trojan:Win32/Vundo.RU copies itself into the %APPDATA% folder as exp.exe.
It changes the following registry entry to make sure its copy runs every time Windows starts:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "~backup~"
With data: "%APPDATA%\exp.exe"
Trojan:Win32/Vundo.RU injects its entire code into all running processes (except for browser processes) so that it keeps a persistent presence on your PC.
Payload
Stops security-related processes
Trojan:Win32/Vundo.RU stops security-related programs from running if the process name is any of the following:
- avastsvc.exe
- avastui.exe
- avgnsx.exe
- avgnt.exe
- avgrsx.exe
- avgtray.exe
- avguard.exe
- avp.exe
- avshadow.exe
- bdagent.exe
- ccsvchst.exe
- cfp.exe
- coreserviceshell.exe
- dwengine.exe
- dwservice.exe
- ecls.exe
- egui.exe
- ekrn.exe
- mcshield.exe
- mctray.exe
- msmpeng.exe
- msseces.exe
- uiseagnt.exe
- vba32ldr.exe
- vbascheduler.exe
- vmacthlp.exe
- vmsrvc.exe
- vmtoolsd.exe
- vmusrvc.exe
- vpcmap.exe
Displays out-of-context ads
Trojan:Win32/Vundo.RU displays ads via your browser that are often out of context. It does this by inspecting the Internet traffic that passes through Chrome, Firefox, Internet Explorer, or Opera, if you're using any of these browsers. Once it has identified the browser, it injects code into the web pages, which displays pop-up ads.
Collects information about your PC
Trojan:Win32/Vundo.RU collects information about your PC and saves it into a file named cf in the Cookies folder. It collects the following information:
- Operating system version
- Operating system architecture (whether your PC is 32-bit or 64-bit)
- Whether your PC is running in a virtual or a physical environment
Downloads files
Trojan:Win32/Vundo.RU can download and run files, which might be other malware.
Analysis by Zarestel Ferrer
Symptoms
The following could indicate that you have this threat on your PC:
- You have this file: exp.exe
- You see this entry in your registry:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "~backup~"
With data: "%APPDATA%\exp.exe"
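The following PowerShell script is an added example written for this entry; it is not part of the Microsoft encyclopedia page. It checks a Windows host for the indicators listed under Symptoms (the dropped %APPDATA%\exp.exe copy and the "~backup~" Run value), for the cf file described under "Collects information about your PC", and reports which of the security-related processes named in the "Stops security-related processes" list are currently running, so that an unexpected absence stands out. It assumes the Cookies folder is the one returned by [Environment]::GetFolderPath('Cookies') and that the cf file has no extension; both are assumptions, not details from the page.

```powershell
# Added example, not the encyclopedia entry's own code: collect the
# Trojan:Win32/Vundo.RU indicators described on this page into a report.
# Assumptions (not from the page): the Cookies folder resolves via
# GetFolderPath('Cookies'); the 'cf' file name carries no extension.

function Get-VundoRUIndicators {
    $findings = @()

    # 1. Dropped copy of the trojan: %APPDATA%\exp.exe
    $dropPath = Join-Path $env:APPDATA 'exp.exe'
    if (Test-Path -LiteralPath $dropPath) {
        $findings += "File present: $dropPath"
    }

    # 2. Persistence: HKCU\...\Run value "~backup~" with data "%APPDATA%\exp.exe"
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $runEntry = Get-ItemProperty -Path $runKey -Name '~backup~' -ErrorAction SilentlyContinue
    if ($null -ne $runEntry) {
        $data = $runEntry.'~backup~'
        $findings += "Run value '~backup~' present with data: $data"
    }

    # 3. Collected-information file 'cf' in the Cookies folder (assumed location)
    $cookiesDir = [Environment]::GetFolderPath('Cookies')
    $cfPath = Join-Path $cookiesDir 'cf'
    if (Test-Path -LiteralPath $cfPath) {
        $findings += "Collected-info file present: $cfPath"
    }

    # 4. Security-related process names the trojan terminates (from the page list,
    #    without the .exe suffix, because Get-Process reports names without it).
    $securityProcs = @(
        'avastsvc','avastui','avgnsx','avgnt','avgrsx','avgtray','avguard','avp',
        'avshadow','bdagent','ccsvchst','cfp','coreserviceshell','dwengine',
        'dwservice','ecls','egui','ekrn','mcshield','mctray','msmpeng','msseces',
        'uiseagnt','vba32ldr','vbascheduler','vmacthlp','vmsrvc','vmtoolsd',
        'vmusrvc','vpcmap'
    )
    $running = Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $securityProcs -contains $_.ProcessName.ToLower() } |
        Select-Object -ExpandProperty ProcessName -Unique

    [PSCustomObject]@{
        Indicators              = $findings
        RunningSecurityProcs    = @($running)
        Suspicious              = ($findings.Count -gt 0)
    }
}

# Usage: print the report; a non-empty Indicators list matches the Symptoms section.
$report = Get-VundoRUIndicators
if ($report.Suspicious) {
    Write-Output 'Trojan:Win32/Vundo.RU indicators found:'
    $report.Indicators | ForEach-Object { Write-Output "  $_" }
} else {
    Write-Output 'No Trojan:Win32/Vundo.RU indicators found.'
}
Write-Output ('Security-related processes currently running: ' +
    ($(if ($report.RunningSecurityProcs.Count) { $report.RunningSecurityProcs -join ', ' } else { 'none' })))
```

The process check is deliberately a report rather than a verdict: on a host that never had one of the listed products installed, "none running" is normal, so compare the output against what is expected to be installed on that machine before treating it as a sign of tampering.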
Last update 21 October 2013