TrojanDownloader:Win32/Vundo.J
First posted on 24 October 2012.
Source: Microsoft
Aliases:
TrojanDownloader:Win32/Vundo.J is also known as TR/HiolesH.A.2 (Avira), TR/Dldr.Vundo.J.379 (Avira), TR/Dldr.Vundo.J.891 (Avira), Trojan.Mayachok.17758 (Dr.Web), Trojan-Downloader.Win32.Vundo (Ikarus), Backdoor.Win32.Cidox (Ikarus), Win32/Citirevo.AC (ESET), Win32/Citirevo.AD (ESET), Dropper/Win32.Cidox (AhnLab), Backdoor/Win32.Cidox (AhnLab), Trojan/Win32.Cidox (AhnLab), W32/Vundo.CPVT (Norman), Backdoor.Win32.Cidox.azd (Kaspersky).
Explanation:
TrojanDownloader:Win32/Vundo.J is a trojan downloader that may download and run arbitrary files on your computer. It is a member of the Win32/Vundo family, a multiple-component family of programs that deliver "out of context" pop-up advertisements.
Installation
In the wild, we have observed TrojanDownloader:Win32/Vundo.J arrive on your computer with an icon and version information that differ between samples. It is an executable file with a random name, such as the following:
- A0052127.exe
- Dc13.exe
- TXT.exe
The trojan is run for the first time when you open or run the executable file.
We have observed different installations of TrojanDownloader:Win32/Vundo.J using the following version information, which will display in Windows Explorer in the Tiles view. The trojan may use these names as a form of social engineering to encourage you to open or run the file:
- Borland Remote Debugging Server
- ESET Smart Security
- Symantec Shared Component
We have also observed the trojan using icons that the malware authors may have copied from legitimate programs.
When first run, TrojanDownloader:Win32/Vundo.J drops a randomly named DLL file into the <system folder>.
Note: <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the System folder for Windows 2000 and NT is "C:\WinNT\System32"; and for XP, Vista, and 7 it is "C:\Windows\System32".
This DLL file is also detected as TrojanDownloader:Win32/Vundo.J.
The malware sets the DLL to be loaded into every Windows-based program every time your computer starts by making the following registry modification:
In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows
Sets value: "AppInit_DLLs"
With data: "<system folder>\<random letters>.dll"
The trojan's DLL component is then injected into the Windows process "explorer.exe" in an attempt to hinder detection and removal.
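The AppInit_DLLs modification above is the part of this infection a defender can check for directly, because the value is normally empty on a healthy machine. The following script is an added example and is not part of Microsoft's entry: it parses the text that `reg export` produces for the "Windows" key, lists every DLL named in AppInit_DLLs, reports whether LoadAppInit_DLLs is set, and flags anything not on a (hypothetical, empty) allowlist. The registry export and the DLL name `qkzvtrpa.dll` are constructed sample data, not an indicator from the entry.

```python
import re

# Constructed sample of what
#   reg export "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows" out.reg
# produces on an infected host; the DLL name is a made-up stand-in for the
# random name the trojan chooses.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\Windows\\System32\\qkzvtrpa.dll"
"LoadAppInit_DLLs"=dword:00000001
"DeviceNotSelectedTimeout"="15"
'''

# Hypothetical allowlist of lower-cased DLL basenames an organisation knows it
# legitimately loads through AppInit_DLLs. For most machines this is empty.
KNOWN_GOOD = frozenset()

_KEY_RE = re.compile(r'^\[(.+)\]$')
_VALUE_RE = re.compile(r'^"([^"]*)"=(.*)$')


def _parse_data(raw):
    """Decode one .reg data field: quoted REG_SZ or dword:hex."""
    if raw.startswith('"') and raw.endswith('"'):
        # .reg files escape backslash and double quote with a backslash
        return re.sub(r'\\(.)', r'\1', raw[1:-1])
    if raw.startswith('dword:'):
        return int(raw[len('dword:'):], 16)
    return raw  # other types (hex(7) multi-string, binary) left undecoded


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for a Windows .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = _parse_data(m.group(2))
    return keys


def audit_appinit(reg_text, allowlist=KNOWN_GOOD):
    """Report AppInit_DLLs entries that are not on the allowlist."""
    target = r'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows'
    keys = parse_reg_export(reg_text)
    # reg export may write SOFTWARE in upper case, so match case-insensitively
    values = next((v for k, v in keys.items() if k.lower() == target.lower()), {})
    # AppInit_DLLs is a space- or comma-separated list of DLL paths
    dlls = [d for d in re.split(r'[ ,]+', values.get('AppInit_DLLs', '')) if d]
    # On Windows 7 and later the DLLs are only loaded when LoadAppInit_DLLs is 1;
    # on XP a non-empty AppInit_DLLs is enough, so the list is reported regardless.
    load_enabled = values.get('LoadAppInit_DLLs', 0) == 1
    suspicious = [d for d in dlls if d.rsplit('\\', 1)[-1].lower() not in allowlist]
    return {'dlls': dlls, 'load_enabled': load_enabled, 'suspicious': suspicious}


if __name__ == '__main__':
    report = audit_appinit(SAMPLE_REG_EXPORT)
    for dll in report['suspicious']:
        print(f"REVIEW: unexpected AppInit DLL {dll} "
              f"(LoadAppInit_DLLs={int(report['load_enabled'])})")
```

On 64-bit Windows the same check should be repeated for the Wow6432Node copy of the key (HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows), since 32-bit processes read their AppInit_DLLs from there. Any flagged DLL should be hashed and submitted for scanning before it is removed, because the entry notes that the dropped DLL itself is detected as TrojanDownloader:Win32/Vundo.J.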
Payload
Downloads and executes arbitrary files
TrojanDownloader:Win32/Vundo.J tries to connect to a remote server, possibly to send information about your computer and to download and run arbitrary files.
In the wild, we have observed it connecting to the following servers via HTTP on port 80:
- 91.233.89.106
- clickbeta.ru
- clickclans.ru
- clickstano.com
- denadb.com
- denareclick.com
- fescheck.com
- foradns.com
- getavodes.com
- instrango.com
- netrovad.com
- nshouse1.com
- nsknock.com
- tegimode.com
- terrans.su
- tryatdns.com
Note: At the time of analysis these servers were no longer accessible, so we are unable to determine the files it may attempt to download and run.
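The server list above is the network indicator set for this sample. The following script is an added example, not part of Microsoft's entry: it loads those hosts and the IP address as indicators and scans proxy log lines for requests to them, matching subdomains of a listed domain (cdn.tegimode.com) while rejecting look-alike names that merely end in the same string (notclickbeta.ru). The log format (timestamp, client, method, URL, status) and all log lines are constructed sample data; the regex is what would change for a real Squid or Zeek log.

```python
import re
from ipaddress import ip_address

# Indicators taken from the encyclopedia entry above
# (servers the sample contacted over HTTP on port 80).
VUNDO_J_HOSTS = frozenset({
    'clickbeta.ru', 'clickclans.ru', 'clickstano.com', 'denadb.com',
    'denareclick.com', 'fescheck.com', 'foradns.com', 'getavodes.com',
    'instrango.com', 'netrovad.com', 'nshouse1.com', 'nsknock.com',
    'tegimode.com', 'terrans.su', 'tryatdns.com',
})
VUNDO_J_IPS = frozenset({'91.233.89.106'})

# Constructed proxy log in a hypothetical "time client method url status" layout.
SAMPLE_PROXY_LOG = """\
2012-10-24T09:12:01Z 10.0.0.15 GET http://www.example.com/index.html 200
2012-10-24T09:12:07Z 10.0.0.15 GET http://clickbeta.ru/in.cgi?3 200
2012-10-24T09:12:09Z 10.0.0.23 POST http://91.233.89.106:80/gate.php 503
2012-10-24T09:13:44Z 10.0.0.15 GET http://cdn.tegimode.com/upd.bin 404
2012-10-24T09:15:02Z 10.0.0.31 GET http://notclickbeta.ru/ 200
"""

_LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3})$')


def host_of(url):
    """Extract the host part of a URL, dropping scheme, port and path."""
    m = re.match(r'^[a-z][a-z0-9+.-]*://([^/:?#]+)', url, re.I)
    return m.group(1).lower() if m else None


def matches_indicator(host):
    """True if host is a listed IP, a listed domain, or a subdomain of one."""
    if host is None:
        return False
    try:
        ip_address(host)          # raises ValueError for domain names
        return host in VUNDO_J_IPS
    except ValueError:
        pass
    labels = host.split('.')
    # Walk the label suffixes: 'cdn.tegimode.com' -> 'tegimode.com' -> 'com'.
    # A plain suffix string check would wrongly match 'notclickbeta.ru'.
    return any('.'.join(labels[i:]) in VUNDO_J_HOSTS for i in range(len(labels)))


def scan_proxy_log(text):
    """Return [(timestamp, client, host)] for requests to listed infrastructure."""
    hits = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue  # malformed line; a real pipeline would count these
        ts, client, _method, url, _status = m.groups()
        host = host_of(url)
        if matches_indicator(host):
            hits.append((ts, client, host))
    return hits


def infected_clients(text):
    """Distinct client addresses that contacted any indicator, for follow-up."""
    return sorted({client for _ts, client, _host in scan_proxy_log(text)})


if __name__ == '__main__':
    for ts, client, host in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f'{ts} {client} -> {host}')
    print('clients to triage:', infected_clients(SAMPLE_PROXY_LOG))
```

Because the entry records that these servers were already unreachable at analysis time, the domains may since have expired, been sinkholed or been re-registered for unrelated use, so a hit should be treated as a lead that triggers the AppInit_DLLs check on the client rather than as proof of infection on its own.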
Related encyclopedia entries
Win32/Vundo
Analysis by Horea Coroiu
Last update 24 October 2012