Trojan:Win32/Vundo.gen!AW

Trojan:Win32/Vundo.gen!AW is the generic detection for components of Win32/Vundo - a multiple-component family of programs that deliver 'out of context' pop-up advertisements. They may also download and execute arbitrary files.

Win32/Vundo is often distributed as a DLL file and installed on an affected computer as a Browser Helper Object (BHO) without a user's consent. This family uses advanced defensive and stealth techniques to escape detection and to hinder removal.

For more information, please see the Win32/Vundo analysis elsewhere in the Microsoft Malware Protection Center encyclopedia.

Installation

When executed, Trojan:Win32/Vundo.gen!AW usually copies itself as the following file:

• %AppData%\netprotocol.exe

It creates the following registry entry to ensure that its copy executes at each Windows start:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Netprotocol"
With data: "%AppData%\netprotocol.exe"

It also creates the following registry entry as part of its installation process:

In subkey: HKLM\SOFTWARE\Microsoft\Netprotocol
Sets value: "UniqueNum"
With data: "<number>"

For example:

In subkey: HKLM\SOFTWARE\Microsoft\Netprotocol
Sets value: "UniqueNum"
With data: "5084571747328449280"

Payload

Downloads arbitrary files
Trojan:Win32/Vundo.gen!AW may contact several websites to download additional files. In the wild, here are some of the sites that it has been observed to connect to:

• lenewser.com
• pannesto.com
• krexjdsamdx.com
• kasjchseuk.com
• aberran.com
• tiffall.com
• halverd.net
• snowbel.com

Analysis by Elda Dimakiling