TrojanDropper:Win32/Vundo.H is a trojan that installs a variant of Win32/Vundo detected as
Trojan:Win32/Vundo.gen!C. Win32/Vundo.gen!C is a generic detection for a multi-component family of programs that deliver 'out of context' pop-up advertisements to the computer on which they are installed and may download and execute arbitrary files.
Installation
This trojan may be installed by other malware. When run, it activates its Win32/Vundo installation payload.
Payload
Installs Trojan:Win32/Vundo.gen!C
When run, TrojanDropper:Win32/Vundo.H drops the following file:
%TEMP%\<random letters>.bat - batch script
After dropping the above-mentioned file, the trojan modifies the registry so that the installed Win32/Vundo component runs at Windows start, as in the following example modifications:
Modifies value: "Time"
With data: "90 C0 4C 89 C0 CA C9 01 00 00 00 00"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Settings
Modifies value: "(default)"
With data: "<system folder>\hggxyofy.dll"
To subkey: HKLM\SOFTWARE\Classes\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\InprocServer32
Adds value: "{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
Adds value: "Asynchronous"
With data: "1"
To subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\hgGxYOFY
Adds value: "(default)"
With data: "26a53dbe7b0346adac37c7b2bf52ced8&"
To subkey: HKLM\Software\Microsoft\acc0fbff
Adds value: "(default)"
With data: "8E 9D C1 89 C0 CA C9 01"
To subkey: HKCU\SOFTWARE\Microsoft\Installer
Note that the above changes vary between installations of the trojan. After installing Win32/Vundo.gen!C, the trojan dropper executes the dropped batch script to delete the trojan dropper.
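As an added example that is not part of the original entry and not Microsoft's tooling, the following read-only PowerShell script audits the two autostart locations the entry lists, ShellExecuteHooks and Winlogon\Notify. It resolves each registered DLL and flags entries that match the CLSID, DLL name, Notify subkey or marker key quoted above, or that point to a DLL that is missing from disk or not validly signed. The literal indicators come from this page and, as the entry notes, vary between installations; reading the DLLName value under each Notify subkey, the Wow6432Node CLSID view, and an elevated PowerShell session on the host being triaged are assumptions.

```powershell
# Added example, not part of the original entry and not Microsoft's tooling: a read-only
# audit of the persistence locations this entry lists. Assumes an elevated PowerShell on
# the host being triaged. The literal indicators are the values quoted on the page and
# vary between installations, so the generic checks (orphaned or unsigned DLLs) are the
# ones that generalise to other variants.

$PageClsid  = '{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}'   # from the page
$PageDll    = 'hggxyofy.dll'                              # from the page
$PageNotify = 'hgGxYOFY'                                  # from the page
$PageKey    = 'HKLM:\Software\Microsoft\acc0fbff'         # from the page

$Findings = New-Object 'System.Collections.Generic.List[object]'

function Add-Finding([string]$Location, [string]$Detail, [string]$Reason) {
    $script:Findings.Add([pscustomobject]@{ Location = $Location; Detail = $Detail; Reason = $Reason })
}

# Resolve a DLL reference the way the loader would: a bare file name is looked up in System32.
function Resolve-DllPath([string]$Name) {
    if ([string]::IsNullOrWhiteSpace($Name)) { return $null }
    $expanded = [Environment]::ExpandEnvironmentVariables($Name)
    if ([IO.Path]::IsPathRooted($expanded)) { return $expanded }
    return (Join-Path "$env:SystemRoot\System32" $expanded)
}

# Generic triage for any DLL referenced from an autostart key; returns a reason or $null.
function Test-SuspiciousDll([string]$Path) {
    if (-not $Path) { return 'no DLL path recorded' }
    if (-not (Test-Path -LiteralPath $Path)) { return 'DLL missing on disk (orphaned entry)' }
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -ne 'Valid') { return "DLL not validly signed ($($sig.Status))" }
    return $null
}

# 1. ShellExecuteHooks: each value name is a CLSID whose InprocServer32 DLL is loaded into
#    Explorer and any process that calls ShellExecute. 32-bit COM servers on a 64-bit host
#    register under the Wow6432Node view (assumption), so both CLSID roots are checked.
$hooksPath  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
$clsidRoots = @('HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID')
if (Test-Path -LiteralPath $hooksPath) {
    foreach ($clsid in (Get-Item -LiteralPath $hooksPath).GetValueNames()) {
        if ($clsid -ieq $PageClsid) { Add-Finding $hooksPath $clsid 'CLSID listed in this entry' }
        foreach ($root in $clsidRoots) {
            $inproc = "$root\$clsid\InprocServer32"
            if (-not (Test-Path -LiteralPath $inproc)) { continue }
            $dll  = (Get-Item -LiteralPath $inproc).GetValue('')
            $path = Resolve-DllPath $dll
            if ($dll -and ([IO.Path]::GetFileName($dll) -ieq $PageDll)) {
                Add-Finding $inproc $dll 'DLL name listed in this entry'
            }
            $why = Test-SuspiciousDll $path
            if ($why) { Add-Finding $inproc "$clsid -> $path" $why }
        }
    }
}

# 2. Winlogon\Notify: each subkey names a notification package DLL that winlogon.exe loads
#    at logon. The page lists only the Asynchronous value; DLLName is the standard package
#    value and reading it is an assumption about the installed variant.
$notifyPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
if (Test-Path -LiteralPath $notifyPath) {
    foreach ($sub in Get-ChildItem -LiteralPath $notifyPath) {
        $dll   = $sub.GetValue('DLLName')
        $async = $sub.GetValue('Asynchronous')
        if ($sub.PSChildName -ieq $PageNotify) {
            Add-Finding $sub.Name $sub.PSChildName 'Notify subkey listed in this entry'
        }
        $why = Test-SuspiciousDll (Resolve-DllPath $dll)
        if ($why) { Add-Finding $sub.Name "DLLName=$dll Asynchronous=$async" $why }
    }
}

# 3. The marker key this entry lists; its default value is a per-installation string.
if (Test-Path -LiteralPath $PageKey) {
    Add-Finding $PageKey ((Get-Item -LiteralPath $PageKey).GetValue('')) 'key listed in this entry'
}

if ($Findings.Count -eq 0) {
    Write-Output 'No indicators from this entry and no orphaned or unsigned hook DLLs found.'
} else {
    $Findings | Format-Table -AutoSize
}
```

The script only reads the registry and file signatures; it removes nothing. A hit on the signature check is a triage lead rather than a verdict, since some legitimate shell extensions ship unsigned, whereas a CLSID or Notify subkey whose DLL no longer exists on disk is the typical residue of the self-deleting installation this entry describes.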
Additional Information
Analysis by Jaime Wong