is a member of Win32/Vundo
- a multiple component family of programs that deliver 'out of context' pop-up advertisements. They may also download and execute arbitrary files. Vundo is often distributed as a DLL file and installed on an affected computer as a Browser Helper Object (BHO) without a user's consent. This family uses advanced defensive and stealth techniques to escape detection and to hinder removal.
When executed, Trojan:Win32/Vundo.QA copies itself to c:\documents and settings\administrator\application data\netprotocol.exe.
The malware modifies the following registry entries to ensure that its copy executes at each Windows start:
Adds value: "Netprotocol"
With data: "c:\documents and settings\administrator\application data\netprotocol.exe"
To subkey: HKCU\Software\Microsoft\windows\currentversion\run
The malware creates the following files on an affected computer:
Contacts remote hosts
may contact the following remote hosts using port 80:
Commonly, malware may contact a remote host for the following purposes:
- To confirm Internet connectivity
- To report a new infection to its author
- To receive configuration or other data
- To download and execute arbitrary files (including updates or additional malware)
- To receive instruction from a remote attacker
- To upload data taken from the affected computer
This malware description was produced and published using our automated analysis system's examination of file SHA1 5aa47d1a3413c1f20c14dca92d78a4176b94a85f.