
TrojanDownloader:Win32/Vundo.J


Microsoft security software detects and removes this threat.

This trojan downloader can download and run files on your computer.

It is a member of the Win32/Vundo family, which delivers out-of-context pop-up advertisements.



What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. The following Microsoft products detect and remove this threat:

Threat behavior

Installation

We have seen TrojanDownloader:Win32/Vundo.J arrive on your computer with an icon and version information that differ between samples. It is an executable file with a random name, such as the following:

  • A0052127.exe
  • Dc13.exe
  • TXT.exe

The trojan is run for the first time when you open or run the executable file.

We have observed different installations of TrojanDownloader:Win32/Vundo.J using the following version information, which Windows Explorer displays in the Tiles view. The trojan may use these names as a form of social engineering to encourage you to open or run the file:

  • Borland Remote Debugging Server
  • ESET Smart Security
  • Symantec Shared Component

We have also observed the trojan using the following icons, which the malware authors may have copied from legitimate programs:

When first run, TrojanDownloader:Win32/Vundo.J drops a randomly named DLL file into the <system folder>.

This DLL file is also detected as TrojanDownloader:Win32/Vundo.J.

The malware sets the DLL to be loaded into every Windows-based program every time your computer starts by making the following registry modification:

In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows
Sets value: "AppInit_DLLs"
With data: "<system folder>\<random letters>.dll"

The trojan's DLL component is then injected into the Windows process "explorer.exe" in an attempt to hinder detection and removal.
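The AppInit_DLLs modification above is the persistence mechanism a defender can check for directly. The following added example (not code from the original write-up) audits a constructed snapshot of the values under the key named above: it splits the AppInit_DLLs string the way Windows does, flags entries matching the "<system folder>\<random letters>.dll" shape, and reports the LoadAppInit_DLLs and RequireSignedAppInit_DLLs settings that gate the mechanism on Vista/Windows 7 and later. The DLL name and system folder are made-up stand-ins.

```python
import re
from typing import Dict, List, Union

# Constructed snapshot of the values under
# HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows, modelled on the
# modification in the write-up. The DLL name is a made-up stand-in.
SAMPLE_VALUES: Dict[str, Union[str, int]] = {
    "AppInit_DLLs": r"C:\WINDOWS\system32\qkzvtrnb.dll",
    "LoadAppInit_DLLs": 1,
    "RequireSignedAppInit_DLLs": 0,
}
SYSTEM_FOLDER = r"C:\WINDOWS\system32"  # assumed <system folder> for this example

# "<random letters>.dll": a stem made only of letters, long enough not to be a word like "user".
RANDOM_STEM = re.compile(r"^[a-z]{5,}$")

def parse_appinit_dlls(data: str) -> List[str]:
    """Split the AppInit_DLLs string; Windows accepts space- or comma-separated paths."""
    return [p for p in re.split(r"[ ,;]+", data.strip()) if p]

def audit_appinit(values: Dict[str, Union[str, int]], system_folder: str = SYSTEM_FOLDER) -> List[str]:
    """Return findings for the AppInit_DLLs persistence mechanism.
    On a clean machine AppInit_DLLs is normally empty, so any entry deserves review."""
    findings: List[str] = []
    for dll in parse_appinit_dlls(str(values.get("AppInit_DLLs", ""))):
        folder, _, name = dll.replace("/", "\\").rpartition("\\")
        lname = name.lower()
        stem = lname[:-4] if lname.endswith(".dll") else ""
        in_sysdir = folder.lower() == system_folder.lower()
        if in_sysdir and RANDOM_STEM.fullmatch(stem):
            findings.append(f"HIGH: {dll} matches the Vundo.J pattern (random-letter DLL in the system folder)")
        else:
            findings.append(f"REVIEW: {dll} is registered in AppInit_DLLs")
    # LoadAppInit_DLLs (absent on XP, where the mechanism is always active) gates loading; 0 disables it.
    if findings and values.get("LoadAppInit_DLLs", 1) != 0:
        findings.append("INFO: LoadAppInit_DLLs is enabled, so the listed DLLs load into every process that loads user32.dll")
    # RequireSignedAppInit_DLLs (Windows 7 and later) blocks unsigned AppInit DLLs when set to 1.
    if values.get("RequireSignedAppInit_DLLs", 0) == 0:
        findings.append("WEAK: RequireSignedAppInit_DLLs is 0; unsigned AppInit DLLs are allowed to load")
    return findings

if __name__ == "__main__":
    for line in audit_appinit(SAMPLE_VALUES):
        print(line)
```

Note that Windows itself splits the value on spaces, so a DLL path containing a space cannot be registered this way in full form; the parser mirrors that behaviour rather than correcting it.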

Payload

Downloads and runs files

TrojanDownloader:Win32/Vundo.J tries to connect to a remote server, possibly to send information about your computer and to download and run files.

In the wild, we have observed it connecting to several remote servers over HTTP on port 80.

At the time of analysis these servers were no longer accessible, so we were unable to determine the files it downloads and runs.

Related encyclopedia entries

Win32/Vundo

Analysis by Horea Coroiu


Symptoms

System changes

The following system changes may indicate the presence of this malware:

  • The presence of the following registry modification:
     
    In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows
    Sets value: "AppInit_DLLs"
    With data: "%SystemRoot%\system32\<random letters>.dll"
     
  • The presence of the following files:

    A0052127.exe
    Dc13.exe
    TXT.exe

Prevention


Alert level: Severe
First detected by definition: 1.95.3310.0
Latest detected by definition: 1.177.402.0 and higher
First detected on: Jan 05, 2011
This entry was first published on: Jan 05, 2011
This entry was updated on: Aug 16, 2013

This threat is also detected as:
  • TR/HiolesH.A.2 (Avira)
  • TR/Dldr.Vundo.J.379 (Avira)
  • TR/Dldr.Vundo.J.891 (Avira)
  • Trojan.Mayachok.17758 (Dr.Web)
  • Trojan-Downloader.Win32.Vundo (Ikarus)
  • Backdoor.Win32.Cidox (Ikarus)
  • Win32/Citirevo.AC (ESET)
  • Win32/Citirevo.AD (ESET)
  • Dropper/Win32.Cidox (AhnLab)
  • Backdoor/Win32.Cidox (AhnLab)
  • Trojan/Win32.Cidox (AhnLab)
  • W32/Vundo.CPVT (Norman)
  • Backdoor.Win32.Cidox.azd (Kaspersky)