TrojanDownloader:Win32/Vundo.HIY


TrojanDownloader:Win32/Vundo.HIY is a component of Win32/Vundo - a multiple-component family of programs that deliver 'out of context' pop-up advertisements. TrojanDownloader:Win32/Vundo.HIY also downloads and executes arbitrary files.


What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date, security solution. The following Microsoft products detect and remove this threat:
For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

Threat behavior

TrojanDownloader:Win32/Vundo.HIY is a component of Win32/Vundo - a multiple-component family of programs that deliver 'out of context' pop-up advertisements. TrojanDownloader:Win32/Vundo.HIY also downloads and executes arbitrary files.

Installation

When executed, TrojanDownloader:Win32/Vundo.HIY modifies the registry so that its DLL is loaded at each Windows start:

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Sets value: "AppInit_DLLs"
With data: "<system folder>\<file_name>"

where <file_name> is the file name of TrojanDownloader:Win32/Vundo.HIY; usually it is a DLL with a random name.
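A defender-side check for the AppInit_DLLs persistence described above, added here as an example and not part of this Microsoft entry: it splits the value data (read from a live host with winreg, or pasted from a hive export) into DLL paths and flags any entry outside an allowlist of known DLLs. SYSTEM_FOLDER, the allowlist and the sample data are constructed assumptions; LoadAppInit_DLLs is a real value in the same subkey that gates whether AppInit DLLs are loaded at all.

```python
"""Triage the AppInit_DLLs value that Win32/Vundo.HIY abuses for persistence.
Added example, not code from the Microsoft entry; SYSTEM_FOLDER, the allowlist
and the sample value data below are constructed assumptions."""
from __future__ import annotations
import re
import sys

APPINIT_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
SYSTEM_FOLDER = r"C:\Windows\System32"  # assumed <system folder>


def parse_appinit_dlls(data: str) -> list[str]:
    """Split AppInit_DLLs data into DLL paths. The loader treats the data as a
    space- or comma-delimited list (hence vendors use 8.3 names); a bare file
    name is resolved against the system folder, where the Vundo DLL lives."""
    entries = []
    for tok in re.split(r"[\s,]+", data.strip()):
        if tok:
            entries.append(tok if "\\" in tok else SYSTEM_FOLDER + "\\" + tok)
    return entries


def suspicious_appinit_entries(data: str, allowlist: set[str]) -> list[str]:
    """Return each entry not on the case-insensitive allowlist of known DLLs."""
    allowed = {p.lower() for p in allowlist}
    return [p for p in parse_appinit_dlls(data) if p.lower() not in allowed]


def read_appinit_dlls() -> tuple[str, int]:
    """Read AppInit_DLLs and LoadAppInit_DLLs from a live Windows host.
    LoadAppInit_DLLs (Windows 7 and later) gates injection; 0 disables it."""
    import winreg  # Windows only
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, APPINIT_KEY) as key:
        data, _ = winreg.QueryValueEx(key, "AppInit_DLLs")
        try:
            load, _ = winreg.QueryValueEx(key, "LoadAppInit_DLLs")
        except FileNotFoundError:
            load = 1  # value absent on older systems: DLLs load unconditionally
    return data, int(load)


if __name__ == "__main__":
    # Constructed sample: one allowlisted vendor DLL plus a random-named DLL in
    # the system folder, the pattern this entry describes for Vundo.HIY.
    data = r"C:\PROGRA~1\Vendor\hook.dll C:\Windows\System32\kjhd3f.dll"
    allow = {r"c:\progra~1\vendor\hook.dll"}
    if sys.platform == "win32":
        data, load = read_appinit_dlls()
        print("LoadAppInit_DLLs =", load)
    for dll in suspicious_appinit_entries(data, allow):
        print("suspicious AppInit_DLLs entry:", dll)
```

On a live host, run it as an administrator so the HKLM subkey can be read; off-host, pass the exported value data straight to suspicious_appinit_entries.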
Payload

Downloads and executes arbitrary files

TrojanDownloader:Win32/Vundo.HIY connects to remote hosts to download and execute arbitrary files on the affected system.

Analysis by Chun Feng

Symptoms

There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptoms.

Prevention


Alert level: Severe
First detected by definition: 1.99.1391.0
Latest detected by definition: 1.205.789.0 and higher
First detected on: Mar 17, 2011
This entry was first published on: Mar 28, 2011
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • Trojan.Win32.Zapchast.fbg (Kaspersky)
  • Trojan.Zapchast!iwS7nezY200 (VirusBuster)
  • Trojan horse Generic21.ATOA (AVG)
  • TR/Zapchast.fbg (Avira)
  • Trojan.Generic.5615089 (BitDefender)
  • Trojan.Loader.576 (Dr.Web)
  • Trojan.Win32.Zapchast (Ikarus)