TrojanDownloader:Win32/Vundo.J

Encyclopedia entry
Updated: Oct 24, 2012  |  Published: Jan 05, 2011

Aliases
  • TR/HiolesH.A.2 (Avira)
  • TR/Dldr.Vundo.J.379 (Avira)
  • TR/Dldr.Vundo.J.891 (Avira)
  • Trojan.Mayachok.17758 (Dr.Web)
  • Trojan-Downloader.Win32.Vundo (Ikarus)
  • Backdoor.Win32.Cidox (Ikarus)
  • Win32/Citirevo.AC (ESET)
  • Win32/Citirevo.AD (ESET)
  • Dropper/Win32.Cidox (AhnLab)
  • Backdoor/Win32.Cidox (AhnLab)
  • Trojan/Win32.Cidox (AhnLab)
  • W32/Vundo.CPVT (Norman)
  • Backdoor.Win32.Cidox.azd (Kaspersky)

Alert level
Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection last updated:
Definition: 1.151.393.0
Released: May 18, 2013
Detection initially created:
Definition: 1.95.3310.0
Released: Jan 05, 2011

Summary

TrojanDownloader:Win32/Vundo.J is a trojan downloader that may download and run arbitrary files on your computer. It is a member of the Win32/Vundo family, a multiple-component family of programs that deliver "out of context" pop-up advertisements.

Symptoms

System changes

The following system changes may indicate the presence of this malware:

  • The presence of the following registry modification:

    In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows
    Sets value: "AppInit_DLLs"
    With data: "%SystemRoot%\system32\<random letters>.dll"

  • The presence of the following files:

    A0052127.exe
    Dc13.exe
    TXT.exe

Technical Information (Analysis)

Installation

In the wild, we have observed TrojanDownloader:Win32/Vundo.J arrive on your computer with an icon and version information that differs between samples. It is an executable file with a random name, such as the following:

  • A0052127.exe
  • Dc13.exe
  • TXT.exe

The trojan is run for the first time when you open or run the executable file.

We have observed different installations of TrojanDownloader:Win32/Vundo.J using the following version information, which will display in Windows Explorer in the Tiles view. The trojan may use these names as a form of social engineering to encourage you to open or run the file:

  • Borland Remote Debugging Server
  • ESET Smart Security
  • Symantec Shared Component

We have also observed the trojan using the following icons, which the malware authors may have copied from legitimate programs:

When first run, TrojanDownloader:Win32/Vundo.J drops a randomly named DLL file into the <system folder>.

Note: <system folder> refers to a variable location that the malware determines by querying the operating system. The default System folder location is "C:\WinNT\System32" for Windows 2000 and NT, and "C:\Windows\System32" for XP, Vista, and 7.

This DLL file is also detected as TrojanDownloader:Win32/Vundo.J.

The malware sets the DLL to be loaded into every Windows-based program every time your computer starts by making the following registry modification:

In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows
Sets value: "AppInit_DLLs"
With data: "<system folder>\<random letters>.dll"

The trojan's DLL component is then injected into the Windows process "explorer.exe" in an attempt to hinder detection and removal.

Payload

Downloads and executes arbitrary files

TrojanDownloader:Win32/Vundo.J tries to connect to a remote server, possibly to send information about your computer and to download and run arbitrary files.

In the wild, we have observed it connecting to the following servers via HTTP port 80:

  • 91.233.89.106
  • clickbeta.ru
  • clickclans.ru
  • clickstano.com
  • denadb.com
  • denareclick.com
  • fescheck.com
  • foradns.com
  • getavodes.com
  • instrango.com
  • netrovad.com
  • nshouse1.com
  • nsknock.com
  • tegimode.com
  • terrans.su
  • tryatdns.com

Note: At the time of analysis these servers were no longer accessible, so we are unable to determine the files it may attempt to download and run.
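The two indicators this entry gives (the AppInit_DLLs registry modification under Installation and the list of servers above) are the ones a defender would check offline against a registry export and proxy logs. The following Python is an added example written for this page; it is not part of the encyclopedia entry and not Microsoft tooling. The proxy-log format, the sample log lines, the sample AppInit_DLLs data, the `approved` baseline of known-good DLLs, and the random-letter filename heuristic are all constructed for illustration; the server list is copied from the entry.

```python
import re

# Servers listed in this entry as contacted over HTTP port 80 (copied from the
# analysis above). Defenders would typically blocklist these and retro-hunt
# over proxy or DNS logs for past contact.
VUNDO_J_SERVERS = frozenset({
    "91.233.89.106", "clickbeta.ru", "clickclans.ru", "clickstano.com",
    "denadb.com", "denareclick.com", "fescheck.com", "foradns.com",
    "getavodes.com", "instrango.com", "netrovad.com", "nshouse1.com",
    "nsknock.com", "tegimode.com", "terrans.su", "tryatdns.com",
})


def parse_appinit_dlls(data, system_root=r"C:\Windows"):
    """Split an AppInit_DLLs value into normalised, lower-cased paths.

    Windows accepts space- or comma-separated entries in this value, and the
    entry shows the data written with a %SystemRoot% prefix, so that prefix is
    expanded before splitting. Quotes around entries are tolerated and dropped.
    """
    # A lambda is used so backslashes in system_root are not treated as escapes.
    expanded = re.sub(r"%systemroot%", lambda _: system_root, data, flags=re.IGNORECASE)
    entries = []
    for part in re.split(r"[,\s]+", expanded):
        part = part.strip('"')
        if part:
            entries.append(part.lower())
    return entries


def suspicious_appinit_entries(data, system_root=r"C:\Windows", approved=frozenset()):
    """Return AppInit_DLLs entries matching the pattern this entry describes:
    a DLL with a purely alphabetic (random-letter) name sitting directly in
    <system folder>, and not on the organisation's approved baseline.

    The random-letter test is a constructed heuristic. Legitimate AppInit DLLs
    exist, so the `approved` baseline is what keeps the check from being noisy.
    """
    system_dir = (system_root + r"\system32").lower()
    hits = []
    for path in parse_appinit_dlls(data, system_root):
        if path in approved:
            continue
        directory, _, filename = path.rpartition("\\")
        if directory == system_dir and re.fullmatch(r"[a-z]{3,16}\.dll", filename):
            hits.append(path)
    return hits


# Constructed proxy-log format: "<timestamp> <client> <host>:<port> <method> <path>".
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<host>[^:\s]+):(?P<port>\d+) (?P<method>\S+) (?P<path>\S+)$"
)


def match_c2_traffic(lines, servers=VUNDO_J_SERVERS):
    """Scan proxy log lines for connections to any server in the indicator set.

    Matching is on the host alone; the port is reported so an analyst can see
    whether it is the HTTP/80 traffic described in the entry or something else.
    """
    matches = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if m and m.group("host").lower() in servers:
            matches.append((m.group("ts"), m.group("client"), m.group("host"), int(m.group("port"))))
    return matches


# Constructed sample input: one AppInit_DLLs value of the shape the entry
# describes, and four proxy lines (two listed hosts on port 80, one benign
# host, one listed host on a non-standard port).
SAMPLE_APPINIT = r'"%SystemRoot%\system32\qzkvhrt.dll"'
SAMPLE_LOG = """\
2011-01-05T10:02:11Z 10.0.0.12 clickbeta.ru:80 GET /
2011-01-05T10:02:13Z 10.0.0.12 www.example.com:443 CONNECT /
2011-01-05T10:03:40Z 10.0.0.17 91.233.89.106:80 POST /
2011-01-05T10:04:02Z 10.0.0.12 terrans.su:8080 GET /index.html
"""

if __name__ == "__main__":
    for hit in suspicious_appinit_entries(SAMPLE_APPINIT):
        print("suspicious AppInit_DLLs entry:", hit)
    for ts, client, host, port in match_c2_traffic(SAMPLE_LOG.splitlines()):
        print(f"{ts} {client} -> {host}:{port}")
```

On a live host the AppInit_DLLs data would come from an export of the HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows key rather than the constructed sample, and the baseline should be populated from a known-clean machine of the same build, since the filename heuristic alone will flag any short alphabetic DLL name in System32.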

Related encyclopedia entries

Win32/Vundo

Analysis by Horea Coroiu

Prevention

Recovery

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. The following Microsoft products detect and remove this threat: