TrojanDropper:Win32/Vundo.L


TrojanDropper:Win32/Vundo.L is a trojan that is a member of a multi-component family of programs that deliver 'out of context' pop-up advertisements. It also drops files that are capable of downloading other malware.



What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. The following Microsoft products detect and remove this threat:

For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

This threat may make lasting changes to a computer's configuration that are NOT restored by detecting and removing this threat. For more information on returning an infected computer to its pre-infected state, please see the following article:

Recreating a clean Hosts file: http://support.microsoft.com/kb/972034

Threat behavior

Installation

TrojanDropper:Win32/Vundo.L drops a copy of itself as '<startup folder>\microsoft update.exe'.

Note: <startup folder> refers to a variable location that the malware determines by querying the operating system. The default location of the Startup folder for Windows 9x, Me, NT, 2000, XP and 2003 is '%USERPROFILE%\Start Menu\Programs\Startup'. For Windows Vista and 7, the default location is '%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'.

Payload

Drops files

The trojan drops '%TEMP%\mw.exe', which is detected as Trojan:Win32/Vundo.OD. It also drops '%TEMP%\<random_number>.tmp.exe', which is detected as TrojanDownloader:Win32/Wadolin.A.

Opens a message box

TrojanDropper:Win32/Vundo.L shows a misleading message box to trick the users into believing that it failed to run because of a missing OCX file.

Changes Hosts file and its contents

The trojan makes a copy of the Windows Hosts file to '<system folder>\drivers\etc\hîsts'. Note that the second character of the file name is the extended ASCII character 'EEh'.

It then adds the following lines to the Hosts file to divert access from the Russian social networking site "VKontakte.ru" to another IP address:

vkontakte.ru = 92.38.209.252
vk.com = 92.38.209.252

TrojanDropper:Win32/Vundo.L also sets the "hidden" attribute on the Hosts file and inserts many empty lines into it, so that the file looks unchanged on casual inspection.

Analysis by Horea Coroiu


Symptoms

System changes

The following system changes may indicate the presence of this malware:

  • The presence of the file '<startup folder>\microsoft update.exe'
  • The Windows Hosts file contains entries such as "vkontakte.ru" and "vk.com"
  • The presence of the file 'hîsts' under '<system folder>\drivers\etc' (the second character of the file name is the extended ASCII character 'EEh')
  • The display of a message box with the title "Error" and text "Component comdlg32.ocx or one of its dependencies not correctly registered: a file is missing or invalid"
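As an added detection example (not part of this encyclopedia entry and not Microsoft's tooling), the following Python script checks for the system changes listed above: Hosts file entries that map vkontakte.ru or vk.com anywhere, blank-line padding, the hidden attribute on the Hosts file, a decoy 'hîsts' copy next to it, and the dropper copy in the Startup folder. The sample Hosts content is constructed for the demonstration and uses the standard "IP hostname" Hosts syntax (the entry above lists the same pairs in "domain = IP" form); the 50-blank-line padding threshold, the decoy-name pattern (which generalises the 0xEE case to any single non-letter second character) and the default paths built from %SystemRoot% and %APPDATA% are assumptions of this example.

```python
import os
import re
import stat

# Indicators taken from the entry above.
WATCHED_DOMAINS = {"vkontakte.ru", "vk.com"}
DROPPER_NAME = "microsoft update.exe"
# Decoy file name: 'h' + byte 0xEE + 'sts'. The pattern generalises to any
# single non-letter second character (assumption of this example).
DECOY_PATTERN = re.compile(r"^h[^a-z]sts$", re.IGNORECASE)
BLANK_LINE_THRESHOLD = 50  # padding threshold; arbitrary choice for this example


def parse_hosts(text):
    """Parse Hosts-file text into (entries, blank_line_count).

    entries is a list of (ip, [hostnames]); comment lines are ignored and
    whitespace-only lines are counted instead of being discarded.
    """
    entries = []
    blank = 0
    for raw in text.splitlines():
        if not raw.strip():
            blank += 1
            continue
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2:
            entries.append((fields[0], [h.lower() for h in fields[1:]]))
    return entries, blank


def analyse_hosts_text(text, blank_threshold=BLANK_LINE_THRESHOLD):
    """Report watched domains mapped in the file and blank-line padding.

    A normal Hosts file never mentions these domains, so any mapping is
    reported regardless of the address it points to.
    """
    entries, blank = parse_hosts(text)
    redirects = {}
    for ip, names in entries:
        for name in names:
            if name in WATCHED_DOMAINS:
                redirects[name] = ip
    return {"redirects": redirects, "blank_lines": blank,
            "padded": blank >= blank_threshold}


def is_decoy_name(filename):
    """True for names such as 'hîsts' sitting beside the real Hosts file."""
    return DECOY_PATTERN.match(filename) is not None


def check_system(system_dir=None, startup_dir=None):
    """Check the live machine and return a list of human-readable findings.

    Defaults follow the Windows locations named in the entry; on other
    systems the directories do not exist and nothing is reported.
    """
    if system_dir is None:
        system_dir = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    if startup_dir is None:
        startup_dir = os.path.join(os.environ.get("APPDATA", ""), "Microsoft", "Windows",
                                   "Start Menu", "Programs", "Startup")
    findings = []
    etc_dir = os.path.join(system_dir, "drivers", "etc")
    hosts_path = os.path.join(etc_dir, "hosts")

    if os.path.isdir(etc_dir):
        for name in os.listdir(etc_dir):
            if is_decoy_name(name):
                findings.append(f"decoy Hosts copy present: {os.path.join(etc_dir, name)}")

    if os.path.isfile(hosts_path):
        # st_file_attributes exists only on Windows; elsewhere treat as not hidden.
        attrs = getattr(os.stat(hosts_path), "st_file_attributes", 0)
        if attrs & stat.FILE_ATTRIBUTE_HIDDEN:
            findings.append("Hosts file has the hidden attribute set")
        with open(hosts_path, encoding="latin-1", errors="replace") as fh:
            report = analyse_hosts_text(fh.read())
        for name, ip in sorted(report["redirects"].items()):
            findings.append(f"Hosts maps {name} to {ip}")
        if report["padded"]:
            findings.append(f"Hosts contains {report['blank_lines']} blank lines (possible padding)")

    dropper_path = os.path.join(startup_dir, DROPPER_NAME)
    if os.path.isfile(dropper_path):
        findings.append(f"dropper copy present: {dropper_path}")
    return findings


# Constructed sample: a Hosts file padded with 60 blank lines, followed by
# the two entries the encyclopedia entry describes.
SAMPLE_HOSTS = (
    "# Copyright (c) 1993-2009 Microsoft Corp.\n"
    "127.0.0.1       localhost\n"
    + "\n" * 60
    + "92.38.209.252   vkontakte.ru\n"
    "92.38.209.252   vk.com\n"
)

if __name__ == "__main__":
    print(analyse_hosts_text(SAMPLE_HOSTS))
    for finding in check_system():
        print("FINDING:", finding)
```

Run on a Windows host, `check_system()` reads the real Hosts file from %SystemRoot%\System32\drivers\etc and the current user's Startup folder; on any other system only the constructed sample is analysed. The Hosts file is opened as latin-1 so that stray high bytes never abort the check.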


Prevention


Alert level: Severe
First detected by definition: 1.109.1028.0
Latest detected by definition: 1.175.1647.0 and higher
First detected on: Aug 03, 2011
This entry was first published on: Aug 03, 2011
This entry was updated on: Sep 14, 2011

This threat is also detected as:
  • Trojan-Downloader.Win32.Wadolin (Ikarus)
  • Infostealer.Gampass (Symantec)