Trojan:Win32/Vundo.X is a trojan that exists as a Browser Helper Object (BHO). Win32/Vundo.X falsely reports problems with the computer in order to convince users to purchase a promoted product. It may connect to a remote web server to download updates or other arbitrary files, and uses stealth methods to make it difficult to remove.
Installation
When Trojan:Win32/Vundo.X is installed, it may be dropped with a randomly generated file name. Win32/Vundo.X modifies the registry to load its copy at each Windows start as a BHO.

Adds value: {A95B2816-1D7E-4561-A202-68C0DE02353A}
With data: "<Win32/Vundo.X file name and path>"
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

Adds value: {11A69AE4-FBED-4832-A2BF-45AF82825583}
To subkey: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\

Adds value: {A95B2816-1D7E-4561-A202-68C0DE02353A}
To subkey: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\

Adds value: <Win32/Vundo.X file name>
With data: "<Win32/Vundo.X file name>"
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

When Win32/Vundo.X executes, it may inject its code into the 'Explorer.exe' process as a means of hiding its presence in memory.

Win32/Vundo.X may also create hundreds or thousands of garbage files named "pos<hex_number>.tmp" in the following folders:
c:\
<"My Documents" folder>

This trojan may drop an encrypted file with the name formed by concatenating the malware file name and the word "box" (e.g. if the BHO file is named 'khfgged.dll' then the dropped file's name will be 'khfgged.dllbox').
Payload
Displays False Messages

Creates Shortcuts to Download Unwanted Software
Win32/Vundo.X may create two Windows desktop shortcuts, one named "Help and Support Center" and the other named "Windows Update". The created shortcuts are restored if deleted or renamed, and both link to the website 'storageprotector.com':

[Image: the two desktop shortcuts]

The text and icons used in these shortcuts are suggestive, and attempt to trick the user into believing they are legitimate. The shortcuts direct users to a site that resembles a Windows Update dialog box (displayed below):

[Image: site resembling a Windows Update dialog box]

If a user were to install the promoted update, the trojan may download and install a rogue security program known as "ErrClean", currently detected as Program:Win32/WinFixer.

Downloads Additional Programs
Win32/Vundo.X may attempt to download other programs or components from the domain 'paraplexic.com'.

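As an added example (not Microsoft's code and not part of this encyclopedia entry), the following Python script performs an offline triage for the indicators listed in the Installation and Payload sections above: the two CLSIDs under the Browser Helper Objects and CLSID keys, a Winlogon\Notify value whose data is its own file name, the "pos<hex_number>.tmp" garbage files and the "<name>box" companion file, and desktop shortcuts whose targets point at storageprotector.com or paraplexic.com. It works over a .reg export, a file listing and a shortcut name-to-target map rather than the live system, so it runs anywhere. The sample registry export, file list and shortcut map are constructed (the file name 'khfgged.dll' is the entry's own example), and the shortcut map assumes the .lnk targets have already been resolved by another tool.

```python
import re
from typing import Dict, List
from urllib.parse import urlparse

# Indicators taken from the Win32/Vundo.X description: the two CLSIDs, the
# persistence keys, the garbage-file and companion-file naming, and the two domains.
VUNDO_CLSIDS = {
    "{A95B2816-1D7E-4561-A202-68C0DE02353A}",
    "{11A69AE4-FBED-4832-A2BF-45AF82825583}",
}
BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
CLSID_KEY = r"HKEY_LOCAL_MACHINE\Software\Classes\CLSID"
WINLOGON_NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
GARBAGE_RE = re.compile(r"^pos[0-9a-f]+\.tmp$", re.IGNORECASE)
PROMOTED_HOSTS = {"storageprotector.com", "paraplexic.com"}


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal .reg parser: {key path: {value name: data}}; hex() continuations are ignored."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            keys[current][name.strip('"')] = data.strip('"')
    return keys


def find_registry_indicators(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Flag the known CLSIDs under the BHO/CLSID keys and a Winlogon\\Notify value
    whose data equals its own name (the pattern the entry describes)."""
    hits = set()
    for key, values in keys.items():
        for label, prefix in (("BHO", BHO_KEY), ("CLSID", CLSID_KEY)):
            if key.lower().startswith(prefix.lower() + "\\"):
                # first path element below the prefix is the CLSID, even for deeper subkeys
                clsid = key[len(prefix) + 1:].split("\\", 1)[0].upper()
                if clsid in VUNDO_CLSIDS:
                    hits.add(f"known Vundo.X CLSID {clsid} registered under the {label} key")
        if key.lower().startswith(WINLOGON_NOTIFY_KEY.lower()):
            for name, data in values.items():
                if name.lower() == data.lower():
                    hits.add(f"Winlogon\\Notify value '{name}' carries its own name as data ({key})")
    return sorted(hits)


def find_file_indicators(paths: List[str]) -> List[str]:
    """Flag 'pos<hex>.tmp' garbage files and a '<name>box' file lying beside '<name>'."""
    hits = []
    basenames = {p.rsplit("\\", 1)[-1].lower(): p for p in paths}
    garbage = [p for p in paths if GARBAGE_RE.match(p.rsplit("\\", 1)[-1])]
    if garbage:
        hits.append(f"{len(garbage)} garbage pos<hex>.tmp files, e.g. {garbage[0]}")
    for name, path in basenames.items():
        if name.endswith("box") and name[:-3] in basenames:
            hits.append(f"companion file {path} sits beside {basenames[name[:-3]]}")
    return hits


def find_shortcut_indicators(shortcuts: Dict[str, str]) -> List[str]:
    """Flag shortcuts whose http(s) target host is (or is under) a promoted domain."""
    hits = []
    for name, target in shortcuts.items():
        parsed = urlparse(target)
        host = (parsed.hostname or "").lower()
        if parsed.scheme in ("http", "https") and any(
            host == h or host.endswith("." + h) for h in PROMOTED_HOSTS
        ):
            hits.append(f"shortcut '{name}' links to {host}")
    return hits


def triage(reg_text: str, paths: List[str], shortcuts: Dict[str, str]) -> Dict[str, List[str]]:
    return {"registry": find_registry_indicators(parse_reg_export(reg_text)),
            "files": find_file_indicators(paths),
            "shortcuts": find_shortcut_indicators(shortcuts)}


# Constructed sample data; 'crypt32chain' is a benign Notify entry that must not be flagged.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
@="C:\\WINDOWS\\system32\\khfgged.dll"
[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]
[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{A95B2816-1D7E-4561-A202-68C0DE02353A}\InprocServer32]
@="C:\\WINDOWS\\system32\\khfgged.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"khfgged.dll"="khfgged.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DLLName"="crypt32.dll"
"""
SAMPLE_FILES = [
    r"C:\pos1a2b.tmp", r"C:\pos3C4D.tmp", r"C:\posFFFF.tmp",
    r"C:\Documents and Settings\user\My Documents\pos0001.tmp",
    r"C:\WINDOWS\system32\khfgged.dll", r"C:\WINDOWS\system32\khfgged.dllbox",
    r"C:\WINDOWS\system32\kernel32.dll",
    r"C:\WINDOWS\postscript.tmp",  # 'tscript' is not hex, so this is not flagged
]
SAMPLE_SHORTCUTS = {
    "Help and Support Center": "http://storageprotector.com/",
    "Windows Update": "http://www.storageprotector.com/update",
    "Mozilla Firefox": r"C:\Program Files\Mozilla Firefox\firefox.exe",
}

if __name__ == "__main__":
    for section, found in triage(SAMPLE_REG, SAMPLE_FILES, SAMPLE_SHORTCUTS).items():
        print(section)
        for hit in found:
            print("  -", hit)
```

The registry check keys on the first path element below the BHO and CLSID keys, so a CLSID registered as a subkey (the usual COM layout) is caught whether or not deeper subkeys such as InprocServer32 are present, and the Winlogon\Notify rule deliberately only fires on the name-equals-data pattern the entry describes, leaving normal Notify entries alone.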
Analysis by Marian Radu