Trojan:Win32/Vundo.X is a trojan that runs as a Browser Helper Object (BHO). Win32/Vundo.X falsely reports problems with the computer in order to convince users to purchase a promoted product. It may connect to a remote web server to download updates or other arbitrary files, and it uses stealth techniques that make it difficult to remove.
Installation
When Trojan:Win32/Vundo.X is installed, it may be dropped with a randomly generated file name. Win32/Vundo.X modifies the registry so that its copy is loaded as a BHO at each Windows start:
Adds value: {A95B2816-1D7E-4561-A202-68C0DE02353A}
With data: "<Win32/Vundo.X file name and path>"
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

Adds value: {11A69AE4-FBED-4832-A2BF-45AF82825583}
To subkey: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\

Adds value: {A95B2816-1D7E-4561-A202-68C0DE02353A}
To subkey: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\

Adds value: <Win32/Vundo.X file name>
With data: "<Win32/Vundo.X file name>"
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
When Win32/Vundo.X executes, it may inject its code into the 'Explorer.exe' process as a means of hiding its presence in memory.
Win32/Vundo.X may also create hundreds or thousands of garbage files named "pos<hex_number>.tmp" in the following folders:
c:\
<"My Documents" folder>
This trojan may also drop an encrypted file whose name is the malware file name with the word "box" appended (for example, if the BHO file is named 'khfgged.dll', the dropped file is named 'khfgged.dllbox').
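The installation artifacts listed above can be checked for directly. The following triage script is an added example and is not part of the Microsoft encyclopedia entry; the two CLSIDs, the three registry locations, the "pos<hex>.tmp" garbage files and the "<BHO name>box" companion file are taken from the entry, while the script's own assumptions are that the BHO's DLL path is read from the CLSID's InprocServer32 key (the standard COM registration for an in-process server) and that the "box" file sits next to that DLL.

```powershell
# Added triage script; not part of the Microsoft encyclopedia entry.
# Facts from the entry: the two CLSIDs, the three registry locations, the
# "pos<hex>.tmp" garbage files in C:\ and "My Documents", and the
# "<BHO name>box" companion file. Assumptions of this example only: the DLL
# path comes from the CLSID's InprocServer32 default value, and the companion
# file lives beside that DLL. Run from an elevated prompt; it only reads.

$VundoClsids = @(
    '{A95B2816-1D7E-4561-A202-68C0DE02353A}',
    '{11A69AE4-FBED-4832-A2BF-45AF82825583}'
)
$BhoKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$ClsidKey  = 'HKLM:\SOFTWARE\Classes\CLSID'
$NotifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'

function New-Finding([string]$Kind, [string]$Location, [string]$Detail) {
    [pscustomobject]@{ Kind = $Kind; Location = $Location; Detail = $Detail }
}

# Registry side: BHO registration, COM registration and the Winlogon\Notify hook.
function Get-VundoRegistryFindings {
    $bhoDllNames = @()   # leaf names of DLLs registered under the Vundo CLSIDs

    foreach ($clsid in $VundoClsids) {
        $bhoPath = Join-Path $BhoKey $clsid
        if (Test-Path $bhoPath) {
            New-Finding 'BHO' $bhoPath $clsid
        }
        $inproc = Join-Path (Join-Path $ClsidKey $clsid) 'InprocServer32'
        if (Test-Path $inproc) {
            $dll = (Get-ItemProperty -Path $inproc).'(default)'
            New-Finding 'CLSID' $inproc $dll
            if ($dll) { $bhoDllNames += [IO.Path]::GetFileName($dll) }
        }
    }

    if (Test-Path $NotifyKey) {
        # The entry describes a value whose name and data are both the BHO file name.
        foreach ($prop in (Get-ItemProperty -Path $NotifyKey).PSObject.Properties) {
            if ($prop.Name -notlike 'PS*' -and "$($prop.Value)" -in $bhoDllNames) {
                New-Finding 'WinlogonNotify' "$NotifyKey\$($prop.Name)" "$($prop.Value)"
            }
        }
        # Notify packages are normally registered as subkeys carrying a DLLName
        # value, so check that form as well.
        foreach ($sub in Get-ChildItem -Path $NotifyKey) {
            $dll = (Get-ItemProperty -Path $sub.PSPath).DLLName
            if ($dll -and ([IO.Path]::GetFileName($dll) -in $bhoDllNames)) {
                New-Finding 'WinlogonNotify' $sub.PSPath $dll
            }
        }
    }
}

# File-system side: the garbage .tmp files and the encrypted "box" companion.
function Get-VundoFileFindings([string[]]$BhoDllPaths) {
    foreach ($dir in @('C:\', [Environment]::GetFolderPath('MyDocuments'))) {
        if (-not (Test-Path $dir)) { continue }
        $garbage = @(Get-ChildItem -Path $dir -File -Filter 'pos*.tmp' -ErrorAction SilentlyContinue |
                     Where-Object { $_.Name -match '^pos[0-9a-fA-F]+\.tmp$' })
        if ($garbage.Count -gt 0) {
            New-Finding 'GarbageTmp' $dir ('{0} file(s), e.g. {1}' -f $garbage.Count, $garbage[0].Name)
        }
    }
    foreach ($dll in $BhoDllPaths) {
        $box = "${dll}box"   # 'khfgged.dll' -> 'khfgged.dllbox', as in the entry
        if (Test-Path -LiteralPath $box) {
            New-Finding 'EncryptedBox' $box ('{0} bytes' -f (Get-Item -LiteralPath $box).Length)
        }
    }
}

$registry = @(Get-VundoRegistryFindings)
$dllPaths = @($registry | Where-Object { $_.Kind -eq 'CLSID' -and $_.Detail } | ForEach-Object { $_.Detail })
$findings = $registry + @(Get-VundoFileFindings $dllPaths)

if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize
} else {
    'No Win32/Vundo.X artifacts found.'
}
```

A 'CLSID' finding gives the path of the DLL that Explorer loads at start-up; because the trojan injects into 'Explorer.exe', that file will be in use on a running infected system, so removal is best done from an offline scan or before Explorer starts rather than by deleting the file in place.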
Payload
Displays False Messages
Win32/Vundo.X displays false reports of problems with the computer in order to persuade the user to purchase a promoted product.
Creates Shortcuts to Download Unwanted Software
Win32/Vundo.X may create two Windows desktop shortcuts, one named "Help and Support Center" and the other named "Windows Update". The created shortcuts are restored if deleted or renamed, and both link to the Web site 'storageprotector.com'.
The text and icons used in these shortcuts are suggestive and attempt to trick the user into believing they are legitimate. The shortcuts direct users to a site that resembles a Windows Update dialog box.
If a user were to install the promoted update, the trojan may download and install a rogue security program known as "ErrClean", currently detected as Program:Win32/WinFixer.
Downloads Additional Programs
Win32/Vundo.X may attempt to download other programs or components from the domain 'paraplexic.com'.
Analysis by Marian Radu