Trojan:Win32/Vundo.gen!BA is a trojan that injects its code into running processes and downloads and executes arbitrary files, which may include additional malware.
Installation
Upon execution, Trojan:Win32/Vundo.gen!BA creates the following mutexes:
It then copies itself to the Windows system folder using the following file name format:
- __c00<5 random characters>.dat
- __a00<5 random characters>.exe
Below are examples of file names used by this trojan:
<system folder>\__c0096700.dat
<system folder>\__A00F17C1D.exe
Note - <system folder> refers to a variable location that the malware determines by querying the operating system. The default location of the System folder is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on XP and Vista.
It then modifies the system registry so that the dropped trojan copy is run every time Windows starts:
Adds value: "AppInit_DLLs"
With data: "<system folder>\<malware name>"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Adds value: "<malware name without the underscores>"
With data: "<system folder>\<malware name>"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
where <malware name> is one of the dropped copies of this trojan.
For example:
Adds value: "AppInit_DLLs"
With data: "<system folder>\__A00F17C1D.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Adds value: "A00F17C1D.exe "
With data: "<system folder>\__A00F17C1D.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
It also creates the following subkey:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\<malware name>
where <malware name> is the filename of the dropped trojan copy without the extension, for example:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c0096700
It also creates the following registry keys and entries so that the dropped trojan copy is installed as a Winlogon notification package:
Adds value: "Asynchronous"
With data: "0x00000001"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\<malware name>
Adds value: "DllName"
With data: "<system folder>\<malware name>"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\<malware name>
Adds value: "Impersonate"
With data: "0x00000000"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\<malware name>
Adds value: "Startup"
With data: "B"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\<malware name>
Adds value: "Logon"
With data: "B"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\<malware name>
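The three persistence points described above (the AppInit_DLLs value, the HKCU Run value named after the dropped file, and the Winlogon Notify subkey) can be checked mechanically against an exported registry listing and a directory listing. The following Python is an added example written for this page, not code from the original write-up: the key paths and the file name format come from the text above, while the RegValue type, the function names and the sample records are assumptions constructed for the example. The name pattern accepts five or six characters after the __c00/__a00 prefix because the second sample on the page (__A00F17C1D.exe) carries six, and it matches case-insensitively because that sample is upper-case.

```python
import re
from dataclasses import dataclass

# Persistence locations named in the write-up (hive abbreviations as written there).
APPINIT_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
WINLOGON_NOTIFY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# Dropped-copy naming format: __c00<random>.dat or __a00<random>.exe. The write-up says
# five random characters, but its second sample (__A00F17C1D.exe) has six after the
# prefix, so five or six are accepted; the match is case-insensitive.
VUNDO_NAME_RE = re.compile(r"^__(?:c00[0-9a-z]{5,6}\.dat|a00[0-9a-z]{5,6}\.exe)$", re.IGNORECASE)

# Long hive names collapsed to the abbreviations used above, so exports in either style compare.
HIVES = {"hkey_local_machine": "hklm", "hkey_current_user": "hkcu"}


@dataclass(frozen=True)
class RegValue:
    key: str   # full key path, e.g. HKLM\SOFTWARE\...\Run (assumed record shape)
    name: str  # value name
    data: str  # value data rendered as a string


def norm_key(key):
    """Lower-case a key path and collapse long hive names so paths compare reliably."""
    hive, _, rest = key.replace("/", "\\").strip("\\").partition("\\")
    return HIVES.get(hive.lower(), hive.lower()) + "\\" + rest.lower()


def basename(path):
    return path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1]


def is_vundo_name(name):
    return bool(VUNDO_NAME_RE.match(name.strip()))


def check_registry(values):
    """Return sorted, de-duplicated (mechanism, key) pairs for values matching the
    three persistence points: AppInit_DLLs, the HKCU Run value, a Winlogon Notify subkey."""
    hits = set()
    notify_prefix = norm_key(WINLOGON_NOTIFY) + "\\"
    for v in values:
        nk = norm_key(v.key)
        if nk == norm_key(APPINIT_KEY) and v.name.strip().lower() == "appinit_dlls":
            # AppInit_DLLs holds a delimited list of paths; test each entry's file name.
            if any(is_vundo_name(basename(e)) for e in re.split(r"[;,\s]+", v.data) if e):
                hits.add(("appinit_dlls", v.key))
        elif nk == norm_key(RUN_KEY):
            # Value name is the file name without its leading underscores (the page's sample
            # carries trailing whitespace, hence strip()); data is the dropped copy's path.
            if is_vundo_name(basename(v.data)) or is_vundo_name("__" + v.name.strip()):
                hits.add(("run_key", v.key))
        elif nk.startswith(notify_prefix):
            # Notify subkey is the dropped file name without its extension; DllName points at it.
            subkey = basename(v.key)
            if (is_vundo_name(subkey + ".dat") or is_vundo_name(subkey + ".exe")
                    or (v.name.strip().lower() == "dllname" and is_vundo_name(basename(v.data)))):
                hits.add(("winlogon_notify", v.key))
    return sorted(hits)


def check_files(paths):
    """Return the paths whose file name matches the dropped-copy naming format."""
    return [p for p in paths if is_vundo_name(basename(p))]


# Constructed sample data (not captured from a real host), shaped like the page's examples.
SAMPLE_REGISTRY = [
    RegValue(APPINIT_KEY, "AppInit_DLLs", r"C:\Windows\System32\__A00F17C1D.exe"),
    RegValue(RUN_KEY, "A00F17C1D.exe ", r"C:\Windows\System32\__A00F17C1D.exe"),
    RegValue(RUN_KEY, "OneDrive", r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
    RegValue(WINLOGON_NOTIFY + r"\__c0096700", "DllName", r"C:\Windows\System32\__c0096700.dat"),
    RegValue(WINLOGON_NOTIFY + r"\__c0096700", "Asynchronous", "0x00000001"),
    RegValue(WINLOGON_NOTIFY + r"\__c0096700", "Startup", "B"),
    RegValue(WINLOGON_NOTIFY + r"\ScCertProp", "DllName", "wlnotify.dll"),  # benign-looking entry
]
SAMPLE_FILES = [
    r"C:\Windows\System32\__c0096700.dat",
    r"C:\Windows\System32\__A00F17C1D.exe",
    r"C:\Windows\System32\kernel32.dll",
]

if __name__ == "__main__":
    for mechanism, key in check_registry(SAMPLE_REGISTRY):
        print(f"{mechanism:16} {key}")
    for path in check_files(SAMPLE_FILES):
        print(f"dropped copy     {path}")
```

The Notify subkey is reported once even though it carries several values, and a Run entry is flagged if either the value name or the data matches, so a renamed data path still surfaces through the derived value name.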
It also creates remote threads in the following system processes:
- services.exe
- explorer.exe
- msmsgs.exe
- dllhost.exe
Payload
Downloads Arbitrary Files
Trojan:Win32/Vundo.gen!BA attempts to download files from the following web servers:
- 85.17.143.213
- x1.theactionshow.com
Analysis by Vitaly Zaytsev