Trojan:Win32/Vundo.gen!BY is a generic detection for members of the Win32/Vundo family, a multi-component family that delivers 'out-of-context pop-up advertisements'. Trojan:Win32/Vundo.gen!BY has also been observed modifying and redirecting search engine results on specified web browsers.
Installation
Trojan:Win32/Vundo.gen!BY may be installed by other malware; in the wild, we have observed the trojan being dropped by TrojanDownloader:Win32/Vundo.K.
It arrives on the computer as a DLL file that is dropped in the <system folder> with a random file name.
Note: <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.
The malware file name is disguised to be the same as a legitimate DLL and can be any of the following:
- mapiclient.dll
- imapiapi.dll
- themespl.dll
- commgr20.dll
Trojan:Win32/Vundo.gen!BY modifies the following registry entries to ensure that its copy executes at each Windows start:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "<system folder>\<malware file name>"
With data: "<system folder>\<malware file name>.dll"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Sets value: "LoadAppInit_DLLs"
With data: 0x00000001
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Sets value: "AppInit_DLLs"
With data: "<malware file name>.dll"
It also injects itself into the following Windows processes (the AppInit_DLLs entry above causes the DLL to be loaded into any process that loads user32.dll, which includes these):
- explorer.exe
- iexplore.exe
- chrome.exe
- firefox.exe
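The persistence artifacts above (a Run value pointing at a DLL in the system folder, AppInit_DLLs enabled, one of the listed file names present, and the DLL loaded into explorer.exe or a browser) can be checked from an elevated PowerShell session. The script below is an added triage example, not part of the MMPC entry: the DLL names come from the entry, while the registry-data pattern, the signature check and the module enumeration are the author's assumptions about how an analyst would confirm the infection. Because the file name is chosen to mimic a legitimate DLL, presence of the name alone proves nothing; the Authenticode status and the loading processes are what distinguish the trojan from a clean file.

```powershell
# Added triage script (not from the MMPC entry). Run elevated; read-only.
$SystemFolder = [Environment]::GetFolderPath('System')   # resolves <system folder>, e.g. C:\Windows\System32
$KnownNames   = 'mapiclient.dll','imapiapi.dll','themespl.dll','commgr20.dll'   # names from the entry
$findings     = @()

# 1. Run key: a value whose data is a bare DLL path under the system folder is unusual
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($p in $run.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }           # skip PowerShell's own metadata properties
        $data = [string]$p.Value
        if ($data -match '\.dll"?\s*$' -and $data -like "$SystemFolder*") {
            $findings += "Run value '$($p.Name)' points at a DLL: $data"
        }
    }
}

# 2. AppInit_DLLs: LoadAppInit_DLLs=1 plus a non-empty AppInit_DLLs deserves a look.
#    On 64-bit Windows the 32-bit view lives under Wow6432Node, so check both.
$winKeys = @('HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows')
foreach ($winKey in $winKeys) {
    $win = Get-ItemProperty -Path $winKey -ErrorAction SilentlyContinue
    if ($win -and $win.LoadAppInit_DLLs -eq 1 -and -not [string]::IsNullOrWhiteSpace($win.AppInit_DLLs)) {
        $findings += "AppInit_DLLs enabled in $winKey : $($win.AppInit_DLLs)"
    }
}

# 3. Known file names in the system folder, with signature status and the processes
#    that currently have the DLL mapped (explorer.exe, browsers, ...)
foreach ($name in $KnownNames) {
    $path = Join-Path $SystemFolder $name
    if (-not (Test-Path $path)) { continue }
    $sig = Get-AuthenticodeSignature -FilePath $path
    $findings += "File present: $path (Authenticode: $($sig.Status))"
    $loaders = foreach ($proc in Get-Process) {
        # Module enumeration throws on protected or cross-bitness processes; ignore those
        try { if ($proc.Modules.FileName -contains $path) { $proc.ProcessName } } catch { }
    }
    if ($loaders) { $findings += "  loaded in: $(($loaders | Sort-Object -Unique) -join ', ')" }
}

if ($findings) { $findings } else { 'No Vundo.gen!BY persistence artifacts found.' }
```

A hit on step 3 with status NotSigned, combined with a Run or AppInit_DLLs entry naming the same file, matches the installation behaviour described in this entry; a Valid Microsoft signature on the same file name indicates a legitimate DLL, not the trojan.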
Payload
Redirects search queries
Trojan:Win32/Vundo.gen!BY hooks networking APIs, which allows it to monitor the websites the affected user accesses.
It may display advertisements from, and perform web search redirection to, the following websites:
- lastserverstatus <dot> com
- avatar3d2010 <dot> com
- searchetype <dot> com
- win32updater <dot> com
- vistanumbers <dot> com
- updatedfiles <dot> com
- win7updater <dot> com
- try2findall <dot> com
- victsecrets <dot> com
Displays pop-up advertisements
The trojan may display pop-up advertisements in the following browsers:
- Internet Explorer
- Firefox
- Opera
Downloads arbitrary files
Trojan:Win32/Vundo.gen!BY attempts to download and execute files from the following web servers to the infected computer:
- updatedfiles.com/myspace/out/<arbitrary file>
- abcchecksystem.com/ipo/out/<arbitrary file>
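The domains and download paths listed in this section are usable as network indicators. The script below is an added example, not part of the MMPC entry: it matches constructed web-proxy log lines (timestamp, client IP, URL; not real traffic) against the ad/redirect domains and the two download servers, and rates a request to the download paths higher than a plain redirect. The log format and the severity labels are the author's assumptions; adapt the regex to your proxy's actual format.

```powershell
# Added detection example (not from the MMPC entry).
$IocDomains = @(
    'lastserverstatus.com','avatar3d2010.com','searchetype.com','win32updater.com',
    'vistanumbers.com','updatedfiles.com','win7updater.com','try2findall.com',
    'victsecrets.com','abcchecksystem.com'
)
$DownloadPaths = '/myspace/out/','/ipo/out/'    # the file name after these is arbitrary

# Constructed sample lines, not real traffic
$SampleLog = @'
2010-06-01T10:00:01Z 10.0.0.15 http://www.microsoft.com/en-us/default.aspx
2010-06-01T10:00:05Z 10.0.0.15 http://searchetype.com/?q=bank+login
2010-06-01T10:00:09Z 10.0.0.15 http://updatedfiles.com/myspace/out/x1.exe
2010-06-01T10:00:12Z 10.0.0.22 http://abcchecksystem.com/ipo/out/setup.exe
2010-06-01T10:00:20Z 10.0.0.22 http://notupdatedfiles.com/index.html
'@

function Test-VundoIoc {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -notmatch '^(?<ts>\S+)\s+(?<ip>\S+)\s+(?<url>\S+)$') { continue }
        $uri      = [Uri]$Matches.url
        $hostName = $uri.Host.ToLowerInvariant()
        # Exact domain or subdomain match only: 'notupdatedfiles.com' must not match
        $domain = $IocDomains | Where-Object { $hostName -eq $_ -or $hostName.EndsWith(".$_") } |
                  Select-Object -First 1
        if (-not $domain) { continue }
        $isDownload = $DownloadPaths | Where-Object { $uri.AbsolutePath.StartsWith($_) }
        $severity   = if ($isDownload) { 'high (payload download)' } else { 'medium (ad/redirect)' }
        [pscustomobject]@{
            Time     = $Matches.ts
            Client   = $Matches.ip
            Domain   = $domain
            Severity = $severity
            Url      = $Matches.url
        }
    }
}

Test-VundoIoc -Lines ($SampleLog -split "`r?`n") | Format-Table -AutoSize
```

Against the sample lines this reports three hits (searchetype.com as medium, the two /out/ downloads as high) and ignores microsoft.com and the look-alike notupdatedfiles.com, which is the suffix check doing its job.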
Analysis by Zarestel Ferrer