Trojan:Win32/Vundo.gen!BY is a generic detection for members of the Win32/Vundo family, a multi-component family that delivers 'out-of-context pop-up advertisements'. Trojan:Win32/Vundo.gen!BY has also been observed modifying and redirecting search engine results on specified web browsers.
Installation
Trojan:Win32/Vundo.gen!BY may be installed by other malware; in the wild, we have observed the trojan being dropped by TrojanDownloader:Win32/Vundo.K.
It arrives on the computer as a DLL file that is dropped in the <system folder> with a random file name.
Note: <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.
The malware file name is disguised to look like a legitimate DLL and can be any of the following:
- mapiclient.dll
- imapiapi.dll
- themespl.dll
- commgr20.dll
Trojan:Win32/Vundo.gen!BY modifies the following registry entries to ensure that its copy executes at each Windows start:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "<system folder>\<malware file name>"
With data: "<system folder>\<malware file name>.dll"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Sets value: "LoadAppInit_DLLs"
With data: 0x00000001
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Sets value: "AppInit_DLLs"
With data: "<malware file name>.dll"
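As an added defender-side check (not part of the original write-up), the following Python parses a constructed `reg export` dump and flags the AppInit_DLLs and Run entries described above when they reference one of the listed DLL names; the sample dump and the function names are assumptions made for this example.

```python
# Constructed sample in "reg export" format (not taken from a real host); it
# mirrors the Run and AppInit_DLLs entries described above for this variant.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C:\\Windows\\System32\\themespl"="C:\\Windows\\System32\\themespl.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=dword:00000001
"AppInit_DLLs"="themespl.dll"
"""

# DLL names the page lists as disguises used by this Vundo variant.
VUNDO_DLL_NAMES = {"mapiclient.dll", "imapiapi.dll", "themespl.dll", "commgr20.dll"}
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
WINDOWS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"


def parse_reg_export(text):
    """Parse a .reg export into {key: {value_name: data}}; handles REG_SZ and dword only."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"'):
            name, sep, data = line[1:].partition('"=')
            if not sep:
                continue  # not a "name"=data line
            if data.startswith("dword:"):
                keys[current][name] = int(data[6:], 16)
            elif len(data) >= 2 and data[0] == data[-1] == '"':
                keys[current][name] = data[1:-1].replace("\\\\", "\\")
    return keys


def find_vundo_persistence(text):
    """Return (location, dll_name) findings for the persistence entries this page describes."""
    keys = parse_reg_export(text)
    findings = []
    win = keys.get(WINDOWS_KEY, {})
    appinit = str(win.get("AppInit_DLLs", "")).lower()
    # With LoadAppInit_DLLs=1 every DLL in AppInit_DLLs is loaded into user32-linked processes.
    if win.get("LoadAppInit_DLLs") == 1:
        findings += [("AppInit_DLLs", n) for n in sorted(VUNDO_DLL_NAMES) if n in appinit]
    for data in keys.get(RUN_KEY, {}).values():
        base = str(data).lower().rsplit("\\", 1)[-1]  # file name portion of the path
        if base in VUNDO_DLL_NAMES:
            findings.append(("Run", base))
    return findings
```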
It also injects itself into the following Windows processes:
- explorer.exe
- iexplorer.exe
- chrome.exe
- firefox.exe
Payload
Redirects search queries
Trojan:Win32/Vundo.gen!BY hooks networking APIs, which allows it to monitor the websites the affected user accesses.
It may display advertisements from, and perform web search redirection to, the following websites:
- lastserverstatus <dot> com
- avatar3d2010 <dot> com
- searchetype <dot> com
- win32updater <dot> com
- vistanumbers <dot> com
- updatedfiles <dot> com
- win7updater <dot> com
- try2findall <dot> com
- victsecrets <dot> com
Displays pop-up advertisements
The trojan may display pop-up advertisements in the following browsers:
- Internet Explorer
- Firefox
- Opera
Downloads arbitrary files
Trojan:Win32/Vundo.gen!BY attempts to download and execute files from the following web servers on the infected computer:
- updatedfiles.com/myspace/out/<arbitrary file>
- abcchecksystem.com/ipo/out/<arbitrary file>
Analysis by Zarestel Ferrer