TrojanDropper:Win32/Vundo.J is a trojan that stops certain antimalware processes. It injects code into certain processes and may also display pop-up advertisements.
Installation
Upon execution, TrojanDropper:Win32/Vundo.J drops a hidden DLL file with a random file name in the Windows system folder. This file is also detected as TrojanDropper:Win32/Vundo.J.
It adds the following registry values so that it runs automatically every time Windows starts:
Adds value: "<random string 1>sys"
With data: "rundll32.exe "<malware file name>.dll",s"
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Adds value: "<random string 2>sys"
With data: "rundll32.exe "<malware file name>.dll",s"
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
For example:
Adds value: "byyyxysyssys"
With data: "rundll32.exe "opmlih.dll",s"
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Adds value: "pmkjkjsyssys"
With data: "rundll32.exe "opmlih.dll",s"
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
It then creates a mutex with the following name:
- Global\<random number> (for example, "Global\7780029")
TrojanDropper:Win32/Vundo.J then loads its dropped file by running the following command:
- rundll32.exe "<system folder>\<malware file name>.dll",s
Note: <system folder> refers to a variable location that the malware determines by querying the operating system. The default System folder location is C:\Winnt\System32 for Windows 2000 and NT, and C:\Windows\System32 for Windows XP, Vista, and 7.
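The persistence and load behaviour above gives defenders three concrete indicators: a Run-key value whose name ends in "sys", value data of the form rundll32.exe "<name>.dll",s, and a Global\<number> mutex. The following Python script is an added example for triage, not code from Microsoft or from this write-up; it parses a constructed .reg export of the two Run keys (exported with reg export or regedit) and a few constructed process-creation command lines, and flags entries matching those indicators. The sample values, key names and helper function names are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Load/persistence command described in the write-up:
#   rundll32.exe "<dll name>.dll",s      (the DLL is invoked through its "s" export)
# Accepts a bare file name or a full "<system folder>\...dll" path, quoted or not,
# and rundll32 given either bare or as a quoted full path.
RUNDLL32_S_EXPORT = re.compile(
    r'^\s*"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^"\s]+\.dll)"?\s*,\s*s\s*$',
    re.IGNORECASE,
)

# The two Run keys named in the write-up, as their full hive names appear in a .reg export.
RUN_KEYS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run".upper(),
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run".upper(),
}

# Mutex pattern from the write-up: Global\<decimal number>, e.g. Global\7780029.
GLOBAL_NUMERIC_MUTEX = re.compile(r"^Global\\\d+$")


@dataclass
class RunEntry:
    key: str    # registry key the value lives under
    name: str   # value name, e.g. "byyyxysyssys"
    data: str   # value data, e.g. rundll32.exe "opmlih.dll",s


def _unescape_reg(s: str) -> str:
    """Undo .reg escaping (backslash-escaped backslashes and double quotes)."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> List[RunEntry]:
    """Parse the subset of .reg syntax needed here: [key] headers and "name"="data" lines."""
    entries: List[RunEntry] = []
    current_key = None
    value_line = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        m = value_line.match(line)
        if m and current_key is not None:
            entries.append(RunEntry(current_key, _unescape_reg(m.group(1)), _unescape_reg(m.group(2))))
    return entries


def is_vundo_style_run_entry(entry: RunEntry) -> bool:
    """All three write-up indicators together: a Run key, a value name ending in 'sys',
    and data of the form rundll32.exe "<x>.dll",s."""
    return (
        entry.key.upper() in RUN_KEYS
        and entry.name.lower().endswith("sys")
        and RUNDLL32_S_EXPORT.match(entry.data) is not None
    )


def find_suspicious_run_entries(entries: List[RunEntry]) -> List[RunEntry]:
    return [e for e in entries if is_vundo_style_run_entry(e)]


def is_vundo_style_mutex(name: str) -> bool:
    # Weak on its own (many programs create Global\ mutexes); use it only to corroborate a Run-key hit.
    return GLOBAL_NUMERIC_MUTEX.match(name) is not None


def scan_process_command_lines(cmdlines: List[str]) -> List[Tuple[str, str]]:
    """Apply the same rundll32 pattern to process-creation command lines (the load command in the write-up)."""
    hits = []
    for cmd in cmdlines:
        m = RUNDLL32_S_EXPORT.match(cmd)
        if m:
            hits.append((cmd, m.group("dll")))
    return hits


# Constructed sample .reg export (not real telemetry): two benign-looking entries plus the
# two example values from the write-up.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VendorTray"="\"C:\\Program Files\\Vendor\\tray.exe\" /autostart"
"byyyxysyssys"="rundll32.exe \"opmlih.dll\",s"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SyncClient"="C:\\Users\\alice\\AppData\\Local\\SyncClient\\sync.exe --background"
"pmkjkjsyssys"="rundll32.exe \"opmlih.dll\",s"
'''

# Constructed process-creation command lines (the kind a Sysmon Event ID 1 record carries).
SAMPLE_CMDLINES = [
    r'rundll32.exe "C:\Windows\System32\opmlih.dll",s',
    r'rundll32.exe shell32.dll,Control_RunDLL',
    r'"C:\Windows\System32\rundll32.exe" C:\Windows\System32\opmlih.dll,s',
]

if __name__ == "__main__":
    for e in find_suspicious_run_entries(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"suspicious Run value: {e.key}\\{e.name} = {e.data}")
    for cmd, dll in scan_process_command_lines(SAMPLE_CMDLINES):
        print(f"suspicious rundll32 load of {dll}: {cmd}")
```

Both Run-key hits name the same DLL (opmlih.dll), which is what the write-up's example shows: the same dropped file registered under HKLM and HKCU. The command-line scan catches the equivalent load even when rundll32 is invoked by full path, which the registry check alone would miss.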
Payload
Stops certain security programs
TrojanDropper:Win32/Vundo.J may attempt to stop the following programs, if they are currently running:
- Malicious Software Removal Tool (MSRT)
- Windows Defender
- Malwarebytes
Injects code into processes
TrojanDropper:Win32/Vundo.J may try to inject code into the following processes:
- explorer.exe
- firefox.exe
- iexplore.exe
- chrome.exe
- opera.exe
- csrss.exe
- lsass.exe
Displays pop-up advertisements
TrojanDropper:Win32/Vundo.J may try to contact the following domain to display pop-up advertisements on the infected computer:
Analysis by Andrei Florin Saygo