by alexander.adamov on November 14th, 2012 in Malware Descriptions.

Platform: Win32
Type: Downloader
Size: 214528 bytes
Packer: unknown packer
Unpacked size: ~127 KB
Language: C++
MD5: 7e50b31fbfed1477b669d3c2902043f5
SHA1: ae4c35e8893bac5115a5fc493cbcf7d7baa09c23
Aliases: Cidox, Mayachok


Trojan-Downloader.Win32.Vundo.jd is a Trojan program that downloads other malicious programs from the Internet onto the infected PC without the user's knowledge or consent. It attempts to disguise itself as the "Symantec Shared Component Scanner Stub", using the file name "Navmt.exe":

The program has the following icon:

Technical Details


Once activated, the Trojan deletes the contents of the current user’s Cookies folder and empties the Temporary Internet Files folder:

%Documents and Settings%\%Current User%\Cookies\
%Documents and Settings%\%Current User%\Local Settings\Temporary Internet Files\

The Trojan then extracts a dynamic-link library (DLL) from its body and saves it as "0105.tmp" in the following directory:

%Documents and Settings%\%Current User%\My Documents\Iterra\0105.tmp

The file is 41984 bytes in size. It is detected as Trojan-Downloader.Win32.Vundo.jd by Ad-Aware Antivirus.

MD5: a2e8d43d470a520d0bec6f113ada84bf

SHA1: 3e97d1b969b876a894b9d4e86ec244b235a00ca7

The Trojan then copies the extracted library to the Windows folder under a randomly generated name:


where <rnd> is a sequence of Latin alphabet letters, for example, "rovzxuk".

The Trojan then injects the DLL into the address space of the explorer.exe process.

If User Account Control (UAC) is enabled, the Trojan injects the DLL code into the address space of the svchost.exe process instead.

Below is information about the library:

To have the copied library loaded into the address space of every process started on the system, the Trojan writes a registry (.reg) file:

%Documents and Settings%\%Current User%\My Documents\Iterra\T03emp03.reg

The file modifies the AppInit_DLLs value under the following registry key (the value is the one reset in the Removal Recommendations below; Windows loads the DLLs listed in it into every process that loads user32.dll):

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows]

The Trojan then imports "T03emp03.reg" with regedit, the system registry editor; the /s switch performs the import silently, without the confirmation prompt:

%WinDir%\regedit.exe /s %Documents and Settings%\%Current User%\My Documents\Iterra\T03emp03.reg

After successful installation, the Trojan deletes the following files:

%Documents and Settings%\%Current User%\My Documents\Iterra\0105.tmp
%Documents and Settings%\%Current User%\My Documents\Iterra\T03emp03.reg
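The persistence step above comes down to one registry value written through a .reg file. As an added example (not code from the original description, and not the Trojan's own file, whose contents the page does not show), the following Python script parses a .reg file of that kind, returns every DLL path written into AppInit_DLLs under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows, and produces the cleanup entry that the removal steps below describe. SAMPLE_REG is a constructed file: "rovzxuk" reuses the page's example of the random name, the LoadAppInit_DLLs value is an assumption about what such a file needs on Vista and later, and the second key and the hex value are there only to exercise the parser.

```python
"""Parse a Windows .reg file and flag AppInit_DLLs persistence.

Added example, not code from the original description. The Trojan's
T03emp03.reg is not shown on the page, so SAMPLE_REG below is a
constructed file illustrating the mechanism: a DLL path written into
AppInit_DLLs, which user32.dll loads into every process that links it.
"""
import re

# Registry key the removal steps reset, upper-cased for a case-insensitive match.
APPINIT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS"

# Constructed sample. "rovzxuk" is the page's example of the random DLL name;
# LoadAppInit_DLLs is assumed, and the second key only exercises the parser.
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\system32\\rovzxuk.dll"
"LoadAppInit_DLLs"=dword:00000001

; constructed key, unrelated to the Trojan
[HKEY_CURRENT_USER\Software\ExampleOnly]
@="default"
"Blob"=hex:01,02,\
  03,04
"""

VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s):
    # .reg string escapes: \\ becomes \ and \" becomes "
    return re.sub(r'\\(["\\])', r"\1", s)


def _parse_value(raw):
    """Decode the right-hand side of a "name"=... line into (type, data)."""
    raw = raw.strip()
    if raw == "-":
        return ("delete", None)
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return ("REG_SZ", _unescape(raw[1:-1]))
    if raw.lower().startswith("dword:"):
        return ("REG_DWORD", int(raw[6:], 16))
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", raw, re.I)
    if m:
        type_id = int(m.group(1)) if m.group(1) else 3
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        # hex(2)/hex(7) (REG_EXPAND_SZ/REG_MULTI_SZ) are left as raw bytes here.
        return ("REG_BINARY" if type_id == 3 else f"hex({type_id})", data)
    raise ValueError(f"unrecognised value syntax: {raw!r}")


def parse_reg(text):
    """Return {key_path: {value_name: (type, data)}}; a deleted key maps to None."""
    joined, buf = [], ""
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("\\"):          # hex data continues on the next line
            buf += line[:-1]
            continue
        joined.append(buf + line)
        buf = ""
    if buf:
        joined.append(buf)
    result, current = {}, None
    for line in joined:
        if not line or line.startswith(";"):
            continue
        if line.upper().startswith("REGEDIT4") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.startswith("-"):      # [-KEY] deletes the whole key
                result[key[1:]], current = None, None
            else:
                current = result.setdefault(key, {})
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            raise ValueError(f"malformed line: {line!r}")
        name = "" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        current[name] = _parse_value(m.group(2))
    return result


def find_appinit_dlls(parsed):
    """Return every DLL path a parsed file writes into AppInit_DLLs."""
    hits = []
    for key, values in parsed.items():
        if values is None or key.upper() != APPINIT_KEY:
            continue
        for name, (vtype, data) in values.items():
            if name.lower() == "appinit_dlls" and vtype == "REG_SZ":
                # AppInit_DLLs is a space- or comma-separated list of paths
                hits.extend(p for p in re.split(r"[ ,]+", data) if p)
    return hits


def cleanup_reg():
    """The .reg text for the registry step of the removal recommendations."""
    return ("Windows Registry Editor Version 5.00\n\n"
            "[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows]\n"
            '"AppInit_DLLs"=""\n')


if __name__ == "__main__":
    for dll in find_appinit_dlls(parse_reg(SAMPLE_REG)):
        print("AppInit_DLLs would load:", dll)
    print(cleanup_reg())
```

Run against a file recovered from a disk image or a sandbox, the script gives the exact path to look for in step 4 of the removal; the key comparison is case-insensitive because regedit accepts any casing for the same path. REG_EXPAND_SZ values written as hex(2) are not decoded, so a file that writes AppInit_DLLs that way would need that case added.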

Using the extracted dynamic library, the Trojan performs the following actions:

Connects to one of the following attacker’s servers:

The server responds with an encrypted configuration file, which is saved as "cf" in the following directory:

%Documents and Settings%\%Current User%\Cookies\cf

Information about the infected system, including the antivirus products installed on it, is sent to the attacker's server.

The Trojan searches the system for the following processes:


If one of these processes is found, the corresponding digit is set in a GET parameter of the request sent to the server:

The Trojan intercepts network traffic through the Winsock functions exported by "ws2_32.dll" in the following browser processes:


Based on configuration data, the Trojan can perform the following actions:

  • Block access to Internet resources;
  • Download and run other malicious programs for execution;
  • Increase Internet traffic;
  • Inject HTML into web pages the user visits, in order to send information about the current session to the attacker's server:

Removal Recommendations

  1. Restart the computer in safe mode (press and hold the F8 key as the computer restarts, and then select "Safe Mode" on the boot menu).
  2. Delete the original malware file (its file name and location depend on the way the Trojan originally penetrated the user's computer).
  3. Modify the following registry value ("How to Work with System Registry"):
     [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows]
     AppInit_DLLs = ""

  4. Delete the file:
     %System%\<rnd>.dll

  5. Delete the downloaded configuration file:
     %Documents and Settings%\%Current User%\Cookies\cf

  6. Clean the Temporary Internet Files folder, which may contain infected files ("How to clean Temporary Internet Files folder").
  7. Run a full scan of your computer using the Antivirus program with an updated definition database ("Download Ad-Aware Free").