Trojan-Downloader.Win32.Vundo.jd

by alexander.adamov on November 14th, 2012 in Malware Descriptions.

Platform: Win32
Type: Downloader
Size: 214528 bytes
Packer: unknown packer
Unpacked size: ~127 KB
Language: C++
MD5: 7e50b31fbfed1477b669d3c2902043f5
SHA1: ae4c35e8893bac5115a5fc493cbcf7d7baa09c23
Aliases: Cidox, Mayachok

Summary

Trojan-Downloader.Win32.Vundo.jd is a Trojan program that downloads other malicious programs from the Internet onto the infected PC without the user's knowledge or consent. It attempts to disguise itself as a "Symantec Shared Component Scanner Stub" using the file name "Navmt.exe".

The program has the following icon:

Technical Details

Payload

Once activated, the Trojan deletes the contents of the current user’s Cookies folder and empties the Temporary Internet Files folder:

%Documents and Settings%\%Current User%\Cookies\
%Documents and Settings%\%Current User%\Local Settings\Temporary Internet Files\

The Trojan then extracts a dynamic-link library (DLL) from its body and saves it as "0105.tmp" in the following directory:

%Documents and Settings%\%Current User%\My Documents\Iterra\0105.tmp

The file is 41984 bytes in size. It is detected as Trojan-Downloader.Win32.Vundo.jd by Ad-Aware Antivirus.

MD5: a2e8d43d470a520d0bec6f113ada84bf

SHA1: 3e97d1b969b876a894b9d4e86ec244b235a00ca7

The Trojan then copies the extracted library to the Windows folder under a randomly generated name:

%System%\<rnd>.dll

where <rnd> is a sequence of Latin alphabet letters, for example, "rovzxuk".

The Trojan then injects the DLL into the address space of the explorer.exe process.

If User Account Control (UAC) is enabled, the Trojan injects the DLL code into the address space of the svchost.exe process.

Below is information about the library:

To have the extracted library loaded automatically into the address space of every process started on the system, the Trojan creates a registry (.reg) file:

%Documents and Settings%\%Current User%\My Documents\Iterra\T03emp03.reg

The Trojan then modifies the following registry values:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="%System%\<rnd2>.dll"
"LoadAppInit_DLLs"="1"

The Trojan then imports the "T03emp03.reg" file by running regedit, the Windows registry editor:

%WinDir%\regedit.exe /s %Documents and Settings%\%Current User%\My Documents\Iterra\T03emp03.reg

After successful installation, the Trojan deletes the following files:

%Documents and Settings%\%Current User%\My Documents\Iterra\0105.tmp
%Documents and Settings%\%Current User%\My Documents\Iterra\T03emp03.reg

Using the extracted dynamic library, the Trojan performs the following actions:

Connects to one of the attacker's command-and-control servers, chosen from a list of domain names and one IP address.

The server responds with an encrypted configuration file, which is saved as "cf" in the following directory:

%Documents and Settings%\%Current User%\Cookies\cf

Information about the infected system, including the antivirus products installed on it, is sent to the attacker's server.

The Trojan searches the system for the following processes:

avp.exe
egui.exe
ekrn.exe
AvastUI.exe
AvastSvc.exe
avgnt.exe
avguard.exe
avshadow.exe
avgnsx.exe
avgrsx.exe
avgtray.exe
vba32ldr.exe
vbaScheduler.exe

If one of these processes is found, a corresponding digit is marked in the GET parameter of the response.

The Trojan controls network traffic through the "ws2_32.dll" library functions in the following browser processes:

iexplore.exe
opera.exe
firefox.exe
chrome.exe

Based on configuration data, the Trojan can perform the following actions:

  • Block access to Internet resources;
  • Download and run other malicious programs;
  • Increase Internet traffic;
  • Make HTML injections into websites visited by the user in order to send information about the current session to the attacker's server.

Removal Recommendations

  1. Restart the computer in safe mode (press and hold the F8 key as the computer restarts, then select "Safe Mode" from the boot menu).
  2. Delete the original malware file (its name and location depend on how the Trojan originally reached the user's computer).
  3. Modify the following registry value ("How to Work with System Registry"):
     [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows]
     AppInit_DLLs = ""
  4. Delete the file:
     %System%\<rnd>.dll
  5. Clean the Temporary Internet Files folder, which contains infected files ("How to clean Temporary Internet Files folder").
  6. Run a full scan of the computer with an antivirus program and an up-to-date definition database ("Download Ad-Aware Free").
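The following script is an added example (not code from the original write-up or from Ad-Aware) that audits the AppInit_DLLs persistence described in the Payload section and looks for the "Iterra" folder and "cf" file named above; it is read-only unless -Remediate is given, in which case it clears AppInit_DLLs as step 3 of the removal recommendations does. The lowercase-letters-only file-name test, the 5-10 character length range and the use of the native registry view (not Wow6432Node) are assumptions of this example.

```powershell
# Audit AppInit_DLLs persistence of the kind Trojan-Downloader.Win32.Vundo.jd sets up.
# Run from an elevated PowerShell prompt. Read-only unless -Remediate is passed.
param([switch]$Remediate)

$key    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$system = [Environment]::GetFolderPath('System')          # %System%
$values = Get-ItemProperty -Path $key
$appInit = [string]$values.AppInit_DLLs
$loadOn  = [int]$values.LoadAppInit_DLLs                   # 1 means entries are loaded

"LoadAppInit_DLLs = $loadOn"
"AppInit_DLLs     = '$appInit'"

$findings = @()
# The value is a space/comma separated list of DLLs; bare names resolve to the system folder.
foreach ($entry in ($appInit -split '[ ,;]+' | Where-Object { $_ })) {
    $path = if ([IO.Path]::IsPathRooted($entry)) { $entry } else { Join-Path $system $entry }
    $name = [IO.Path]::GetFileName($path)
    $reasons = @()
    # Heuristic (assumed): random run of Latin letters such as "rovzxuk.dll".
    if ($name -match '^[a-z]{5,10}\.dll$') { $reasons += 'random-looking name' }
    if (Test-Path $path) {
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') { $reasons += "not validly signed ($($sig.Status))" }
        # The dropped library is 41984 bytes according to the write-up.
        if ((Get-Item $path).Length -eq 41984) { $reasons += 'size matches dropped library' }
    } else {
        $reasons += 'file missing'
    }
    if ($reasons) { $findings += "$path : $($reasons -join ', ')" }
}

# Dropper artefacts named in the write-up: the Iterra working folder and the "cf" config file.
$docs    = [Environment]::GetFolderPath('MyDocuments')
$cookies = [Environment]::GetFolderPath('Cookies')
foreach ($p in @((Join-Path $docs 'Iterra'), (Join-Path $cookies 'cf'))) {
    if (Test-Path $p) { $findings += "$p : artefact present" }
}

if ($findings) {
    'SUSPICIOUS:'
    $findings | ForEach-Object { "  $_" }
    if ($Remediate) {
        Set-ItemProperty -Path $key -Name AppInit_DLLs -Value ''   # removal step 3
        'AppInit_DLLs cleared; delete the listed DLL in safe mode and run a full scan.'
    }
} else {
    'No AppInit_DLLs findings.'
}
```

Run it without -Remediate first and review the listed reasons; a legitimate DLL can also trip the name heuristic, so confirm with the signature and size checks before clearing the value.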