Trojan:Win32/Vundo.HIT installs itself as a Browser Helper Object (BHO), and connects to the Internet without user consent. This trojan may also terminate specific security services, and download additional malware to the computer.
Installation
Trojan:Win32/Vundo.HIT is installed by another executable. The installer program creates a dynamic link library (DLL) with a randomly generated file name in the Windows system folder, and also modifies the registry to load the DLL whenever a Web browser application is launched.
The trojan installer may create the following registry keys (for example):
HKEY_CURRENT_USER\SOFTWARE\Microsoft\zxc5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dccea3ba
Trojan:Win32/Vundo.HIT may make further modifications to the registry, as illustrated in the examples below (note that specific Class IDs, keys, values and data/file names will differ among variants and specific instances).
Trojan:Win32/Vundo.HIT registers the DLL as an in-process COM server by creating the following entry under the CLSID subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FA8BE6D5-40E0-48B8-B317-18A4A590918A}\InprocServer32\<value> = "<system folder>\<random file name>.dll"
It installs itself as a BHO by adding the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FA8BE6D5-40E0-48B8-B317-18A4A590918A}
It also adds the following registry entries to ensure automatic execution when Explorer and Winlogon start:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{FA8BE6D5-40E0-48B8-B317-18A4A590918A}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\winlogon\Notify\<random file name>\DllName = "<random file name>.dll"
The trojan may also add the DLL to the AppInit_DLLs value. Every DLL listed in this value is loaded by each Microsoft Windows-based application running in the current logon session:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs = "<system folder>\<random file name>.dll"
It creates the mutex 'awx_mutant' to ensure that multiple copies of the trojan do not run simultaneously.
It also injects code into the following processes:
AD-AWARE.EXE
Explorer.exe
Winlogon.exe
Payload
Downloads and Executes Arbitrary Files
Trojan:Win32/Vundo.HIT may establish connections to the following IP addresses:
82.98.235.70
65.243.103.80
This trojan may attempt to download additional malware onto the infected computer.
Terminates Process
Trojan:Win32/Vundo.HIT may terminate the process "GCASSERVALERT.EXE". This process belongs to an application of the same name located in the %ProgramFiles%\Microsoft Antispyware\ folder.
Modifies System Security Settings
Trojan:Win32/Vundo.HIT may lower Internet security settings by modifying the following registry entry:
Adds value: "1A02"
With data: 0
To subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
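The following PowerShell audit is an added example and is not part of the original analysis. It checks the persistence locations, the AppInit_DLLs value, the Internet zone setting and the mutex name listed above; the CLSID and value names are taken from this write-up, while the assumption that legitimate Winlogon\Notify DLLs carry a valid Authenticode signature is the author's own heuristic.

```powershell
# Added defender-side audit of the Vundo.HIT indicators in this write-up.
# Run from an elevated prompt. Each hit is an indicator to review, not proof of infection.
$Clsid = '{FA8BE6D5-40E0-48B8-B317-18A4A590918A}'   # CLSID named in the write-up
$Findings = @()

# 1. COM registration and BHO key for the CLSID
$ClsidKeys = @(
    "HKLM:\SOFTWARE\Classes\CLSID\$Clsid\InprocServer32",
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$Clsid"
)
foreach ($k in $ClsidKeys) { if (Test-Path $k) { $Findings += "Key present: $k" } }

# 2. ShellExecuteHooks entry, whether stored as a value or as a subkey
$Hooks = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
if (Test-Path $Hooks) {
    $asValue = (Get-ItemProperty $Hooks).PSObject.Properties.Name -contains $Clsid
    if ($asValue -or (Test-Path "$Hooks\$Clsid")) { $Findings += "ShellExecuteHooks entry: $Clsid" }
}

# 3. Winlogon\Notify: flag any DllName that is missing or not validly signed (heuristic)
$Notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
if (Test-Path $Notify) {
    Get-ChildItem $Notify | ForEach-Object {
        $dll = (Get-ItemProperty $_.PSPath).DllName
        if (-not $dll) { return }
        $dll = [Environment]::ExpandEnvironmentVariables($dll)
        $path = if ([IO.Path]::IsPathRooted($dll)) { $dll } else { Join-Path "$env:SystemRoot\System32" $dll }
        $status = if (Test-Path $path) { (Get-AuthenticodeSignature $path).Status } else { 'Missing' }
        if ($status -ne 'Valid') { $Findings += "Winlogon\Notify\$($_.PSChildName) -> $path ($status)" }
    }
}

# 4. AppInit_DLLs: any non-empty value loads a DLL into every process and deserves review
$AppInit = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows' -Name AppInit_DLLs -ErrorAction SilentlyContinue
if ($AppInit.AppInit_DLLs) { $Findings += "AppInit_DLLs = $($AppInit.AppInit_DLLs)" }

# 5. Internet zone (Zone 3): value 1A02 set to 0 is the weakened setting described above
$Zone3 = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$v = (Get-ItemProperty $Zone3 -Name '1A02' -ErrorAction SilentlyContinue).'1A02'
if ($null -ne $v -and $v -eq 0) { $Findings += "Internet zone value 1A02 is 0" }

# 6. Mutex: OpenExisting throws when no process holds a mutex of that name
foreach ($name in 'awx_mutant', 'Global\awx_mutant') {
    try { [System.Threading.Mutex]::OpenExisting($name).Dispose(); $Findings += "Mutex present: $name" }
    catch { }
}

if ($Findings) { $Findings | ForEach-Object { Write-Output "[!] $_" } }
else { Write-Output 'No Vundo.HIT indicators found.' }
```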
Analysis by Elda Dimakiling