Trojan:Win32/Vundo.HJ is a variant of Win32/Vundo, a multi-component family of programs that deliver 'out of context' pop-up advertisements and may also download and execute arbitrary files. Vundo is often distributed as a DLL file and installed on an affected machine as a Browser Helper Object (BHO) without the user's consent. The family uses defensive and stealth techniques to escape detection and to hinder removal.
Installation
Win32/Vundo.HJ may be installed by other malware. The installer may carry the following false and misleading file version properties:
Company: Microsoft Corporation
File Description: Outlook Express Setup Library
The trojan creates a mutex "awx_mutant" during its installation and drops files with randomly generated filenames into the Windows system folder, as in the following examples:
<system folder>\efccvwqg.dll
<system folder>\awtqnkhe.dll
The trojan creates a remote thread in the running winlogon.exe process. It also modifies the registry so that it is executed at each Windows start and registered as a Browser Helper Object (BHO). The entries below are examples: the ShellExecuteHooks entry makes the shell load the DLL by its CLSID, and the Winlogon subkey is named after the dropped DLL:
Adds value: Time
With data: "<binary value>"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Settings
Adds value: @
With data: "<Win32/Vundo.HJ path and filename>"
To subkey: HKCR\CLSID\{unique CLSID-1}\InprocServer32
Adds value: Asynchronous
With data: dword:00000001
To subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\<Win32/Vundo.HJ filename>
Adds value: {unique CLSID-1}
With data: ""
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
Trojan:Win32/Vundo.HJ injects itself into the following processes:
WINLOGON.EXE
EXPLORER.EXE
AD-AWARE.EXE
Win32/Vundo.HJ drops and executes a small batch script named '%TEMP%\removalfile.bat' that attempts to delete the original Win32/Vundo.HJ installer or dropper.
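The registry entries above can be triaged offline from a reg export of the keys involved. The following Python is an added example, not code from this page or from Microsoft: it parses the export, follows each ShellExecuteHooks CLSID to its InprocServer32 path, and flags entries whose DLL looks like one of the dropped files (an eight-lowercase-letter name in the system folder) or that have a matching Winlogon subkey carrying Asynchronous=1, the pairing the entries above describe. The embedded export text is constructed; the CLSID {7E8BC44E-AEFF-4B9A-97B6-1E3F6A5C9D11} is hypothetical and stands in for the page's {unique CLSID-1}, and the eight-letter-name heuristic and the system32 restriction are assumptions of this example, not something the page states.

```python
"""Triage a reg.exe export for Vundo.HJ-style persistence entries.
Added example for this page; not Microsoft's code or the page's own."""
import re
import sys
from typing import Dict, List

# Constructed sample of what `reg export` produces for the keys the page names.
# {7E8BC44E-...} is a hypothetical CLSID standing in for "{unique CLSID-1}";
# the shell32.dll entry is a legitimate hook the heuristic must not flag.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{7E8BC44E-AEFF-4B9A-97B6-1E3F6A5C9D11}"=""

[HKEY_CLASSES_ROOT\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InprocServer32]
@="C:\\WINDOWS\\system32\\shell32.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{7E8BC44E-AEFF-4B9A-97B6-1E3F6A5C9D11}\InprocServer32]
@="C:\\WINDOWS\\system32\\efccvwqg.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\efccvwqg]
"Asynchronous"=dword:00000001
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
# Assumption: the dropped DLLs use eight random lowercase letters, as in the
# two filenames the page lists.
RANDOM_DLL_RE = re.compile(r"^[a-z]{8}\.dll$")

SEH_KEY = (r"hkey_local_machine\software\microsoft\windows\currentversion"
           r"\explorer\shellexecutehooks")
WINLOGON_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the subset of .reg syntax reg.exe emits: [key] headers followed by
    "name"=value lines. Key paths are lower-cased; value names keep their case."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = m.group(1)
            keys[current]["@" if name == "@" else name[1:-1]] = m.group(2)
    return keys


def reg_string(raw: str) -> str:
    """Unquote a REG_SZ as written in a .reg file, where backslash and quote
    are escaped with a leading backslash."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return raw


def find_vundo_persistence(export_text: str) -> List[dict]:
    """Flag ShellExecuteHooks CLSIDs whose InprocServer32 is an eight-letter
    DLL in system32, or that have a Winlogon subkey named after the DLL with
    Asynchronous=1. Returns one dict per suspicious CLSID."""
    keys = parse_reg_export(export_text)
    hits = []
    for clsid in keys.get(SEH_KEY, {}):
        inproc = keys.get("hkey_classes_root\\clsid\\" + clsid.lower() + "\\inprocserver32", {})
        path = reg_string(inproc.get("@", ""))
        name = path.rsplit("\\", 1)[-1].lower()
        base = name[:-4] if name.endswith(".dll") else name
        reasons = []
        if RANDOM_DLL_RE.match(name) and "\\system32\\" in path.lower():
            reasons.append("InprocServer32 is an eight-letter random DLL in the system folder")
        winlogon = {n.lower(): v for n, v in keys.get(WINLOGON_KEY + "\\" + base, {}).items()}
        if winlogon.get("asynchronous", "").lower() == "dword:00000001":
            reasons.append("Winlogon subkey named after the DLL with Asynchronous=1")
        if reasons:
            hits.append({"clsid": clsid, "dll": path, "reasons": reasons})
    return hits


if __name__ == "__main__":
    # reg.exe writes exports as UTF-16LE; pass a file path to scan a real export.
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_REG_EXPORT
    for hit in find_vundo_persistence(text):
        print(hit["clsid"], hit["dll"], "; ".join(hit["reasons"]))
```

The Winlogon check only fires if that key was included in the export, so export ShellExecuteHooks, the CLSID branch and the Winlogon key together before running it; a CLSID flagged on the filename heuristic alone still deserves a look at the DLL's version properties, which for this family claim to be a Microsoft component.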
Payload
Connects to Remote Host
This trojan injects its code into the running winlogon.exe and explorer.exe processes and creates a remote thread in each. It then connects to the remote IP address 65.243.103.80 over HTTP.
Win32/Vundo.HJ builds the URLs it requests from query parameters including the following:
pars&wt=%s&bi=%s&sf=%s
?sid=
&revid=
&morphid=
&affid=
&zq=0
&zq=1
&cid=
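A network-side check for the beacon described above, as an added example that is not part of this page or of Microsoft's analysis: it parses proxy log lines, flags any request to 65.243.103.80, and separately flags a query string that carries at least three of the parameter names listed above that are unusual on their own (revid, morphid, affid, zq, wt, bi, sf), so the pattern is still caught if the server address changes. The log layout, the sample lines, the URL paths and values, and the threshold of three distinctive parameters are assumptions of this example; only the host address and the parameter names come from the page.

```python
"""Scan proxy logs for the Vundo.HJ beacon pattern.
Added example for this page; not Microsoft's code or the page's own."""
import re
from typing import List
from urllib.parse import parse_qs, urlsplit

VUNDO_C2_IP = "65.243.103.80"  # from the page
# Parameter names from the page, split by how distinctive they are on their own.
DISTINCTIVE_PARAMS = {"revid", "morphid", "affid", "zq", "wt", "bi", "sf"}
GENERIC_PARAMS = {"sid", "cid"}
MIN_DISTINCTIVE = 3  # assumption: tuning threshold, not from the page

# Constructed log lines in a simple "<epoch> <client> <method> <url> <status>"
# layout. Paths and values are invented; only the host and parameter names
# come from the page.
SAMPLE_PROXY_LOG = """\
1212345678.123 10.0.0.5 GET http://65.243.103.80/?sid=1234&revid=5&morphid=77&affid=900&zq=0&cid=42 200
1212345679.456 10.0.0.5 GET http://www.example.com/index.html 200
1212345680.789 10.0.0.9 GET http://10.1.2.3/track?sid=abc&cid=7 200
1212345681.000 10.0.0.9 GET http://203.0.113.7/?sid=1&revid=2&morphid=3&affid=4&zq=1&cid=5 200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$")


def classify_url(url: str) -> List[str]:
    """Return the reasons a URL looks like a Vundo.HJ beacon (empty if none)."""
    parts = urlsplit(url)
    names = set(parse_qs(parts.query, keep_blank_values=True))
    reasons = []
    if parts.hostname == VUNDO_C2_IP:
        reasons.append("destination is the Vundo.HJ host " + VUNDO_C2_IP)
    distinctive = names & DISTINCTIVE_PARAMS
    if len(distinctive) >= MIN_DISTINCTIVE:
        seen = sorted(distinctive | (names & GENERIC_PARAMS))
        reasons.append("Vundo parameter set in query: " + ",".join(seen))
    return reasons


def scan_proxy_log(text: str) -> List[dict]:
    """Apply classify_url to every line that fits the layout; return the hits."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # lines that do not fit the layout are skipped, not guessed at
        reasons = classify_url(m.group("url"))
        if reasons:
            hits.append({"client": m.group("client"), "url": m.group("url"), "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(hit["client"], hit["url"], "; ".join(hit["reasons"]))
```

The generic names sid and cid are reported when present but never count toward the threshold, since many legitimate advertising and session URLs use them; on real logs, adjust LOG_RE to the proxy's own format and consider lowering MIN_DISTINCTIVE only after checking the false-positive rate on a day of traffic.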
Additional Information
For more information, please see the Win32/Vundo analysis elsewhere in our encyclopedia.
Analysis by Huzefa Mogri