Installation
Trojan:Win32/Vundo.JD.dll is installed on your PC as a Browser Helper Object (BHO) without your consent. It may be dropped in the Windows system folder with a random file name, as in the following examples:
It registers itself as a BHO with a randomly generated CLSID, for example:
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{493915C6-E232-464B-8F94-1F3E028970D5}
- HKLM\Software\Classes\CLSID\{493915C6-E232-464B-8F94-1F3E028970D5}\InprocServer32
Trojan:Win32/Vundo.JD.dll makes further modifications to the registry to ensure that it is loaded. It modifies the following entry so that the DLL is loaded by each Microsoft Windows-based application running in the current logon session:
Adds value: AppInit_DLLs
With data: "<system folder>\<Vundo.JD.dll filename>"
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
It modifies the following registry entry so that it runs each time you start your PC:
Adds value: <random symbols>
With data: "rundll32 "Path\<Vundo.JD.dll filename>.dll", a"
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
The malware's DLL can also be injected into %ProgramFiles%\internet explorer\iexplore.exe.
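The three persistence points described above (the AppInit_DLLs value, the Run entry that launches the DLL through rundll32 with export "a", and the BHO CLSID whose InprocServer32 points into the system folder) can be audited from an elevated PowerShell session. This is an added defender-side example, not code from the original description; the function name and the output format are my own choices, and it only reads the registry and reports what it finds.

```powershell
# Added defensive audit for the Vundo.JD persistence points described above.
# Run from an elevated PowerShell session; it reads the registry only.

function Get-VundoPersistenceIndicators {
    $findings = @()

    # 1. AppInit_DLLs under HKLM\...\Windows NT\CurrentVersion\Windows.
    #    Any non-empty value deserves review; Vundo.JD writes its DLL path here.
    $winNt = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
    $appInit = (Get-ItemProperty -Path $winNt -ErrorAction SilentlyContinue).AppInit_DLLs
    if ($appInit) {
        $findings += [pscustomobject]@{ Source = 'AppInit_DLLs'; Name = 'AppInit_DLLs'; Data = $appInit }
    }

    # 2. Run entries that launch a DLL through rundll32 with export "a",
    #    matching the pattern  rundll32 "<path>.dll", a  from the description.
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run) {
        foreach ($prop in $run.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # skip PowerShell's PSPath, PSParentPath, ...
            if ($prop.Value -match 'rundll32.*\.dll"?\s*,\s*a\s*$') {
                $findings += [pscustomobject]@{ Source = 'Run'; Name = $prop.Name; Data = $prop.Value }
            }
        }
    }

    # 3. Registered BHOs whose InprocServer32 DLL lives in the system folder.
    #    (Legitimate BHOs usually live under Program Files; a DLL with a random
    #    name in the system folder is the pattern this family uses.)
    $bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    $sysDir = [Environment]::GetFolderPath('System')
    foreach ($bho in Get-ChildItem -Path $bhoKey -ErrorAction SilentlyContinue) {
        $clsid  = $bho.PSChildName
        $inproc = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
        $dll    = (Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue).'(default)'
        if ($dll -and $dll.StartsWith($sysDir, 'OrdinalIgnoreCase')) {
            $findings += [pscustomobject]@{ Source = 'BHO'; Name = $clsid; Data = $dll }
        }
    }
    return $findings
}

Get-VundoPersistenceIndicators | Format-Table -AutoSize
```

A hit in any of the three categories is a lead, not a verdict; compare each reported DLL path against what a clean system of the same build carries before removing anything.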
Payload
Downloads and runs files
Trojan:Win32/Vundo.JD.dll might try to connect to the following IP addresses to download and run files (possibly including other malware):
- 85.12.43.86
- 85.12.43.75
- 82.98.235.223
- 85.17.166.170
Additional information
Trojan:Win32/Vundo.JD.dll may create a mutex to ensure that only one instance of the malware runs at any time. In the wild, we have seen mutexes with the following names being used:
- F7EA7058-FF87-4b08-A6D8-B0F0C2A4E185
- 47C0D494-C0B5-4ed7-8EB6-B8EDADF2301C
- lockable_mutex70AAC06A-E8B6
Trojan:Win32/Vundo.JD.dll creates the following registry entries for its own use:
- HKLM\Software\Microsoft\fias4013
- HKLM\Software\Microsoft\rdfa
There is more information about this type of threat in the Win32/Vundo description.
Analysis by Vitaly Zaytsev