Trojan:Win32/Vundo.KM is the detection for a member of the Win32/Vundo family of malware. It creates a connection to the Web site 'antassa.com'. It may also inject code into Internet Explorer, redirect searches, display advertisements, download and run files from a remote server, and send information about the infected system to a remote server.
Installation
Trojan:Win32/Vundo.KM usually arrives in the system as a DLL file that is dropped by a Win32/Vundo dropper. It is usually dropped in the Windows system folder with a random file name, for example, 'kinajuto.dll'.
To ensure that it runs every time Windows starts, it creates the following registry entry:
Adds value: "<random string>"
With data: "rundll32.exe <malware path> ,b"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
where <random string> is a random string created by this trojan and <malware path> is the full path where the dropped DLL file is located.
It also creates the following registry entries as part of its installation routine:
Adds value: "SysShell"
To subkey: HKLM\Software\Microsoft\contim
Adds value: "F" or "N"
To subkey: HKLM\Software\Microsoft\rdfa
It might also create a CLSID for itself by creating an entry in the following subkey:
HKCR\CLSID\
For example:
Creates the subkey: HKCR\CLSID\{0b8ce664-9911-4593-9d0b-a20c178c608a}
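The registry changes above are the most useful indicators for an offline triage of an exported hive, because the Run value name and the DLL name are random while the launch command ('rundll32.exe <malware path> ,b') and the marker subkeys (HKLM\Software\Microsoft\contim with a SysShell value, HKLM\Software\Microsoft\rdfa with an F or N value) are fixed. The following Python script is an added example, not part of this encyclopedia entry or of any Microsoft tool: it parses the text of a .reg export (as produced by `reg export`) and flags these indicators. The sample export embedded in it is constructed for the example; the value names and paths in it are made up, apart from 'kinajuto.dll' and the subkeys named in the entry.

```python
"""Triage a Windows registry export (.reg text) for the Vundo.KM persistence
pattern described in this entry:
  * an HKLM\...\CurrentVersion\Run value whose data is 'rundll32.exe <dll> ,b'
    (the value name and the DLL name are random, so only the command shape
    is matched)
  * the HKLM\Software\Microsoft\contim and HKLM\Software\Microsoft\rdfa
    marker subkeys created during installation
The sample export below is constructed for this example (added code, not
from the original page).
"""
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
MARKER_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\contim",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\rdfa",
)

# rundll32.exe launching a DLL by its ',b' entry point, with or without quoting.
RUNDLL_B = re.compile(
    r'^"?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+\.dll)"?\s*,\s*b\s*$',
    re.IGNORECASE,
)

# Constructed sample: two made-up benign Run entries plus the pattern from the entry.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleUpdater"="\"C:\\Program Files\\Example\\updater.exe\" /background"
"xqwelkjd"="rundll32.exe C:\\Windows\\system32\\kinajuto.dll ,b"
"OtherTray"="C:\\Windows\\system32\\othertray.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\contim]
"SysShell"=""

[HKEY_LOCAL_MACHINE\Software\Microsoft\rdfa]
"F"=""
'''


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the string values in .reg text.

    Binary/dword values are kept as their raw textual form; string data has the
    .reg escaping (\\\\ and \\") removed.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        m = re.match(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$', line)
        if not m:
            continue
        name = m.group(1) if m.group(1) is not None else "(Default)"
        data = m.group(2)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = re.sub(r"\\(.)", r"\1", data[1:-1])  # unescape \\ and \"
        keys[current][name] = data
    return keys


def find_indicators(keys):
    """Return a list of (kind, detail) findings; registry paths compare case-insensitively."""
    findings = []
    lower = {k.lower(): (k, v) for k, v in keys.items()}
    run = lower.get(RUN_KEY.lower())
    if run:
        for name, data in run[1].items():
            m = RUNDLL_B.match(data)
            if m:
                findings.append(("run_rundll32_b", f"{name} -> {m.group('dll')}"))
    for marker in MARKER_KEYS:
        hit = lower.get(marker.lower())
        if hit:
            findings.append(("marker_subkey", f"{hit[0]} values={sorted(hit[1])}"))
    return findings


if __name__ == "__main__":
    for kind, detail in find_indicators(parse_reg_export(SAMPLE_EXPORT)):
        print(f"{kind}: {detail}")
```

On a real host the same functions can be pointed at the output of `reg export HKLM\SOFTWARE\Microsoft hklm-software-ms.reg` (decode the file as UTF-16 before parsing). Matching on the command shape rather than on names is deliberate: the entry states that both the Run value name and the DLL name are random, so a name-based indicator would miss the next sample.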
It may also inject code into Internet Explorer.
Payload
Connects to Remote Servers
Trojan:Win32/Vundo.KM creates a connection to the Web site 'antassa.com'. It may also connect to other remote servers to download and run other files, which may be other malware.
It may also collect information about the infected system, such as program versions, and send it back to a remote server.
Modifies Browser Behavior
It may display advertisements and redirect searches based on user browsing activity.
Analysis by Patrik Vicol