Trojan:Win32/Vundo.OD is a trojan that is a member of a multi-component trojan family of programs that deliver 'out of context' pop-up advertisements. It also drops files that are capable of downloading other malware and executing arbitrary files.
Installation
Trojan:Win32/Vundo.OD drops a DLL component in the Windows system folder with a random filename based on the system volume name. This DLL component is detected as TrojanDownloader:Win32/Vundo.HIY.
If the trojan cannot drop the DLL component due to privilege issues, it instead drops and executes a copy of itself as "FLASH_PLAYER_UPDATE.EXE" in the Windows temporary files folder with Administrator privileges.
To ensure that it automatically starts every time Windows starts, it creates the following registry entries:
In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows
Sets value: "AppInit_DLLs"
With data: "<system folder>\<dropped DLL file>"
Note: <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.
In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows
Sets value: "LoadAppInit_DLLs"
With data: "1"
It drops a component file, also detected as TrojanDownloader:Win32/Vundo.OD, as the following:
- <startup folder>\microsoft update.exe
Note: <startup folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the Startup folder for Windows 9x, Me, NT, 2000, XP and 2003 is '%USERPROFILE%\Start Menu\Programs\Startup'. For Windows Vista and 7, the default location is '%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'.
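Because the dropped DLL has a random, volume-derived name, a signature on the filename is not useful; the reliable artefacts are the two registry values and the startup-folder dropper described above. The following read-only audit script is an added example written for this entry, not code from the Microsoft analysis; it assumes it is run in PowerShell on the host being checked and that the Startup folder resolves through the standard shell special-folder names.

```powershell
# Added example (not from the original analysis): audit the persistence
# locations this entry describes. Read-only; it reports, it does not remediate.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$findings = @()

$props       = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
$appInit     = [string]$props.AppInit_DLLs
$loadAppInit = $props.LoadAppInit_DLLs

if (-not [string]::IsNullOrWhiteSpace($appInit)) {
    # AppInit_DLLs is normally empty. Any DLL listed here is loaded into every
    # process that links user32.dll, so each entry deserves a look.
    foreach ($dll in ($appInit -split '[ ,;]+' | Where-Object { $_ })) {
        $path = [Environment]::ExpandEnvironmentVariables($dll)
        if (-not [IO.Path]::IsPathRooted($path)) {
            # Bare names are resolved from the system folder, as in this write-up.
            $path = Join-Path $env:SystemRoot "System32\$path"
        }
        $sig = if (Test-Path $path) { (Get-AuthenticodeSignature $path).Status } else { 'FileMissing' }
        $findings += [pscustomobject]@{ Source = 'AppInit_DLLs'; Item = $path; Detail = "Signature=$sig" }
    }
}
if ($loadAppInit -eq 1) {
    $findings += [pscustomobject]@{ Source = 'LoadAppInit_DLLs'; Item = $key; Detail = 'AppInit loading enabled (1)' }
}

# Startup-folder dropper named in the write-up: "microsoft update.exe".
# Check both the current user's and the all-users Startup folders.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
foreach ($dir in $startupDirs) {
    $candidate = Join-Path $dir 'microsoft update.exe'
    if (Test-Path $candidate) {
        $hash = (Get-FileHash -Algorithm SHA256 -Path $candidate).Hash
        $findings += [pscustomobject]@{ Source = 'StartupFolder'; Item = $candidate; Detail = "SHA256=$hash" }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No Vundo-style persistence artefacts found.' }
```

A non-empty AppInit_DLLs value with an unsigned or missing DLL, together with LoadAppInit_DLLs set to 1, is the combination this entry describes and should be treated as a finding to investigate rather than as proof of this specific family.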
Payload
Deletes files and folders
TrojanDownloader:Win32/Vundo.OD deletes files and subfolders in the following folders:
- %HOMEPATH%\Cookies
- %Temp%
Resets Hosts File
Trojan:Win32/Vundo.OD replaces the Hosts file with its default contents, so any custom entries that were previously added to it are removed.
Forces the computer to restart
Trojan:Win32/Vundo.OD forces the computer to restart to enable the execution of its dropped DLL component.
Analysis by Zarestel Ferrer