Trojan.Vundo.B is a malicious application designed to drop adware onto a compromised host.
Once executed, the Trojan creates a .dll file whose file name is assembled from the following strings:
- abr
- av
- anti
- ac
- acc
- ad
- ap
- as
- bin
- bas
- bak
- cab
- cat
- cmd
- com
- cr
- c
- drv
- db
- disk
- dll
- dns
- dos
- doc
- dvd
- eula
- exp
- fax
- font
- ftp
- hard
- iis
- img
- inet
- info
- ip
- java
- kb
- key
- lib
- log
- main
- ms
- mc
- mfc
- mp3
- msvc
- net
- nut
- odbc
- ole
- pc
- ps
- play
- ras
- reg
- run
- sys
- srv
- svr
- svc
- s
- tapi
- tcp
- task
- un
- url
- util
- vb
- vga
- vss
- xml
- wave
- web
- w
- win
- wms
The Trojan then saves the .dll file to one of the following directories and loads it:
- %Windir%\addins
- %Windir%\AppPatch
- %Windir%\assembly
- %Windir%\Config
- %Windir%\Cursors
- %Windir%\Driver Cache
- %Windir%\Drivers
- %Windir%\Fonts
- %Windir%\Help
- %Windir%\inf
- %Windir%\java
- %Windir%\Microsoft.NET
- %Windir%\msagent
- %Windir%\Registration
- %Windir%\repair
- %Windir%\security
- %Windir%\ServicePackFiles
- %Windir%\Speech
- %Windir%\system
- %Windir%\system32
- %Windir%\Tasks
- %Windir%\Web
- %Windir%\Windows Update Setup Files
- %Windir%\Microsoft
The Trojan then creates the following registry entries, so that the .dll is loaded by Winlogon at logon (as a Winlogon notification package) and by Internet Explorer (as a Browser Helper Object):
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\[Trojan file name]
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44}
The Trojan then attempts to contact obalduyam.net.
The Trojan also creates the following temporary files:
- [TROJAN FILE NAME REVERSED].tmp
- [TROJAN FILE NAME REVERSED].ini
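The following triage script ties together the host artifacts described above: the .dll name assembled from the listed fragments, the drop directories, the Winlogon\Notify registration, the Browser Helper Object CLSID, and the reversed-name .tmp/.ini files. It is an added example, not code from this write-up or from the Trojan itself. The sample file listing, the Winlogon\Notify subkey names and the second BHO CLSID are constructed so the script runs offline; the write-up does not say how many fragments are joined, so the name matcher accepts any number, and a name hit alone is treated as triage input rather than a verdict.

```python
"""Triage helper for the Trojan.Vundo.B host artifacts in the write-up above.

Added example, not code from the write-up or from the malware. Runs on
constructed sample data; on a real host, feed it a listing of the %Windir%
folders named above, the subkey names under
HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify and the
CLSIDs under ...\\Explorer\\Browser Helper Objects.
"""
from dataclasses import dataclass, field

# Fragments the write-up says the dropped DLL's name is built from.
TOKENS = frozenset("""
abr av anti ac acc ad ap as bin bas bak cab cat cmd com cr c drv db disk dll
dns dos doc dvd eula exp fax font ftp hard iis img inet info ip java kb key lib
log main ms mc mfc mp3 msvc net nut odbc ole pc ps play ras reg run sys srv svr
svc s tapi tcp task un url util vb vga vss xml wave web w win wms
""".split())
MAX_TOKEN = max(len(t) for t in TOKENS)

# Drop directories from the write-up (leaf names, compared case-insensitively).
DROP_DIRS = frozenset(d.lower() for d in [
    "addins", "AppPatch", "assembly", "Config", "Cursors", "Driver Cache",
    "Drivers", "Fonts", "Help", "inf", "java", "Microsoft.NET", "msagent",
    "Registration", "repair", "security", "ServicePackFiles", "Speech",
    "system", "system32", "Tasks", "Web", "Windows Update Setup Files", "Microsoft",
])

VUNDO_BHO_CLSID = "{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44}"


def can_segment(stem: str) -> bool:
    """True if `stem` is a concatenation of TOKENS (any count; the write-up does
    not say how many are joined). One-letter fragments (c, s, w) make this a
    loose filter: legitimate wininet.dll segments as win+inet, for example."""
    stem = stem.lower()
    n = len(stem)
    ok = [True] + [False] * n          # ok[i]: stem[:i] segments cleanly
    for i in range(1, n + 1):
        for j in range(max(0, i - MAX_TOKEN), i):
            if ok[j] and stem[j:i] in TOKENS:
                ok[i] = True
                break
    return n > 0 and ok[n]


def reversed_artifacts(stem: str) -> tuple:
    """Names of the .tmp and .ini files the Trojan writes: the DLL stem reversed."""
    rev = stem[::-1]
    return f"{rev}.tmp", f"{rev}.ini"


def bho_registered(bho_clsids) -> bool:
    """Is the Vundo.B Browser Helper Object CLSID present on the host?"""
    return VUNDO_BHO_CLSID.lower() in {c.lower() for c in bho_clsids}


@dataclass
class Finding:
    path: str
    reasons: list = field(default_factory=list)

    @property
    def confirmed(self) -> bool:
        # A name hit needs a second, independent artifact to be actionable.
        return len(self.reasons) >= 2


def triage(files, notify_subkeys) -> list:
    """files: (directory, filename) pairs; notify_subkeys: names under Winlogon\\Notify."""
    all_names = {name.lower() for _, name in files}
    notify = {k.lower() for k in notify_subkeys}
    findings = []
    for directory, filename in files:
        stem, _, ext = filename.rpartition(".")
        if ext.lower() != "dll" or not stem:
            continue
        if directory.rsplit("\\", 1)[-1].lower() not in DROP_DIRS:
            continue
        if not can_segment(stem):
            continue
        f = Finding(f"{directory}\\{filename}", ["name assembled from Vundo.B fragments"])
        tmp, ini = reversed_artifacts(stem)
        if tmp.lower() in all_names or ini.lower() in all_names:
            f.reasons.append("reversed-name .tmp/.ini sibling present")
        if stem.lower() in notify:
            f.reasons.append("registered as a Winlogon\\Notify package")
        findings.append(f)
    return findings


# Constructed sample data: a clean DLL, a genuine DLL whose name happens to
# segment (false positive on name alone), and a fake dropped DLL with its artifacts.
SAMPLE_FILES = [
    ("%Windir%\\system32", "kernel32.dll"),
    ("%Windir%\\system32", "wininet.dll"),
    ("%Windir%\\AppPatch", "netdrv.dll"),
    ("%Windir%\\AppPatch", "vrdten.tmp"),
    ("%Windir%\\AppPatch", "vrdten.ini"),
    ("%Windir%\\Help", "playmp3.dll"),
]
SAMPLE_NOTIFY = {"crypt32chain", "cscdll", "Schedule", "termsrv", "netdrv"}   # constructed
SAMPLE_BHO = {"{00000000-0000-0000-0000-000000000001}", VUNDO_BHO_CLSID}     # constructed

if __name__ == "__main__":
    for finding in triage(SAMPLE_FILES, SAMPLE_NOTIFY):
        tag = "CONFIRMED" if finding.confirmed else "name only"
        print(f"{tag:9} {finding.path}: {'; '.join(finding.reasons)}")
    print("Vundo.B BHO CLSID registered:", bho_registered(SAMPLE_BHO))
```

On the sample data only netdrv.dll is confirmed: its name segments, its reversed-name .tmp/.ini siblings exist, and it is registered under Winlogon\Notify. wininet.dll and playmp3.dll are name-only hits, which is why the script reports them separately instead of treating the fragment list as a signature by itself.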
The Trojan displays advertisements on the infected computer.
The Trojan stores a URL list and may send an HTTP request to the following IP address:
203.199.200.61