
Trojan.Vundo.B

Risk Level 1: Very Low

Discovered:
April 27, 2005
Updated:
August 27, 2012 2:04:34 PM
Systems Affected:
Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
Trojan.Vundo.B is a malicious application that is designed to drop adware onto a compromised host.

Once executed, the Trojan creates a .dll file with a file name that is constructed from the following strings:
  • abr
  • av
  • anti
  • ac
  • acc
  • ad
  • ap
  • as
  • bin
  • bas
  • bak
  • cab
  • cat
  • cmd
  • com
  • cr
  • c
  • drv
  • db
  • disk
  • dll
  • dns
  • dos
  • doc
  • dvd
  • eula
  • exp
  • fax
  • font
  • ftp
  • hard
  • iis
  • img
  • inet
  • info
  • ip
  • java
  • kb
  • key
  • lib
  • log
  • main
  • ms
  • mc
  • mfc
  • mp3
  • msvc
  • net
  • nut
  • odbc
  • ole
  • pc
  • ps
  • play
  • ras
  • reg
  • run
  • sys
  • srv
  • svr
  • svc
  • s
  • tapi
  • tcp
  • task
  • un
  • url
  • util
  • vb
  • vga
  • vss
  • xml
  • wave
  • web
  • w
  • win
  • wms
The Trojan then saves and executes the .dll file in any of the following directories:
  • %Windir%\addins
  • %Windir%\AppPatch
  • %Windir%\assembly
  • %Windir%\Config
  • %Windir%\Cursors
  • %Windir%\Driver Cache
  • %Windir%\Drivers
  • %Windir%\Fonts
  • %Windir%\Help
  • %Windir%\inf
  • %Windir%\java
  • %Windir%\Microsoft.NET
  • %Windir%\msagent
  • %Windir%\Registration
  • %Windir%\repair
  • %Windir%\security
  • %Windir%\ServicePackFiles
  • %Windir%\Speech
  • %Windir%\system
  • %Windir%\system32
  • %Windir%\Tasks
  • %Windir%\Web
  • %Windir%\Windows Update Setup Files
  • %Windir%\Microsoft
The Trojan then creates the following registry entries:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\[Trojan file name]
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44}
The Trojan then attempts to contact obalduyam.net.

The Trojan also creates the following temporary files:
  • [Trojan file name reversed].tmp
  • [Trojan file name reversed].ini
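The two artefacts above (a DLL whose name is built from the listed fragments, and a .tmp or .ini file whose name is that DLL's name reversed) can be checked together in a directory listing. The following is an added example, not Symantec's detection logic; the directory listing is constructed for illustration, and the token-segmentation check alone is noisy because one-letter fragments such as "c", "s" and "w" match almost anything, so a DLL is only flagged when both indicators coincide.

```python
# Filename fragments the writeup lists as building blocks for the DLL name.
VUNDO_TOKENS = {
    "abr", "av", "anti", "ac", "acc", "ad", "ap", "as", "bin", "bas", "bak",
    "cab", "cat", "cmd", "com", "cr", "c", "drv", "db", "disk", "dll", "dns",
    "dos", "doc", "dvd", "eula", "exp", "fax", "font", "ftp", "hard", "iis",
    "img", "inet", "info", "ip", "java", "kb", "key", "lib", "log", "main",
    "ms", "mc", "mfc", "mp3", "msvc", "net", "nut", "odbc", "ole", "pc", "ps",
    "play", "ras", "reg", "run", "sys", "srv", "svr", "svc", "s", "tapi",
    "tcp", "task", "un", "url", "util", "vb", "vga", "vss", "xml", "wave",
    "web", "w", "win", "wms",
}

def splits_into_tokens(stem, tokens=VUNDO_TOKENS):
    """Word-break check: True if `stem` is a concatenation of listed tokens."""
    stem = stem.lower()
    if not stem:
        return False
    ok = [True] + [False] * len(stem)          # ok[i]: stem[:i] is segmentable
    for i in range(1, len(stem) + 1):
        ok[i] = any(ok[j] and stem[j:i] in tokens for j in range(i))
    return ok[len(stem)]

def find_reversed_pairs(listing):
    """DLLs whose reversed stem also exists as .tmp or .ini in the same directory
    (the temporary-file artefact described in the writeup)."""
    names = {n.lower() for n in listing}
    hits = []
    for n in sorted(names):
        if not n.endswith(".dll"):
            continue
        rev = n[:-4][::-1]                       # reverse the stem only
        if rev + ".tmp" in names or rev + ".ini" in names:
            hits.append(n)
    return hits

def suspicious_dlls(listing):
    """Flag a DLL only when its name is token-built AND a reversed-name
    temporary file sits beside it; either signal alone is too weak."""
    paired = set(find_reversed_pairs(listing))
    return sorted(n for n in paired if splits_into_tokens(n[:-4]))

# Constructed sample listing for a %Windir%\system32-style directory.
SAMPLE_LISTING = [
    "kernel32.dll", "msvcrt.dll",
    "netdrvsys.dll", "sysvrdten.tmp",   # net+drv+sys, reversed stem present
    "winlogdb.dll", "bdgolniw.ini",     # win+log+db, reversed stem present
    "user32.dll", "23resu.tmp",         # reversed file present, but not token-built
]

if __name__ == "__main__":
    print(suspicious_dlls(SAMPLE_LISTING))   # ['netdrvsys.dll', 'winlogdb.dll']
```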

The Trojan displays advertisements on the infected computer.

The Trojan stores a list of URLs and may attempt to send an HTTP request to the following IP address:
203.199.200.61
Writeup By: John Park