
Trojan.Vundo.B

Risk Level 1: Very Low

Discovered:
April 27, 2005
Updated:
August 27, 2012 2:04:34 PM
Systems Affected:
Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
Trojan.Vundo.B is a Trojan horse that drops adware onto the compromised computer.

Once executed, the Trojan creates a .dll file with a file name that is constructed from the following strings:
  • abr
  • av
  • anti
  • ac
  • acc
  • ad
  • ap
  • as
  • bin
  • bas
  • bak
  • cab
  • cat
  • cmd
  • com
  • cr
  • c
  • drv
  • db
  • disk
  • dll
  • dns
  • dos
  • doc
  • dvd
  • eula
  • exp
  • fax
  • font
  • ftp
  • hard
  • iis
  • img
  • inet
  • info
  • ip
  • java
  • kb
  • key
  • lib
  • log
  • main
  • ms
  • mc
  • mfc
  • mp3
  • msvc
  • net
  • nut
  • odbc
  • ole
  • pc
  • ps
  • play
  • ras
  • reg
  • run
  • sys
  • srv
  • svr
  • svc
  • s
  • tapi
  • tcp
  • task
  • un
  • url
  • util
  • vb
  • vga
  • vss
  • xml
  • wave
  • web
  • w
  • win
  • wms


The Trojan then saves the .dll file in one of the following directories and loads it:
  • %Windir%\addins
  • %Windir%\AppPatch
  • %Windir%\assembly
  • %Windir%\Config
  • %Windir%\Cursors
  • %Windir%\Driver Cache
  • %Windir%\Drivers
  • %Windir%\Fonts
  • %Windir%\Help
  • %Windir%\inf
  • %Windir%\java
  • %Windir%\Microsoft.NET
  • %Windir%\msagent
  • %Windir%\Registration
  • %Windir%\repair
  • %Windir%\security
  • %Windir%\ServicePackFiles
  • %Windir%\Speech
  • %Windir%\system
  • %Windir%\system32
  • %Windir%\Tasks
  • %Windir%\Web
  • %Windir%\Windows Update Setup Files
  • %Windir%\Microsoft


The Trojan then creates the following registry entries, so that the .dll is loaded by winlogon.exe at logon (the Winlogon\Notify entry) and by Internet Explorer as a Browser Helper Object (the CLSID and BHO entries):
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\[Trojan file name]
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44}


The Trojan then attempts to contact obalduyam.net.

The Trojan also creates the following temporary files, named with the dropped .dll's base name spelled backwards:
  • [TROJAN FILE NAME REVERSED].tmp
  • [TROJAN FILE NAME REVERSED].ini

The Trojan displays advertisements on the infected computer.

The Trojan stores a list of URLs and may attempt to send an HTTP request to the following IP address:
203.199.200.61
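As an added example (not part of the Symantec write-up and not Symantec's tooling), the following Python script turns the indicators above into a triage check: the fragment-built file name, the drop directories, the Winlogon\Notify and BHO registry entries, and the reversed-name .tmp/.ini files. It assumes the dropped name is a concatenation of two or more of the listed strings (the write-up does not say how many) and that %Windir% is C:\WINDOWS. The file listing and registry export it runs over are constructed for the demonstration, and the dropped name netsvc.dll is hypothetical.

```python
# Triage helper for the Trojan.Vundo.B artefacts listed in this write-up.
# Added example, not Symantec's tooling; runs offline over constructed
# snapshots (on a real host feed it `dir /s /b %Windir%` and `reg export`
# output). Assumed, not stated by the write-up: the dropped name is a
# concatenation of two or more list fragments, and %Windir% is C:\WINDOWS.
import re

FRAGMENTS = (
    "abr av anti ac acc ad ap as bin bas bak cab cat cmd com cr c drv db disk "
    "dll dns dos doc dvd eula exp fax font ftp hard iis img inet info ip java "
    "kb key lib log main ms mc mfc mp3 msvc net nut odbc ole pc ps play ras "
    "reg run sys srv svr svc s tapi tcp task un url util vb vga vss xml wave "
    "web w win wms"
).split()
DROP_DIRS = {"c:\\windows\\" + d for d in (
    "addins", "apppatch", "assembly", "config", "cursors", "driver cache",
    "drivers", "fonts", "help", "inf", "java", "microsoft.net", "msagent",
    "registration", "repair", "security", "servicepackfiles", "speech",
    "system", "system32", "tasks", "web", "windows update setup files",
    "microsoft")}
VUNDO_CLSID = "{44240bb5-bd7d-4d49-a1aa-8ab0f3d3cb44}"
NOTIFY_KEY = ("hkey_local_machine\\software\\microsoft\\windows nt\\"
              "currentversion\\winlogon\\notify\\")


def fragment_parse(stem, min_parts=2):
    """Split `stem` into list fragments, or None if it is not a concatenation
    of at least `min_parts` of them. The split with the fewest parts wins, so
    the one-letter fragments (c, s, w) are used only when nothing longer fits."""
    stem = stem.lower()
    best = {0: []}                              # end offset -> shortest split
    for i in range(len(stem)):
        if i not in best:
            continue
        for frag in FRAGMENTS:
            if stem.startswith(frag, i):
                j, cand = i + len(frag), best[i] + [frag]
                if j not in best or len(cand) < len(best[j]):
                    best[j] = cand
    split = best.get(len(stem))
    return split if split and len(split) >= min_parts else None


def find_dropped_dlls(paths):
    """Flag .dll files in the drop directories whose name parses into
    fragments. A sibling <name reversed>.tmp/.ini (the write-up's temp files)
    raises confidence: benign wininet.dll also parses (win + inet)."""
    lower, hits = {p.lower() for p in paths}, []
    for p in paths:
        d, _, name = p.lower().rpartition("\\")
        if d in DROP_DIRS and name.endswith(".dll"):
            stem = name[:-4]
            parts = fragment_parse(stem)
            temps = [e for e in (".tmp", ".ini")
                     if d + "\\" + stem[::-1] + e in lower]
            if parts:
                hits.append({"path": p, "parts": parts, "temp_files": temps,
                             "confidence": "high" if temps else "low"})
    return hits


def find_persistence(reg_export):
    """Walk `reg export` text: report every key carrying the Vundo.B CLSID and
    each Winlogon\\Notify entry whose DLLName parses into fragments (Notify
    DLLs are loaded into winlogon.exe at logon, hence the abuse)."""
    findings, key = [], ""
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if VUNDO_CLSID in key.lower():
                findings.append(("clsid", key, None))
            continue
        m = re.match(r'"DLLName"="([^"]+)"', line, re.I)
        if m and key.lower().startswith(NOTIFY_KEY):
            dll = m.group(1).rsplit("\\", 1)[-1]
            if fragment_parse(dll.rsplit(".", 1)[0]):
                findings.append(("winlogon_notify", key, dll))
    return findings


SAMPLE_PATHS = [                        # constructed listing, not a real host
    r"C:\WINDOWS\system32\kernel32.dll",
    r"C:\WINDOWS\system32\wininet.dll",  # parses (win+inet) but is benign
    r"C:\WINDOWS\AppPatch\netsvc.dll",   # hypothetical drop: net+svc
    r"C:\WINDOWS\AppPatch\cvsten.tmp",   # "netsvc" reversed
    r"C:\WINDOWS\AppPatch\cvsten.ini",
    r"C:\WINDOWS\Temp\netsvc.dll",       # not one of the listed directories
]
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\netsvc]
"DLLName"="netsvc.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44}]
"""

if __name__ == "__main__":
    for hit in find_dropped_dlls(SAMPLE_PATHS) + find_persistence(SAMPLE_REG):
        print(hit)
```

The name check is deliberately only corroborating evidence. Because the fragment list contains single letters and common stems, legitimate names decompose too: wininet.dll parses as win + inet, and the sample's cscdll entry (modelled on the Offline Files notification DLL that Windows XP registers under Winlogon\Notify) parses as c + s + c + dll, so both are reported and must be cleared by location, publisher and the presence or absence of the reversed-name .tmp/.ini files before anything is removed. The CLSID match, by contrast, is specific to this family. On a live system the registry input comes from `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" notify.reg` and the equivalent export of the Browser Helper Objects key.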
Writeup By: John Park