Trojan:Win32/Vundo.LO is a generic detection for a trojan that injects its code into running processes and downloads and executes arbitrary files.
Installation
When executed, Trojan:Win32/Vundo.LO drops a randomly named DLL in the <system folder> if the user is an administrator. Otherwise the DLL is written to the %temp% directory. For example:
Note - <system folder> refers to a variable location that the malware determines by querying the operating system. The default System folder is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on Windows XP and Vista.
Trojan:Win32/Vundo.LO invokes the dropped DLL using "rundll32.exe", for example:
"rundll32.exe C:\WINDOWS\System32\prndev.dll, install"
The DLL is installed via the following registry modifications, for example:
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Modifies value: AppInit_DLLs
With data: "prndev.dll"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Modifies value: LoadAppInit_DLLs
With data: 0x1
Trojan:Win32/Vundo.LO also invokes the DLL using "rundll32.exe", for example:
"rundll32.exe "C:\WINDOWS\System32\prndev.dll", watch"
Trojan:Win32/Vundo.LO creates the following events:
It injects itself into the following processes (should they exist on an affected computer):
"explorer.exe"
"firefox.exe"
"iexplore.exe"
Trojan:Win32/Vundo.LO also hooks the "connect" API when hosted within "firefox.exe" or "iexplore.exe".
Payload
Receives instructions from a remote host / downloads and executes arbitrary files
Trojan:Win32/Vundo.LO listens on TCP port 8118; the hooked "connect" API redirects connections to this port, so the trojan effectively acts as a local proxy. It contacts the remote host nx1.mslivelogin.com in order to receive directives. Using this functionality, a remote attacker can instruct the affected machine to perform the following actions:
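A defender-side check for the two host indicators described above, the AppInit_DLLs/LoadAppInit_DLLs persistence pair and the TCP 8118 local-proxy listener, written as an added Python example that is not part of this write-up. It runs over constructed "reg export" and "netstat -ano" text (modelled on the values in the write-up, not real captures) so it can be exercised offline; on a live host you would feed it the real output of those commands.

```python
import re

# Constructed sample of a "reg export" of the AppInit key, modelled on the
# registry modifications listed in the write-up (not a real capture).
REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="prndev.dll"
"LoadAppInit_DLLs"=dword:00000001
'''

# Constructed sample of "netstat -ano" output (not a real capture).
NETSTAT_OUTPUT = '''  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904
  TCP    127.0.0.1:8118         0.0.0.0:0              LISTENING       1688
'''

APPINIT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"

def parse_reg_export(text):
    """Return {key_path: {value_name: raw_data}} parsed from .reg export text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            name, _, data = line.partition("=")
            keys[current][name.strip('"')] = data
    return keys

def check_appinit(text):
    """Flag the persistence pair from the write-up: a non-empty AppInit_DLLs
    value together with LoadAppInit_DLLs set to 1 (DLL loading enabled)."""
    values = parse_reg_export(text).get(APPINIT_KEY, {})
    dlls = values.get("AppInit_DLLs", '""').strip('"')
    load = values.get("LoadAppInit_DLLs", "dword:00000000")
    enabled = load.lower() == "dword:00000001"
    return {"dlls": [d for d in re.split(r"[ ,]+", dlls) if d],
            "enabled": enabled, "suspicious": enabled and bool(dlls)}

def check_listener(text, port=8118):
    """Return PIDs with a TCP listener on the given port (8118 is the local proxy)."""
    pids = []
    for line in text.splitlines():
        parts = line.split()
        if (len(parts) == 5 and parts[0] == "TCP" and parts[3] == "LISTENING"
                and parts[1].endswith(":%d" % port)):
            pids.append(int(parts[4]))
    return pids
```

A hit from check_appinit alone is not proof of infection, since legitimate software occasionally uses AppInit_DLLs; the listener on 8118 together with the registry pair is the stronger signal.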
When downloading and executing arbitrary files, Trojan:Win32/Vundo.LO may download the following malware:
Additional Information
Analysis by Scott Molenkamp