Vundo.dldr!1231E9AC

Type: Trojan
SubType: Downloader
Discovery Date: 02/04/2009
Length: Varies
Minimum DAT: 5516 (02/04/2009)
Updated DAT: 5579 (04/09/2009)
Minimum Engine: 5.2.00
Description Added: 02/04/2009
Description Modified: 04/07/2009 1:23 PM (PT)
Risk Assessment:
  Corporate User: Low-Profiled
  Home User: Low-Profiled

Overview

-- February 4, 2009 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://isc.sans.org/diary.html?storyid=5797&rss
--

This description is for a downloader trojan which, when executed, downloads malicious components relating to the Vundo trojan from the internet and installs them on the victim's machine.

The characteristics of this downloader (file names, URLs accessed, files downloaded, etc.) will differ depending on how the attacker configured it. Hence, this is a general description.

Aliases

  • Trojan.Awax [Symantec]
  • Trojan.Virtumod.1465 [Doctor Web]
  • Trojan:Win32/Vundo.JI [Microsoft]
  • Vundo!1231E9AC
  • W32/Zhelatin.O.gen!Eldorado [F-Secure]
  • Win32/Adware.Virtumonde [Nod32]

Characteristics

Vundo.dldr!1231E9AC is now detected as Vundo!1231E9AC

When executed, this downloader trojan drops the following files:

  • %System%\ljjdsllb.dll [Detected as Vundo]
  • %Temp%\ssqpmjde.bat [Batch file to delete the original dropper]

It then connects to the following website on TCP port 80:

  • http://childhe.com/[Removed]

The downloaded file apstpldr.dll [Detected as Vundo] is saved to the %System% folder as ssqpmjde.dll.

The downloaded and dropped files inject themselves into other running processes and may download further malware onto the victim's machine; that subsequent activity is beyond the scope of this description.

Since the malicious files are injected into common running processes such as iexplore.exe [Internet Explorer], software-based firewalls may not alert on outgoing connections made by the malware, because the traffic originates from a process that is already trusted.

Note:

  • %Temp% refers to the temporary folder. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP)
  • %System% refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP)

The downloader trojan by itself does not create any startup entry in the registry; however, the dropped/downloaded files do. [Image of the registry startup entries not reproduced here.]

The file names of the dropper and the downloaded files are randomly generated, so they differ on each execution.

One method to check for infection is to open the "C:\Windows\system32" folder, sort the contents by "date modified", and look for suspicious recently modified files. [Image of the sorted folder listing not reproduced here.]

Do remember to enable "Show hidden files and folders" and disable "Hide protected operating system files" before doing this.
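As an added example (not part of the McAfee description), the following PowerShell automates the manual check above: it lists recently modified files in %System% and %Temp% with hidden and protected operating system files included, and, for the process-injection behaviour noted earlier, enumerates modules loaded into iexplore.exe. The seven-day look-back window, the eight-lowercase-letter name pattern (modelled on the sample names ljjdsllb, ssqpmjde and apstpldr) and the Authenticode check are assumptions; the function names are hypothetical.

```powershell
# Added triage example, not McAfee's code. Assumes PowerShell 3+ on Windows.
# The look-back window and the name pattern are assumptions for sorting output.

function Get-RecentSystemFiles {
    param(
        [string[]]$Folders = @("$env:SystemRoot\System32", $env:TEMP),
        [int]$Days = 7
    )
    $since = (Get-Date).AddDays(-$Days)
    foreach ($folder in $Folders) {
        # -Force includes hidden and system files, which is the equivalent of
        # enabling "Show hidden files and folders" and un-hiding protected OS files.
        Get-ChildItem -Path $folder -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.LastWriteTime -ge $since } |
            Sort-Object LastWriteTime -Descending |
            Select-Object FullName, LastWriteTime, Length,
                # Assumed heuristic: 8 random lowercase letters, like the sample names.
                @{ Name = 'RandomName'; Expression = { $_.BaseName -cmatch '^[a-z]{8}$' } },
                # Legitimate OS binaries in System32 normally carry a valid signature.
                @{ Name = 'Signed'; Expression = {
                    (Get-AuthenticodeSignature -FilePath $_.FullName).Status -eq 'Valid' } }
    }
}

function Get-SuspectModulesInProcess {
    param([string]$ProcessName = 'iexplore')
    Get-Process -Name $ProcessName -ErrorAction SilentlyContinue | ForEach-Object {
        $proc = $_
        # Module enumeration can fail across bitness or privilege boundaries;
        # such processes are skipped rather than aborting the whole scan.
        try { $mods = $proc.Modules } catch { $mods = @() }
        foreach ($m in $mods) {
            $sig = Get-AuthenticodeSignature -FilePath $m.FileName -ErrorAction SilentlyContinue
            $base = [System.IO.Path]::GetFileNameWithoutExtension($m.ModuleName)
            [pscustomobject]@{
                Pid        = $proc.Id
                Module     = $m.ModuleName
                Path       = $m.FileName
                RandomName = ($base -cmatch '^[a-z]{8}$')
                Signed     = ($null -ne $sig -and $sig.Status -eq 'Valid')
            }
        }
    } | Where-Object { $_.RandomName -or -not $_.Signed }
}

# Review the recently modified files first, then the modules loaded into the browser.
Get-RecentSystemFiles          | Format-Table -AutoSize
Get-SuspectModulesInProcess    | Format-Table -AutoSize
```

Sorting by LastWriteTime mirrors the description's "date modified" check. Because the file names are random, the name pattern only orders the output and is not a signature; anything it flags should be scanned with the current DATs rather than deleted by hand, since the same files may be injected into running processes.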

Symptoms

  • Presence of files/registry entries mentioned earlier

Method of Infection

Downloader trojans do not self-replicate. They spread manually, often under the premise that the executable is something beneficial.

They may also be received as a result of poor security practices, or on unpatched and otherwise vulnerable systems. Distribution channels include IRC, peer-to-peer networks, email, newsgroup postings, etc.

Removal

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Additional Windows ME/XP removal considerations

Variants

    N/A