This Trojan may be dropped by variants of the following malware families:
- TROJ_VUNDO
- TROJ_VIRTUMUNDO
It may arrive bundled with malware packages as a malware component. It may arrive as a .DLL file that exports functions used by other malware.
It is usually dropped in the Windows system folder with a random file name. It is then injected into running processes, such as WINLOGON.EXE and EXPLORER.EXE, as part of its installation routine.
It is also usually installed as a BHO (Browser Helper Object) to ensure its automatic execution whenever an instance of Internet Explorer is run. It requires other components in order to run properly.
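A triage check for the behaviour described above, as an added example that is not part of the original write-up: it lists every registered BHO, resolves its DLL, and reports whether that DLL sits in a Windows system folder, whether it carries a valid signature, and whether it is currently loaded in EXPLORER.EXE or WINLOGON.EXE. The registry locations are the standard Windows BHO and COM registration keys, not values taken from this page.

```powershell
# Added example: inventory BHOs and flag DLLs that fit the behaviour described above.
# Run elevated so the modules loaded in winlogon.exe can be read.
$views = @(
    @{ Bho   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
       Clsid = 'HKLM:\SOFTWARE\Classes\CLSID' },
    @{ Bho   = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
       Clsid = 'HKLM:\SOFTWARE\WOW6432Node\Classes\CLSID' }
)
$sysDirs = @("$env:windir\System32", "$env:windir\SysWOW64")

# Modules currently loaded in the two processes the description names.
$loaded = foreach ($p in Get-Process -Name explorer, winlogon -ErrorAction SilentlyContinue) {
    try { $p.Modules | ForEach-Object { $_.FileName } } catch { }  # access denied if not elevated
}

$report = foreach ($v in $views) {
    if (-not (Test-Path -LiteralPath $v.Bho)) { continue }
    foreach ($k in Get-ChildItem -LiteralPath $v.Bho) {
        $clsid  = $k.PSChildName                      # each BHO subkey is named by its CLSID
        $srvKey = Join-Path $v.Clsid "$clsid\InprocServer32"
        $dll    = $null
        if (Test-Path -LiteralPath $srvKey) {
            $raw = (Get-ItemProperty -LiteralPath $srvKey).'(default)'
            if ($raw) { $dll = [Environment]::ExpandEnvironmentVariables($raw).Trim('"') }
        }
        $exists = [bool]($dll -and (Test-Path -LiteralPath $dll))
        $sig = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $dll).Status } else { 'FileNotFound' }
        [pscustomobject]@{
            CLSID       = $clsid
            Dll         = $dll
            InSystemDir = [bool]($dll -and ($sysDirs -contains (Split-Path $dll -Parent)))
            Signature   = $sig
            Loaded      = [bool]($dll -and ($loaded -contains $dll))
        }
    }
}

# Entries in a system folder without a valid signature sort to the top for review.
$report | Sort-Object InSystemDir, Signature -Descending | Format-Table -AutoSize
```

From a 64-bit session, a `FileNotFound` result for a WOW6432Node entry that points at `System32` usually means the 32-bit DLL actually resides in `SysWOW64`.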