Trojan:Win32/Vigorf.A is a generic detection of Microsoft Defender. This detection commonly identifies a running loader malware that may deal significant harm to the system. In this article, let’s find out how dangerous Vigorf.A is and how to get rid of it.
What is Trojan:Win32/Vigorf.A?
Trojan:Win32/Vigorf.A is the detection name that Microsoft Defender attributes to dropper/loader malware. This generic detection name refers to a whole range of malicious programs, rather than one specific family. The goal of Vigorf.A is unauthorizing system access, and further malware distribution. As my detailed analysis has shown, Trojan:Win32/Vigorf.A uses various methods to bypass antivirus programs and operating system protection.
Usually, this malware downloads or installs other malicious programs on the computer. It drops its files and modifies system settings and other configuration files to gain persistence. Additionally, it connects to remote servers to send collected information and download additional malicious programs.
Is Trojan:Win32/Vigorf.A False Positive?
False positives with the Vigorf.A name is not a common occurrence. There are only a few cases discussed online, and all of them are related to the software that borders on malicious.
The most common case here is game modifiers or patches. Such tools modify game memory or files to unlock features and can be misidentified as Trojan:Win32/Vigorf.A because of their ability to intrude into other programs’ memory. Similar tools and scripts used by software developers can be misidentified as malicious. While being potentially safe and legitimate, it is important to treat such software with care.
Trojan Analysis
Studying the behavior of Trojan:Win32/Vigorf.A sample on an infected system showed me how elaborate these threats can be. Not only does the Trojan collect personal user data, but it also modifies system settings, creating additional vulnerabilities and opening the door for other malware.
Methods of Distribution
Trojan:Win32/Vigorf.A is often spread via spam e-mail campaigns containing malicious attachments or links. Once the user opens the attachment or clicks on the link, the Trojan is installed on their computer, either directly or through the loading script. Despite being used for malware spreading for years now, email spam remains a particularly potent and effective spreading option.
Malvertising is another tricky method that has been used to spread Trojan:Win32/Vigorf.A as far as my research goes. This malware exploits ad networks to display malicious ads in search engine results. Such ads redirect users to malicious duplicates of familiar sites or directly download malware onto their devices.
In addition, Vigorf.A is often hidden in packages containing illegal or pirated software. When I download and install such programs, the trojan is also installed on my computer. Often such software is offering for free, which makes it attractive, but it ends up costing more because of the damage the trojan causes.
Launch, Gaining Persistence and Data Collection
After launching in the system, Trojan:Win32/Vigorf.A adds itself to autorun by taking advantage of the Startup folder. This allows it to start automatically every time the system starts. In my case, I found a strange shortcut adxjcv4.lnk, which turned out to be associated with the trojan.
APPDATA%\microsoft\windows\start menu\programs\startup\_adxjcv4_.lnk
Alternatively, Vigorf.A may use the DLL hijacking technique. This happens particularly often when malware arrives with the loader, which unpacks the sample and handles the launch. The way to run the malware is nothing unusual – a PowerShell command that runs the malware DLL through the call to rundll32.exe.
rundll32.exe %windir%\system32\advpack.dll
After the launch, malware checks the system location by its IP address and switches to collecting the system data. This gives Vigorf.A the ability to distinguish that particular system from others. This can as well be used for more targeted attacks or to get a rather exhausting set of victims’ system info to analyze. Malware particularly checks the values of the following keys to get info about programs present on the PC:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA} and \=\Count
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F} and \=\Count
By checking the next keys, Trojan:Win32/Vigorf.A learns about the devices and networks to which the computer connects and can identify the most vulnerable points for further attacks. This information helps malware masters to deploy malware in a more relevant manner, and get extra profit from systems related to a network.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache and \=\Intranet
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect
Trojan:Win32/Vigorf.A Payload Delivery
After collecting all this data, Vigorf encrypts and >sends it to the command server using HTTP POST request. The list of command servers was predefined for the samples I’ve worked with, but this may differ in other cases. Server, in turn, responds with a blob of data that instructs malware for further actions. Obviously for dropper malware, payload delivery is one of the most probable instructions it can get.
To instruct the dropper for malware delivery, C2 sends the URLs Vigorf should connect and download it from. It sends HTTP GET commands to the following URLs:
http[:]//185.117.75.198/fiscal/1
http[:]//194.163.43.166/08/st/m.zip
Files downloaded from these addresses were disguised as ordinary documents or incomplete files, making them difficult to detect and analyze. Once Trojan:Win32/Vigorf.A finishes downloading malware, it uses system utilities such as wuapp.exe to launch it.
"C:\Windows\System32\wuapp.exe" -c "C:\ProgramData\sHrhJDaCBu\cfg"
What should I do if Windows Defender found Trojan:Win32/Vigorf.A?
To remove Trojan:Win32/Vigorf.A, I recommend using GridinSoft Anti-Malware. This tool can detect and remove Vigorf, as well as find other malicious programs downloaded by it. Also it can work with Windows Defender to create an additional line of defense.
Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.
After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.
Click "Clean Now" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.
I would also recommend keeping the system and all programs updated to the latest versions to eliminate vulnerabilities that malware can exploit.