Trojan.Vundo

Target: Windows
Aliases: Suspicious.Vundo, Trojan.Win32.Monder, Vundo.gen, Trojan:Win32/Vundo, Adware.VirtuMonde
References:
* Threat Expert: Trojan.Vundo sample analysis
* Windows File Protection (WFP)
Attributes:
Payload: Adware, Browser Helper Object, Downloader, InfoStealer, Rogue
Propagation: Email
Technique: Code Injection, Service, StartUp
CnC Architecture: HTTP
What it means:
Vundo is a malicious application used to download and display pop-up advertisements for rogue software. It has the ability to download and install other malware, usually rogue security products, on the system. Variants of Vundo collect information from the system such as the IP address, Windows version, MAC address and Internet Explorer version, and send it to the attacker. It requires human intervention to infect the system: a malicious link is often sent in spam email and installs Vundo when clicked. Variants of Vundo monitor the user's browsing activity and report it back to the attacker. They may also redirect the user to advertisement websites. When deleted, variants of Vundo may restore themselves using the Windows File Protection (WFP) technique.

Upon execution, it creates a file under the %System% directory. The file name is selected by randomly concatenating a set of small pre-specified strings. It also creates a DLL file in the %Temp% directory whose name is the reverse of the name of the .exe file created in the %System% directory. The DLL file is injected into running processes; in particular, Vundo tries to inject itself into security-related processes, and it has the ability to restart its process if it is killed. Please note that %System% is a variable whose typical values are C:\Windows\System (Windows 95/98/Me), C:\Windows\System32 (Windows XP), or C:\Winnt\System32 (Windows NT/2000). The typical value of %Temp% is C:\Documents and Settings\[username]\Local Settings\Temp.

Variants of Vundo can create a new process on the system and also have the ability to create and start a new service. They may modify the following registry value in order to inject themselves into all processes:

Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs =

It may load its DLL component into the address space of winlogon.exe by modifying the following registry key:

Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\[Name]
Please note that [Name] is a random file name used by Vundo.

Vundo may modify the following registry keys to register a Browser Helper Object:

Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\[Hexadecimal Number]
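The following script is an added example for defenders, not code from the original page or from any vendor: it audits the three persistence locations listed above (AppInit_DLLs, Winlogon\Notify, and the Browser Helper Objects key, resolved through HKCR\CLSID\...\InprocServer32), records the Authenticode status of every DLL they reference, and applies the reversed-name heuristic from the earlier paragraph (a DLL in %Temp% whose base name, reversed, matches an .exe in %System%). The Add-Finding and Test-ReversedNamePair helpers are assumptions of this example; the %System% path is taken as the current host's System32 and %Temp% as $env:TEMP.

```powershell
# Added example: audit Vundo-style persistence locations and the reversed-name pattern.
# Run from an elevated PowerShell prompt on the host under investigation; read-only.

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding {
    param([string]$Source, [string]$Path)
    # Record where the DLL was referenced and whether the file on disk is signed.
    if (Test-Path -LiteralPath $Path) {
        $sig = (Get-AuthenticodeSignature -LiteralPath $Path).Status
    } else {
        $sig = 'FileMissing'
    }
    $findings.Add([pscustomobject]@{ Source = $Source; Path = $Path; Signature = $sig })
}

function Test-ReversedNamePair {
    param([string]$DllPath)
    # Heuristic from the description: reverse the DLL base name and look for that .exe in %System%.
    $chars = [IO.Path]::GetFileNameWithoutExtension($DllPath).ToCharArray()
    [array]::Reverse($chars)
    $candidate = Join-Path $env:SystemRoot ('System32\' + (-join $chars) + '.exe')
    return (Test-Path -LiteralPath $candidate)
}

# 1. AppInit_DLLs: each DLL listed here is loaded into every process that loads user32.dll.
$winKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$appInit = (Get-ItemProperty -Path $winKey -Name AppInit_DLLs -ErrorAction SilentlyContinue).AppInit_DLLs
if ($appInit) {
    foreach ($dll in ($appInit -split '[ ,;]' | Where-Object { $_ })) {
        Add-Finding -Source 'AppInit_DLLs' -Path ([Environment]::ExpandEnvironmentVariables($dll))
    }
}

# 2. Winlogon\Notify\<Name>: the DLLName value of each subkey is loaded by winlogon.exe.
$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
Get-ChildItem -Path $notifyKey -ErrorAction SilentlyContinue | ForEach-Object {
    $dll = (Get-ItemProperty -Path $_.PSPath -Name DLLName -ErrorAction SilentlyContinue).DLLName
    if ($dll) {
        # A bare file name here is resolved by Windows relative to %System%.
        if (-not [IO.Path]::IsPathRooted($dll)) { $dll = Join-Path $env:SystemRoot "System32\$dll" }
        Add-Finding -Source "Winlogon\Notify\$($_.PSChildName)" -Path $dll
    }
}

# 3. Browser Helper Objects: each subkey is a CLSID; the DLL is the InprocServer32 default value.
$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
Get-ChildItem -Path $bhoKey -ErrorAction SilentlyContinue | ForEach-Object {
    $clsid  = $_.PSChildName
    $server = Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
    if ($server -and $server.'(default)') {
        Add-Finding -Source "BHO $clsid" -Path ([Environment]::ExpandEnvironmentVariables($server.'(default)'))
    }
}

# 4. Reversed-name pairs: DLLs in %Temp% whose reversed base name names an .exe in %System%.
Get-ChildItem -Path $env:TEMP -Filter *.dll -File -ErrorAction SilentlyContinue | ForEach-Object {
    if (Test-ReversedNamePair -DllPath $_.FullName) {
        Add-Finding -Source 'Reversed-name pair (%Temp% DLL / %System% EXE)' -Path $_.FullName
    }
}

# Anything unsigned, missing, or matching the reversed-name pattern deserves a closer look.
$findings | Sort-Object Source, Path -Unique | Format-Table -AutoSize
```

A signed entry is not proof of legitimacy and an unsigned one is not proof of infection; the output is a triage list to compare against a known-good baseline of the same host or image. The registry reads use the same paths the page lists, so the script can be extended with any additional locations an analyst wants to cover.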

How can I avoid this:
To prevent the initial infection, a user or enterprise should apply security patches to operating systems, web browsers and other software in a timely manner. A user or enterprise should run and maintain professional or freeware security tools such as anti-virus, personal firewall, and intrusion prevention, and avoid falling victim to social engineering attacks. Email attachments from unknown sources should not be opened. Finally, users should not allow the installation of any program on their computer unless they trust the source of the program and know what the program is supposed to do.

What can I do:
The most reliable approach to clean your system is to restore it to a known clean restore point, or perform a new install of your system after backing up all your personal data. Other options include:
* Install or update your desktop security programs. Often a user will need to boot into safe mode and then run a full scan to increase the chances of full removal.
* Brave-hearted users can consult additional resources such as ThreatExpert to perform a manual clean-up. This is not recommended for anyone but an expert.