VIRUS ALERTS

Trojan Vundo

Original issue date: April 25, 2008

It has been observed that a trojan named Vundo is circulating widely. It is delivered by a dropper as a DLL component on the user's system. It installs itself as a browser helper object (BHO) and gets injected into Explorer DOT exe. After successful installation it generates popup ads for rogue antispyware installation on the infected system, which may appear as a visible or hidden window.

The Trojan further downloads and executes malicious files by contacting the malicious domain www DOT virtumonde DOT com. It also opens a backdoor on the infected system and listens for commands from a remote attacker.

Aliases: Win32/Vundo!generic [CA], W32/Virtumonde.TY [Norman], Adware.VirtuMonde [Symantec]

Upon execution, the Trojan:

  • Copies itself to the Windows system folder using a random filename generated from random alphabetical characters.
  • Drops several non-malicious data files to the Windows system folder. These file names will be the reverse order of the dropped DLL file name and have one of the following extensions:
    .ini, .bak1, .bak2, .ini2, .tmp
  • Drops an executable file in one or more of the following subdirectories of the %Windows% directory:

    addins/, AppPatch/, assembly/, Config/, Cursors/, Driver Cache/, Drivers/, Fonts/, Help/, inf/, java/, Microsoft.NET/, msagent/, Registration/, repair/, security/, ServicePackFiles/, Speech/, system/, system32/, Tasks/, Web/, Windows Update Setup Files/, Microsoft/

    The names of these executable files are generated randomly by joining some of the following strings and appending .exe to the end:

    abr, ac, acc, ad, anti, ap, as, av, bak, bas, bin, c, cab, cat, cmd, com, cr, db, disk, dll, dns, doc, dos, drv, dvd, eula, exp, fax, font, ftp, hard, iis, img, inet, info, ip, java, kb, key, lib, log, main, mc, mfc, mp3, ms, msvc, net, nut, odbc, ole, pc, play, ps, ras, reg, run, s, srv, svc, svr, sys, api, task, tcp, un, url, util, vb, vga, vss, w, wave, web, win, wms, xml
  • Creates the following registry keys:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aldd
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{35F7813A-AF74-4474-B1DC-7EE6FB6C43C6}
  • Stores in the dropped data file a list of URLs for which no popups are shown when they are visited. This list contains popular search engines and domain names of ad servers, such as:
    yahoo.com, search.ebay.com, web.ask.com, banners.pennyweb.com, ads2.revenue.net, www2.yesadvertising.com
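The file-drop indicators above can be turned into a simple host triage check. The script below is an added example written for this advisory, not CERT-In's or any vendor's tool: it flags a DLL that has a reversed-name data file beside it (a strong match) and an .exe in one of the listed directories whose name is built entirely from the listed fragments (a weak match, because single-letter fragments such as c, s and w also match many benign names). It runs on a constructed directory listing; the assumption that "reverse order of the DLL file name" means the name without its .dll extension is labelled in the code.

```python
# Example triage helper written for the indicators above (not CERT-In's code).
# Name fragments the advisory says the dropped .exe names are assembled from.
FRAGMENTS = frozenset("""abr ac acc ad anti ap as av bak bas bin c cab cat cmd com cr db
disk dll dns doc dos drv dvd eula exp fax font ftp hard iis img inet info ip java kb
key lib log main mc mfc mp3 ms msvc net nut odbc ole pc play ps ras reg run s srv svc
svr sys api task tcp un url util vb vga vss w wave web win wms xml""".split())
MAX_FRAG = max(len(f) for f in FRAGMENTS)
# Extensions of the non-malicious data files dropped beside the DLL.
DATA_EXTS = (".ini", ".bak1", ".bak2", ".ini2", ".tmp")
# %Windows% subdirectories named in the advisory, lower-cased.
VUNDO_DIRS = frozenset(d.lower() for d in [
    "addins", "AppPatch", "assembly", "Config", "Cursors", "Driver Cache", "Drivers",
    "Fonts", "Help", "inf", "java", "Microsoft.NET", "msagent", "Registration", "repair",
    "security", "ServicePackFiles", "Speech", "system", "system32", "Tasks", "Web",
    "Windows Update Setup Files", "Microsoft"])

def can_segment(stem):
    """True if stem splits entirely into fragments (prefix dynamic programming)."""
    ok = [True] + [False] * len(stem)
    for i in range(1, len(stem) + 1):
        ok[i] = any(ok[j] and stem[j:i] in FRAGMENTS
                    for j in range(max(0, i - MAX_FRAG), i))
    return ok[-1]

def is_vundo_style_exe(filename):
    """Weak signal: single-letter fragments (c, s, w) mean many benign names match."""
    name = filename.lower()
    return name.endswith(".exe") and len(name) > 4 and can_segment(name[:-4])

def companion_data_names(dll_filename):
    """Reversed DLL stem plus each DATA_EXTS (assumes 'reverse order' means the stem)."""
    stem = dll_filename.lower().rsplit(".", 1)[0]
    return [stem[::-1] + ext for ext in DATA_EXTS]

def triage(listing):
    """listing: (directory, filename) pairs under %Windows%. Returns hits with a
    reason; the registry keys above should be checked to confirm weak hits."""
    names = {f.lower() for _, f in listing}
    hits = []
    for d, f in listing:
        fl = f.lower()
        if fl.endswith(".dll") and any(c in names for c in companion_data_names(fl)):
            hits.append((d, f, "dll with reversed-name data file (strong)"))
        elif d.lower().rstrip("/") in VUNDO_DIRS and is_vundo_style_exe(fl):
            hits.append((d, f, "exe built from known fragments (weak)"))
    return hits

# Constructed sample listing (not real indicators): one fake drop set plus benign files.
SAMPLE = [("system32", "qwpxkz.dll"), ("system32", "zkxpwq.ini"),
          ("system32", "kernel32.dll"), ("AppPatch", "msvcreg.exe"),
          ("system32", "notepad.exe")]
```

On a live host, replace SAMPLE with the output of walking the %Windows% directory and treat weak hits only as candidates for further review alongside the registry keys listed above.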

In view of rapid propagation of the Vundo Trojan, users are advised to implement the following countermeasures:

  • Search for the malicious files and processes created/initiated by the Trojan and delete the same.
  • Search for the registry entries mentioned above made by the Trojan and delete the same.
  • Remain cautious while visiting trusted or untrusted websites.
  • Exercise caution while opening e-mail attachments received from unknown sources.
  • Block access to the malicious domain mentioned above at the gateway.
  • Keep up-to-date patches and fixes on the operating system and application software.
  • Keep up-to-date Antivirus and Antispyware signatures.

References

http://www.microsoft.com/security/portal/Entry.aspx?name=Trojan:Win32/Vundo.K

http://www.microsoft.com/security/portal/Entry.aspx?name=Trojan:Win32/Vundo.gen!D

http://www.microsoft.com/security/portal/Entry.aspx?name=Trojan:Win32/Vundo.BH

http://ca.com/securityadvisor/virusinfo/virus.aspx?ID=42097


Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information

Phone: +91-11-24368572

Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003