Content

Vundo

Type
Trojan
SubType
Win32
Discovery Date
08/20/2004
Length
Varies
Minimum DAT
4388 (08/25/2004)
Updated DAT
5663 (07/01/2009)
Minimum Engine
5.1.00
Description Added
08/20/2004
Description Modified
04/06/2006 7:30 PM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Tab Navigation

Characteristics

[Update 04/06/2006]

The latest variants of this trojan are observed to display fake error messages and asks the user to download security software programs. User will be asked to download SysProtect application to remove the threat.

Registry changes

Vundo maintains most of the original characterstics, few of the registry changes are mentioned below.

Add itself as a BHO.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1AE6D7D5-0C28-4DB6-9FD1-33B870A4C5F2}\InprocServer32\: "path to the trojan DLL file"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1AE6D7D5-0C28-4DB6-9FD1-33B870A4C5F2}

Create a winlogon key with random filename.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\filename.
    \Startup: "SysLogon"
    \Logoff: "SysLogoff"

The following keys are also added.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DosSpecFolder.DosSpecFolder
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DosSpecFolder.DosSpecFolder.1

------------------------------------

Older variants bears the following characteristics:

  • decrypts and drops a DLL file to the victim machine. The DLL appears to be intended to harvest data from the victim machine.
  • drops a second EXE to the victim machine. This component appears to be related to Adware-Virtumundo .

Upon execution, VMTEMP.TMP is written to the local temporary directory, for example:

  • C:\DOCUMENTS AND SETTINGS\USER\LOCAL
    SETTINGS\TEMP\VMTEMP.TMP (387,133 bytes)

When this file is executed the following Registry key is added:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\RunOnce "*(filename)"

Two DLLs are also installed to the victim machine, both 86,016 bytes in size. The filename used is random, but a .DAT file extension is used. For example:

  • TMW.DAT (86,016 bytes)

The following CLSIDs are added for these DLLs:

  • HKEY_CLASSES_ROOT\CLSID\
    {8109AF33-6949-4833-8881-43DCC232B7B2}
  • HKEY_CLASSES_ROOT\CLSID\
    {2316230A-C89C-4BCC-95C2-66659AC7A775}

The DLLs may be installed as Browser Helper Objects (BHOs) on the victim machine via the following keys:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Explorer\Browser Helper Objects\
    {8109AF33-6949-4833-8881-43DCC232B7B2}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Explorer\Browser Helper Objects\
    {2316230A-C89C-4BCC-95C2-66659AC7A775}

The following keys are also added:

  • HKEY_CLASSES_ROOT\ATLEvents.ATLEvents
  • HKEY_CLASSES_ROOT\ATLEvents.ATLEvents.1

Various data is then sent to a remote server (via HTTP). This includes:

  • version information
  • crash history
  • affiliate ID

One of the DLLs (actually uses .DAT file extension) is loaded within the legitimate EXPLORER.EXE process, which may lead to misleading alerts from any software firewall when the remote connections are initiated.

Symptoms

  • Existence of Registry keys details above.
  • Outgoing traffic to following remote server:
    • virtumonde.com
  • Newer variants display fake error screen asking the user to download rouge system security tools.

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc

Removal

Certain variants of the Vundo trojan are especially difficult to remove.  Current DAT and Engine functionality does not yet provide an automatic method to fully remove this threat if it is active in memory.  However, a combination of manual and DAT/Engine removal methods does allow for successful removal of this threat. 

Instructions

  1. Download Process Explorer (procexp.exe) from Sysinternals
  2. Reboot the infected machine
  3. Launch the VirusScan On-Demand Scanner (ODS), or the command-line scanner, but don't initiate the scan yet
  4. Run Process Explorer and suspend the Explorer.exe, Winlogon.exe, and rundll32.exe processes (right-click on these process names and choose suspend)
  5. Scan & clean with the current DAT files and engine (the Window launched in step 3 above) [there will be clean failures, that is expected]
  6. Physically power the machine off and back on.(a hard reset is required as Windows will not shutdown without Winlogon.exe running, and resuming that process will revert the changes made by the scanner).

These steps will removal all relevant registry entries and identified Vundo components.

Additional Windows ME/XP removal considerations

Variants

Variants

    N/A

All Information

Overview -

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

  • Adware.VirtuMonde (Symantec)
  • Troj/AgentSpy-A (Sophos)
  • Trojan.Vundo.B (Symantec)

Characteristics

Characteristics -

[Update 04/06/2006]

The latest variants of this trojan are observed to display fake error messages and asks the user to download security software programs. User will be asked to download SysProtect application to remove the threat.

Registry changes

Vundo maintains most of the original characterstics, few of the registry changes are mentioned below.

Add itself as a BHO.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1AE6D7D5-0C28-4DB6-9FD1-33B870A4C5F2}\InprocServer32\: "path to the trojan DLL file"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1AE6D7D5-0C28-4DB6-9FD1-33B870A4C5F2}

Create a winlogon key with random filename.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\filename.
    \Startup: "SysLogon"
    \Logoff: "SysLogoff"

The following keys are also added.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DosSpecFolder.DosSpecFolder
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DosSpecFolder.DosSpecFolder.1

------------------------------------

Older variants bears the following characteristics:

  • decrypts and drops a DLL file to the victim machine. The DLL appears to be intended to harvest data from the victim machine.
  • drops a second EXE to the victim machine. This component appears to be related to Adware-Virtumundo .

Upon execution, VMTEMP.TMP is written to the local temporary directory, for example:

  • C:\DOCUMENTS AND SETTINGS\USER\LOCAL
    SETTINGS\TEMP\VMTEMP.TMP (387,133 bytes)

When this file is executed the following Registry key is added:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\RunOnce "*(filename)"

Two DLLs are also installed to the victim machine, both 86,016 bytes in size. The filename used is random, but a .DAT file extension is used. For example:

  • TMW.DAT (86,016 bytes)

The following CLSIDs are added for these DLLs:

  • HKEY_CLASSES_ROOT\CLSID\
    {8109AF33-6949-4833-8881-43DCC232B7B2}
  • HKEY_CLASSES_ROOT\CLSID\
    {2316230A-C89C-4BCC-95C2-66659AC7A775}

The DLLs may be installed as Browser Helper Objects (BHOs) on the victim machine via the following keys:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Explorer\Browser Helper Objects\
    {8109AF33-6949-4833-8881-43DCC232B7B2}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Explorer\Browser Helper Objects\
    {2316230A-C89C-4BCC-95C2-66659AC7A775}

The following keys are also added:

  • HKEY_CLASSES_ROOT\ATLEvents.ATLEvents
  • HKEY_CLASSES_ROOT\ATLEvents.ATLEvents.1

Various data is then sent to a remote server (via HTTP). This includes:

  • version information
  • crash history
  • affiliate ID

One of the DLLs (actually uses .DAT file extension) is loaded within the legitimate EXPLORER.EXE process, which may lead to misleading alerts from any software firewall when the remote connections are initiated.

Symptoms

Symptoms -

  • Existence of Registry keys details above.
  • Outgoing traffic to following remote server:
    • virtumonde.com
  • Newer variants display fake error screen asking the user to download rouge system security tools.

Method of Infection

Method of Infection -

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc

Removal -

Removal -

Certain variants of the Vundo trojan are especially difficult to remove.  Current DAT and Engine functionality does not yet provide an automatic method to fully remove this threat if it is active in memory.  However, a combination of manual and DAT/Engine removal methods does allow for successful removal of this threat. 

Instructions

  1. Download Process Explorer (procexp.exe) from Sysinternals
  2. Reboot the infected machine
  3. Launch the VirusScan On-Demand Scanner (ODS), or the command-line scanner, but don't initiate the scan yet
  4. Run Process Explorer and suspend the Explorer.exe, Winlogon.exe, and rundll32.exe processes (right-click on these process names and choose suspend)
  5. Scan & clean with the current DAT files and engine (the Window launched in step 3 above) [there will be clean failures, that is expected]
  6. Physically power the machine off and back on.(a hard reset is required as Windows will not shutdown without Winlogon.exe running, and resuming that process will revert the changes made by the scanner).

These steps will removal all relevant registry entries and identified Vundo components.

Additional Windows ME/XP removal considerations

Variants

Variants -

    N/A