Content
Vundo.gen.c
- Type
- Trojan
- SubType
- Generic
- Discovery Date
- 05/09/2008
- Length
- various
- Minimum DAT
- 5292 (05/09/2008)
- Updated DAT
- 5304 (05/27/2008)
- Minimum Engine
- 5.1.00
- Description Added
- 05/09/2008
- Description Modified
- 06/10/2008 6:43 AM (PT)
Tab Navigation
Characteristics
Vundo.gen.c can load its dropped DLL (Dynamic Link Library) files by registering them as BHOs (Browser Helper Objects) or adding them to the list of libraries to be loaded with winlogon by creating a new key in
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
It can also add a value in the following registry keys to be loaded with every user session:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
It monitors traffic to well know search engines and shows advertisement for rogue security products.
Vundo.gen.c can redirect users to, or attempt to access, the following URLs:
- http://perfectnav.com
- http://65.243.103.62
Symptoms
- Unexpected pop-up advertisement for rogue security products
- Unexpected traffic to the domain names mentioned above
- Presence of the registry keys mentioned above
Method of Infection
Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.
Removal
AVERT recommends to always use latest DATs and engine. This threat will be cleaned if you have this combination.
Variants
Variants
N/A
All Information
Overview -
Vundo.gen.c is a Trojan displaying unsolicited pop-up advertisements and enticing users to install rogue Anti-Spyware or Anti-Virus programs and can be spread by malicious websites and SPAM emails.
Characteristics
Characteristics -
Vundo.gen.c can load its dropped DLL (Dynamic Link Library) files by registering them as BHOs (Browser Helper Objects) or adding them to the list of libraries to be loaded with winlogon by creating a new key in
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
It can also add a value in the following registry keys to be loaded with every user session:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
It monitors traffic to well know search engines and shows advertisement for rogue security products.
Vundo.gen.c can redirect users to, or attempt to access, the following URLs:
- http://perfectnav.com
- http://65.243.103.62
Symptoms
Symptoms -
- Unexpected pop-up advertisement for rogue security products
- Unexpected traffic to the domain names mentioned above
- Presence of the registry keys mentioned above
Method of Infection
Method of Infection -
Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.
Removal -
Removal -
AVERT recommends to always use latest DATs and engine. This threat will be cleaned if you have this combination.
Additional Windows ME/XP removal considerations
Variants
Variants -
N/A
