Content

Vundo.gen.c

Type
Trojan
SubType
Generic
Discovery Date
05/09/2008
Length
various
Minimum DAT
5292 (05/09/2008)
Updated DAT
5304 (05/27/2008)
Minimum Engine
5.1.00
Description Added
05/09/2008
Description Modified
06/10/2008 6:43 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Tab Navigation

Characteristics

Vundo.gen.c can load its dropped DLL (Dynamic Link Library) files by registering them as BHOs (Browser Helper Objects) or adding them to the list of libraries to be loaded with winlogon by creating a new key in

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

 

It can also add a value in the following registry keys to be loaded with every user session:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

 

It monitors traffic to well know search engines and shows advertisement for rogue security products.

 

Vundo.gen.c can redirect users to, or attempt to access, the following URLs:

  • http://perfectnav.com
  • http://65.243.103.62

Symptoms

  • Unexpected pop-up advertisement for rogue security products
  • Unexpected traffic to the domain names mentioned above
  • Presence of  the registry keys mentioned above

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.

Removal

AVERT recommends to always use latest DATs and engine. This threat will be cleaned if you have this combination.

Additional Windows ME/XP removal considerations

Variants

Variants

    N/A

All Information

Overview -

Vundo.gen.c is a Trojan displaying unsolicited pop-up advertisements and enticing users to install rogue Anti-Spyware or Anti-Virus programs and can be spread by malicious websites and SPAM emails.

Characteristics

Characteristics -

Vundo.gen.c can load its dropped DLL (Dynamic Link Library) files by registering them as BHOs (Browser Helper Objects) or adding them to the list of libraries to be loaded with winlogon by creating a new key in

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

 

It can also add a value in the following registry keys to be loaded with every user session:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

 

It monitors traffic to well know search engines and shows advertisement for rogue security products.

 

Vundo.gen.c can redirect users to, or attempt to access, the following URLs:

  • http://perfectnav.com
  • http://65.243.103.62

Symptoms

Symptoms -

  • Unexpected pop-up advertisement for rogue security products
  • Unexpected traffic to the domain names mentioned above
  • Presence of  the registry keys mentioned above

Method of Infection

Method of Infection -

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.

Removal -

Removal -

AVERT recommends to always use latest DATs and engine. This threat will be cleaned if you have this combination.

Additional Windows ME/XP removal considerations

Variants

Variants -

    N/A