Vundo!7e18dec2

Type: Trojan
SubType: Trojan
Discovery Date: 07/30/2008
Length: Varies
Minimum DAT: 5350 (07/30/2008)
Updated DAT: 5350 (07/30/2008)
Minimum Engine: 5.1.00
Description Added: 07/30/2008
Description Modified: 07/30/2008 5:01 AM (PT)
Risk Assessment
  Corporate User: Low
  Home User: Low

Characteristics

This variant of Vundo may be detected as Generic.dx in earlier DAT versions.

This trojan typically uses a random filename (e.g. ljJDvttq.dll) assigned by its dropper. It then modifies the following registry entry to ensure it executes at each Windows start:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

When run, it can inject and execute itself in the memory space of multiple running processes in Windows.

It may also create or modify one or more of the following registry keys:

  • HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{C6039E6C-BDE9-4de5-BB40-768CAA584FDC}
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C6039E6C-BDE9-4de5-BB40-768CAA584FDC}
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C6039E6C-BDE9-4de5-BB40-768CAA584FDC}
  • HKEY_LOCAL_MACHINE\Software\Microsoft\jn_tr_<8 random letters>
  • HKEY_LOCAL_MACHINE\Software\Microsoft\MS Juan
  • HKEY_LOCAL_MACHINE\Software\Microsoft\MS Juan\TrackDJuan
  • HKEY_LOCAL_MACHINE\Software\Microsoft\MS Track System
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3

It can create the following mutex(es) to ensure that only one instance of itself is running in memory: 

  • F7EA7058-FF87-4b08-A6D8-B0F0C2A4E185
  • Global\VMProtectionMutex
  • Local\SysUpdIsRunningMutex
  • Local\VMMainMutex
  • lockable_mutex70AAC06A-E8B6
  • SysUpdProtectSynchronizeMutex

This trojan may disable anti-virus and anti-spyware applications on the affected machine, and it may cause pop-ups from some internet sites to be displayed.

It may also attempt to connect to the following IP addresses in order to download and execute arbitrary files:

  • 82.98.235.{removed}
  • 89.188.16.{removed}
  • 82.98.235.{removed}

The downloaded file(s) may be executed and hooked to start-up with the following registry key(s):

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<RANDOM string> "rundll32.exe" %Windir%\<6 random letters>.dll"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Once

(Where %Windir% is the Windows directory, e.g. C:\Windows\ or C:\WINNT\)

Symptoms

  • Presence of the previously mentioned registry keys/values and mutex(es)
  • Accesses to, or pop-ups from, the previously mentioned IP addresses or websites
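As an added example (not part of the original description), the following Python script checks a registry (.reg) export and the named-object paths from a handle listing against the registry keys and mutexes listed above. The sample inputs are constructed, and the pattern for the jn_tr_ key assumes the eight random characters are lowercase letters.

```python
import re
# Indicators copied from the Vundo!7e18dec2 description above; all sample data is constructed.
VUNDO_CLSID = "{C6039E6C-BDE9-4de5-BB40-768CAA584FDC}"
REGISTRY_PATTERNS = [
    re.compile(r"^HKEY_LOCAL_MACHINE\\Software\\Microsoft\\(MS Juan|MS Track System)", re.I),
    re.compile(r"^HKEY_LOCAL_MACHINE\\Software\\Microsoft\\jn_tr_[a-z]{8}$", re.I),  # assumes 8 letters
    re.compile(re.escape(VUNDO_CLSID), re.I),
]
APPINIT_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows"
MUTEX_NAMES = {"F7EA7058-FF87-4b08-A6D8-B0F0C2A4E185", "Global\\VMProtectionMutex", "Local\\VMMainMutex",
               "Local\\SysUpdIsRunningMutex", "lockable_mutex70AAC06A-E8B6", "SysUpdProtectSynchronizeMutex"}
def scan_reg_export(text):
    """Walk a .reg export line by line and return (key, reason) for every indicator hit.
    A non-empty AppInit_DLLs is reported as suspicious, not as proof: legitimate software
    uses it too, so the named DLL still has to be examined."""
    hits, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            if any(p.search(current) for p in REGISTRY_PATTERNS):
                hits.append((current, "key listed as a Vundo indicator"))
        elif current and current.lower() == APPINIT_KEY.lower():
            m = re.match(r'"AppInit_DLLs"="(.+)"$', line)
            if m:  # .reg files double every backslash inside string values; undo that
                hits.append((current, "AppInit_DLLs = " + m.group(1).replace("\\\\", "\\")))
    return hits

def _bare(name):
    """Strip the object-manager path and Global/Local prefix so a handle-listing path
    such as \\Sessions\\1\\BaseNamedObjects\\X compares with the names listed above."""
    name = name.split("BaseNamedObjects\\")[-1]
    return re.sub(r"^(Global|Local)\\", "", name)
MUTEX_BARE = {_bare(n) for n in MUTEX_NAMES}

def scan_mutexes(object_paths):
    """Return the named objects from a handle listing whose name matches a Vundo mutex."""
    return sorted(p for p in object_paths if _bare(p) in MUTEX_BARE)

# Constructed sample inputs: one .reg export and four object paths as a handle tool would print them.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\Windows\\system32\\ljJDvttq.dll"
[HKEY_LOCAL_MACHINE\Software\Microsoft\MS Juan]
[HKEY_LOCAL_MACHINE\Software\Microsoft\jn_tr_qwertyui]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C6039E6C-BDE9-4de5-BB40-768CAA584FDC}]
[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000001}]
"""
SAMPLE_HANDLES = [r"\Sessions\1\BaseNamedObjects\VMMainMutex", r"\BaseNamedObjects\VMProtectionMutex",
                  r"\BaseNamedObjects\lockable_mutex70AAC06A-E8B6", r"\Sessions\1\BaseNamedObjects\BenignMutex"]
```

Running `scan_reg_export(SAMPLE_REG)` on the constructed export reports the AppInit_DLLs value plus the MS Juan, jn_tr_ and BHO CLSID keys while ignoring the unrelated CLSID, and `scan_mutexes(SAMPLE_HANDLES)` returns the three Vundo mutex paths.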

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.

Removal

Use the latest Engine/DATs

Variants

N/A

Overview

Vundo!7e18dec2 is a backdoor Trojan known to be associated with the adware and Trojan downloader Virtumonde. Vundo contains backdoor functionality that gives an attacker unauthorized access to the affected machine.