
Virus Detail

Win32.Vundo Family

Date Published:
15 Mar 2005

Last Updated:
21 Sep 2008

Threat Assessment

Overall Risk:   Very Low
Wild:  Medium
Destructiveness:  Low
Pervasiveness:  None

Characteristics

Type : Trojan

Category : Win32

Also known as:  Adware-Virtumondo (McAfee), Win32/Vundo, Trojan.Vundo (Symantec), Win32/Vundo!generic, Win32.Vundo.A, TROJ_VUNDO.A (Trend), Win32.Vundo.AA, Win32.Vundo.AB, Win32.Vundo.AC, Win32.Vundo.AD, Win32.Vundo.AE, Win32.Vundo.AF, Win32.Vundo.AG, Win32.Vundo.AH, Win32.Vundo.AI, Win32.Vundo.AJ, Win32.Vundo.AK, Win32.Vundo.AL, Win32.Vundo.AM, Win32.Vundo.B, Win32.Vundo.C, Win32.Vundo.D, Win32.Vundo.E, Win32.Vundo.F, Win32.Vundo.G, Win32.Vundo.H, Win32.Vundo.I, Win32.Vundo.J, Win32.Vundo.K, Win32.Vundo.L, Win32.Vundo.M, Win32.Vundo.N, Win32.Vundo.O, Win32.Vundo.P, Win32.Vundo.Q, Win32.Vundo.R, Win32.Vundo.S, Win32.Vundo.T, Win32.Vundo.U, Win32.Vundo.V, Win32/Vundo.Variant!Trojan, Win32.Vundo.W, Win32.Vundo.X, Win32.Vundo.Y, Win32.Vundo.Z, Win32/VundoCryptorT!generic

Description

Win32/Vundo is a large family of trojans that are associated with adware.

Method of Infection

Vundo variants typically use random file names; however, reports indicate that many variants of this increasingly large family are originally downloaded as bkinst.exe.


Current Vundo variants reported from the wild copy themselves and drop an executable file in one or more of the following subdirectories of the %Windows% directory:


addins/
AppPatch/
assembly/
Config/
Cursors/
Driver Cache/
Drivers/
Fonts/
Help/
inf/
java/
Microsoft.NET/
msagent/
Registration/
repair/
security/
ServicePackFiles/
Speech/
system/
system32/
Tasks/
Web/
Windows Update Setup Files/
Microsoft/


The file names are randomly generated by joining some of the following strings and appending .exe to the end:


abr
ac
acc
ad
anti
ap
as
av
bak
bas
bin
c
cab
cat
cmd
com
cr
db
disk
dll
dns
doc
dos
drv
dvd
eula
exp
fax
font
ftp
hard
iis
img
inet
info
ip
java
kb
key
lib
log
main
mc
mfc
mp3
ms
msvc
net
nut
odbc
ole
pc
play
ps
ras
reg
run
s
srv
svc
svr
sys
tapi
task
tcp
un
url
util
vb
vga
vss
w
wave
web
win
wms
xml


E.g. %Windows%\Cursors\wavedvd.exe


Vundo variants add a value under one or more of the following registry keys so that the dropped copies execute at each Windows start:


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run


The value name usually starts with a "*". For example:


HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\*MS Setup
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\*WinLogon


Vundo also drops a DLL in the %Temp% directory using the filename of the executable reversed with a .dat extension. For example, if the executable created is wavedvd.exe, Vundo would drop dvdevaw.dat in the %Temp% directory.


Note: %Temp% is a variable location and refers to the directory designated for temporary files. The malware determines the location of the current Temp folder by querying the operating system. A typical path is "C:\Documents and Settings\<username>\Local Settings\Temp", or "C:\WINDOWS\TEMP".

This DLL is registered as a service process and is used to protect the main executable. It is injected into one of the other running processes on the system, chosen at random. The main process is visible, but if it is terminated the injected DLL restarts it from memory; using the copy of the executable it holds in memory, it can also re-create any of the dropped files that are deleted.


The DLL also registers a BHO (Browser Helper Object) class in the registry, for example:


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{68132581-10F2-416E-B188-4E648075325A}


The executable also creates a configuration file in its current directory, named with its own file name reversed and the extension .ini. For example, if the executable is dropper.exe it creates a configuration file named reppord.ini.


Vundo creates backup copies of the configuration file (should it exist) using the same filename, but with extensions .bak1 and .bak2.
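The naming scheme, drop directories, reversed-name companion files and "*"-prefixed Run/RunOnce values described above can be turned into a correlating hunt. The script below is an added example, not CA's tooling; it runs on constructed sample data (the file list, %Temp% listing and Run values are made up for the demonstration, and the function names are my own) so that it works offline. On a live host the same functions would be fed the output of os.walk() over %Windows%, os.listdir() over %Temp% and a winreg walk of the four Run/RunOnce keys.

```python
"""Hunt for the Vundo file and Run-key artefacts described in the advisory.

Added example, not CA's code. Runs on constructed sample data; the token
list, drop directories, '*' value convention and reversed-name companion
files are taken from the advisory text.
"""
import ntpath

# Fragments the advisory says are concatenated (plus ".exe") to form names.
TOKENS = [
    "abr", "ac", "acc", "ad", "anti", "ap", "as", "av", "bak", "bas", "bin",
    "c", "cab", "cat", "cmd", "com", "cr", "db", "disk", "dll", "dns", "doc",
    "dos", "drv", "dvd", "eula", "exp", "fax", "font", "ftp", "hard", "iis",
    "img", "inet", "info", "ip", "java", "kb", "key", "lib", "log", "main",
    "mc", "mfc", "mp3", "ms", "msvc", "net", "nut", "odbc", "ole", "pc",
    "play", "ps", "ras", "reg", "run", "s", "srv", "svc", "svr", "sys",
    "tapi", "task", "tcp", "un", "url", "util", "vb", "vga", "vss", "w",
    "wave", "web", "win", "wms", "xml",
]

# %Windows% subdirectories the advisory lists as drop locations.
DROP_SUBDIRS = [
    "addins", "AppPatch", "assembly", "Config", "Cursors", "Driver Cache",
    "Drivers", "Fonts", "Help", "inf", "java", "Microsoft.NET", "msagent",
    "Registration", "repair", "security", "ServicePackFiles", "Speech",
    "system", "system32", "Tasks", "Web", "Windows Update Setup Files",
    "Microsoft",
]


def tokenize(stem):
    """Split a lower-case file stem into advisory tokens, or None if impossible.

    Dynamic programming over string positions; any valid split is accepted.
    The list contains one-letter tokens ("c", "s", "w"), so this check is
    loose on its own and is only scored together with the other indicators.
    """
    if not stem:
        return None
    best = [None] * (len(stem) + 1)
    best[0] = []
    for i in range(len(stem)):
        if best[i] is None:
            continue
        for tok in TOKENS:
            end = i + len(tok)
            if stem.startswith(tok, i) and best[end] is None:
                best[end] = best[i] + [tok]
    return best[len(stem)]


def companion_names(exe_name):
    """Reversed-stem companions: <rev>.dat in %Temp%, <rev>.ini (+ .bak1/.bak2) beside the exe."""
    stem = exe_name[:-4] if exe_name.lower().endswith(".exe") else exe_name
    rev = stem[::-1]
    return {ext: rev + "." + ext for ext in ("dat", "ini", "bak1", "bak2")}


def in_drop_dir(path, windir=r"C:\WINDOWS"):
    """True if `path` sits directly in one of the listed %Windows% subdirectories."""
    parent = ntpath.dirname(path).lower()
    return any(parent == ntpath.join(windir, sub).lower() for sub in DROP_SUBDIRS)


def starred_run_values(run_values):
    """Run/RunOnce values whose name starts with '*' (e.g. '*MS Setup').
    `run_values` maps 'HIVE\\...\\Run\\<value name>' to the value data."""
    return {k: v for k, v in run_values.items()
            if k.rsplit("\\", 1)[-1].startswith("*")}


def hunt(files, temp_files, run_values, windir=r"C:\WINDOWS", min_reasons=2):
    """Correlate the three indicators per executable; report those reaching `min_reasons`."""
    temp_names = {ntpath.basename(p).lower() for p in temp_files}
    autostarted = {v.strip('"').lower() for v in starred_run_values(run_values).values()}
    findings = {}
    for path in files:
        name = ntpath.basename(path)
        if not name.lower().endswith(".exe") or not in_drop_dir(path, windir):
            continue
        reasons = []
        if tokenize(name[:-4].lower()) is not None:
            reasons.append("name is a concatenation of Vundo tokens")
        if companion_names(name)["dat"].lower() in temp_names:
            reasons.append("reversed-name .dat present in %Temp%")
        if path.lower() in autostarted:
            reasons.append("launched by a '*'-prefixed Run/RunOnce value")
        if len(reasons) >= min_reasons:
            findings[path] = reasons
    return findings


# Constructed sample data (not from a real infection): one full hit, one
# name-only match, one benign system binary, one non-executable.
SAMPLE_FILES = [
    r"C:\WINDOWS\Cursors\wavedvd.exe",
    r"C:\WINDOWS\system32\msvcdns.exe",
    r"C:\WINDOWS\system32\notepad.exe",
    r"C:\WINDOWS\system32\drivers\etc\hosts",
]
SAMPLE_TEMP = [
    r"C:\Documents and Settings\user\Local Settings\Temp\dvdevaw.dat",
    r"C:\Documents and Settings\user\Local Settings\Temp\~DF3A1B.tmp",
]
SAMPLE_RUN = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\*MS Setup":
        r"C:\WINDOWS\Cursors\wavedvd.exe",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ExampleUpdater":
        r"C:\Program Files\Example\updater.exe",
}

if __name__ == "__main__":
    for exe, why in hunt(SAMPLE_FILES, SAMPLE_TEMP, SAMPLE_RUN).items():
        print(exe)
        for reason in why:
            print("   -", reason)
```

With the sample data only wavedvd.exe is reported: its name splits into "wave" + "dvd", dvdevaw.dat is in %Temp%, and a "*MS Setup" RunOnce value points at it. msvcdns.exe splits into "msvc" + "dns" but has no companion file or "*" value, so it is dropped unless min_reasons is lowered to 1; that threshold exists because the one-letter tokens make the name test alone a poor indicator.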

Payload

Backdoor Functionality

Vundo attempts to download and execute files from the virtumonde.com domain; some variants have also contacted remote servers in the 62.4.84.* IP range.


Vundo opens up a backdoor which takes commands from a remote host. Current variants afford their controllers the following capabilities:


  • Block user access to particular sites by modifying the Windows hosts file
  • Show popups
  • Add/set/get cookies
  • Redirect URLs
  • Download files
  • Search browsed pages for keywords
  • Modify registry keys and values
  • Change controlling host address
  • Record and send browsing statistics
  • Log user input/alter user input

For additional information:

The files vmtemp.exe and vmtemp.dat may be used by some variants.


The following registry modifications may also be made:


HKLM\Software\Classes\CLSID\<randomly generated id>\ProgID = "ATLEvents.ATLEvents.1"
HKLM\Software\Classes\CLSID\<randomly generated id>\VersionIndependentProgID = "ATLEvents.ATLEvents"
HKLM\Software\Classes\CLSID\<randomly generated id>\Programmable
HKLM\Software\Classes\CLSID\<randomly generated id>\InprocServer32 = "%Temp%\<Dll File Name>"
HKLM\Software\Classes\CLSID\<randomly generated id>\InprocServer32\ThreadingModel = "apartment"
HKLM\Software\Classes\CLSID\<randomly generated id>\AppID = ""
HKLM\Software\Classes\CLSID\<randomly generated id>\TypeLib = "{CLSID}"
HKCR\ATLEvents.ATLEvents.1 = "CATLEvents Object"
HKCR\ATLEvents.ATLEvents.1\CLSID = "{CLSID}"
HKCR\ATLEvents.ATLEvents = "CATLEvents Object"
HKCR\ATLEvents.ATLEvents\CLSID = "{CLSID}"
HKCR\ATLEvents.ATLEvents\CurVer = "ATLEvents.ATLEvents.1"
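The CLSID and BHO registrations above give a second, registry-only place to look: a Browser Helper Object whose in-process server is a file under a Temp directory, or whose ProgID is the ATLEvents.ATLEvents name listed here. The script below is an added example, not CA's code. It parses a constructed .reg export embedded in the block (the Vundo-style entry reuses the CLSID quoted in this advisory; the benign entry's CLSID, vendor directory and helper.dll name are placeholders) and flags the matching BHO. On a live host the same checks can be run over files produced with `reg export` of the CLSID and Browser Helper Objects keys. Only REG_SZ values are interpreted; dword and hex data are kept raw and ignored.

```python
"""Flag BHO registrations matching the Vundo COM artefacts in the advisory.

Added example, not CA's code. The .reg text below is constructed for the
demonstration; the placeholder CLSID and vendor are not real products.
"""
import re

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
BHO_PREFIX = (r"hkey_local_machine\software\microsoft\windows\currentversion"
              r"\explorer\browser helper objects" + "\\")
# HKCR\CLSID is a merged view of HKLM\Software\Classes\CLSID; exports may use either.
CLSID_ROOTS = (r"hkey_local_machine\software\classes\clsid" + "\\",
               r"hkey_classes_root\clsid" + "\\")


def _unescape(s):
    """Undo .reg string escaping: \\\\ -> \\ and \\" -> "."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return {key path: {value name: data}}; '' is the key's default value (@)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if current is None or not m:
            continue
        name = "" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        data = m.group(2)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = _unescape(data[1:-1])          # REG_SZ; dword:/hex: stay raw
        keys[current][name] = data
    return keys


def clsid_details(keys, clsid):
    """(InprocServer32 path, ProgID) for a CLSID, looking under both roots."""
    lower = {k.lower(): v for k, v in keys.items()}
    server = progid = ""
    for root in CLSID_ROOTS:
        base = root + clsid.lower()
        server = server or lower.get(base + r"\inprocserver32", {}).get("", "")
        progid = progid or lower.get(base + r"\progid", {}).get("", "")
    return server, progid


def suspicious_bhos(keys):
    """BHOs served from a Temp directory or registered with the ATLEvents ProgID.
    ATLEvents is the ATL wizard's default class name, so it is weak on its own;
    the Temp-path server is the stronger of the two indicators."""
    hits = {}
    for key in keys:
        if not key.lower().startswith(BHO_PREFIX):
            continue
        clsid = key[len(BHO_PREFIX):]
        if not CLSID_RE.fullmatch(clsid):      # skip sub-keys of a BHO entry
            continue
        server, progid = clsid_details(keys, clsid)
        reasons = []
        if "\\temp\\" in server.lower():
            reasons.append("InprocServer32 points into a Temp directory")
        if progid.lower().startswith("atlevents.atlevents"):
            reasons.append("ProgID is ATLEvents.ATLEvents")
        if reasons:
            hits[clsid] = {"server": server, "progid": progid, "reasons": reasons}
    return hits


# Constructed sample export: one Vundo-style BHO (CLSID from the advisory)
# and one ordinary BHO with a placeholder CLSID and vendor.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{68132581-10F2-416E-B188-4E648075325A}]
@="CATLEvents Object"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{68132581-10F2-416E-B188-4E648075325A}\ProgID]
@="ATLEvents.ATLEvents.1"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{68132581-10F2-416E-B188-4E648075325A}\InprocServer32]
@="C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\dvdevaw.dat"
"ThreadingModel"="apartment"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\ProgID]
@="Example.Helper.1"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\Program Files\\Example\\helper.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{68132581-10F2-416E-B188-4E648075325A}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-000000000001}]
"NoExplorer"=dword:00000001
"""

if __name__ == "__main__":
    for clsid, info in suspicious_bhos(parse_reg(SAMPLE_REG)).items():
        print(clsid, info["server"], "|", "; ".join(info["reasons"]))
```

The ThreadingModel value is deliberately not scored: "apartment" is the normal setting for a BHO and says nothing by itself. A real export will contain many more keys than the sample; the lookup is case-insensitive because registry key names are.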


Analysis by Paul Taylor

CA Global Security Advisor