
Trojan:Win32/Vundo.gen!G


First posted on 16 March 2009.
Source: SecurityHome

Aliases :

There are no other names known for Trojan:Win32/Vundo.gen!G.

Explanation :

Win32/Vundo is a multiple-component family of programs that deliver 'out of context' pop-up advertisements. They may also download and execute arbitrary files. Vundo is often distributed as a DLL file and installed on an affected machine as a Browser Helper Object (BHO) without a user's consent. This family uses advanced defensive and stealth techniques to escape detection and to hinder removal.

Symptoms

System Changes

The following system changes may indicate the presence of Win32/Vundo:

  • The display of 'out of context' advertisements, unrelated to web content being viewed by the affected user.
  • Presence of the following registry entries:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aldd
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SysUpd
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{35F7813A-AF74-4474-B1DC-7EE6FB6C43C6}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{39D2FC9B-041C-470E-AE72-F8C001247626}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{52B1DFC7-AAFC-4362-B103-868B0683C697}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6DD0BC06-4719-4BA3-BEBC-FBAE6A448152}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7BF451AC-2010-4804-B256-DB2F0A8D9EB6}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{827DC836-DD9F-4A68-A602-5812EB50A834}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8DBF02DA-4360-4A7E-BEA1-347B87816327}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AF7FCAFB-9FDB-4F5E-BAC6-68BDEE61D6C6}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FC148228-87E1-4D00-AC06-58DCAA52A4D1}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B8B55274-0F9A-41E5-9067-A3539BD9E860}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CBE0D59D-F985-4AC6-8826-FEE957065D42}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5AEFF965-B1A9-4675-966A-26C2E812AD51}
    HKEY_CLASSES_ROOT\MSEvents.MSEvents
    HKEY_CLASSES_ROOT\MSEvents.MSEvents.1
    HKEY_CLASSES_ROOT\psapianalyzer.psapianalyzer.1
    HKEY_CLASSES_ROOT\psapianalyzer.psapianalyzer
    HKEY_CLASSES_ROOT\MFCOptimizeClass.MFCOptimizeClass.1
    HKEY_CLASSES_ROOT\MFCOptimizeClass.MFCOptimizeClass
    HKEY_CLASSES_ROOT\RawExecAction.RawExecAction
    HKEY_CLASSES_ROOT\RawExecAction.RawExecAction.1
    HKEY_CLASSES_ROOT\iepl.iepl.1
    HKEY_CLASSES_ROOT\iepl.iepl
    HKEY_CLASSES_ROOT\ATLDistrib.ATLDistrib.1
    HKEY_CLASSES_ROOT\ATLDistrib.ATLDistrib
    HKEY_CLASSES_ROOT\WTLHelper.WTLHelper
    HKEY_CLASSES_ROOT\WTLHelper.WTLHelper.1
    HKEY_CLASSES_ROOT\DosSpecFolder.DosSpecFolder
    HKEY_CLASSES_ROOT\DosSpecFolder.DosSpecFolder.1
    HKEY_CLASSES_ROOT\DPCUpdater.DPCUpdater.1
    HKEY_CLASSES_ROOT\DPCUpdater.DPCUpdater
    HKEY_CLASSES_ROOT\ADOUsefulNet.ADOUsefulNet
    HKEY_CLASSES_ROOT\ADOUsefulNet.ADOUsefulNet.1
    HKEY_CLASSES_ROOT\InfoDocReader.InfoDocReader
    HKEY_CLASSES_ROOT\InfoDocReader.InfoDocReader.1
    HKEY_CLASSES_ROOT\ATLEvents.ATLEvents.1
    HKEY_CLASSES_ROOT\ATLEvents.ATLEvents
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\psapianalyzer.psapianalyzer
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\psapianalyzer.psapianalyzer.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MFCOptimizeClass.MFCOptimizeClass
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MFCOptimizeClass.MFCOptimizeClass.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\RawExecAction.RawExecAction
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\RawExecAction.RawExecAction.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\iepl.iepl
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\iepl.iepl.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ATLDistrib.ATLDistrib
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ATLDistrib.ATLDistrib.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WTLHelper.WTLHelper
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WTLHelper.WTLHelper.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DosSpecFolder.DosSpecFolder
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DosSpecFolder.DosSpecFolder.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DPCUpdater.DPCUpdater
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DPCUpdater.DPCUpdater.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ADOUsefulNet.ADOUsefulNet
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ADOUsefulNet.ADOUsefulNet.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\InfoDocReader.InfoDocReader
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\InfoDocReader.InfoDocReader.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ATLEvents.ATLEvents
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ATLEvents.ATLEvents.1

Please see our detailed Win32/Vundo family analysis elsewhere in this encyclopedia for additional information.
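The registry entries above are the page's host indicators: COM class registrations (CLSIDs and their ProgIDs) for the Vundo DLL, plus two plain configuration keys. Because HKEY_CLASSES_ROOT is a merged view of HKLM\SOFTWARE\Classes and HKCU\SOFTWARE\Classes, each ProgID is listed under both spellings, and a checker has to treat them as the same key. The script below is an added example, not part of the encyclopedia entry: it parses a `reg export` text file so the triage can run off the affected host, matches the page's indicators through one canonical key form, and for any matching CLSID pulls the registered DLL path out of InprocServer32 and checks whether that CLSID is also registered as an Internet Explorer Browser Helper Object (the standard `...\Explorer\Browser Helper Objects\{CLSID}` location, which the page itself does not list). The sample export, including its DLL path, is constructed for the demo.

```python
"""Offline triage of a Windows registry export (.reg) for the Win32/Vundo
indicators listed on this page. Added example; the SAMPLE_REG text and the
DLL path inside it are constructed, not taken from a real infection."""

# Indicators copied from the encyclopedia entry.
VUNDO_CLSIDS = {
    "{35F7813A-AF74-4474-B1DC-7EE6FB6C43C6}", "{39D2FC9B-041C-470E-AE72-F8C001247626}",
    "{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44}", "{52B1DFC7-AAFC-4362-B103-868B0683C697}",
    "{6DD0BC06-4719-4BA3-BEBC-FBAE6A448152}", "{7BF451AC-2010-4804-B256-DB2F0A8D9EB6}",
    "{827DC836-DD9F-4A68-A602-5812EB50A834}", "{8DBF02DA-4360-4A7E-BEA1-347B87816327}",
    "{AF7FCAFB-9FDB-4F5E-BAC6-68BDEE61D6C6}", "{FC148228-87E1-4D00-AC06-58DCAA52A4D1}",
    "{B8B55274-0F9A-41E5-9067-A3539BD9E860}", "{CBE0D59D-F985-4AC6-8826-FEE957065D42}",
    "{5AEFF965-B1A9-4675-966A-26C2E812AD51}",
}
VUNDO_PROGIDS = {
    "MSEvents.MSEvents", "psapianalyzer.psapianalyzer", "MFCOptimizeClass.MFCOptimizeClass",
    "RawExecAction.RawExecAction", "iepl.iepl", "ATLDistrib.ATLDistrib", "WTLHelper.WTLHelper",
    "DosSpecFolder.DosSpecFolder", "DPCUpdater.DPCUpdater", "ADOUsefulNet.ADOUsefulNet",
    "InfoDocReader.InfoDocReader", "ATLEvents.ATLEvents",
}
VUNDO_KEYS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aldd",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SysUpd",
}
# Where Internet Explorer enumerates BHOs (standard location, not listed on the page).
BHO_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS" + "\\"

_HIVE_ALIASES = {"HKLM\\": "HKEY_LOCAL_MACHINE\\", "HKCU\\": "HKEY_CURRENT_USER\\",
                 "HKCR\\": "HKEY_CLASSES_ROOT\\"}
_CLASSES_VIEWS = ("HKEY_LOCAL_MACHINE\\SOFTWARE\\CLASSES\\",
                  "HKEY_CURRENT_USER\\SOFTWARE\\CLASSES\\", "HKEY_CLASSES_ROOT\\")


def canonical(key):
    """Upper-case a key path, expand hive abbreviations and fold the three
    spellings of the Classes tree (HKCR is a merged view) into CLASSES\\..."""
    k = key.strip().upper()
    for short, full in _HIVE_ALIASES.items():
        if k.startswith(short):
            k = full + k[len(short):]
    for prefix in _CLASSES_VIEWS:
        if k.startswith(prefix):
            return "CLASSES\\" + k[len(prefix):]
    return k


def parse_reg(text):
    """Parse `reg export` output into {key_path: {value_name: data}}.
    Simplified: string values only are unescaped; hex continuation lines are skipped."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})          # keys without values still count
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = name.strip('"')                 # '@' is the default value
            data = data.strip('"').replace("\\\\", "\\")
            keys[current][name] = data
    return keys


def scan(keys):
    """Return findings for every page indicator present in the parsed export."""
    canon = {canonical(k): v for k, v in keys.items()}
    findings = []
    for clsid in sorted(VUNDO_CLSIDS):
        ck = "CLASSES\\CLSID\\" + clsid
        if ck in canon:
            findings.append({"type": "clsid", "indicator": clsid,
                             # DLL that COM will load for this class, if registered
                             "dll": canon.get(ck + "\\INPROCSERVER32", {}).get("@"),
                             "bho_registered": (BHO_ROOT + clsid) in canon})
    for progid in sorted(VUNDO_PROGIDS):
        for suffix in ("", ".1"):                  # page lists version-independent and .1 ProgIDs
            if "CLASSES\\" + (progid + suffix).upper() in canon:
                findings.append({"type": "progid", "indicator": progid + suffix,
                                 "dll": None, "bho_registered": False})
    for key in sorted(VUNDO_KEYS):
        if canonical(key) in canon:
            findings.append({"type": "key", "indicator": key, "dll": None, "bho_registered": False})
    return findings


# Constructed sample export: one Vundo CLSID registered as a BHO, one ProgID via the
# HKCR spelling, one config key, and an unrelated (Shortcut) CLSID that must not match.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{39D2FC9B-041C-470E-AE72-F8C001247626}]
@="example COM object"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{39D2FC9B-041C-470E-AE72-F8C001247626}\InprocServer32]
@="C:\\WINDOWS\\system32\\xxxxxxxx.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{39D2FC9B-041C-470E-AE72-F8C001247626}]

[HKEY_CLASSES_ROOT\ATLDistrib.ATLDistrib]
@="example COM object"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SysUpd]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00021401-0000-0000-C000-000000000046}]
@="Shortcut"
"""

if __name__ == "__main__":
    for f in scan(parse_reg(SAMPLE_REG)):
        print(f"{f['type']:6} {f['indicator']}  dll={f['dll']}  bho={f['bho_registered']}")
```

On a real case, run `reg export HKLM hklm.reg` and `reg export HKCU hkcu.reg` on the host (or from a mounted offline hive) and feed the concatenated text to `parse_reg`; the `dll` field of a CLSID hit is the file to collect and hash before removal, and `bho_registered` tells you whether the class is actually wired into Internet Explorer rather than merely registered.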

Last update 16 March 2009