VUNDO
Aliases: Monder, Monderd, Virtum, Monderb
Platform: Windows 2000, Windows XP, Windows Server 2003
Threat Type: Trojan
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
VUNDO is a family of Trojans, adware, and spyware first spotted in 2004. It usually arrives as a bundle of components, downloaded from malicious websites.
VUNDO is multi-component, meaning it has several files working to achieve its purpose - present pop-up advertisements on infected computers. Said advertisements may lead users to fraudulent websites or applications.
VUNDO variants are also capable of downloading other malware files. They commonly arrive on the system as a .DLL file that is installed as a BHO (browser helper object), so the code is loaded into the browser process every time Internet Explorer starts.
TECHNICAL DETAILS
Installation
This Trojan drops the following files:
- %System%\bb911232-.txt
- %System%\{Random}.dll
- %User Temp%\removalfile.bat
- {malware path}\{malware name}.ini
- {malware path}\{malware name}.ini2
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.)
Autostart Technique
This Trojan adds the following registry entries to enable its automatic execution at every system startup:
HKEY_CLASSES_ROOT\CLSID\{random CLSID}\InprocServer32
    {default} = "{malware path}\{malware name}.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{random CLSID}\InprocServer32
    {default} = "{malware path}\{malware name}.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    {random name} = "Rundll32.exe {malware path}\{malware name}.dll,s"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    {random name} = "Rundll32.exe "{malware path}\{malware name}.dll",a"
Other System Modifications
This Trojan adds the following registry keys:
HKEY_CLASSES_ROOT\CLSID\{random CLSID}
HKEY_CLASSES_ROOT\CLSID\{random CLSID}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{random CLSID}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{random CLSID}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\{random characters}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{random CLSID}
It adds the following registry entries:
HKEY_CLASSES_ROOT\CLSID\{random CLSID}\InprocServer32
    (Default) = "%System%\{random}.dll"
HKEY_CLASSES_ROOT\CLSID\{random CLSID}\InprocServer32
    ThreadingModel = "Both"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    GlobalUserOffline = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{random CLSID}\InprocServer32
    ThreadingModel = "Both"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    LoadAppInit_DLLs = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{Random}
    Asynchronous = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{Random}
    DllName = "{Random}.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{Random}
    Impersonate = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{Random}
    Logoff = "Logoff"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{Random}
    Logon = "Logon"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
    {random CLSID} = "jugezatag"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
    {random CLSID} = ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
    {random name} = "{random CLSID}"
It modifies the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_DLLs = "{malware path}\{malware name}.dll"
(Note: The default value data of the said registry entry is {blank}.)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv
    Start = "4"
(Note: The default value data of the said registry entry is 2.)
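The registry locations listed above (AppInit_DLLs, Winlogon Notify packages, the Run key, BHOs, SharedTaskScheduler, ShellExecuteHooks, ShellServiceObjectDelayLoad and the wuauserv Start value) are all persistence or load points that a defender can audit in one pass. The following PowerShell script is an added example written for this page; it is not part of the Trend Micro entry and not code from the malware. It only reads the registry and reports what it finds: every key path comes from the entry above, and the "expected" values it compares against (AppInit_DLLs blank, wuauserv Start = 2) are the defaults the entry itself states. Resolving each CLSID to its InprocServer32 DLL is the script's own addition, so the reviewer sees which file on disk each shell hook actually loads. Run it in an elevated PowerShell session on the host being examined.

```powershell
# Added example, not from the Trend Micro VUNDO entry. Read-only audit of the
# persistence locations that entry lists. Requires an elevated session.

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding {
    param([string]$Location, [string]$Detail)
    # .Add mutates the list in the caller's scope; no reassignment needed.
    $findings.Add([pscustomobject]@{ Location = $Location; Detail = $Detail })
}

# Resolve a CLSID to the DLL its InprocServer32 (default) value points at.
function Resolve-InprocServer {
    param([string]$Clsid)
    foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKCU:\SOFTWARE\Classes\CLSID') {
        $p = Join-Path $root "$Clsid\InprocServer32"
        $v = (Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).'(default)'
        if ($v) { return $v }
    }
    return '<no InprocServer32 found>'
}

# 1. AppInit_DLLs: the entry says the default is blank and VUNDO writes its DLL here.
$winKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$winProps = Get-ItemProperty -Path $winKey -ErrorAction SilentlyContinue
if ($winProps.AppInit_DLLs) {
    Add-Finding $winKey "AppInit_DLLs is non-empty: $($winProps.AppInit_DLLs)"
}
if ($winProps.LoadAppInit_DLLs -eq 1) {
    Add-Finding $winKey 'LoadAppInit_DLLs = 1'
}

# 2. Windows Update service: the entry says VUNDO sets Start to 4 (disabled); default is 2.
$wuKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\wuauserv'
$wuStart = (Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue).Start
if ($wuStart -eq 4) {
    Add-Finding $wuKey 'wuauserv Start = 4 (disabled; default is 2)'
}

# 3. Winlogon Notify packages: list each subkey and the DllName it loads.
$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
Get-ChildItem -Path $notifyKey -ErrorAction SilentlyContinue | ForEach-Object {
    $dll = (Get-ItemProperty -Path $_.PSPath).DllName
    Add-Finding $_.PSPath "Winlogon Notify package loads '$dll'"
}

# 4. Run values that launch a DLL through rundll32 (the entry shows "...dll,s" and "...dll,a").
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runProps = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($runProps) {
    $runProps.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -match '(?i)rundll32' } |
        ForEach-Object { Add-Finding "$runKey\$($_.Name)" "Run value invokes rundll32: $($_.Value)" }
}

# 5. Explorer/shell load points from the entry, each CLSID resolved to its DLL.
$explorer = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer'
Get-ChildItem -Path "$explorer\Browser Helper Objects" -ErrorAction SilentlyContinue | ForEach-Object {
    Add-Finding $_.PSPath ('BHO -> ' + (Resolve-InprocServer $_.PSChildName))
}
foreach ($sub in 'SharedTaskScheduler', 'ShellExecuteHooks') {
    $props = Get-ItemProperty -Path "$explorer\$sub" -ErrorAction SilentlyContinue
    if ($props) {
        $props.PSObject.Properties | Where-Object { $_.Name -like '{*}' } | ForEach-Object {
            Add-Finding "$explorer\$sub" ("$($_.Name) -> " + (Resolve-InprocServer $_.Name))
        }
    }
}
$ssodlKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
$ssodl = Get-ItemProperty -Path $ssodlKey -ErrorAction SilentlyContinue
if ($ssodl) {
    $ssodl.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -like '{*}' } |
        ForEach-Object {
            Add-Finding $ssodlKey ("$($_.Name) = $($_.Value) -> " + (Resolve-InprocServer $_.Value))
        }
}

$findings | Format-Table -AutoSize -Wrap
```

The output is a review list, not a verdict: Winlogon Notify packages, ShellServiceObjectDelayLoad entries and BHOs are legitimately populated on Windows 2000, XP and Server 2003, so the useful signal is a resolved DLL that sits in %System% under a random-looking name, has no vendor, or matches the Rundll32 pattern shown in the Autostart Technique section, together with a non-empty AppInit_DLLs value and a disabled wuauserv.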
Other Details
This Trojan connects to the following possibly malicious URLs:
- http://{BLOCKED}.{BLOCKED}.103.60/go//?cmp=vmtek_update&lid=run&uid={data}&guid={data}
- http://{BLOCKED}.{BLOCKED}.231.95/main/logo.html?sid={random}
- http://{BLOCKED}.{BLOCKED}.235.70/443
- http://{BLOCKED}.{BLOCKED}.115.146/info.png?cmp={data}&rid={data}&affid={data}&mid={data}&revid={data}&uid={uid}&guid={guid}&mrk=1&ver={data}
- http://{BLOCKED}.{BLOCKED}.166.138/32/32.dll?setid=an2g&affid={data}&uid=&rid=vm571&guid={guid}
- http://{BLOCKED}.{BLOCKED}.166.138/32/32.dll?setid={data}&affid={data}&uid={data}&rid={data}&guid={guid}
- http://{BLOCKED}.{BLOCKED}.169.55/i.exe?setid=an2g&affid={data}&uid=&rid=vm571&guid={guid}
- http://{BLOCKED}.{BLOCKED}.169.55/i.exe?setid={data}&affid={data}&uid=&rid={data}&guid={guid}