Win32/Vundo is a multiple-component family of programs that deliver 'out of context' pop-up advertisements. They may also download and execute arbitrary files. Win32/Vundo is often distributed as a DLL file and installed on a computer as a Browser Helper Object (BHO) without a user's consent. The Vundo family uses advanced defensive and stealth techniques to escape detection and to hinder removal.
Installation
When executed, Trojan:Win32/Vundo.FZ connects to the domain 'regters.com' to download additional data. Several data files are created in the same location as the trojan, using the same file name but with the following extensions instead of '.dll':
If it is not executed using rundll32.exe, it spawns a new instance of itself using the command line:
Win32/Vundo may modify the registry to execute its copy at each Windows start, for example:
Adds value: <random hex value>
With data: <trojan path and filename.dll>
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Payload
Win32/Vundo is coded to deliver 'out of context' advertisements; however, it may take a number of additional actions in order to satisfy this purpose, including modifying Internet and security settings and sending information from the infected system to a remote server.
Modifies Browser Behavior
Win32/Vundo may redirect URLs entered by the user to predefined URLs. Also, when particular URLs are visited by a user, Win32/Vundo may disable the display of pop-ups. This is possibly an "anti-competitive" measure, as the list of targeted URLs contains a number of popular search engines and domain names associated with ad-servers, for example:
- yahoo.com
- search.ebay.com
- web.ask.com
- banners.pennyweb.com
- ads2.revenue.net
- www2.yesadvertising.com
- images.trafficmp.com
- z1.adserver.com
- ads1.revenue.net
- ads.doubleclick.net
- ads.180solutions.com
Modifies System Security Settings
Win32/Vundo makes the following registry modification in an attempt to bypass firewalls:
Sets value: "ProxyBypass"
With data: "1"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
Sends Information to Remote Server
Win32/Vundo may gather and send the following information from the machine to a remote server:
Additional Information
Win32/Vundo has been observed using encryption techniques in order to obfuscate its communications with remote sites.
This family may create the following registry entries in which to store data:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aldd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa
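The registry artifacts listed in the Installation, Modifies System Security Settings and Additional Information sections can be checked on a host with a short script. The following is an added example written for this entry, not part of the original analysis; it assumes the random value name is a plain hexadecimal string, and the hex pattern and the DLL-path check are assumptions of the script, not details from the entry.

```powershell
# Added example: check a Windows host for the Win32/Vundo registry artifacts
# described in this entry. Run in an elevated PowerShell session.
$findings = @()

# 1. Run-key persistence: a value with a random hex name whose data is a DLL path.
#    (Assumption: the "random hex value" is a plain hex string of 6+ characters.)
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($prop in $run.PSObject.Properties) {
        if ($prop.Name -in 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider') { continue }
        $data = [string]$prop.Value
        if ($prop.Name -match '^[0-9A-Fa-f]{6,}$' -and $data -match '\.dll(\s|"|$)') {
            $findings += "Run value '$($prop.Name)' -> $data (hex-named value loading a DLL)"
        }
    }
}

# 2. ZoneMap ProxyBypass = 1, which the entry reports the trojan sets.
#    This value is also written by legitimate proxy configuration, so treat it
#    only as corroboration alongside the other indicators.
$zoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
$pb = (Get-ItemProperty -Path $zoneMap -Name ProxyBypass -ErrorAction SilentlyContinue).ProxyBypass
if ($pb -eq 1) {
    $findings += "ZoneMap\ProxyBypass is set to 1"
}

# 3. Data-storage keys the family is reported to create.
foreach ($k in 'HKLM:\SOFTWARE\Microsoft\aldd', 'HKLM:\SOFTWARE\Microsoft\rdfa') {
    if (Test-Path -Path $k) {
        $findings += "Data-storage key present: $k"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Win32/Vundo registry indicators found.'
} else {
    $findings | ForEach-Object { Write-Output "INDICATOR: $_" }
}
```

A hit on the Run key or the aldd/rdfa keys is the stronger signal; ProxyBypass alone is not conclusive.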
The Win32/Vundo family is closely associated with the Win32/Virtumonde and Win32/Conhook families.
Analysis by Marian Radu and Jaime Wong