Win32/Vundo

Installation

Members of the Win32/Vundo family can infect your PC in a number of different ways. They often use multiple components of the family all working at once.

The initial component may come via drive-by downloads pretending to be legitimate programs, as "trojanized" installers or via exploits.

We have observed the following exploits detected alongside Win32/Vundo infections:

• CVE-2008-5353
• CVE-2009-3867
• CVE-2009-3869
• CVE-2010-0094
• CVE-2010-0188
• CVE-2010-0840
• CVE-2010-0842
• CVE-2010-1297
• CVE-2010-4452
• CVE-2011-1823
• CVE-2011-3521
• CVE-2011-3544
• CVE-2012-0056
• CVE-2012-0507
• CVE-2012-1723
• CVE-2012-4621
• CVE-2012-4681
• CVE-2012-5076
• CVE-2013-0422
• CVE-2013-0431
• CVE-2013-1493
• CVE-2013-2423

We have observed the following file names being used by the Win32/Vundo family:

• directx 8 0 genuine licence.exe
• dragon_software no serial(crack).exe
• gta san andrea el juego genuine advantage validation.exe
• juego para pc de san andres sharereactor com.exe
• juegos para pc de counter strike 1 6 no steam crack(no cd).exe
• minitab 15 licence keygen.exe
• need for speed most wanted para pc spanish sharereactor com.exe
• resident evil 3 nemesis para pc crack.exe
• Setup.exe
• wifislax 3 1 spanish crack.exe

These file names indicate that Win32/Vundo might attempt to use social engineering to trick you into downloading the malware, thinking it was something else.

Some variants of Win32/Vundo, such as Worm:Win32/Vundo.A, are known to spread through network drives.

Variants of Win32/Vundo might use dropper or downloader executable components, which might be detected with the following names:

• Trojan:Win32/Vundo.gen!AW
• Trojan:Win32/Vundo.HIY
• Trojan:Win32/Vundo.OD
• Trojan:Win32/Vundo.QA
• TrojanDropper:Win32/Vundo.A
• TrojanDropper:Win32/Vundo.B
• TrojanDownloader:Win32/Vundo
• TrojanDownloader:Win32/Vundo.J

We have observed the dropper or downloader components being saved to the following locations:

• In the %windir% folder as:
• addins
• AppPatch
• assembly
• Config
• Cursors
• Driver Cache
• Drivers
• Fonts
• Help
• inf
• java
• Microsoft
• Microsoft.NET
• msagent
• Registration
• repair
• security
• ServicePackFiles
• Speech
• system
• system32
• Tasks
• Web
• Windows Update Setup File
• %APPDATA% \Microsoft

Newer and prevalent variants of the family (such as Trojan:Win32/Vundo.ZJ and Trojan:Win32/Vundo.ZL) install themselves with file names such as:

• lsass.exe
• netprotdrvss.exe
• netprotocol.exe
• taskhost.exe

Variants of Win32/Vundo might modify the following registry entries to ensure the executable components run each time you start your PC:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "<variant's file name without extension>", for example "Netprotocol"
With data: "<variant's file location>", for example "%APPDATA%\netprotocol.exe"

Win32/Vundo might also be installed as a BHO or DLL component by a downloader or dropper component.

If a downloader component is used (such as Trojan:Win32/Vundo.gen!AW or Trojan:Win32/Vundo.QA), it downloads a DLL component (for example, TrojanDownloader:Win32/Vundo.J) that it saves with a file name that can be randomly generated or created using any two of the following strings:

For example, sysnet.dll.

Win32/Vundo might modify the following registry entry to load the newly created DLL whenever you start your PC or Internet Explorer:

In subkey: HKLM\SOFTWARE\Classes\CLSID\<unique CLSID that varies with each variant>
Sets value: "InprocServer32"
With data: "<location and file name of DLL component>"

For example:

In subkey: HKLM\SOFTWARE\Classes\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}
Sets value: "InprocServer32"
With data: "%windir%\system32\fccywxv.dll"

The variant might also modify the following registry entry to ensure the DLL is run each time you start your PC:

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Sets value: "AppInit_DLLs"
With data: "<variant's folder and file name>", for example "<system folder>\<random file name>.dll"

In some variants, several data files are also created in the same location as the DLL file, using the same name but with the following file extensions (as opposed to .dll):

• .bak1
• .bak2
• .ini
• .ini2
• .log
• .tmp

For example:

• sysnet.ini
• sysnet.log
• sysnet.tmp

These files contain an encrypted, unique number that is generated by the malware that might be used to identify each infected PC.

Variants of Win32/Vundo can also install a DLL file with a randomly generated file name in the following folders:

• %APPDATA%
• %APPDATA%\Microsoft
• <system folder>

Win32/Vundo might also modify the following registry entry to load the malware at startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks  

It may also make further modifications to load the program during events such as logon and logoff, for example:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\<random name of module>

To protect itself from being deleted by security software, the trojan might monitor and modify the registry entry HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations to rename its file name when your PC restarts.

Variants of Win32/Vundo, such as Trojan:Win32/Vundo.AF and Trojan:Win32/Vundo.gen, might create a mutex called SysUpdIsRunningMutex to prevent multiple instances of the variant from running.

Win32/Vundo may also inject its code into the following processes if they are found to be running on your computer, possibly to stop or alter the functionality of the process, which may be related to antimalware software:

• Ad-aware.exe
• Hijackthis.exe
• Wrsssdk.exe

Spreads via...

Network and removable drives

The worm variants of Win32/Vundo, such as Worm:Win32/Vundo.A, are known to spread through network and removable drives by creating the following copies of themselves on removable drives:

• <removable drive>:\\<random>\<random>.dll
• <removable drive>:\\<random>.dll

It also places an autorun.inf file in the root directory of the targeted drive. Such autorun.inf files contain instructions for the operating system so that when the removable drive is accessed from another computer supporting the Autorun feature, the malware is launched automatically.

This is particularly common malware behavior, generally used in order to spread malware from PC to PC.

It should be noted that autorun.inf files on their own are not necessarily a sign of infection, as they are used by legitimate programs and installation media.

Payload

Displays advertisements

Variants of Win32/Vundo have been observed contacting a number of IP addresses and particular domains to access the advertising material that they display. For example, in the wild variants have been observed to connect to the following IP addresses:

• 207.226.179.18
• 62.4.84.56
• 65.243.103.52
• 65.54.225.100
• 69.31.80.179
• 69.31.80.180
• 72.247.31.80
• 82.98.235.210
• 82.98.235.216
• 89.188.16.22

Later variants, such as Trojan:Win32/Vundo.QA and Trojan:Win32/Vundo.gen!AW, may connect to the following HTTP servers on port 80:

• ebyis.be
• eksyghskgsbakrys.com
• imeret.be
• intonwe.be
• klonesat.net
• louqwesas.com
• mopiiueus.com
• msrgejsdyvekadh.com
• rmyals.net
• rygus.be
• thsaw.be
• zeqsmmiwj3d.com

In particular, variants of Win32/Vundo such as Trojan:Win32/Vundo.AF and Trojan:Win32/Vundo.gen have been observed displaying pop-ups that promote the following rogue security sites:

• antivirussecuritypro.com
• drivecleaner.com
• sysprotect.com
• systemdoctor.com
• winantivirus.com
• winantiviruspro.com

Downloads and runs other files

Variants of Win32/Vundo such as Trojan:Win32/Vundo.QA and Trojan:Win32/Vundo.gen!AW might also attempt to download and run files from the servers they contact in the Displays advertisements payload. After downloading the files, the variant runs the files on your PC. These files may include updates or additional components.  

Stops security services

Variants of Win32/Vundo may end or stop services associated with the following security-related applications:

• Ad-Aware
• Microsoft Giant/Antispyware (this is an old Microsoft antimalware product that is no longer supported)
• Spyware Doctor

Variants may also make the following registry modification in an attempt to bypass firewalls:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Sets value: ProxyBypass
With data: "1"

This includes the following variants:

• Trojan:Win32/Vundo.FJ  
• Trojan:Win32/Vundo.gen!A
• Trojan:Win32/Vundo.gen!AW
• Trojan:Win32/Vundo.gen!CD
• Trojan:Win32/Vundo.gen!D
• Trojan:Win32/Vundo.HIY
• Trojan:Win32/Vundo.K  
• Trojan:Win32/Vundo.KO  
• Trojan:Win32/Vundo.KT  
• Trojan:Win32/Vundo.QA  
• Trojan:Win32/Vundo.RJ  
• TrojanDownloader:Win32/Vundo.K  

Later variants of Win32/Vundo, such as those detected as Trojan:Win32/Vundo, have been observed attempting to disable the Windows Autoupdate service (called wuauserv). These variants might also check if the Microsoft Malicious Software Removal Tool (mrt.exe) is running and close it.

Win32/Vundo might also attempt to shut down the McAfee Common Framework service.

Modifies browser behavior

Variants of the family, such as Trojan:Win32/Vundo.K, might redirect certain URLs to others of their own choosing, including search engines such as webvolta.ru. They can also disable pop-ups from certain advertising-related or advertising-supported sites when you visit them, such as the following:

• ads.180solutions.com
• ads.doubleclick.net
• ads1.revenue.net
• ads2.revenue.net
• banners.pennyweb.com
• images.trafficmp.com
• search.ebay.com
• web.ask.com
• www2.yesadvertising.com
• yahoo.com
• z1.adserver.com

Win32/Vundo also disables pop-ups if a targeted URL contains mil or gov in the domain.

Sends information to a remote server

Variants of the family might gather and send information from your PC to a remote server. We have observed the following variants displaying this behavior:

• Trojan:Win32/Vundo.AF  
• Trojan:Win32/Vundo.AX
• Trojan:Win32/Vundo.BI
• Trojan:Win32/Vundo.CK
• Trojan:Win32/Vundo.FZ
• TrojanDownloader:Win32/Vundo.J  

We have seen the variants sending the following information:

• Information about Outlook Express accounts such as name, mailing address, email address and phone number
• Information gathered from the registry subkey HKLM\Software\Microsoft\Internet Account Manager\Accounts
• POP3 and SMTP user names from Outlook Express 
• Registered owner of Windows
• Operating system version/build number
• Network adapter information, including:
• Adapter name
• Description
• Address
• Current IP address
• IP address list
• Gateway list
• DHCP server
• Primary Wins server
• Secondary Wins server
• MAC address of your computer
• Keyboard layout
• Time when Win32/Vundo was installed on your computer
• A log of Win32/Vundo crashes
• Volume serial number

For example, we have observed TrojanDownloader:Win32/Vundo.J sending information to the following servers:

• 91.220.35.154
• 91.233.89.106
• 91.233.89.59
• clickbeta.ru
• clickclans.ru
• clickstano.com
• debijonda.com
• degoog1etag.com
• denadb.com
• denareclick.com
• dentagod.com
• ferimonra.com
• fescheck.com
• flersomstk.com
• foradns.com
• getavodes.com
• getinball.com
• getintsu.com
• gleospond.com
• instrango.com
• inzavora.com
• jestimana.com
• kndericond.com
• kndeszip.com
• knockdast.com
• knriseserf.com
• liteworns.com
• netrovad.com
• nshouse1.com
• nsknock.com
• odobvare.com
• recondamun.com
• recondastan.com
• recondoin.com
• tegimode.com
• terrans.su
• testisto.com
• theloamva.com
• tryangets.com
• tryatdns.com
• vengibit.com
• veriostk.com
• veroconma.com
• vornedix.com

Additional information

In the wild, we have observed variants of Win32/Vundo bundled with rogue security products, for example, it has been observed being bundled with Evidence Eraser Pro, which is distributed by Win32/Virtumonde.

Some variants of Win32/Vundo, such as Trojan:Win32/Vundo.KO and Trojan:Win32/Vundo.gen!AJ, are dropped by variants of the Win32/Prolaco family, such as Worm:Win32/Prolaco.gen!C, which are themselves dropped by variants of Virus:Win32/Prolaco, such as Virus:Win32/Prolaco.AW, Virus:Win32/Prolaco.AP and Virus:Win32/Prolaco.AR.

Variants of the family have also been observed using encryption techniques in order to obfuscate their communication with remote sites, including Trojan:Win32/Vundo.AX, Trojan:Win32/Vundo.BH, and Trojan:Win32/Vundo.FZ.

The family may create the following registry entries to store data or use machine-specific information to compute where to store data on your PC:

Some Win32/Vundo variants may use a list of hard-coded registry keys, such as the following to store data on your PC:

• HKLM\SOFTWARE\Microsoft\aldd
• HKLM\SOFTWARE\Microsoft\SysUpd

Other variants, such as Trojan:Win32/Vundo, TrojanDropper:Win32/Vundo.R, TrojanDownloader:Win32/Vundo, and Trojan:Win32/Vundo.gen!CD, may aggregate your PC's system disk volume serial number and folder creation date and time to hash and generate a string which will be used as the name of the registry key into which they store data.

The stored data may be a malicious executable component of Win32/Vundo that is also uniquely encrypted using the generated string and RC4 or TEA encryption algorithms.

The Win32/Vundo family is closely associated with the Win32/Virtumonde and Win32/Conhook families, which together may install other variants of each other.

Analysis by Jaime Wong and Jireh Sanico