Trojan:Win32/Vundo.gen!AN


Trojan:Win32/Vundo.gen!AN is a generic detection for a trojan that injects its code into running processes and downloads and executes arbitrary files, which may include additional malware.


What to do now

Manual removal is not recommended for this threat. Use Microsoft Security Essentials or another up-to-date scanning and removal tool to detect and remove this threat and other unwanted software from your computer. For more information on Microsoft security products, see http://www.microsoft.com/protect/products/computer/default.mspx.

Threat behavior

Trojan:Win32/Vundo.gen!AN is a generic detection for a trojan that injects its code into running processes and downloads and executes arbitrary files, which may include additional malware.
 
Installation
Upon execution, Trojan:Win32/Vundo.gen!AN creates some of the following mutexes:
 
vmc_ue
vmc_mm
vmc_me
vmc_term
vmc_pe
vmc_pi
vmc_pp
vmc_pa
 
It then copies itself to the Windows system folder using the following file name formats:
__C00F<3 to 5 random characters>.dat
__A00F<3 to 5 random characters>.exe
 
Below are examples of file names used by this trojan:
<system folder>\__c0088a00.dat
<system folder>\__A00F806.exe
 
Note - <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP and Vista is C:\Windows\System32.
 
It then modifies the system registry so that the threat is executed when Windows starts:
 
Adds value: "AppInit_DLLs"
With data: "<system folder>\<malware>"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
 
Adds value: "<malware>"
With data: "<system folder>\<malware name>"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
 
<malware> is the dropped threat. Note that AppInit_DLLs lists modules that are loaded, via LoadLibrary, into every process that loads user32.dll; the dropped file is therefore loaded as a library into most user-mode processes despite its .exe extension.
 
For example:
 
Adds value: "AppInit_DLLs"
With data: "<system folder>\__A00F806.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
 
Adds value: "A00F806.exe"
With data: "<system folder>\__A00F806.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
 
 
It also creates the following registry keys and entries so that the dropped threat is installed as a Winlogon notification package (a DLL that winlogon.exe loads at boot and calls on logon and other session events):
 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\<malware>
 
Adds value: "Asynchronous"
With data: "0x00000001"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\<malware>
 
Adds value: "DllName"
With data: "<system folder>\<malware name>"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\<malware>
 
Adds value: "Impersonate"
With data: "0x00000000"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\<malware>
 
Adds value: "Startup"
With data: "B"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\<malware>
 
Adds value: "Logon"
With data: "B"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\<malware>
 
It also creates remote threads in the following system processes:
services.exe
winlogon.exe
explorer.exe
iexplorer.exe
msmsgs.exe
dllhost.exe
 
Payload
Downloads Arbitrary Files
Trojan:Win32/Vundo.gen!AN attempts to download files from the Web server 'x2.0ups.com'.
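The following triage script is added here as an example and is not part of the Microsoft encyclopedia entry or Microsoft's detection logic. It checks a host for the artifacts described in the Installation and Payload sections above: the named mutexes, dropped files in the system folder, the AppInit_DLLs, Run and Winlogon Notify registry entries, the dropped file loaded as a module in other processes, and the download server in the DNS client cache. It assumes PowerShell 3.0 or later in an elevated session, and the file-name regular expression is an assumption derived from the two name formats and two example names given above, kept deliberately loose.

```powershell
# Added triage script for the Trojan:Win32/Vundo.gen!AN artifacts described in
# the entry above. Not Microsoft's signature; run elevated, PowerShell 3.0+.
# Assumption: $namePattern is derived from "__C00F<3-5 chars>.dat",
# "__A00F<3-5 chars>.exe" and the examples "__c0088a00.dat" / "__A00F806.exe":
# "__", one letter, "00", then 3 to 6 hex-like characters. Tighten if it
# matches legitimate files on your build.

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Type, $Where, $Value, $Note) {
    $findings.Add([pscustomobject]@{ Type = $Type; Where = $Where; Value = $Value; Note = $Note })
}

$namePattern = '^__[a-z]00[0-9a-f]{3,6}\.(dat|exe)$'
$sysDir = [Environment]::GetFolderPath('System')   # C:\Windows\System32 on XP and later

# 1. Named mutexes from the entry. OpenExisting only sees the caller's session
#    namespace, so run this in the session of the infected user.
foreach ($m in 'vmc_ue','vmc_mm','vmc_me','vmc_term','vmc_pe','vmc_pi','vmc_pp','vmc_pa') {
    $present = $false
    try { ([System.Threading.Mutex]::OpenExisting($m)).Dispose(); $present = $true }
    catch [System.Threading.WaitHandleCannotBeOpenedException] { $present = $false }
    catch [System.UnauthorizedAccessException] { $present = $true }   # exists, no rights to open
    if ($present) { Add-Finding 'Mutex' $m '' 'named mutex from the entry is held' }
}

# 2. Dropped files in the system folder.
Get-ChildItem -Path $sysDir -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match $namePattern } |
    ForEach-Object { Add-Finding 'File' $_.FullName $_.Length 'name matches dropped-file format' }

# 3. AppInit_DLLs: every module listed here is loaded into each process that
#    loads user32.dll. The value is normally empty, so report whatever it holds.
$winKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$appInit = (Get-ItemProperty -Path $winKey -ErrorAction SilentlyContinue).AppInit_DLLs
if ($appInit) { Add-Finding 'Registry' "$winKey\AppInit_DLLs" $appInit 'non-empty AppInit_DLLs' }

# 4. Run keys whose command launches a file matching the dropped-file format.
foreach ($runKey in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
    $props = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*' -or -not $p.Value) { continue }   # skip provider metadata
        $leaf = Split-Path -Leaf (([string]$p.Value) -replace '"', '')
        if ($leaf -match $namePattern) {
            Add-Finding 'Registry' "$runKey\$($p.Name)" $p.Value 'Run entry launches dropped file'
        }
    }
}

# 5. Winlogon notification packages. Windows 2000/XP load each DllName into
#    winlogon.exe at boot; Vista and later ignore the key, but its presence is
#    still evidence of this infection.
$notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
Get-ChildItem -Path $notify -ErrorAction SilentlyContinue | ForEach-Object {
    $dll = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).DllName
    $note = if ($dll -and (Split-Path -Leaf $dll) -match $namePattern) { 'Notify package is the dropped file' }
            else { 'Notify package; verify against a known-good list' }
    Add-Finding 'Registry' $_.PSPath $dll $note
}

# 6. Injected code: a load via AppInit_DLLs or a remote thread leaves the dropped
#    file in the module list of the target (services.exe, winlogon.exe,
#    explorer.exe, ...). Protected or other-bitness processes throw; skip them.
foreach ($proc in Get-Process -ErrorAction SilentlyContinue) {
    try { $mods = $proc.Modules } catch { continue }
    foreach ($mod in $mods) {
        if ($mod.ModuleName -match $namePattern) {
            Add-Finding 'Module' "$($proc.ProcessName):$($proc.Id)" $mod.FileName 'dropped file loaded in process'
        }
    }
}

# 7. Download server from the Payload section, as seen by the DNS client cache
#    (Get-DnsClientCache exists on Windows 8 / Server 2012 and later only).
$server = 'x2.0ups.com'
if (Get-Command Get-DnsClientCache -ErrorAction SilentlyContinue) {
    Get-DnsClientCache -ErrorAction SilentlyContinue |
        Where-Object { $_.Entry -like "*$server*" } |
        ForEach-Object { Add-Finding 'DNS' $_.Entry $_.Data 'download server resolved recently' }
}

if ($findings.Count -eq 0) { Write-Host 'No Trojan:Win32/Vundo.gen!AN artifacts found.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

A hit on the mutex, file or module checks is strong evidence of an active infection; a hit only on the Notify or AppInit_DLLs checks should be confirmed by hashing the referenced file and scanning it, since legitimate software occasionally uses both mechanisms. As the entry says, clean the machine with an up-to-date scanner rather than deleting these entries by hand: the injected copies in services.exe and winlogon.exe will otherwise recreate them.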
 
Analysis by Huzefa Mogri

Symptoms

There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptom(s).

Prevention


Alert level: Severe
First detected by definition: 1.45.1317.0
Latest detected by definition: 1.173.2181.0 and higher
First detected on: Nov 01, 2008
This entry was first published on: Feb 27, 2009
This entry was updated on: May 20, 2010

This threat is also detected as:
  • Vundo (McAfee)