Trojan:Win32/Vundo.gen!P


Win32/Vundo is a multiple-component family of programs that deliver 'out of context' pop-up advertisements. They may also download and execute arbitrary files.
Vundo is often distributed as a DLL file and installed on an affected machine as a Browser Helper Object (BHO) without a user's consent. This family uses advanced defensive and stealth techniques to escape detection and to hinder removal.


What to do now

Manual removal is not recommended for this threat. Use Microsoft Security Essentials or another up-to-date scanning and removal tool to detect and remove this threat and other unwanted software from your computer. For more information on Microsoft security products, see http://www.microsoft.com/protect/products/computer/default.mspx.

Threat behavior

Please see our detailed Win32/Vundo family analysis elsewhere in this encyclopedia for additional information.

Symptoms

System Changes
The following system changes may indicate the presence of Win32/Vundo:
  • The display of 'out of context' advertisements, unrelated to web content being viewed by the affected user.
  • Presence of the following registry entries:
    HKLM\SOFTWARE\Microsoft\aldd
    HKLM\SOFTWARE\Microsoft\SysUpd
    HKLM\SOFTWARE\Classes\CLSID\{35F7813A-AF74-4474-B1DC-7EE6FB6C43C6}
    HKLM\SOFTWARE\Classes\CLSID\{39D2FC9B-041C-470E-AE72-F8C001247626}
    HKLM\SOFTWARE\Classes\CLSID\{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44}
    HKLM\SOFTWARE\Classes\CLSID\{52B1DFC7-AAFC-4362-B103-868B0683C697}
    HKLM\SOFTWARE\Classes\CLSID\{6DD0BC06-4719-4BA3-BEBC-FBAE6A448152}
    HKLM\SOFTWARE\Classes\CLSID\{7BF451AC-2010-4804-B256-DB2F0A8D9EB6}
    HKLM\SOFTWARE\Classes\CLSID\{827DC836-DD9F-4A68-A602-5812EB50A834}
    HKLM\SOFTWARE\Classes\CLSID\{8DBF02DA-4360-4A7E-BEA1-347B87816327}
    HKLM\SOFTWARE\Classes\CLSID\{AF7FCAFB-9FDB-4F5E-BAC6-68BDEE61D6C6}
    HKLM\SOFTWARE\Classes\CLSID\{FC148228-87E1-4D00-AC06-58DCAA52A4D1}
    HKLM\SOFTWARE\Classes\CLSID\{B8B55274-0F9A-41E5-9067-A3539BD9E860}
    HKLM\SOFTWARE\Classes\CLSID\{CBE0D59D-F985-4AC6-8826-FEE957065D42}
    HKLM\SOFTWARE\Classes\CLSID\{5AEFF965-B1A9-4675-966A-26C2E812AD51}
    HKCR\MSEvents.MSEvents
    HKCR\MSEvents.MSEvents.1
    HKCR\psapianalyzer.psapianalyzer.1
    HKCR\psapianalyzer.psapianalyzer
    HKCR\MFCOptimizeClass.MFCOptimizeClass.1
    HKCR\MFCOptimizeClass.MFCOptimizeClass
    HKCR\RawExecAction.RawExecAction
    HKCR\RawExecAction.RawExecAction.1
    HKCR\iepl.iepl.1
    HKCR\iepl.iepl
    HKCR\ATLDistrib.ATLDistrib.1
    HKCR\ATLDistrib.ATLDistrib
    HKCR\WTLHelper.WTLHelper
    HKCR\WTLHelper.WTLHelper.1
    HKCR\DosSpecFolder.DosSpecFolder
    HKCR\DosSpecFolder.DosSpecFolder.1
    HKCR\DPCUpdater.DPCUpdater.1
    HKCR\DPCUpdater.DPCUpdater
    HKCR\ADOUsefulNet.ADOUsefulNet
    HKCR\ADOUsefulNet.ADOUsefulNet.1
    HKCR\InfoDocReader.InfoDocReader
    HKCR\InfoDocReader.InfoDocReader.1
    HKCR\ATLEvents.ATLEvents.1
    HKCR\ATLEvents.ATLEvents
    HKLM\SOFTWARE\Classes\MSEvents.MSEvents
    HKLM\SOFTWARE\Classes\MSEvents.MSEvents.1
    HKLM\SOFTWARE\Classes\psapianalyzer.psapianalyzer
    HKLM\SOFTWARE\Classes\psapianalyzer.psapianalyzer.1
    HKLM\SOFTWARE\Classes\MFCOptimizeClass.MFCOptimizeClass
    HKLM\SOFTWARE\Classes\MFCOptimizeClass.MFCOptimizeClass.1
    HKLM\SOFTWARE\Classes\RawExecAction.RawExecAction
    HKLM\SOFTWARE\Classes\RawExecAction.RawExecAction.1
    HKLM\SOFTWARE\Classes\iepl.iepl
    HKLM\SOFTWARE\Classes\iepl.iepl.1
    HKLM\SOFTWARE\Classes\ATLDistrib.ATLDistrib
    HKLM\SOFTWARE\Classes\ATLDistrib.ATLDistrib.1
    HKLM\SOFTWARE\Classes\WTLHelper.WTLHelper
    HKLM\SOFTWARE\Classes\WTLHelper.WTLHelper.1
    HKLM\SOFTWARE\Classes\DosSpecFolder.DosSpecFolder
    HKLM\SOFTWARE\Classes\DosSpecFolder.DosSpecFolder.1
    HKLM\SOFTWARE\Classes\DPCUpdater.DPCUpdater
    HKLM\SOFTWARE\Classes\DPCUpdater.DPCUpdater.1
    HKLM\SOFTWARE\Classes\ADOUsefulNet.ADOUsefulNet
    HKLM\SOFTWARE\Classes\ADOUsefulNet.ADOUsefulNet.1
    HKLM\SOFTWARE\Classes\InfoDocReader.InfoDocReader
    HKLM\SOFTWARE\Classes\InfoDocReader.InfoDocReader.1
    HKLM\SOFTWARE\Classes\ATLEvents.ATLEvents
    HKLM\SOFTWARE\Classes\ATLEvents.ATLEvents.1
  • Presence of the mutex 'SysUpdIsRunningMutex'.
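The indicators above (registry keys, CLSIDs, ProgIDs and the mutex) can be checked on a suspect host with a read-only triage script. The following PowerShell is an added example, not part of the encyclopedia entry or a Microsoft tool. It assumes an elevated PowerShell 5.1 session on the suspect machine; the 'Global\' mutex name, the WOW6432Node path and the Browser Helper Objects key are standard Windows locations included as assumptions, not indicators stated on this page. It reports findings and removes nothing, consistent with the guidance that manual removal is not recommended.

```powershell
# Added example: read-only check for the Win32/Vundo indicators listed in this entry.
# Assumption: run elevated on the suspect host. Nothing is modified or deleted.

$vundoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\aldd',
    'HKLM:\SOFTWARE\Microsoft\SysUpd'
)
$vundoClsids = @(
    '{35F7813A-AF74-4474-B1DC-7EE6FB6C43C6}', '{39D2FC9B-041C-470E-AE72-F8C001247626}',
    '{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44}', '{52B1DFC7-AAFC-4362-B103-868B0683C697}',
    '{6DD0BC06-4719-4BA3-BEBC-FBAE6A448152}', '{7BF451AC-2010-4804-B256-DB2F0A8D9EB6}',
    '{827DC836-DD9F-4A68-A602-5812EB50A834}', '{8DBF02DA-4360-4A7E-BEA1-347B87816327}',
    '{AF7FCAFB-9FDB-4F5E-BAC6-68BDEE61D6C6}', '{FC148228-87E1-4D00-AC06-58DCAA52A4D1}',
    '{B8B55274-0F9A-41E5-9067-A3539BD9E860}', '{CBE0D59D-F985-4AC6-8826-FEE957065D42}',
    '{5AEFF965-B1A9-4675-966A-26C2E812AD51}'
)
$vundoProgIds = @(
    'MSEvents.MSEvents', 'psapianalyzer.psapianalyzer', 'MFCOptimizeClass.MFCOptimizeClass',
    'RawExecAction.RawExecAction', 'iepl.iepl', 'ATLDistrib.ATLDistrib', 'WTLHelper.WTLHelper',
    'DosSpecFolder.DosSpecFolder', 'DPCUpdater.DPCUpdater', 'ADOUsefulNet.ADOUsefulNet',
    'InfoDocReader.InfoDocReader', 'ATLEvents.ATLEvents'
)
# HKCR is a merged view of HKLM\SOFTWARE\Classes (and HKCU), so HKLM is checked directly.
# On 64-bit Windows a 32-bit COM DLL registers under WOW6432Node (assumption: standard layout).
$classRoots = @('HKLM:\SOFTWARE\Classes', 'HKLM:\SOFTWARE\WOW6432Node\Classes')
$bhoRoot    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'

$findings = New-Object 'System.Collections.Generic.List[string]'

foreach ($k in $vundoKeys) {
    if (Test-Path -LiteralPath $k) { $findings.Add("Registry key present: $k") }
}

foreach ($clsid in $vundoClsids) {
    foreach ($root in $classRoots) {
        $clsidKey = "$root\CLSID\$clsid"
        if (Test-Path -LiteralPath $clsidKey) {
            # A COM in-process server stores its DLL path in the InprocServer32 default value;
            # capture it so the file can be submitted to an up-to-date scanner.
            $dll = (Get-ItemProperty -LiteralPath "$clsidKey\InprocServer32" `
                        -ErrorAction SilentlyContinue).'(default)'
            $findings.Add("Vundo CLSID registered: $clsidKey  DLL=$dll")
        }
    }
    # Internet Explorer loads BHOs from this list, keyed by CLSID (assumed standard location).
    if (Test-Path -LiteralPath "$bhoRoot\$clsid") { $findings.Add("Registered as BHO: $clsid") }
}

foreach ($progId in $vundoProgIds) {
    foreach ($root in $classRoots) {
        foreach ($suffix in @('', '.1')) {
            $progKey = "$root\$progId$suffix"
            if (Test-Path -LiteralPath $progKey) { $findings.Add("ProgID present: $progKey") }
        }
    }
}

# The mutex can only be opened while a process holds it, so a hit means a live
# infection rather than leftover registry data. Both the session-local name and the
# Global\ namespace (assumption) are tried.
foreach ($name in @('SysUpdIsRunningMutex', 'Global\SysUpdIsRunningMutex')) {
    $mutex = $null
    try {
        if ([System.Threading.Mutex]::TryOpenExisting($name, [ref]$mutex)) {
            $findings.Add("Mutex open: $name")
            $mutex.Dispose()
        }
    } catch [System.UnauthorizedAccessException] {
        # The object exists but this token cannot open it: still evidence of presence.
        $findings.Add("Mutex exists but is not accessible: $name")
    }
}

if ($findings.Count -eq 0) {
    'No Win32/Vundo indicators from this entry were found.'
} else {
    $findings
    'Indicators found: run an up-to-date scanner; do not attempt manual cleanup.'
}
```

The script only reads the registry and opens a mutex handle, so it can be run repeatedly during triage. Because this family hides and resists removal, an absence of findings from this check alone does not clear a host; the scanner recommended above remains the authoritative check.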

Prevention


Alert level: Severe
First detected by definition: 1.45.287.0
Latest detected by definition: 1.45.287.0 and higher
First detected on: Oct 07, 2008
This entry was first published on: Jul 15, 2008
This entry was updated on: May 20, 2010

This threat is also detected as:
No known aliases