Win32/Vundo

Microsoft security software detects and removes this threat.

Win32/Vundo is a multiple-component family of malware that delivers "out of context" pop-up advertisements. Variants of the family may also download and run other files, including malware and adware.

Vundo is often installed as a browser helper object (BHO) without your consent, by other malware.

This family uses advanced defensive and stealth techniques to escape detection and to hinder removal.

What to do now

The following Microsoft software detects and removes this threat:

Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC.

This threat tries to steal your sensitive and confidential information. You should change your passwords after you've removed this threat:

Recovering from recurring infections on a network

You might need to take the following steps to completely remove this threat from an infected network, and to stop infections from recurring from this and other similar types of network-spreading malware:

  1. Ensure that an antivirus product is installed on ALL computers connected to the network that can access or host shares.
  2. Ensure that all available network shares are scanned with an up-to-date antivirus product.
  3. Restrict permissions as appropriate for network shares on your network. See "Use Access Control to restrict who can use files" for more information.
  4. Remove any unnecessary network shares or mapped drives.

Note: You might also need to temporarily change the permission on network shares to read-only until the disinfection process is complete.

Disable Autorun functionality

This threat tries to use the Windows Autorun function to spread via removable drives, such as USB flash drives. This is a common malware behavior. You can find out how to turn off this feature in the article How to disable the Autorun functionality in Windows.

Update vulnerable applications

This threat may be distributed through exploits. After removing this threat, make sure that you install all available updates for your PC.

Additional remediation instructions for Win32/Vundo

This threat can make lasting changes to your PC's configuration that are not restored by detecting and removing this threat. There is more information about returning an infected PC to its pre-infected state in the following articles:

Threat behavior

Installation

Members of the Win32/Vundo family can infect your PC in a number of different ways. They often use multiple components of the family all working at once.

The initial component may come via drive-by downloads pretending to be legitimate programs, as "trojanized" installers or via exploits.

We have observed the following exploits detected alongside Win32/Vundo infections:

We have observed the following file names being used by the Win32/Vundo family:

  • directx 8 0 genuine licence.exe
  • dragon_software no serial(crack).exe
  • gta san andrea el juego genuine advantage validation.exe
  • juego para pc de san andres sharereactor com.exe
  • juegos para pc de counter strike 1 6 no steam crack(no cd).exe
  • minitab 15 licence keygen.exe
  • need for speed most wanted para pc spanish sharereactor com.exe
  • resident evil 3 nemesis para pc crack.exe
  • Setup.exe
  • wifislax 3 1 spanish crack.exe

These file names indicate that Win32/Vundo might use social engineering to trick you into downloading the malware, believing it to be something else.

Some variants of Win32/Vundo, such as Worm:Win32/Vundo.A, are known to spread through network drives.

Variants of Win32/Vundo might use dropper or downloader executable components, which might be detected with the following names:

We have observed the dropper or downloader components being saved to the following locations:

  • In the %windir% folder as:
    • addins
    • AppPatch
    • assembly
    • Config
    • Cursors
    • Driver Cache
    • Drivers
    • Fonts
    • Help
    • inf
    • java
    • Microsoft
    • Microsoft.NET
    • msagent
    • Registration
    • repair
    • security
    • ServicePackFiles
    • Speech
    • system
    • system32
    • Tasks
    • Web
    • Windows Update Setup File
  • %APPDATA%\Microsoft

Newer and prevalent variants of the family (such as Trojan:Win32/Vundo.ZJ and Trojan:Win32/Vundo.ZL) install themselves with file names such as:

  • lsass.exe
  • netprotdrvss.exe
  • netprotocol.exe
  • taskhost.exe

Variants of Win32/Vundo might modify the following registry entries to ensure the executable components run each time you start your PC:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "<variant's file name without extension>", for example "Netprotocol"
With data: "<variant's file location>", for example "%APPDATA%\netprotocol.exe"

Win32/Vundo might also be installed as a BHO or DLL component by a downloader or dropper component.

If a downloader component is used (such as Trojan:Win32/Vundo.gen!AW or Trojan:Win32/Vundo.QA), it downloads a DLL component (for example, TrojanDownloader:Win32/Vundo.J) that it saves with a file name that can be randomly generated or created using any two of the following strings:

  • abr
  • ac
  • acc
  • ad
  • anti
  • ap
  • as
  • av
  • bak
  • bas
  • bin
  • cab
  • cat
  • cmd
  • com
  • cr
  • db
  • disk
  • dll
  • dns
  • doc
  • dos
  • drv
  • dvd
  • eula
  • exp
  • fax
  • font
  • ftp
  • hard
  • iis
  • img
  • inet
  • info
  • ip
  • java
  • kb
  • key
  • lib
  • log
  • main
  • mc
  • mfc
  • mp3
  • ms
  • msvc
  • net
  • nut
  • odbc
  • ole
  • pc
  • play
  • ps
  • ras
  • reg
  • run
  • srv
  • svc
  • svr
  • sys
  • tapi
  • task
  • tcp
  • tem
  • un
  • url
  • util
  • vb
  • vga
  • vss
  • w
  • wave
  • web
  • win
  • wms
  • xml

For example, sysnet.dll.

Win32/Vundo might modify the following registry entry to load the newly created DLL whenever you start your PC or Internet Explorer:

In subkey: HKLM\SOFTWARE\Classes\CLSID\<unique CLSID that varies with each variant>
Sets value: "InprocServer32"
With data: "<location and file name of DLL component>"

For example:

In subkey: HKLM\SOFTWARE\Classes\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}
Sets value: "InprocServer32"
With data: "%windir%\system32\fccywxv.dll"

The variant might also modify the following registry entry to ensure the DLL is run each time you start your PC:

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Sets value: "AppInit_DLLs"
With data: "<variant's folder and file name>", for example "<system folder>\<random file name>.dll"

In some variants, several data files are also created in the same location as the DLL file, using the same name but with the following file extensions (as opposed to .dll):

  • .bak1
  • .bak2
  • .ini
  • .ini2
  • .log
  • .tmp

For example:

  • sysnet.ini
  • sysnet.log
  • sysnet.tmp

These files contain an encrypted, unique number that is generated by the malware that might be used to identify each infected PC.
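As an added example (not code from this encyclopedia entry), the following Python script turns the naming scheme just described into a directory-listing check: it flags DLLs whose base name is two of the listed tokens joined together and looks for the companion .bak1, .bak2, .ini, .ini2, .log and .tmp files beside them. The token list is copied from this page; the directory listing is constructed for the example and is not a real system folder snapshot.

```python
import os

# The strings the page lists as building blocks for the DLL name (copied
# verbatim from the entry above; any two of them may be concatenated).
NAME_TOKENS = frozenset("""
abr ac acc ad anti ap as av bak bas bin cab cat cmd com cr db disk dll dns doc
dos drv dvd eula exp fax font ftp hard iis img inet info ip java kb key lib log
main mc mfc mp3 ms msvc net nut odbc ole pc play ps ras reg run srv svc svr sys
tapi task tcp tem un url util vb vga vss w wave web win wms xml
""".split())

# Extensions of the companion data files the page describes (same base name
# as the DLL, different extension).
COMPANION_EXTS = (".bak1", ".bak2", ".ini", ".ini2", ".log", ".tmp")

# Constructed directory listing for offline use; it is not a real system32
# snapshot. sysnet.* and fccywxv.dll echo names given on this page; the
# others are ordinary Windows files included to show false positives.
SAMPLE_LISTING = [
    "kernel32.dll", "msvcrt.dll", "wininet.dll", "tapisrv.dll",
    "fccywxv.dll",
    "sysnet.dll", "sysnet.bak1", "sysnet.ini", "sysnet.log", "sysnet.tmp",
]


def split_tokens(base):
    """Every (left, right) split of a base name where both halves are tokens."""
    base = base.lower()
    return [(base[:i], base[i:]) for i in range(1, len(base))
            if base[:i] in NAME_TOKENS and base[i:] in NAME_TOKENS]


def companion_files(base, names):
    """Which of the companion extensions exist alongside the given base name."""
    present = {n.lower() for n in names}
    return [ext for ext in COMPANION_EXTS if base.lower() + ext in present]


def scan(names):
    """Report every .dll whose name is two concatenated tokens, with companions."""
    hits = []
    for name in sorted(names, key=str.lower):
        base, ext = os.path.splitext(name.lower())
        if ext != ".dll":
            continue
        splits = split_tokens(base)
        if splits:
            hits.append({"file": name, "splits": splits,
                         "companions": companion_files(base, names)})
    return hits


def prioritised(names):
    """Token-built DLLs that also have companion data files: worth manual review.
    A two-token name alone is weak evidence (wininet.dll and tapisrv.dll are
    legitimate Windows files that also split), and a random name such as
    fccywxv.dll is missed entirely, so this heuristic should be combined with
    the registry load-point checks the page describes."""
    return [h["file"] for h in scan(names) if h["companions"]]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LISTING):
        print(hit["file"], hit["splits"], hit["companions"])
    print("review:", prioritised(SAMPLE_LISTING))
```

On a real system, pass `os.listdir` of the system folder to `scan`; the companion files are the discriminator, since several legitimate Windows DLLs happen to be two of the tokens joined, while a randomly generated name like fccywxv.dll needs the registry checks instead.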

Variants of Win32/Vundo can also install a DLL file with a randomly generated file name in the following folders:

Win32/Vundo might also modify the following registry entry to load the malware at startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks

It may also make further modifications to load the program during events such as logon and logoff, for example:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\<random name of module>

To protect itself from being deleted by security software, the trojan might monitor and modify the registry entry HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations to rename its file when your PC restarts.
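The persistence locations listed above (Run, AppInit_DLLs, the CLSID InprocServer32 registration, ShellExecuteHooks, Winlogon\Notify and PendingFileRenameOperations) can be reviewed offline from a registry export. The script below is an added example, not part of this entry or of any Microsoft tool: it parses a small constructed .reg export that reuses the paths and CLSID quoted on this page (the Winlogon\Notify name "qwerxyz" and the user profile path are invented), reports each load point, and shows which DLL is registered at more than one of them.

```python
import re

# Constructed .reg export for offline use; not a capture from an infected machine.
# The Run value, AppInit_DLLs, the CLSID and fccywxv.dll echo examples on this page.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Program Files\\Windows Defender\\MSASCuiL.exe"
"Netprotocol"="C:\\Users\\alice\\AppData\\Roaming\\netprotocol.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\Windows\\system32\\fccywxv.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\InprocServer32]
@="C:\\Windows\\system32\\fccywxv.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\qwerxyz]
"DllName"="qwerxyz.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations"=hex(7):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,\
  5c,00,00,00,00,00
"""

HKLM = "HKEY_LOCAL_MACHINE"
RUN_KEYS = (HKLM + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
            HKLM + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce")
APPINIT_KEY = HKLM + r"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
HOOKS_KEY = HKLM + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks"
NOTIFY_PREFIX = HKLM + r"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" + "\\"
SESSION_MGR = HKLM + r"\SYSTEM\CurrentControlSet\Control\Session Manager"
APPDATA_RE = re.compile(r"%APPDATA%|\\AppData\\Roaming\\", re.IGNORECASE)

def decode_value(data):
    """Unescape "..." strings, convert dword:, keep hex blobs as raw text."""
    if data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if data.startswith("dword:"):
        return int(data[6:], 16)
    return data

def parse_reg(text):
    """Parse a .reg export into {key path: {value name: data}}."""
    lines, buf = [], ""
    for raw in text.splitlines():  # a trailing backslash continues the line
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1].strip()
            continue
        lines.append(buf + raw.strip())
        buf = ""
    keys, current = {}, None
    for line in lines:
        if not line or line.startswith((";", "Windows Registry", "REGEDIT4")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        name, _, data = line.partition("=")
        name = "(Default)" if name == "@" else name.strip('"')
        keys[current][name] = decode_value(data)
    return keys

def inproc_server(keys, clsid):
    """DLL for a CLSID: the default value of its InprocServer32 subkey (the page
    writes this as a value named InprocServer32 under the CLSID key)."""
    sub = keys.get(HKLM + r"\SOFTWARE\Classes\CLSID\%s\InprocServer32" % clsid, {})
    return sub.get("(Default)")

def load_point_findings(keys):
    """(load point, value name, data) for each indicator this page describes."""
    findings = []
    for key in RUN_KEYS:
        for name, data in keys.get(key, {}).items():
            if isinstance(data, str) and APPDATA_RE.search(data):
                findings.append(("Run/RunOnce entry under %APPDATA%", name, data))
    appinit = keys.get(APPINIT_KEY, {}).get("AppInit_DLLs", "")
    if appinit:
        findings.append(("AppInit_DLLs is populated", "AppInit_DLLs", appinit))
    for clsid in keys.get(HOOKS_KEY, {}):
        findings.append(("ShellExecuteHooks CLSID", clsid, inproc_server(keys, clsid) or "<no InprocServer32>"))
    for key, values in keys.items():
        if key.startswith(NOTIFY_PREFIX):
            findings.append(("Winlogon\\Notify module", key[len(NOTIFY_PREFIX):], values.get("DllName", "")))
    pending = keys.get(SESSION_MGR, {}).get("PendingFileRenameOperations")
    if pending:
        findings.append(("PendingFileRenameOperations queued", "PendingFileRenameOperations", pending))
    return findings

def multiply_registered(findings):
    """DLL file names seen at more than one load point: a strong signal."""
    counts = {}
    for _, _, data in findings:
        if isinstance(data, str) and data.lower().endswith(".dll"):
            base = data.lower().rsplit("\\", 1)[-1]
            counts[base] = counts.get(base, 0) + 1
    return sorted(b for b, n in counts.items() if n > 1)

if __name__ == "__main__":
    found = load_point_findings(parse_reg(SAMPLE_REG_EXPORT))
    print(*found, "shared: %s" % multiply_registered(found), sep="\n")
```

AppInit_DLLs and ShellExecuteHooks both have legitimate users, so a single finding is a prompt to look at the referenced file, not a verdict; the same DLL registered at two load points, as in the sample, is the pattern this page attributes to Vundo. On a live machine the keys can be exported with `reg export` and the file handed to `parse_reg`.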

Variants of Win32/Vundo, such as Trojan:Win32/Vundo.AF and Trojan:Win32/Vundo.gen, might create a mutex called SysUpdIsRunningMutex to prevent multiple instances of the variant from running.

Win32/Vundo may also inject its code into the following processes if they are found to be running on your computer, possibly to stop or alter the functionality of the process, which may be related to antimalware software:

  • Ad-aware.exe
  • Hijackthis.exe
  • Wrsssdk.exe

Spreads via...

Network and removable drives

The worm variants of Win32/Vundo, such as Worm:Win32/Vundo.A, are known to spread through network and removable drives by creating the following copies of themselves on removable drives:

  • <removable drive>:\\<random>\<random>.dll
  • <removable drive>:\\<random>.dll

It also places an autorun.inf file in the root directory of the targeted drive. Such autorun.inf files contain instructions for the operating system so that when the removable drive is accessed from another computer supporting the Autorun feature, the malware is launched automatically.

This is a particularly common malware behavior, generally used to spread malware from PC to PC.

It should be noted that autorun.inf files on their own are not necessarily a sign of infection, as they are used by legitimate programs and installation media.
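An added example (not from this entry) of how a responder can read an autorun.inf found on a removable drive before deciding whether it matters: the parser below lists the directives that launch a file and notes when one names a .dll, which is the form the page gives for the worm's copies. Both sample files are constructed; the folder and file names in the first stand in for the <random> names above and are not real indicators.

```python
# Constructed autorun.inf contents (not recovered from a real drive). In the
# first, the launch directives name a DLL below a folder, standing in for the
# <random>\<random>.dll layout described above; the second is the kind of file
# a legitimate installation disc carries.
SUSPECT_INF = r"""[autorun]
open=qz4n\rtl0.dll
shellexecute=qz4n\rtl0.dll
shell\open\command=qz4n\rtl0.dll
icon=%SystemRoot%\system32\shell32.dll,4
"""

BENIGN_INF = r"""[autorun]
open=setup.exe
icon=setup.exe,0
label=Product Installer
"""

LAUNCH_KEYS = ("open", "shellexecute")


def parse_autorun(text):
    """Return the [autorun] section as {lowercased directive: value}."""
    directives, in_section = {}, False
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            directives[key.strip().lower()] = value.strip()
    return directives


def launch_targets(directives):
    """Files the shell would run: open=, shellexecute= and shell\\<verb>\\command=."""
    return [(key, value) for key, value in directives.items()
            if key in LAUNCH_KEYS
            or (key.startswith("shell\\") and key.endswith("\\command"))]


def assess(text):
    """What the file would launch, and which launched files are DLLs (the form
    the page gives for the worm's copies). Installation media legitimately
    launch a setup program, so the verdict is 'review', never 'infected', on
    the autorun.inf alone."""
    targets = launch_targets(parse_autorun(text))
    dll_targets = [v for _, v in targets if v.lower().endswith(".dll")]
    return {"launches": targets, "dll_targets": dll_targets,
            "verdict": "review" if dll_targets else "ordinary autorun.inf"}


if __name__ == "__main__":
    for label, inf in (("suspect", SUSPECT_INF), ("benign", BENIGN_INF)):
        print(label, assess(inf))
```

The "review" verdict only says the launched file deserves a look (hash it, check it against the dropper file names and registry load points this page lists); the presence of the autorun.inf itself proves nothing, as the paragraph above notes.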

Payload

Displays advertisements

Variants of Win32/Vundo have been observed contacting a number of IP addresses and particular domains to access the advertising material that they display. For example, in the wild variants have been observed to connect to the following IP addresses:

  • 207.226.179.18
  • 62.4.84.56
  • 65.243.103.52
  • 65.54.225.100
  • 69.31.80.179
  • 69.31.80.180
  • 72.247.31.80
  • 82.98.235.210
  • 82.98.235.216
  • 89.188.16.22

Later variants, such as Trojan:Win32/Vundo.QA and Trojan:Win32/Vundo.gen!AW, may connect to the following HTTP servers on port 80:

  • ebyis.be
  • eksyghskgsbakrys.com
  • imeret.be
  • intonwe.be
  • klonesat.net
  • louqwesas.com
  • mopiiueus.com
  • msrgejsdyvekadh.com
  • rmyals.net
  • rygus.be
  • thsaw.be
  • zeqsmmiwj3d.com

In particular, variants of Win32/Vundo such as Trojan:Win32/Vundo.AF and Trojan:Win32/Vundo.gen have been observed displaying pop-ups that promote the following rogue security sites:

  • antivirussecuritypro.com
  • drivecleaner.com
  • sysprotect.com
  • systemdoctor.com
  • winantivirus.com
  • winantiviruspro.com

Downloads and runs other files

Variants of Win32/Vundo such as Trojan:Win32/Vundo.QA and Trojan:Win32/Vundo.gen!AW might also attempt to download and run files from the servers they contact in the "Displays advertisements" payload. After downloading the files, the variant runs them on your PC. These files may include updates or additional components.

Stops security services

Variants of Win32/Vundo may end or stop services associated with the following security-related applications:

  • Ad-Aware
  • Microsoft Giant/Antispyware (this is an old Microsoft antimalware product that is no longer supported)
  • Spyware Doctor

Variants may also make the following registry modification in an attempt to bypass firewalls:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Sets value: ProxyBypass
With data: "1"

This includes the following variants:

Later variants of Win32/Vundo, such as those detected as Trojan:Win32/Vundo, have been observed attempting to disable the Windows Autoupdate service (called wuauserv). These variants might also check if the Microsoft Malicious Software Removal Tool (mrt.exe) is running and close it.

Win32/Vundo might also attempt to shut down the McAfee Common Framework service.

Modifies browser behavior

Variants of the family, such as Trojan:Win32/Vundo.K, might redirect certain URLs to others of their own choosing, including search engines such as webvolta.ru. They can also disable pop-ups from certain advertising-related or advertising-supported sites when you visit them, such as the following:

  • ads.180solutions.com
  • ads.doubleclick.net
  • ads1.revenue.net
  • ads2.revenue.net
  • banners.pennyweb.com
  • images.trafficmp.com
  • search.ebay.com
  • web.ask.com
  • www2.yesadvertising.com
  • yahoo.com
  • z1.adserver.com

Win32/Vundo also disables pop-ups if a targeted URL contains "mil" or "gov" in the domain.

Sends information to a remote server

Variants of the family might gather and send information from your PC to a remote server. We have observed the following variants displaying this behavior:

We have seen the variants sending the following information:

  • Information about Outlook Express accounts such as name, mailing address, email address and phone number
  • Information gathered from the registry subkey HKLM\Software\Microsoft\Internet Account Manager\Accounts
  • POP3 and SMTP user names from Outlook Express
  • Registered owner of Windows
  • Operating system version/build number
  • Network adapter information, including:
    • Adapter name
    • Description
    • Address
    • Current IP address
    • IP address list
    • Gateway list
    • DHCP server
    • Primary Wins server
    • Secondary Wins server
  • MAC address of your computer
  • Keyboard layout
  • Time when Win32/Vundo was installed on your computer
  • A log of Win32/Vundo crashes
  • Volume serial number

For example, we have observed TrojanDownloader:Win32/Vundo.J sending information to the following servers:

  • 91.220.35.154
  • 91.233.89.106
  • 91.233.89.59
  • clickbeta.ru
  • clickclans.ru
  • clickstano.com
  • debijonda.com
  • degoog1etag.com
  • denadb.com
  • denareclick.com
  • dentagod.com
  • ferimonra.com
  • fescheck.com
  • flersomstk.com
  • foradns.com
  • getavodes.com
  • getinball.com
  • getintsu.com
  • gleospond.com
  • instrango.com
  • inzavora.com
  • jestimana.com
  • kndericond.com
  • kndeszip.com
  • knockdast.com
  • knriseserf.com
  • liteworns.com
  • netrovad.com
  • nshouse1.com
  • nsknock.com
  • odobvare.com
  • recondamun.com
  • recondastan.com
  • recondoin.com
  • tegimode.com
  • terrans.su
  • testisto.com
  • theloamva.com
  • tryangets.com
  • tryatdns.com
  • vengibit.com
  • veriostk.com
  • veroconma.com
  • vornedix.com

Additional information

In the wild, we have observed variants of Win32/Vundo bundled with rogue security products; for example, it has been seen bundled with Evidence Eraser Pro, which is distributed by Win32/Virtumonde.

Some variants of Win32/Vundo, such as Trojan:Win32/Vundo.KO and Trojan:Win32/Vundo.gen!AJ, are dropped by variants of the Win32/Prolaco family, such as Worm:Win32/Prolaco.gen!C, which are themselves dropped by variants of Virus:Win32/Prolaco, such as Virus:Win32/Prolaco.AW, Virus:Win32/Prolaco.AP and Virus:Win32/Prolaco.AR.

Variants of the family have also been observed using encryption techniques in order to obfuscate their communication with remote sites, including Trojan:Win32/Vundo.AX, Trojan:Win32/Vundo.BH, and Trojan:Win32/Vundo.FZ.

The family may create the following registry entries to store data or use machine-specific information to compute where to store data on your PC:

Some Win32/Vundo variants may use a list of hard-coded registry keys, such as the following, to store data on your PC:

  • HKLM\SOFTWARE\Microsoft\aldd
  • HKLM\SOFTWARE\Microsoft\SysUpd

Other variants, such as Trojan:Win32/Vundo, TrojanDropper:Win32/Vundo.R, TrojanDownloader:Win32/Vundo, and Trojan:Win32/Vundo.gen!CD, may combine your PC's system disk volume serial number with a folder creation date and time, hash the result, and use the generated string as the name of the registry key in which they store data.

The stored data may be a malicious executable component of Win32/Vundo that is also uniquely encrypted using the generated string and the RC4 or TEA encryption algorithm.

The Win32/Vundo family is closely associated with the Win32/Virtumonde and Win32/Conhook families, which together may install other variants of each other.

Analysis by Jaime Wong and Jireh Sanico

Symptoms

The following could indicate that you have this threat on your PC:

  • The appearance of advertisements other than what you normally see, particularly pop-ups that promote the following rogue security sites:
    • antivirussecuritypro.com
    • drivecleaner.com
    • sysprotect.com
    • systemdoctor.com
    • winantivirus.com
    • winantiviruspro.com
  • Your existing security and antispyware programs stop working, including:
    • Ad-Aware
    • Giant/Microsoft antispyware
    • McAfee Common Framework
    • Microsoft Malicious Software Removal Tool
    • Spyware Doctor
  • You are redirected away from certain sites
  • The presence of the following registry modifications:
     
    In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    Sets value: "AppInit_DLLs"
    With data: "<variant's folder and file name>", for example "<system folder>\<random file name>.dll"
     
    In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
    Sets value: "<variant's file name without extension>", for example "Netprotocol"
    With data: "<variant's folder and file name>", for example "%APPDATA%\netprotocol.exe"
     
    In subkey: HKLM\SOFTWARE\Classes\CLSID\<unique CLSID that varies with each variant>
    Sets value: "InprocServer32"
    With data: "<location and file name of DLL component>"

Prevention

Alert level: High
This entry was first published on: Feb 27, 2008
This entry was updated on: Oct 07, 2013

This threat is also detected as:
  • Backdoor/Win32.Cidox (AhnLab)
  • TR/Kazy.117219.78 (Avira)
  • Trojan.Vundo.GZS (BitDefender)
  • W32/Downldr2.IZLI (Command)
  • Trojan.Mayachok.18579 (Dr.Web)
  • Win32/Citirevo.AE (ESET)
  • W32/Cidox.ACIO!tr (Fortinet)
  • Virus.Win32.Vundo (Ikarus)
  • Trojan.Win32.Cidox.acio (Kaspersky)
  • Vundo (McAfee)
  • RDN/Downloader.a!bm (McAfee)
  • Vundo.gen18 (Norman)
  • Troj/Mdrop-ETG (Sophos)
  • Trojan.Vundo (Symantec)
  • TROJ_CIDOX.DH (Trend Micro)