Trojan:Win32/Vundo is a family of malicious software that consists of executables and dynamic link library (DLL) files that deliver 'out of context' pop-up advertisements on the clients’ machines.
Trojan:Win32/Vundo.AF is a DLL component that installs itself as a Browser Helper Object (BHO), and may show pop-up advertisements on the computers in which it is installed.
Installation
Trojan:Win32/Vundo.AF may be installed by another process or dropper, or as a dropped component of a software installation. Win32/Vundo.AF is copied to the Windows system folder as a randomly named DLL. Other non-malicious data files are written to the same folder and may have one of the following file extensions:
.ini
.ini2
.bak1
.bak2
.tmp
The registry is modified to run Win32/Vundo.AF as a BHO and to execute at each Windows start.
Adds value: ff_dsk
With data: <Trojan:Win32/Vundo.AF path and filename>
To subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
The following registry subkeys may be created:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aldd
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{75EEB236-3AA5-46E7-9843-AE76DEBE37D9}
Other values and data are written to the above subkeys that instruct Windows to execute Win32/Vundo.AF as an Internet browser BHO. When Win32/Vundo.AF runs, it may inject its code into running processes.
Depending on the process that the malware is running within, it may exhibit different behavior. It may mark its presence on the system by creating the following mutex names:
awx_mutant
hjt_mutant
VMMainMutex
VMProtectionMutex
VMUpdateServersEvent
SysUpdIsRunningMutex
SysUpdPopupMutex
SysUpdProtectSynchronizeMutex
Payload
Disables Pop-Ups Within Specific Sites
Win32/Vundo.AF may store a large list of URLs in a data file. When the user browses any of the listed URLs, pop-ups are not displayed. The list contains popular search engines and the domain names of ad servers.
Displays Pop-Ups
Win32/Vundo.AF may display pop-up advertisements for a number of sites.
Sends Machine Specific Data
Win32/Vundo.AF may send reports containing any or all of the following information about the affected computer to a remote server:
Outlook Express E-mail Accounts
Information stored in the registry subkey ..\Software\Microsoft\Internet Account Manager\Accounts
POP3 and SMTP user names
Registered Organization
Registered Owner
OS version number
Network adapters
IP Addresses
MAC address
Keyboard layout
Installation time
Crash log
Number of Processes
If the user has Administrator rights
Proxy IP address
IE History
IE Cookies
Modifies Internet Settings
Win32/Vundo.AF may modify the local hosts file used for name resolution, commonly located here:
<system folder>\drivers\etc\hosts.
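The installation and hosts-file artifacts described above can be checked from a defender's side with the following read-only triage function. This is an added example, not code from the Microsoft write-up; it assumes the system folder is %SystemRoot%\System32, tries each mutex name in both the session and Global namespaces because the write-up does not say which is used, and reports rather than removes anything.

```powershell
# Added example, not part of the Microsoft write-up: a read-only triage function
# that checks the local host for the Win32/Vundo.AF artifacts described above.
# It returns findings as strings and removes nothing. Run from an elevated
# PowerShell session so HKLM and the hosts file are readable.
function Find-VundoAFArtifacts {
    $findings = @()

    # 1. Persistence: the "ff_dsk" Run value that points at the randomly named DLL.
    $runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -Name 'ff_dsk' -ErrorAction SilentlyContinue
    if ($run) { $findings += "Run value ff_dsk present: $($run.ff_dsk)" }

    # 2. Registry subkeys the BHO component creates (CLSID taken from the write-up).
    $subkeys = @(
        'HKLM:\SOFTWARE\Microsoft\aldd',
        'HKLM:\SOFTWARE\Classes\CLSID\{75EEB236-3AA5-46E7-9843-AE76DEBE37D9}'
    )
    foreach ($k in $subkeys) {
        if (Test-Path -LiteralPath $k) { $findings += "Subkey exists: $k" }
    }

    # 3. Mutexes the malware creates to mark its presence. OpenExisting only
    #    succeeds when an object of that name already exists; the session and
    #    Global namespaces are both tried (assumption: the write-up names neither).
    $mutexNames = 'awx_mutant','hjt_mutant','VMMainMutex','VMProtectionMutex',
                  'SysUpdIsRunningMutex','SysUpdPopupMutex','SysUpdProtectSynchronizeMutex'
    foreach ($m in $mutexNames) {
        foreach ($name in @($m, "Global\$m")) {
            try {
                $h = [System.Threading.Mutex]::OpenExisting($name)
                $h.Dispose()
                $findings += "Mutex present: $name"
            } catch [System.Threading.WaitHandleCannotBeOpenedException] {
            } catch [System.UnauthorizedAccessException] {
                $findings += "Mutex present (access denied): $name"
            }
        }
    }

    # 4. hosts file (assumed at %SystemRoot%\System32\drivers\etc\hosts): report
    #    every active entry that is not the stock localhost mapping for review.
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    Get-Content -LiteralPath $hosts -ErrorAction SilentlyContinue | Where-Object {
        $_.Trim() -and $_ -notmatch '^\s*#' -and $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$'
    } | ForEach-Object { $findings += "hosts entry to review: $($_.Trim())" }
    return $findings
}

Find-VundoAFArtifacts | ForEach-Object { Write-Output "[!] $_" }
```

A non-localhost hosts entry is not proof of infection on its own; the function surfaces it so an analyst can compare it against the domains the malware is known to redirect.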
Analysis by Huzefa Mogri