Win32/Vundo is a multiple-component family of programs that deliver 'out of context' pop-up advertisements. They may also download and execute arbitrary files.
Installation
Win32/Vundo is often distributed as a DLL file and installed on an affected machine as a Browser Helper Object (BHO) without the user's consent; as a BHO the DLL is loaded into every Internet Explorer process the user starts. This family uses advanced defensive and stealth techniques to escape detection and to hinder removal.
In addition, the following registry keys may be created by Vundo.BB:
HKLM\Software\Microsoft\affri
HKLM\Software\Microsoft\affltid
HKLM\Software\Microsoft\aoprndtws
HKLM\Software\Microsoft\rdfa
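A host-triage script for the artifacts above, added here as an example (it is not part of the original analysis). It tests for the four Vundo.BB registry keys and lists every registered BHO together with the DLL it loads and the DLL's Authenticode status, so an unsigned, oddly named DLL stands out. The BHO registration and CLSID paths are the standard Windows ones; the Wow6432Node path is an assumption for 32-bit Internet Explorer on 64-bit Windows and is skipped when absent.

```powershell
# Added example, not from the original analysis: look for the Vundo.BB registry
# keys named in this write-up and list registered Browser Helper Objects.
$vundoKeys = @(
    'HKLM:\Software\Microsoft\affri',
    'HKLM:\Software\Microsoft\affltid',
    'HKLM:\Software\Microsoft\aoprndtws',
    'HKLM:\Software\Microsoft\rdfa'
)

foreach ($key in $vundoKeys) {
    if (Test-Path -LiteralPath $key) {
        Write-Output "SUSPECT: Vundo.BB registry key present: $key"
    }
}

# BHOs are registered by CLSID under these keys; the Wow6432Node path (assumed
# here) covers 32-bit IE on 64-bit Windows. Each CLSID resolves to its DLL
# through HKCR\CLSID\{clsid}\InprocServer32.
$bhoRoots = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

foreach ($root in $bhoRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root | ForEach-Object {
        $clsid  = $_.PSChildName
        $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll    = $null
        $status = 'n/a'
        if (Test-Path -LiteralPath $server) {
            # The default value of InprocServer32 is the DLL path, possibly
            # containing %SystemRoot%-style variables.
            $dll = (Get-ItemProperty -LiteralPath $server).'(default)'
            if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll) }
        }
        if ($dll -and (Test-Path -LiteralPath $dll)) {
            $status = (Get-AuthenticodeSignature -FilePath $dll).Status
        }
        [pscustomobject]@{ CLSID = $clsid; DLL = $dll; Signature = $status }
    }
}
```

Run it from an elevated PowerShell prompt. A BHO whose DLL sits outside Program Files or System32, or whose Signature is NotSigned, is worth hashing and examining; note that Vundo's own defensive techniques may make the key present but resist deletion from a running system.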
Payload
Displays Pop-ups
Similar to previous variants, Win32/Vundo.BB may display pop-up advertisements, both visible and hidden, on the infected host. It employs a multi-threaded approach to resist removal and to ensure advertisements are delivered without interruption. This variant fetches its ads from the host "tresni.net".
Sends Information to Remote Server
Win32/Vundo.BB may gather and send the following information from the affected machine to a remote server.
Modifies Browser Behavior
Vundo may redirect URLs entered by the user to URLs of the program's choice.
Also, when particular URLs are visited by an affected user, Vundo may disable the display of pop-ups. Presumably this is an anti-competitive measure, as the list of targeted URLs contains a number of popular search engines and domain names associated with ad-servers, for example (not the full list):
search.yahoo.com
search.msn.com
ad.searchsquire.com
images.trafficmp.com
z1.adserver.com
ads1.revenue.net
ad.doubleclick.net
paypopup.com
ads.180solutions.com
Downloads and Executes Arbitrary Files
Win32/Vundo.BB may connect to the remote host "tamotua.com" to get updates or additional components.
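A network-side check for the two hosts named in this write-up (tresni.net for ads, tamotua.com for updates and components), added as an example and not part of the original analysis. It matches hostnames by exact name or subdomain rather than by substring, queries the local resolver cache where the cmdlet exists, and scans proxy log lines. The log lines and their format are constructed for illustration.

```powershell
# Added example, not from the original analysis: look for contact with the
# Vundo.BB ad and update hosts in the DNS client cache and in proxy logs.
$iocDomains = @('tresni.net', 'tamotua.com')

function Test-IocHost {
    param([string]$HostName)
    # Exact match or subdomain match only; avoids matching "nottamotua.com".
    $h = $HostName.ToLowerInvariant().TrimEnd('.')
    foreach ($d in $iocDomains) {
        if ($h -eq $d -or $h.EndsWith(".$d")) { return $true }
    }
    return $false
}

# 1. Resolver cache: Get-DnsClientCache exists on Windows 8 / Server 2012 and later.
if (Get-Command Get-DnsClientCache -ErrorAction SilentlyContinue) {
    Get-DnsClientCache |
        Where-Object { Test-IocHost $_.Entry } |
        ForEach-Object { Write-Output "DNS cache hit: $($_.Entry) -> $($_.Data)" }
}

# 2. Proxy log lines (constructed sample; replace with lines from the gateway).
$sampleLog = @(
    '2008-03-12 10:14:02 10.0.0.15 GET http://www.example.com/ 200',
    '2008-03-12 10:14:09 10.0.0.15 GET http://ads.tresni.net/show?x=1 200',
    '2008-03-12 10:15:31 10.0.0.15 GET http://tamotua.com/update/bb.bin 200'
)

foreach ($line in $sampleLog) {
    # Pull the host out of the URL field; ports and paths are excluded.
    if ($line -match 'https?://([^/\s:]+)') {
        if (Test-IocHost $Matches[1]) { Write-Output "proxy log hit: $line" }
    }
}
```

With the sample above the script reports the second and third lines. Because the malware pulls updates from tamotua.com, a hit on that host means the installed components may differ from the ones originally dropped, so re-scan after removal.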
Additional Information
This variant of Vundo is packed with a modified version of UPX, so the stock UPX tool will usually not unpack it. Also, unlike other variants of this large family, Win32/Vundo.BB does not use a file time and date stamp.
Analysis by Cristian Craioveanu