Threat behavior
Trojan:Win32/Vundo.gen!AO is a component of Win32/Vundo - a multiple-component family of programs that deliver 'out of context' pop-up advertisements. They may also download and execute arbitrary files.
Vundo is often distributed as a DLL file and installed on an affected machine as a Browser Helper Object (BHO) without a user's consent. This family uses advanced defensive and stealth techniques to escape detection and to hinder removal.
Installation
Trojan:Win32/Vundo.gen!AO is installed on an affected machine as a Browser Helper Object (BHO) without a user's consent. It arrives as a DLL file that is dropped in the Windows system folder with a randomly generated file name (for example, iifcDTNe.dll).
It may create the following registry entry for the CLSID:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}
It registers itself as a BHO and may additionally modify the following registry entry:
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
It may create the key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}
It also creates the following registry keys and entries so that the dropped trojan copy is installed as a Winlogon notification package:
Adds values: "Asynchronous", "DllName", "Impersonate", "Startup", "Logon"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\<malware file>
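The following audit script is an added example, not part of the advisory: it enumerates the persistence locations described above (Winlogon notification packages, ShellExecuteHooks and registered Browser Helper Objects), resolves each entry to the DLL it loads, and flags the advisory's CLSID or any DLL without a valid Authenticode signature. It assumes Windows PowerShell 5.1 or later run as Administrator on the host under review and reads the live registry.

```powershell
# Added audit example, not from the advisory: list what is registered in the
# persistence locations described above and flag suspicious entries.
# Assumes Windows PowerShell 5.1+ run as Administrator on the host under review.
$AdvisoryClsid = '{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}'   # CLSID named in the advisory

function Resolve-ClsidServer([string]$Clsid) {
    # Map a COM CLSID to the in-process DLL it loads, if one is registered.
    $key = "HKLM:\SOFTWARE\Classes\CLSID\$Clsid\InprocServer32"
    if (Test-Path $key) { (Get-ItemProperty $key).'(default)' } else { $null }
}

function Get-PersistenceEntries {
    $notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    if (Test-Path $notify) {
        foreach ($k in Get-ChildItem $notify) {
            # Each subkey is a Winlogon notification package; DllName may be bare or a full path.
            $dll = (Get-ItemProperty $k.PSPath).DllName
            if ($dll -and -not [IO.Path]::IsPathRooted($dll)) { $dll = "$env:SystemRoot\System32\$dll" }
            [pscustomobject]@{ Location = 'WinlogonNotify'; Name = $k.PSChildName; Dll = $dll }
        }
    }
    $hooks = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
    if (Test-Path $hooks) {
        # Value names under ShellExecuteHooks are CLSIDs of hook objects loaded by Explorer.
        foreach ($v in (Get-ItemProperty $hooks).PSObject.Properties | Where-Object Name -like '{*}') {
            [pscustomobject]@{ Location = 'ShellExecuteHooks'; Name = $v.Name; Dll = Resolve-ClsidServer $v.Name }
        }
    }
    $bho = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (Test-Path $bho) {
        foreach ($k in Get-ChildItem $bho) {
            [pscustomobject]@{ Location = 'BHO'; Name = $k.PSChildName; Dll = Resolve-ClsidServer $k.PSChildName }
        }
    }
}

foreach ($e in Get-PersistenceEntries) {
    $flag = ''
    if ($e.Name -eq $AdvisoryClsid) { $flag = 'MATCHES ADVISORY CLSID' }
    elseif ($e.Dll -and (Test-Path $e.Dll)) {
        # A DLL without a valid Authenticode signature in these locations deserves manual triage.
        $sig = Get-AuthenticodeSignature -FilePath $e.Dll
        if ($sig.Status -ne 'Valid') { $flag = "no valid signature ($($sig.Status))" }
    } elseif ($e.Dll) { $flag = 'DLL missing on disk' }
    '{0,-18} {1,-40} {2,-50} {3}' -f $e.Location, $e.Name, $e.Dll, $flag
}
```

Winlogon notification packages are only honoured by Windows XP and Server 2003, so the Notify key is often absent on newer hosts and the script simply skips it; an unsigned or missing DLL is a triage lead, not a verdict.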
Payload
Terminates Process
Trojan:Win32/Vundo.gen!AO may try to terminate a process named GCASSERVALERT. This process may be related to an obsolete product 'Windows Antispyware' (replaced by Windows Defender).
Contacts Remote Sites
Trojan:Win32/Vundo.gen!AO may contact one or more of the following remote sites:
Additional Information
Trojan:Win32/Vundo.gen!AO may create the following registry key for its own use:
HKEY_CURRENT_USER\Software\Microsoft\cavok
It may also create one or more of the following mutexes:
awx_mutant
VCMMTX
_ConsprMutx
Analysis by Andrei Florin Saygo
Prevention