Trojan:Win32/Vundo.gen!C is a generic detection for a multi-component family of programs that deliver 'out of context' pop-up advertisements on the computer on which they are installed and may download and execute arbitrary files. Win32/Vundo.gen!C may exist on a computer as a dynamic link library (DLL) or as an executable. Some variants function as Browser Helper Objects (BHOs). The trojan may also use defensive methods, such as loading itself into system processes, to make itself difficult to remove from the affected computer.
Installation
Trojan:Win32/Vundo.gen!C uses RUNDLL32.EXE to execute the trojan's DLL.
The trojan creates the following mutexes during its installation:
awx_mutant
Local_VMMainMutex
_ConsprMutx
Trojan:Win32/Vundo.gen!C makes the following registry modifications.
It first registers its DLL as a COM in-process server under a fixed CLSID:
Adds value: @
With data: "<Win32/Vundo.gen!C path and filename>"
To subkey: HKEY_CLASSES_ROOT\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\InprocServer32
Adds value: ThreadingModel
With data: "Both"
To subkey: HKEY_CLASSES_ROOT\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\InprocServer32
It then registers that CLSID as a shell execute hook, so the DLL is loaded into any process that calls ShellExecute, which in practice means Explorer:
Adds value: {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
It also registers the DLL as a Winlogon notification package. Winlogon loads the DLL named by DllName at startup and calls the exports named by the Logon and Logoff values on those events, so the DLL stays loaded in winlogon.exe for the life of the session. Asynchronous=1 tells Winlogon to call the handlers on their own thread, and Impersonate=0 makes them run in Winlogon's own LocalSystem context rather than as the logging-on user:
Adds subkey: <Win32/Vundo.gen!C filename without extension>
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
Adds value: Asynchronous
With data: dword:00000001
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\<Win32/Vundo.gen!C filename without extension>
Adds value: DllName
With data: "<Win32/Vundo.gen!C filename>"
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\<Win32/Vundo.gen!C filename without extension>
Adds value: Impersonate
With data: dword:00000000
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\<Win32/Vundo.gen!C filename without extension>
Adds value: Logon
With data: "Logon"
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\<Win32/Vundo.gen!C filename without extension>
Adds value: Logoff
With data: "Logoff"
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\<Win32/Vundo.gen!C filename without extension>
Trojan:Win32/Vundo.gen!C injects itself into the following processes:
WINLOGON.EXE
EXPLORER.EXE
Payload
Downloads and Executes Arbitrary Files
This trojan injects its code into the running winlogon.exe and explorer.exe processes and creates a remote thread in each, which is consistent with the Winlogon notification and shell execute hook registrations made during installation. Win32/Vundo may connect to remote hosts over HTTP and may attempt to download additional malware onto the infected computer.
Terminates Processes
Vundo may terminate the processes "AD-AWARE.EXE" (Lavasoft Ad-Aware) or "GCASSERVALERT.EXE" (Microsoft AntiSpyware) if they are running in memory.
Analysis by Francis Allan Tan Seng