Threat behavior
Trojan:Win32/Vundo.gen!V is a generic detection for a multi-component family of programs that deliver 'out of context' pop-up advertisements to the computer on which they are installed and may download and execute arbitrary files. This family uses advanced defensive and stealth techniques to escape detection and to hinder removal.
Installation
Win32/Vundo.gen!V may exist on a computer as a dynamic link library (DLL) or as an executable. Some variants function as Browser Helper Objects (BHOs). When run, Vundo.gen!V drops a .DLL file having a .DAT file extension into the current file folder and runs the dropped file using RUNDLL32.EXE. Next, a copy of Vundo.gen!V is dropped into the temporary folder as the following:
%TEMP%\_a00<random>.exe
Adds value: "A00 <random>.exe"
With data: "%TEMP%\_a00<random>.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
The .DLL creates a remote thread in the 'services.exe' process. Running inside that remote process, the code modifies the registry with the following value and data.
Adds value: "Asynchronous"
With data: "1"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c00 <random>
In the above instances, <random> is a random six- or seven-character string made up of the lowercase letters 'a' to 'f' and digits. The registry is modified so that the dropped copy runs at each Windows startup.
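The two persistence points described above (the HKCU Run value pointing at %TEMP%\_a00<random>.exe, and the Winlogon\Notify\__c00<random> subkey with Asynchronous set to 1) can be checked offline against a registry export. The script below is an added example written for this page, not code from the encyclopedia entry or from Microsoft: it parses the relevant subset of the .reg export format, then flags entries matching the patterns given above. The sample export and its suffixes ("abc12f", "d3a4b5c") are constructed for the example; the "ctfmon.exe" and "ScCertProp" entries are constructed benign noise showing that the check keys on the specific paths and names, not on the Asynchronous value alone.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in Windows .reg export format (not from a real system).
# The two Vundo-like entries use made-up <random> suffixes.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"A00abc12f.exe"="%TEMP%\\_a00abc12f.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c00d3a4b5c]
"Asynchronous"=dword:00000001
"""

# <random>: six or seven characters drawn from a-f and 0-9, as described above.
HEX_RANDOM = r"[0-9a-f]{6,7}"
RUN_KEY = "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
NOTIFY_PREFIX = ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT"
                 "\\CurrentVersion\\Winlogon\\Notify\\")

# Run value data launching the dropped copy from the temporary folder.
RUN_DATA_RE = re.compile(r"^%TEMP%\\_a00" + HEX_RANDOM + r"\.exe$", re.IGNORECASE)
# Winlogon notification subkey name created via the remote thread in services.exe.
NOTIFY_SUBKEY_RE = re.compile(r"^__c00" + HEX_RANDOM + r"$", re.IGNORECASE)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the subset of .reg syntax needed here: [key] headers followed by
    "name"=value lines. String values are unescaped; dword values are kept
    as the literal 'dword:xxxxxxxx' token."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if not m:
            continue
        name, value = m.group(1), m.group(2)
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            # .reg doubles backslashes and escapes quotes inside strings.
            value = re.sub(r"\\(.)", r"\1", value[1:-1])
        keys[current][name] = value
    return keys


def find_vundo_indicators(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (key, value_name, reason) for entries matching the persistence
    pattern described in the text. Registry paths compare case-insensitively."""
    hits: List[Tuple[str, str, str]] = []
    for key, values in keys.items():
        if key.lower() == RUN_KEY.lower():
            for name, data in values.items():
                if RUN_DATA_RE.match(data):
                    hits.append((key, name, "Run value launches %TEMP%\\_a00<random>.exe"))
        elif key.lower().startswith(NOTIFY_PREFIX.lower()):
            subkey = key[len(NOTIFY_PREFIX):]
            asynchronous = values.get("Asynchronous", "").lower()
            if NOTIFY_SUBKEY_RE.match(subkey) and asynchronous == "dword:00000001":
                hits.append((key, "Asynchronous",
                             "Winlogon Notify package __c00<random> with Asynchronous=1"))
    return hits


def scan_export(text: str) -> List[Tuple[str, str, str]]:
    """Convenience wrapper: parse an export and return the matching entries."""
    return find_vundo_indicators(parse_reg_export(text))


if __name__ == "__main__":
    for key, name, reason in scan_export(SAMPLE_REG_EXPORT):
        print(f"{reason}\n  {key}\n  value: {name}")
```

On a live system the same input can be produced with `reg export` of the two keys above; the parser ignores everything except key headers and `"name"=value` lines, so unrelated values in the export do not interfere with the check.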
Additional Information
Analysis by Huzefa Mogri
Prevention