Virus: TR/Spy.Vundo.AF
Date discovered: 23/03/2007
Type: Trojan
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Medium
Static file: No
File size: 281.652 Bytes
VDF version: 6.37.01.147
IVDF version: 6.37.01.154 - Friday, February 23, 2007

General
Method of propagation:
   • No own spreading routine


Alias:
   • Grisoft: Downloader.Zlob.FC


Platforms / OS:
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Registry modification
   • Steals information
   • Third party control

Files
The following files are created:

– Temporary files that might be deleted afterwards:
   • %malware execution directory%\%random character string%.tmp
   • %malware execution directory%\%random character string%.ini

Registry
It registers a browser helper object (BHO) by adding the following key:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{%generated CLSID%}]


The following registry keys are added:

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\%malware dll%]
   • Asynchronous = dword:00000001
   • DllName = %malware execution directory%\%malware dll%
   • Impersonate = dword:00000000
   • Startup = SysLogon
   • Logoff = SysLogoff

– [HKCR\CLSID\{%generated CLSID%}]

– [HKCR\CLSID\{%generated CLSID%}\InprocServer32]
   • @ = %malware execution directory%\%malware dll%
   • ThreadingModel = Both
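As an added defender-side check that is not part of Avira's description, the PowerShell audit below enumerates the two persistence points listed above (Winlogon\Notify packages and Browser Helper Objects) and flags any entry whose DLL is missing, lives outside %SystemRoot%, or carries no valid Authenticode signature. The "outside SystemRoot" and signature heuristics are assumptions chosen for triage, not indicators from the page.

```powershell
# Added example (not Avira's code): audit Winlogon\Notify packages and BHOs.
# Assumption: run elevated; on 64-bit Windows the Wow6432Node views are not covered.
$systemRoot = $env:SystemRoot

function Test-SuspiciousDll {
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path)) { return 'empty DllName' }
    $p = [Environment]::ExpandEnvironmentVariables($Path)
    # Bare names (crypt32.dll, cscdll.dll, ...) are loaded from System32
    if ($p -notmatch '[\\/]') { $p = Join-Path "$systemRoot\System32" $p }
    if (-not (Test-Path -LiteralPath $p)) { return 'file not found' }
    if ($p -notlike "$systemRoot\*") { return 'outside SystemRoot' }
    $sig = Get-AuthenticodeSignature -LiteralPath $p
    if ($sig.Status -ne 'Valid') { return "signature: $($sig.Status)" }
    return $null   # nothing suspicious
}

function Get-PersistenceAudit {
    # Winlogon Notify: each subkey names a DLL plus Startup/Logoff handler exports
    $notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    if (Test-Path $notify) {
        foreach ($k in Get-ChildItem $notify) {
            $v = Get-ItemProperty $k.PSPath
            [pscustomobject]@{
                Source = 'WinlogonNotify'; Name = $k.PSChildName; Dll = $v.DllName
                Handlers = "$($v.Startup)/$($v.Logoff)"; Flag = Test-SuspiciousDll $v.DllName
            }
        }
    }
    # BHOs: the CLSID under Explorer resolves to HKCR\CLSID\{..}\InprocServer32
    $bho = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (Test-Path $bho) {
        foreach ($k in Get-ChildItem $bho) {
            $inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$($k.PSChildName)\InprocServer32"
            $dll = if (Test-Path $inproc) { (Get-ItemProperty $inproc).'(default)' } else { $null }
            [pscustomobject]@{
                Source = 'BHO'; Name = $k.PSChildName; Dll = $dll
                Handlers = ''; Flag = Test-SuspiciousDll $dll
            }
        }
    }
}

# Print only entries that tripped a check
Get-PersistenceAudit | Where-Object { $_.Flag } | Format-Table -AutoSize
```

Legitimate unsigned third-party BHOs will also be flagged, so treat the output as a triage list rather than a verdict.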

Backdoor
Contact server:
The following:
   • http://white**********

As a result, it may send information to this server, and remote control of the infected system could be provided.

File details
Runtime packer:
In order to hinder detection and reduce the size of the file, it is packed with a runtime packer.

Description inserted by Andrei Gherman on Tuesday, March 13, 2007
Description updated by Andrei Gherman on Tuesday, March 13, 2007
