Virus: TR/Vundo.AH
Date discovered: 05/03/2007
Type: Trojan
In the wild: Yes
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Medium
Static file: No
File size: ~282.212 Bytes
VDF version: 6.37.01.191
IVDF version: 6.37.01.197 - Monday, March 5, 2007

General Method of propagation:
   • No own spreading routine


Platforms / OS:
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Registry modification
   • Steals information
   • Third party control

Files:
The following files are created:

– Non malicious files:
   • %malware execution directory%\%random character string%.tmp
   • %malware execution directory%\%random character string%.ini

Registry:
It registers a browser helper object (BHO) by adding the following key:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{%generated CLSID%}]


The following registry keys are added:

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\%malware dll%]
   • Asynchronous = dword:00000001
   • DllName = %malware execution directory%\%malware dll%
   • Impersonate = dword:00000000
   • Startup = SysLogon
   • Logoff = SysLogoff

– [HKCR\CLSID\{%generated CLSID%}]
– [HKCR\CLSID\{%generated CLSID%}\InprocServer32]
   • @ = %malware execution directory%\%malware dll%
   • ThreadingModel = Both
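
The Winlogon\Notify and BHO registrations above are the places to audit on a suspect host. The PowerShell script below is an added example, not part of the Avira description: it lists both locations and flags any registered DLL that is missing, sits outside %SystemRoot%, or lacks a valid Authenticode signature. The function names, the Wow6432Node path for 32-bit BHOs on 64-bit Windows, and the signature heuristic are my assumptions.

```powershell
# Added audit example, not part of the Avira description: enumerate the two
# persistence locations named above and flag DLLs that are missing, lie outside
# %SystemRoot%, or lack a valid Authenticode signature. Requires admin rights;
# function names and the Wow6432Node BHO path are my additions.
$System32 = Join-Path $env:SystemRoot 'System32'

function Test-SuspiciousDll {
    param([string]$RawPath)
    if (-not $RawPath) { return 'no DLL path registered' }
    $path = [Environment]::ExpandEnvironmentVariables($RawPath).Trim('"')
    # Notify packages are often registered by bare file name, resolved from System32.
    if (-not [IO.Path]::IsPathRooted($path)) { $path = Join-Path $System32 $path }
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { return "missing file: $path" }
    $reasons = @()
    if (-not $path.StartsWith($env:SystemRoot, 'OrdinalIgnoreCase')) { $reasons += 'outside %SystemRoot%' }
    $sig = Get-AuthenticodeSignature -FilePath $path
    if ($sig.Status -ne 'Valid') { $reasons += "signature $($sig.Status)" }
    if ($reasons) { $reasons -join '; ' }
}

function Get-PersistenceFindings {
    # 1. Winlogon notification packages: winlogon.exe loads DllName and calls the
    #    exported Startup/Logoff handlers, so a foreign DLL here runs at every logon.
    $notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    Get-ChildItem -Path $notify -ErrorAction SilentlyContinue | ForEach-Object {
        $v = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{
            Location = 'Winlogon\Notify'; Name = $_.PSChildName; Dll = $v.DllName
            Startup = $v.Startup; Logoff = $v.Logoff; Asynchronous = $v.Asynchronous
            Impersonate = $v.Impersonate; Finding = Test-SuspiciousDll ([string]$v.DllName)
        }
    }
    # 2. Browser Helper Objects: each CLSID subkey resolves through
    #    HKCR\CLSID\{clsid}\InprocServer32 to the DLL loaded into Internet Explorer.
    $bhoKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
               'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    Get-ChildItem -Path $bhoKeys -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid = $_.PSChildName
        $srv = Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
        $dll = if ($srv) { [string]$srv.'(default)' } else { '' }
        [pscustomobject]@{
            Location = 'BHO'; Name = $clsid; Dll = $dll; Startup = $null; Logoff = $null
            Asynchronous = $null; Impersonate = $null; Finding = Test-SuspiciousDll $dll
        }
    }
}

# Only entries with a finding are shown; verify each DLL before removing anything.
Get-PersistenceFindings | Where-Object Finding | Format-Table -AutoSize
```

On Windows Vista and later the Winlogon\Notify key is normally absent, so an empty first section is expected there; any entry that does appear deserves a look.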

Backdoor:
Contact server:
   • http://whitesc**********

As a result, it may send out information, and remote control of the system may be possible.

File details:
Runtime packer:
To hinder detection and reduce the file size, it is packed with a runtime packer.

Description inserted by Cristian Dobre on Monday, March 19, 2007
Description updated by Andrei Gherman on Monday, March 19, 2007
