Virus:TR/Vundo.NV
Date discovered:16/12/2008
Type:Trojan
In the wild:Yes
Reported Infections:Low
Distribution Potential:Low
Damage Potential:Low to medium
Static file:No
IVDF version:7.01.00.238 - Tuesday, December 16, 2008

 General Method of propagation:
   • No own spreading routine


Alias:
   •  Grisoft: Vundo.CL


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads malicious files
   • Drops files
   • Registry modification
   • Third party control

 Files The following files are created:

– Non malicious files:
   • %malware execution directory%\%random character string%.ini
   • %malware execution directory%\%random character string%.ini2




It tries to download some files:

– The location is the following:
   • http://85.17.166.232/**********/index.dll
It is saved on the local hard drive under: %TEMPDIR%\%random character string%.dll Furthermore this file gets executed after it was fully downloaded. Further investigation pointed out that this file is malware, too. Detected as: TR/Vundo.NU


– The location is the following:
   • http://89.188.16.46/**********/zc113432.dll
It is saved on the local hard drive under: %TEMPDIR%\%random character string%.dll Furthermore this file gets executed after it was fully downloaded. Further investigation pointed out that this file is malware, too. Detected as: TR/Vundo.NT

 Registry It registers a browser helper object (BHO) by adding the following key:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
   Browser Helper Objects\{2CA510D8-90CD-4120-AB99-F3B9A5E4F43D}]


The following registry keys are added:

– [HKCR\CLSID\{2CA510D8-90CD-4120-AB99-F3B9A5E4F43D}\InprocServer32]
   • @="%malware execution directory%\\%malware dll%"
   • "ThreadingModel"="Both"

– [HKLM\SOFTWARE\Microsoft\%hex number%]
   • "Version"="%internet resources used by malware%"

 Injection – It injects itself into a process.

    Process name:
   • explorer.exe


 File details Programming language:
 The malware program was written in MS Visual C++.


Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Description inserted by Andreas Feuerstein on Tuesday, December 16, 2008
Description updated by Andreas Feuerstein on Tuesday, December 16, 2008

Back . . . .