Virus: TR/Vundo.NV
Date discovered: 16/12/2008
Type: Trojan
In the wild: Yes
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Low to medium
Static file: No
IVDF version: 7.01.00.238 - Tue, 16 Dec 2008 09:03 (GMT+1)
General
Method of propagation:
• No own spreading routine
Alias:
• Grisoft: Vundo.CL
Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003
Side effects:
• Downloads malicious files
• Drops files
• Registry modification
• Third party control

Files
The following files are created:
– Non malicious files:
• %malware execution directory%\%random character string%.ini
• %malware execution directory%\%random character string%.ini2
It tries to download some files:
– The location is the following:
• http://85.17.166.232/**********/index.dll
It is saved on the local hard drive under: %TEMPDIR%\%random character string%.dll
This file is executed once the download has completed. Further investigation showed that this file is malware, too. Detected as: TR/Vundo.NU
– The location is the following:
• http://89.188.16.46/**********/zc113432.dll
It is saved on the local hard drive under: %TEMPDIR%\%random character string%.dll
This file is executed once the download has completed. Further investigation showed that this file is malware, too. Detected as: TR/Vundo.NT

Registry
It registers a browser helper object (BHO) by adding the following key:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2CA510D8-90CD-4120-AB99-F3B9A5E4F43D}]
The following registry keys are added:
– [HKCR\CLSID\{2CA510D8-90CD-4120-AB99-F3B9A5E4F43D}\InprocServer32]
• @="%malware execution directory%\\%malware dll%"
• "ThreadingModel"="Both"
– [HKLM\SOFTWARE\Microsoft\%hex number%]
• "Version"="%internet resources used by malware%"
Because the CLSID is registered as a BHO, Internet Explorer loads the DLL named in the InprocServer32 default value each time it starts, which is how the malware gains persistence and control of the browser.

Injection
– It injects itself into a process.
Process name:
• explorer.exe

File details
Programming language: The malware program was written in MS Visual C++.
Runtime packer: In order to hamper detection and reduce the size of the file, it is packed with a runtime packer.
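As an added example that is not part of the original description, the following Python script checks an exported registry file and a list of URL log lines against the indicators listed above (the BHO CLSID, its InprocServer32 value, the hexadecimal key under HKLM\SOFTWARE\Microsoft carrying a "Version" value, and the two download hosts). The .reg sample, the DLL path, the user name, the hexadecimal key name and the "Version" data are constructed for illustration; the page gives the key only as HKLM\SOFTWARE\Microsoft\%hex number%, so any purely hexadecimal subkey name there is matched and reported as a weaker indicator.

```python
import re

# Indicators taken from the TR/Vundo.NV description above. Registry paths use
# the long hive names that regedit / "reg export" write into a .reg file.
VUNDO_BHO_CLSID = "{2CA510D8-90CD-4120-AB99-F3B9A5E4F43D}"
VUNDO_DOWNLOAD_HOSTS = {"85.17.166.232", "89.188.16.46"}
BHO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
           r"\Explorer\Browser Helper Objects" + "\\" + VUNDO_BHO_CLSID)
INPROC_KEY = r"HKEY_CLASSES_ROOT\CLSID" + "\\" + VUNDO_BHO_CLSID + r"\InprocServer32"
# The page names the config key only as HKLM\SOFTWARE\Microsoft\%hex number%,
# so match any purely hexadecimal subkey name there (assumption; weaker indicator).
HEX_KEY_RE = re.compile(r"^HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\[0-9a-fA-F]+$")


def parse_reg_export(text):
    """Parse a minimal .reg export into {key_path: {value_name: data}}.
    Only REG_SZ string values are decoded; other value types keep their raw text."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        name, sep, data = line.partition("=")
        if not sep:
            continue
        name = name if name == "@" else name.strip('"')
        if data.startswith('"') and data.endswith('"'):
            # .reg files escape backslashes in string data as "\\"
            data = data[1:-1].replace("\\\\", "\\")
        keys[current][name] = data
    return keys


def find_vundo_registry_indicators(keys):
    """Return (indicator, detail) pairs for the Vundo.NV registry artefacts."""
    findings = []
    if BHO_KEY in keys:
        findings.append(("bho_registered", BHO_KEY))
    if INPROC_KEY in keys:
        # The default value names the DLL Internet Explorer will load as the BHO.
        findings.append(("bho_dll", keys[INPROC_KEY].get("@", "")))
    for key, values in keys.items():
        if HEX_KEY_RE.match(key) and "Version" in values:
            findings.append(("config_key", key))
    return findings


def find_vundo_download_hosts(log_lines):
    """Return the page's download hosts seen in proxy / URL log lines."""
    hits = []
    for line in log_lines:
        m = re.search(r"https?://([^/:\s]+)", line)
        if m and m.group(1) in VUNDO_DOWNLOAD_HOSTS:
            hits.append(m.group(1))
    return hits


# Constructed sample export: the CLSID and key layout come from the page, the
# DLL path, user name, hex key name "1a2b3c4d" and "Version" data do not.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2CA510D8-90CD-4120-AB99-F3B9A5E4F43D}]

[HKEY_CLASSES_ROOT\CLSID\{2CA510D8-90CD-4120-AB99-F3B9A5E4F43D}\InprocServer32]
@="C:\\Users\\victim\\Downloads\\hgkdwqpa.dll"
"ThreadingModel"="Both"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\1a2b3c4d]
"Version"="constructed-placeholder"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SomeUpdater"="C:\\Program Files\\Updater\\updater.exe"
"""

# Constructed proxy log lines; only the first host appears on the page.
SAMPLE_LOG = [
    "GET http://85.17.166.232/**********/index.dll 200",
    "GET http://example.invalid/update.xml 200",
]

if __name__ == "__main__":
    for indicator, detail in find_vundo_registry_indicators(parse_reg_export(SAMPLE_REG)):
        print(f"{indicator}: {detail}")
    for host in find_vundo_download_hosts(SAMPLE_LOG):
        print(f"download host: {host}")
```

On a live host the same checks can be run against `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer out.reg` and `reg export HKCR\CLSID out2.reg`; the BHO CLSID is the strong indicator, while a hexadecimal key under HKLM\SOFTWARE\Microsoft should be treated as corroborating evidence and confirmed by looking at the DLL the InprocServer32 value points to.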
Description inserted by Andreas Feuerstein on Tue, 16 Dec 2008 14:54 (GMT+1)
Description updated by Andreas Feuerstein on Tue, 16 Dec 2008 15:30 (GMT+1)