Home / malware Trojan:Win32/Vundo.gen!G
First posted on 16 March 2009.
Source: SecurityHomeAliases :
There are no other names known for Trojan:Win32/Vundo.gen!G.
Explanation :
Win32/Vundo is a multiple-component family of programs that deliver 'out of context' pop-up advertisements. They may also download and execute arbitrary files. Vundo is often distributed as a DLL file and installed on an affected machine as a Browser Helper Object (BHO) without a user's consent. This family uses advanced defensive and stealth techniques to escape detection and to hinder removal.
Symptoms
System ChangesThe following system changes may indicate the presence of Win32/Vundo:The display of 'out of context' advertisements, unrelated to web content being viewed by the affected user. Presence of the following registry entries:
HKEY_LOCAL_MACHINESOFTWAREMicrosoftaldd
HKEY_LOCAL_MACHINESOFTWAREMicrosoftSysUpd
HKEY_LOCAL_MACHINESOFTWAREClassesCLSID{35F7813A-AF74-4474-B1DC-7EE6FB6C43C6}
HKEY_LOCAL_MACHINESOFTWAREClassesCLSID{39D2FC9B-041C-470E-AE72-F8C001247626}
HKEY_LOCAL_MACHINESOFTWAREClassesCLSID{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44}
HKEY_LOCAL_MACHINESOFTWAREClassesCLSID{52B1DFC7-AAFC-4362-B103-868B0683C697}
HKEY_LOCAL_MACHINESOFTWAREClassesCLSID{6DD0BC06-4719-4BA3-BEBC-FBAE6A448152}
HKEY_LOCAL_MACHINESOFTWAREClassesCLSID{7BF451AC-2010-4804-B256-DB2F0A8D9EB6}
HKEY_LOCAL_MACHINESOFTWAREClassesCLSID{827DC836-DD9F-4A68-A602-5812EB50A834}
HKEY_LOCAL_MACHINESOFTWAREClassesCLSID{8DBF02DA-4360-4A7E-BEA1-347B87816327}
HKEY_LOCAL_MACHINESOFTWAREClassesCLSID{AF7FCAFB-9FDB-4F5E-BAC6-68BDEE61D6C6}
HKEY_LOCAL_MACHINESOFTWAREClassesCLSID{FC148228-87E1-4D00-AC06-58DCAA52A4D1}
HKEY_LOCAL_MACHINESOFTWAREClassesCLSID{B8B55274-0F9A-41E5-9067-A3539BD9E860}
HKEY_LOCAL_MACHINESOFTWAREClassesCLSID{CBE0D59D-F985-4AC6-8826- FEE957065D42}
HKEY_LOCAL_MACHINESOFTWAREClassesCLSID{5AEFF965-B1A9-4675-966A-26C2E812AD51}
HKEY_CLASSES_ROOTMSEvents.MSEvents
HKEY_CLASSES_ROOTMSEvents.MSEvents.1
HKEY_CLASSES_ROOTpsapianalyzer.psapianalyzer.1
HKEY_CLASSES_ROOTpsapianalyzer.psapianalyzer
HKEY_CLASSES_ROOTMFCOptimizeClass.MFCOptimizeClass.1
HKEY_CLASSES_ROOTMFCOptimizeClass.MFCOptimizeClass
HKEY_CLASSES_ROOTRawExecAction.RawExecAction
HKEY_CLASSES_ROOTRawExecAction.RawExecAction.1
HKEY_CLASSES_ROOTiepl.iepl.1
HKEY_CLASSES_ROOTiepl.iepl
HKEY_CLASSES_ROOTATLDistrib.ATLDistrib.1
HKEY_CLASSES_ROOTATLDistrib.ATLDistrib
HKEY_CLASSES_ROOTWTLHelper.WTLHelper
HKEY_CLASSES_ROOTWTLHelper.WTLHelper.1
HKEY_CLASSES_ROOTDosSpecFolder.DosSpecFolder
HKEY_CLASSES_ROOTDosSpecFolder.DosSpecFolder.1
HKEY_CLASSES_ROOTDPCUpdater.DPCUpdater.1
HKEY_CLASSES_ROOTDPCUpdater.DPCUpdater
HKEY_CLASSES_ROOTADOUsefulNet.ADOUsefulNet
HKEY_CLASSES_ROOTADOUsefulNet.ADOUsefulNet.1
HKEY_CLASSES_ROOTInfoDocReader.InfoDocReader
HKEY_CLASSES_ROOTInfoDocReader.InfoDocReader.1
HKEY_CLASSES_ROOTATLEvents.ATLEvents.1
HKEY_CLASSES_ROOTATLEvents.ATLEvents
HKEY_LOCAL_MACHINESOFTWAREClassesMSEvents.MSEvents
HKEY_LOCAL_MACHINESOFTWAREClassesMSEvents.MSEvents.1
HKEY_LOCAL_MACHINESOFTWAREClassespsapianalyzer.psapianalyzer
HKEY_LOCAL_MACHINESOFTWAREClassespsapianalyzer.psapianalyzer.1
HKEY_LOCAL_MACHINESOFTWAREClassesMFCOptimizeClass.MFCOptimizeClass
HKEY_LOCAL_MACHINESOFTWAREClassesMFCOptimizeClass.MFCOptimizeClass.1
HKEY_LOCAL_MACHINESOFTWAREClassesRawExecAction.RawExecAction
HKEY_LOCAL_MACHINESOFTWAREClassesRawExecAction.RawExecAction.1
HKEY_LOCAL_MACHINESOFTWAREClassesiepl.iepl
HKEY_LOCAL_MACHINESOFTWAREClassesiepl.iepl.1
HKEY_LOCAL_MACHINESOFTWAREClassesATLDistrib.ATLDistrib
HKEY_LOCAL_MACHINESOFTWAREClassesATLDistrib.ATLDistrib.1
HKEY_LOCAL_MACHINESOFTWAREClassesWTLHelper.WTLHelper
HKEY_LOCAL_MACHINESOFTWAREClassesWTLHelper.WTLHelper.1
HKEY_LOCAL_MACHINESOFTWAREClassesDosSpecFolder.DosSpecFolder
HKEY_LOCAL_MACHINESOFTWAREClassesDosSpecFolder.DosSpecFolder.1
HKEY_LOCAL_MACHINESOFTWAREClassesDPCUpdater.DPCUpdater
HKEY_LOCAL_MACHINESOFTWAREClassesDPCUpdater.DPCUpdater.1
HKEY_LOCAL_MACHINESOFTWAREClassesADOUsefulNet.ADOUsefulNet
HKEY_LOCAL_MACHINESOFTWAREClassesADOUsefulNet.ADOUsefulNet.1
HKEY_LOCAL_MACHINESOFTWAREClassesInfoDocReader.InfoDocReader
HKEY_LOCAL_MACHINESOFTWAREClassesInfoDocReader.InfoDocReader.1
HKEY_LOCAL_MACHINESOFTWAREClassesATLEvents.ATLEvents
HKEY_LOCAL_MACHINESOFTWAREClassesATLEvents.ATLEvents.1
Win32/Vundo is a multiple-component family of programs that deliver 'out of context' pop-up advertisements. They may also download and execute arbitrary files. Vundo is often distributed as a DLL file and installed on an affected machine as a Browser Helper Object (BHO) without a user's consent. This family uses advanced defensive and stealth techniques to escape detection and to hinder removal. Please see our detailed Win32/Vundo family analysis elsewhere in this encyclopedia for additional information.Last update 16 March 2009