Home / malware Trojan.Vundo.EWZ
First posted on 21 November 2011.
Source: BitDefenderAliases :
Trojan.Vundo.EWZ is also known as Trojan.Win32.Monder, Trojan.Virtumond.
Explanation :
The vundo trojan is usually a dll with a random name located in system32 directory. The length of the file name is usually 5 to 7 characters (depending on the version).
The malware usually consists of 6 threads named Main thread, Protection thread, Registry Thread, File thread, IEEvents thread, Stop and Recover thread. The malware has the capability of writing informations about each of these threads in a log file (even though most of the versions don’t do that). The malware performs different actions depending on the place where it runs. If it runs from lsass.exe or winlogon.exe it starts the protection mutex. If it runs from Internet Explorer it starts the IEEvents thread.
The malware usually shows popups (about 100 per day) telling users that they are infected and asking them to download rogue antispyware programs like (SysProtect,Storage Protect and WinFixer)
To test that the trojan is allready installed on the victim’s computer, Vundo tests the existence of a mutex called VMProtectionMutex.
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogonNotify
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionExplorerBrowser Helper Objects
It searches some of the most known antispyware programs and tries to inject in them. For example:
it searches awx_mutant mutex and if it finds it tries to inject in ad-aware.exe (Lavasoft ad-aware)it searches ssw_mutant mutex and if it finds it tries to inject into wrsssdk.exe(Webroot Spysweeper’s)it searches hjt_mutant mutex and if it finds it tries to inject into hijackthis.exe. Because of this many hijackthis logs do not show the existence of the vundo trojan.
To show popups the malware acts as a browser object that introduces inside some of the pages visited a IFRAME tag pointing to a url with the address 127.0.0.1 that immediately loads some kind of comercial advertising. To avoid some kind of HTTP activity firewall signature it does not use the browser to get the content. It has another component that acts as a http server inside the host machine; this component communicates to a malware server through a TCP/IP connection using a proprietary communication protocol, thus getting the actual content of the advertisementLast update 21 November 2011