Home / malwarePDF  

Trojan:W32/Vundo.HD


First posted on 16 January 2009.
Source: SecurityHome

Aliases :

There are no other names known for Trojan:W32/Vundo.HD.

Explanation :

A trojan, or trojan horse, is a seemingly legitimate program which secretly performs other, usually malicious, functions. It is usually user-initiated and does not replicate.

right]Vundo.HD is a trojan that displays pop-up advertisements. The adware connects to a server and queries for advertisements to display.

Installation

The first time a system is infected, the trojan creates the following files:

  • [userprofile]Documents and SettingsLocal SettingsTempmousehook.dll
  • [userprofile]Documents and SettingsLocal SettingsTemp
    tdll64.dll
  • [windir]system32win32hlp.cnf
  • [windir]system32dllcacheuserinit.exe

where [userprofile] is typically "C:Documents and settings" and [windir] is "c:windows".

The file ntdll64.dll is an LSP hijack component that works by inserting itself into the LSP stack and hijacking all winsock2 traffic going to and out of a machine.

The files [windir]system32userinit.exe and [windir]system32dllcacheuserinit.exe are known Windows files. They are both overwritten by the trojan.

In addition, the trojan modifies the following file:

  • [windir]system32userinit.exe

The trojan uses several techniques to actively prevent the user from removing its files from the system. Even if the user does successfully remove the files in question, the trojan can restore them by using a Windows mechanism called the Windows File Protection (WFP). More information on this mechanism is available from Microsoft at http://support.microsoft.com/kb/236995.

Notes

If the user attempts to remove the file ntdll64.dll without restoring the LSP stack, the action will break all network connectivity from within the machine. Users are advised not to manually delete this file; instead, use F-Secure products to perform this operation.

Last update 16 January 2009

 

TOP