Trojan:Win32/Vundo.JC.dll
First posted on 16 March 2009.
Source: SecurityHome
Aliases: Trojan:Win32/Vundo.JC.dll is also known as Win32/Vundo.BAS (CA), Troj/Virtum-Gen (Sophos), Backdoor.Win32.Agent.tlr (Kaspersky), Vundo (McAfee), Trojan.Awax (Symantec).
Explanation:
Trojan:Win32/Vundo.JC.dll is a detection for the DLL file component of the Vundo family. Vundo variants deliver 'out of context' pop-up advertisements on the computer on which they are installed and may terminate services and processes.
Symptoms
There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptom(s).
Installation
Trojan:Win32/Vundo.JC.dll is installed on an affected machine as a Browser Helper Object (BHO) without the user's consent. It arrives as a DLL file that is dropped into the Windows system folder with a random file name, and it registers itself as a BHO under a randomly generated CLSID. Some of the CLSIDs it has been known to use are:
{4EF18216-B392-4994-BC7E-89FF5BE4C45A}
{493915C6-E232-464B-8F94-1F3E028970D5}
{9E91EF7B-6846-45C3-A8AB-67CF7C900783}
It also modifies the system registry so that it runs automatically every time Windows starts:
Adds value: "<malware file name>"
With data: "<malware file name>.dll"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Adds value: "<malware file name>"
With data: "<malware file name>.dll"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Adds value: "<malware file name>"
With data: "<malware file name>.dll"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
It also injects itself into the following Windows processes:
Explorer.exe
Winlogon.exe
It also creates the mutex awx_mutant to ensure that only one copy of itself is running at any given time.
Payload
Terminates Processes
Trojan:Win32/Vundo.JC.dll may terminate processes whose names contain the following strings, which may be associated with security software:
GCASSERVALERT
AD-AWARE.EXE
Displays Pop-up Advertisements
Trojan:Win32/Vundo.JC.dll may display advertisements and may redirect users to the following websites:
www.seekseek.com
is1.websearch.com
Disables Services
Some samples of Trojan:Win32/Vundo.JC.dll have been known to disable the Windows Automatic Updates service (wuauserv).
Avoids Detection
Some samples are also known to detect whether the Microsoft Malicious Software Removal Tool (mrt.exe) is running and, if so, terminate themselves in an attempt to avoid detection.
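The indicators given in the Installation and Payload sections (the BHO CLSIDs, the Run, RunOnce and Winlogon\Notify entries pointing at a DLL, the awx_mutant mutex, injection into Explorer.exe and Winlogon.exe, and the disabled wuauserv service) can be checked on a live host with the following PowerShell triage script. It is an added example, not code from the original write-up or from any vendor. It assumes an elevated interactive session on the suspect host; it assumes the mutex was created in the session-local namespace, since the write-up gives no namespace prefix; and it uses Authenticode signature status as a first-pass filter for random-named DLLs, which on older hosts reports catalog-signed OS files as NotSigned, so its output is a list of candidates to review, not a verdict.

```powershell
# Added triage script (not part of the original write-up): read-only checks for the
# persistence and payload indicators described above. Assumes an elevated, interactive
# PowerShell session on the suspect host (needed to read HKLM, enumerate winlogon.exe
# modules, and see a session-local mutex).

$KnownClsids = @(   # BHO CLSIDs the write-up lists for this family
    '{4EF18216-B392-4994-BC7E-89FF5BE4C45A}',
    '{493915C6-E232-464B-8F94-1F3E028970D5}',
    '{9E91EF7B-6846-45C3-A8AB-67CF7C900783}'
)
$Findings = New-Object 'System.Collections.Generic.List[object]'

function Add-Finding($Indicator, $Where, $Data, $Note) {
    $Findings.Add([pscustomobject]@{ Indicator = $Indicator; Where = $Where; Data = $Data; Note = $Note })
}

# The DLL is dropped under the system folder with a random name, so a bare "name.dll"
# in registry data is resolved there before its Authenticode signature is checked.
function Get-DllSignatureStatus($Data) {
    $path = [regex]::Match("$Data", '(?i)[^"]*\.dll').Value      # first *.dll token in the data
    if (-not $path) { return 'NoDll' }
    if (-not (Split-Path -Path $path -IsAbsolute)) { $path = Join-Path $env:SystemRoot "System32\$path" }
    if (-not (Test-Path -LiteralPath $path)) { return 'FileMissing' }
    return (Get-AuthenticodeSignature -FilePath $path).Status.ToString()   # 'Valid' for a properly signed file
}

# 1. Browser Helper Objects: each CLSID subkey here is loaded into Internet Explorer.
#    Report the CLSIDs the write-up lists and any BHO whose DLL is not validly signed,
#    because the family randomises both CLSID and file name. 32-bit BHOs on x64 live
#    under Wow6432Node.
$bhoKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects')
foreach ($bho in $bhoKeys) {
    foreach ($k in @(Get-ChildItem -Path $bho -ErrorAction SilentlyContinue)) {
        $clsid  = $k.PSChildName
        $server = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        $sig    = Get-DllSignatureStatus $server
        if ($KnownClsids -contains $clsid) { Add-Finding 'BHO' $clsid $server 'CLSID listed for Vundo.JC' }
        elseif ($sig -ne 'Valid')          { Add-Finding 'BHO' $clsid $server "BHO DLL not validly signed ($sig)" }
    }
}

# 2. Run / RunOnce / Winlogon\Notify: the sample writes "<name>.dll" as autorun data.
#    Values directly under each key are checked, plus one level of subkeys, because
#    legitimate Winlogon notification packages keep their DllName in a subkey.
$autorunKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
                 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify')
foreach ($key in $autorunKeys) {
    foreach ($k in @(Get-Item -Path $key -ErrorAction SilentlyContinue) + @(Get-ChildItem -Path $key -ErrorAction SilentlyContinue)) {
        foreach ($name in $k.GetValueNames()) {
            $data = $k.GetValue($name)
            if ("$data" -notmatch '(?i)\.dll') { continue }
            $sig = Get-DllSignatureStatus $data
            if ($sig -ne 'Valid') { Add-Finding 'Autorun' "$($k.Name)\$name" $data "autorun data names a DLL ($sig)" }
        }
    }
}

# 3. Mutex awx_mutant. Assumption: created without a Global\ prefix, so it is visible only
#    from the same session as the injected Explorer.exe. Access denied still proves it exists.
try   { ([System.Threading.Mutex]::OpenExisting('awx_mutant')).Dispose(); Add-Finding 'Mutex' 'awx_mutant' '' 'mutex present in this session' }
catch [System.Threading.WaitHandleCannotBeOpenedException] { }                        # absent: expected on a clean host
catch [System.UnauthorizedAccessException] { Add-Finding 'Mutex' 'awx_mutant' '' 'mutex present (access denied)' }

# 4. Injection into Explorer.exe / Winlogon.exe: list modules loaded from the system
#    folder that carry no valid signature. Needs admin rights and matching bitness.
foreach ($proc in @(Get-Process -Name explorer, winlogon -ErrorAction SilentlyContinue)) {
    try {
        foreach ($m in $proc.Modules) {
            if ($m.FileName -notlike "$env:SystemRoot\System32\*") { continue }
            $sig = (Get-AuthenticodeSignature -FilePath $m.FileName).Status
            if ($sig -ne 'Valid') { Add-Finding 'Module' "$($proc.ProcessName):$($proc.Id)" $m.FileName "loaded module not validly signed ($sig)" }
        }
    } catch { Add-Finding 'Module' "$($proc.ProcessName):$($proc.Id)" '' "could not enumerate modules: $($_.Exception.Message)" }
}

# 5. Automatic Updates: some samples disable wuauserv. Only a Disabled start mode is
#    flagged, since the service is legitimately Manual/Stopped on newer Windows.
$wu = Get-CimInstance -ClassName Win32_Service -Filter "Name='wuauserv'"
if ($wu -and $wu.StartMode -eq 'Disabled') { Add-Finding 'Service' 'wuauserv' "$($wu.StartMode)/$($wu.State)" 'Automatic Updates service disabled' }

if ($Findings.Count -eq 0) { 'No Vundo.JC indicators found.' } else { $Findings | Format-Table -AutoSize }
```

The script only reads; remediation (removing the BHO CLSID, the autorun values and the dropped DLL, then re-enabling wuauserv) is left to the analyst once the findings have been reviewed. A hit on a listed CLSID or on the mutex is strong evidence of this family; an unsigned-module hit alone is not, because the signature check cannot see catalog signatures on some hosts.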
Analysis by Vitaly Zaytsev
Last update 16 March 2009