ALIASES:

Monder, Monderd, Virtum, Monderb

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

Infection Channel: Downloaded from the Internet

VUNDO is a family of Trojans, adware, and spyware first spotted in 2004. It usually arrives as a bundle of components, downloaded from malicious websites.

VUNDO is multi-component, meaning it has several files working to achieve its purpose - present pop-up advertisements on infected computers. Said advertisements may lead users to fraudulent websites or applications.

VUNDO malware are also capable of downloading other malware files. They commonly arrive on the system as a .DLL file that is installed as a BHO (browser helper object).

  TECHNICAL DETAILS

Memory Resident: Yes
Payload: Connects to URLs/IPs, Downloads files

Installation

This Trojan drops the following files:

  • %System%\bb911232-.txt
  • %System%\{Random}.dll
  • %User Temp%\removalfile.bat
  • {malware path}\{malware name}.ini
  • {malware path}\{malware name}.ini2

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.)

Autostart Technique

This Trojan adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CLASSES_ROOT\CLSID\{random CLSID}\
InprocServer32
{default} = "{malware path}\{malware name}.dll"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{random CLSID}\InprocServer32
{default} = "{malware path}\{malware name}.dll"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
{random name} = "Rundll32.exe {malware path}\{malware name}.dll,s"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
{random name} = "Rundll32.exe "{malware path}\{malware name}.dll",a"

Other System Modifications

This Trojan adds the following registry keys:

HKEY_CLASSES_ROOT\CLSID\{random CLSID}

HKEY_CLASSES_ROOT\CLSID\{random CLSID}\
InprocServer32

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{random CLSID}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{random CLSID}\InprocServer32

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
FCOVM

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
RemoveRP

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
{random characters}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Browser Helper Objects\{random CLSID}

It adds the following registry entries:

HKEY_CLASSES_ROOT\CLSID\{random CLSID}\
InprocServer32
(Default) = "%System%\{random}.dll"

HKEY_CLASSES_ROOT\CLSID\{random CLSID}\
InprocServer32
ThreadingModel = "Both"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings
GlobalUserOffline = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{random CLSID}\InprocServer32
ThreadingModel = "Both"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Windows
LoadAppInit_DLLs = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon\
Notify\{Random}
Asynchronous = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon\
Notify\{Random
DllName = "{Random}.dll"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon\
Notify\{Random}
Impersonate = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon\
Notify\{Random}
Logoff = "Logoff"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon\
Notify\{Random}
Logon = "Logon"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
SharedTaskScheduler
{random CLSID} = "jugezatag"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
ShellExecuteHooks
{random CLSID} = ""

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\ShellServiceObjectDelayLoad
{random name} = "{random CLSID}"

It modifies the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Windows
AppInit_DLLs = "{malware path}\{malware name}.dll"

(Note: The default value data of the said registry entry is {blank}.)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\wuauserv
Start = "4"

(Note: The default value data of the said registry entry is 2.)

Other Details

This Trojan connects to the following possibly malicious URL:

  • http://{BLOCKED}.{BLOCKED}.103.60/go//?cmp=vmtek_update&lid=run&uid={data}&guid={data}
  • http://{BLOCKED}.{BLOCKED}.231.95/main/logo.html?sid={random}
  • http://{BLOCKED}.{BLOCKED}.235.70/443
  • http://{BLOCKED}.{BLOCKED}.115.146/info.png?cmp={data}&rid={data}&affid={data}&mid={data}&revid={data}&uid={uid}&guid={guid}&mrk=1&ver={data}
  • http://{BLOCKED}.{BLOCKED}.166.138/32/32.dll?setid=an2g&affid={data}&uid=&rid=vm571&guid={guid}
  • http://{BLOCKED}.{BLOCKED}.166.138/32/32.dll?setid={data}&affid={data}&uid={data}&rid={data}&guid={guid}
  • http://{BLOCKED}.{BLOCKED}.169.55/i.exe?setid=an2g&affid={data}&uid=&rid=vm571&guid={guid}
  • http://{BLOCKED}.{BLOCKED}.169.55/i.exe?setid={data}&affid={data}&uid=&rid={data}&guid={guid}