The vundo trojan is usually a dll with a random name located in system32 directory. The length of the file name is usually 5 to 7 characters (depending on the version).
The malware usually consists of 6 threads named Main thread, Protection thread, Registry Thread, File thread, IEEvents thread, Stop and Recover thread. The malware has the capability of writing informations about each of these threads in a log file (eventhough most of the versions don’t do that). The malware performs different actions depending on the place where it runs. If it runs from lsass.exe or winlogon.exe it starts the protection mutex. If it runs from Internet Explorer it starts the IEEvents thread.
The malware usually shows popups (about 100 per day) telling users that they are infected and asking them to download rogue antispyware programs like (SysProtect,Storage Protect and WinFixer)
To test that the trojan is allready installed on the victim’s computer, Vundo tests the existence of a mutex called VMProtectionMutex.
To start when the computer starts the trojan adds itself to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
It searches some of the most known antispyware programs and tries to inject in them. For example:
it searches awx_mutant mutex and if it finds it tries to inject in ad-aware.exe (Lavasoft ad-aware)
it searches ssw_mutant mutex and if it finds it tries to inject into wrsssdk.exe(Webroot Spysweeper’s)
it searches hjt_mutant mutex and if it finds it tries to inject into hijackthis.exe. Because of this many hijackthis logs do not show the existence of the vundo trojan.
It also injects into Explorer.exe, firefox.exe and mozilla.exe .
Some versions of the Vundo trojan test the existence of the virtual machine VMWare. If it finds this virtual machine the malware will start corupting its stack.
Other protection methods are:
It deletes all restore points from 0 to 1000 and creates a new restore point with the name “Last known good configuration”.
It searches for a window of the SpywareDoctor with the class TfrmSbPrompt and then searches within it for another window that contains two buttons (Yes/NO) and performs a click on the button Yes.
It deletes all the registry keys from PendingFileRenameOperations that refers the the trojan dll.
The sinchronization between threads is performed using mutexes with random name, optained by encrypting the serial number of the first drive.
It collects various informations about the infected computer and sends it to server. For example, it gets:
all ip addresses;
the name of the computer
internet explorer version
to which user and organization is the OS registered
Number of processors
If the user is adminstrator
Proxy address (if the computer is behind a proxy)
It also retrieves informations about the infection:
Last successfull connection
How many times it connected to the server
The path to the infected dll.
It also retrieves informations about the architecture of the computer:
Informations about each fixed drive (name,serial, Total Space, Free Space)
Date of the trojan installation.
The data is added to a http header, crypted and sent to the server. It then retrieves some data from server like the number of popups to show each day (usually 100).