Trojan.Vundo.EWZ
Increase of network activity. Some popups window will appear in Internet Explorer.
The vundo trojan is usually a dll with a random name located in system32 directory. The length of the file name is usually 5 to 7 characters (depending on the version).
The malware usually consists of 6 threads named Main thread, Protection thread, Registry Thread, File thread, IEEvents thread, Stop and Recover thread. The malware has the capability of writing informations about each of these threads in a log file (even though most of the versions don’t do that). The malware performs different actions depending on the place where it runs. If it runs from lsass.exe or winlogon.exe it starts the protection mutex. If it runs from Internet Explorer it starts the IEEvents thread.
The malware usually shows popups (about 100 per day) telling users that they are infected and asking them to download rogue antispyware programs like (SysProtect,Storage Protect and WinFixer)
To test that the trojan is allready installed on the victim’s computer, Vundo tests the existence of a mutex called VMProtectionMutex.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
It searches some of the most known antispyware programs and tries to inject in them. For example:
To show popups the malware acts as a browser object that introduces inside some of the pages visited a IFRAME tag pointing to a url with the address 127.0.0.1 that immediately loads some kind of comercial advertising. To avoid some kind of HTTP activity firewall signature it does not use the browser to get the content. It has another component that acts as a http server inside the host machine; this component communicates to a malware server through a TCP/IP connection using a proprietary communication protocol, thus getting the actual content of the advertisement
SHARE
THIS ON