Threat behavior
Trojan:Win32/Vundo.KA is a trojan that injects itself into running processes to avoid detection. It connects to a remote server to send information about the infected computer and, possibly, to download and execute other files. It also terminates or modifies certain processes that may belong to antispyware programs.
Installation
Upon execution, Trojan:Win32/Vundo.KA checks whether it has been loaded by any of the following processes:
- explorer.exe
- rundll32.exe
- ad-aware.exe
- winlogon.exe
It may create a registry entry under the following key so that it is loaded automatically when the system starts. Each value under this key is the CLSID of a COM object that the Windows shell (explorer.exe) loads at logon as a shell execute hook, so the trojan runs inside explorer.exe without needing a separate Run entry:
HKLM\software\microsoft\windows\currentversion\explorer\shellexecutehooks
It may create a mutex to ensure that only one instance of itself is running at any given time. The mutex may have any of the following names:
- VMMainMutex
- VMProtectionMutex
- VCMMTX
- awx_mutant
- _ConsprMutex
Payload
Modifies running processes
Trojan:Win32/Vundo.KA may search for and inject code into the process "ad-aware.exe" (Lavasoft Ad-Aware). It also attempts to terminate any running process named "gcasservalert.exe" (the alert component of Microsoft AntiSpyware, formerly GIANT AntiSpyware). Both processes belong to antispyware programs.
Connects to a remote server
Trojan:Win32/Vundo.KA attempts to connect to a remote server, possibly to download and execute other components and to send information about the infected computer (such as the operating system version and which antivirus programs are installed) to a remote attacker.
The server it attempts to connect to may be either of the following IP addresses. The port and protocol used are not recorded here, and addresses of this age may since have been reassigned, so treat them as historical indicators to check against proxy and firewall logs rather than as proof of infection on their own:
- 82.98.235.70
- 65.243.103.80
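The following triage script is an added example and is not part of the original analysis. It checks a Windows host for the indicators listed under Installation and Connects to a remote server: the ShellExecuteHooks persistence key (resolving each CLSID to its InprocServer32 DLL and checking its Authenticode signature), the five mutex names, unsigned modules loaded into the processes the trojan expects to be hosted by, and live TCP connections to the two listed addresses. The signature and module checks are this script's own additions, not something the page describes; it assumes an elevated PowerShell 3.0 or later session, and Get-NetTCPConnection is only available on Windows 8 / Server 2012 and later.

```powershell
# Added triage script for the Trojan:Win32/Vundo.KA indicators on this page.
# Not part of the original write-up. Run from an elevated PowerShell prompt.
# Indicator names and addresses come from the page; the DLL-path, signature and
# module checks are additions of this script.

$HookKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
$MutexNames = 'VMMainMutex', 'VMProtectionMutex', 'VCMMTX', 'awx_mutant', '_ConsprMutex'
$C2Hosts    = '82.98.235.70', '65.243.103.80'
$HostProcs  = 'explorer', 'rundll32', 'winlogon', 'ad-aware'

# 1. Persistence: each value name under ShellExecuteHooks is a CLSID whose
#    InprocServer32 DLL explorer.exe loads at logon. Resolve it and check the
#    signature; a hook DLL that is unsigned or missing deserves a closer look.
function Get-ShellExecuteHook {
    if (-not (Test-Path $HookKey)) { return }
    foreach ($clsid in (Get-Item $HookKey).GetValueNames() | Where-Object { $_ }) {
        $dll = $null
        foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKCU:\SOFTWARE\Classes\CLSID') {
            $server = Join-Path $root "$clsid\InprocServer32"
            if (Test-Path $server) {
                $raw = (Get-ItemProperty $server).'(default)'
                if ($raw) { $dll = [Environment]::ExpandEnvironmentVariables($raw) }
                break
            }
        }
        $status = 'NoInprocServer32'
        if ($dll) {
            $status = if (Test-Path $dll) { (Get-AuthenticodeSignature $dll).Status } else { 'DllMissing' }
        }
        [pscustomobject]@{ CLSID = $clsid; Dll = $dll; Signature = $status }
    }
}

# 2. Mutexes: OpenExisting succeeds only if a running process already created
#    the mutex. The page does not say which namespace is used, so try both the
#    session-local and the Global name.
function Test-VundoMutex {
    foreach ($name in $MutexNames) {
        foreach ($full in $name, "Global\$name") {
            $present = $false
            try {
                $m = [System.Threading.Mutex]::OpenExisting($full)
                $m.Dispose()
                $present = $true
            } catch [System.Threading.WaitHandleCannotBeOpenedException] {
                $present = $false
            } catch [System.UnauthorizedAccessException] {
                # The object exists but its ACL denies us: still evidence it is held.
                $present = $true
            }
            [pscustomobject]@{ Mutex = $full; Present = $present }
        }
    }
}

# 3. Injection targets: modules without a valid Authenticode signature inside
#    the processes the trojan checks for. Reading winlogon's module list
#    requires elevation; access failures are reported rather than hidden.
function Get-UnsignedModule {
    foreach ($proc in Get-Process -Name $HostProcs -ErrorAction SilentlyContinue) {
        try { $modules = $proc.Modules } catch {
            [pscustomobject]@{ Process = $proc.ProcessName; Pid = $proc.Id; Module = '<access denied>'; Signature = $null }
            continue
        }
        foreach ($mod in $modules) {
            $sig = Get-AuthenticodeSignature $mod.FileName -ErrorAction SilentlyContinue
            if ($sig.Status -ne 'Valid') {
                [pscustomobject]@{ Process = $proc.ProcessName; Pid = $proc.Id; Module = $mod.FileName; Signature = $sig.Status }
            }
        }
    }
}

# 4. Network: established TCP connections to the listed addresses. No port or
#    protocol is recorded on the page, so match on the remote address only.
#    On systems without Get-NetTCPConnection, fall back to 'netstat -ano'.
function Get-VundoConnection {
    Get-NetTCPConnection -ErrorAction SilentlyContinue |
        Where-Object { $C2Hosts -contains $_.RemoteAddress } |
        Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess
}

Get-ShellExecuteHook  | Format-Table -AutoSize
Test-VundoMutex       | Where-Object Present | Format-Table -AutoSize
Get-UnsignedModule    | Format-Table -AutoSize
Get-VundoConnection   | Format-Table -AutoSize
```

A legitimate shell execute hook is not unusual on its own (some security products register one), so the point of the first check is the combination: an unsigned or oddly named DLL under ShellExecuteHooks together with one of the mutexes held, or a connection to one of the listed addresses. Run the mutex check in the logged-on user's session as well as from the elevated prompt, since a session-local mutex created by explorer.exe is only visible from that session.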
Analysis by Andrei Florin Saygo
Prevention