Hi essexboy,
Yes it is an ongoing battle against the vundo monster, see the posting in our special corner re: win32.bho-hd with vundo characteristics, there I posted the latest file traces (dated Jan 3rd 2008).
I also expect there are certain dlls in Firefox that can add to this spread; these were reported where certain similar spyware was concerned (Adware). The glitch in Windows that causes the Windows protection to slowly diminish while the machine is just connected to the Internet is hard to avoid. Best policy at the moment: update Sun Java and remove older versions, use NoScript, and surf with normal user rights and not with full admin rights. In the latest versions a driver dll is loaded and a BHO created, and also initial executable names are being reverted. Well, they use all the tricks in the malware book, and it is effective...
An example of a vundo infection:
Side effects:
• Drops a file
• Drops a malicious file
• Third party control
Files: It deletes the initially executed copy of itself.
The following files are created:
– %SYSDIR%\%seven-digit random character string%.dll Further investigation pointed out that this file is malware, too. Detected as: ADSPY/Virtumonde.B
– %TEMPDIR%\removalfile.bat Furthermore it gets executed after it was fully created. This batch file is used to delete a file.
Registry: The following registry keys are added:
– [HKCR\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\InprocServer32]
• @="%SYSDIR%\%seven-digit random character string%.dll"
• "ThreadingModel"="Both"
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
• "{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"=""
– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\vtutrrq]
• "Asynchronous"=dword:00000001
• "DllName"="%seven-digit random character string%"
• "Impersonate"=dword:00000000
• "Logon"="Logon"
• "Logoff"="Logoff"
Backdoor: Contact server:
All of the following:
• http: //82.98.235.63/cgi-bin/check/**********
• http: //85.12.25.**********
As a result it may send information and remote control could be provided.
Sends information about:
• Current malware status
Remote control capabilities:
• Download file
Injection: It injects the following file into a process: %SYSDIR%\%seven-digit random character string%.dll
All of the following processes:
• explorer.exe
• WINLOGON.EXE
Rootkit Technology: It is a malware-specific technology. The malware hides its presence from system utilities, security applications and in the end, from the user.
Hides the following:
– Its own files
polonus
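As an added example (not from the post or from the AV description quoted in it), here is a small offline audit of the two persistence locations listed above: ShellExecuteHooks entries whose CLSID resolves to a seven-letter random-named DLL, and Winlogon\Notify packages with such a DllName or with Asynchronous set. The .reg text it parses is constructed, and the random 7-letter pattern is taken from the "%seven-digit random character string%" wording in the description.

```python
import re
from collections import defaultdict

# Constructed .reg-style export (not from a real machine) mirroring the keys in the post.
# The {1111...} CLSID and the crypt32chain package are constructed benign entries.
SAMPLE_REG = r"""
[HKEY_CLASSES_ROOT\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\InprocServer32]
@="C:\\WINDOWS\\system32\\qfxjkrp.dll"
"ThreadingModel"="Both"

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\WINDOWS\\system32\\shell32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"=""
"{11111111-2222-3333-4444-555555555555}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\vtutrrq]
"Asynchronous"=dword:00000001
"DllName"="vtutrrq"
"Impersonate"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"="crypt32.dll"
"""

RANDOM_DLL = re.compile(r"^[a-z]{7}(\.dll)?$")  # "seven-digit random character string"
HOOKS = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellExecuteHooks"
NOTIFY = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\"

def parse_reg(text):
    """Minimal .reg parser: {key: {value_name: value}}; '@' is the default value."""
    keys, current = defaultdict(dict), None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif current and "=" in line:
            name, _, val = line.partition("=")
            keys[current][name.strip('"')] = val.strip('"').replace("\\\\", "\\")
    return keys

def audit(keys):
    """Return findings for hook/notify entries backed by a random 7-letter DLL or async notify."""
    findings = []
    for clsid in keys.get(HOOKS, {}):  # each value name under ShellExecuteHooks is a CLSID
        server = keys.get("HKEY_CLASSES_ROOT\\CLSID\\" + clsid + "\\InprocServer32", {}).get("@", "")
        if RANDOM_DLL.match(server.rsplit("\\", 1)[-1].lower()):
            findings.append(f"ShellExecuteHooks {clsid} -> {server}")
    for key, values in keys.items():
        if key.startswith(NOTIFY):
            package, dll = key.rsplit("\\", 1)[-1], values.get("DllName", "")
            if RANDOM_DLL.match(dll.lower()) or values.get("Asynchronous") == "dword:00000001":
                findings.append(f"Winlogon Notify {package} -> {dll}")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_reg(SAMPLE_REG)):
        print("SUSPICIOUS:", finding)
```

On a live system the same checks apply to a `reg export` of these hives; a DllName without a path is loaded from %SYSDIR%, which is why the bare seven-letter name is itself a signal.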