Vundo is coming, are you well defended?

Posted by Hari Saryono on 20 February 2009


A new downloader trojan was found on Feb 4, 2009. Vendors detect it under the following names:

  • Trojan.Awax [Symantec]
  • Trojan.Virtumod.1465 [Doctor Web]
  • Trojan:Win32/Vundo.JI [Microsoft]
  • W32/Zhelatin.O.gen!Eldorado [F-Secure]
  • Win32/Adware.Virtumonde [Nod32]

This threat is classified as low risk, but of course it’s annoying.

Characteristics –

When executed, this downloader trojan drops the following files:

  • %System%/ljjdsllb.dll [Detected as Vundo]
  • %Temp%/ssqpmjde.bat [Batch file to delete the original dropper]

It then connects to the following website on TCP port 80:

The downloaded file apstpldr.dll [Detected as Vundo] is saved to the %System% folder as ssqpmjde.dll.

The downloaded and dropped files inject themselves into other running processes and could download more malware onto the victim’s machine; that further activity is beyond the scope of this description.

Since the malicious files are injected into common running processes like iexplore.exe [Internet Explorer], software-based firewalls might not alert on the outgoing connections made by the malware, because the traffic appears to come from a trusted program.

Note:

  • %Temp% refers to the temporary folder. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp (Windows NT/2000/XP)
  • %System% refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP)

How to remove it manually

1. Open Total Commander

  • Go to C:\Windows\task\ and remove any suspicious task in it (by default there is no task there, so deleting a task here will not affect your system)
  • Make sure your display settings show hidden files
  • Sort by Date Modified and look for suspicious files with the same modification date as the dropped files, as in the example below (the file name is random):

2. Download Autoruns here. Unpack only autoruns.exe and run it

In Autoruns, find and delete the registry entries shown below:

3. Delete the following files

  • %System%/ljjdsllb.dll
  • %Temp%/ssqpmjde.bat [Batch file to delete the original dropper]

4. Restart your computer. Done.
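The manual steps above boil down to two checks: look for the dropped file names listed in this post, and then look for any other file in the same folder (hidden files included) whose modification date matches, since the real dropper uses a random name. The following script is an added example written for this page, not code from the original post; it implements those two checks over a directory listing. The file names come from the write-up above, the 10-minute grouping window and the sample listing are my own constructed assumptions, and `scan_dir` is a hypothetical helper for building the same listing from a live folder such as %System% or %Temp%.

```python
import ntpath
import os
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# File names given in the write-up above: the dropped DLL, the self-deleting
# batch file, and the downloaded apstpldr.dll under its saved name.
KNOWN_NAMES = {"ljjdsllb.dll", "ssqpmjde.bat", "ssqpmjde.dll", "apstpldr.dll"}

FILE_ATTRIBUTE_HIDDEN = 0x2  # Windows file attribute bit


@dataclass
class Entry:
    path: str          # Windows-style path, handled with ntpath so it works on any OS
    mtime: datetime    # "Date modified" as shown in the file manager
    hidden: bool = False


def scan_dir(directory: str) -> List[Entry]:
    """Build Entry objects from a real folder (hypothetical helper).
    Hidden files are NOT skipped: the hidden flag is only recorded, so the
    check below does not depend on the Explorer 'show hidden files' setting."""
    out = []
    with os.scandir(directory) as it:
        for d in it:
            if not d.is_file(follow_symlinks=False):
                continue
            st = d.stat(follow_symlinks=False)
            hidden = bool(getattr(st, "st_file_attributes", 0) & FILE_ATTRIBUTE_HIDDEN)
            out.append(Entry(d.path, datetime.fromtimestamp(st.st_mtime), hidden))
    return out


def triage(entries: List[Entry], window: timedelta = timedelta(minutes=10)) -> Dict[str, str]:
    """Return {path: reason} for suspicious entries.
    Pass 1: any file whose name is a known dropped-file name.
    Pass 2: any other file in the SAME folder modified within `window` of a
            pass-1 hit (the 'same Date Modified, random name' step above).
    Files in other folders are not grouped, so a legitimate install elsewhere
    at the same minute is not flagged."""
    hits = [e for e in entries if ntpath.basename(e.path).lower() in KNOWN_NAMES]
    findings = {e.path: "known dropped file name" for e in hits}
    for h in hits:
        folder = ntpath.dirname(h.path).lower()
        for e in entries:
            if e.path in findings or ntpath.dirname(e.path).lower() != folder:
                continue
            if abs(e.mtime - h.mtime) <= window:
                findings[e.path] = f"modified within {window} of {ntpath.basename(h.path)}"
    return findings


def suspicious_names(entries: List[Entry], window: timedelta = timedelta(minutes=10)) -> List[str]:
    """Sorted base names of everything triage() flagged."""
    return sorted(ntpath.basename(p) for p in triage(entries, window))


# Constructed sample listing (not a real capture): two legitimate system DLLs,
# the files named in the post, one hidden random-named sibling written at the
# same time, and an unrelated install in another folder at the same minute.
SYS = r"C:\Windows\System32"
TMP = r"C:\Documents and Settings\User\Local Settings\Temp"
SAMPLE = [
    Entry(SYS + r"\kernel32.dll", datetime(2008, 4, 14, 12, 0)),
    Entry(SYS + r"\user32.dll", datetime(2008, 4, 14, 12, 0)),
    Entry(SYS + r"\ljjdsllb.dll", datetime(2009, 2, 4, 9, 31)),
    Entry(SYS + r"\ssqpmjde.dll", datetime(2009, 2, 4, 9, 32)),
    Entry(SYS + r"\xqwertuv.dll", datetime(2009, 2, 4, 9, 33), hidden=True),
    Entry(TMP + r"\ssqpmjde.bat", datetime(2009, 2, 4, 9, 31)),
    Entry(TMP + r"\~DF1234.tmp", datetime(2009, 2, 1, 8, 0)),
    Entry(r"C:\Program Files\App\app.exe", datetime(2009, 2, 4, 9, 31)),
]

if __name__ == "__main__":
    for path, why in triage(SAMPLE).items():
        print(f"{path}  <-  {why}")
```

Run it as-is to see the report over the constructed listing; on a Windows machine, replace `SAMPLE` with `scan_dir(os.environ["SystemRoot"] + r"\System32") + scan_dir(os.environ["TEMP"])` to apply the same checks to the real folders. Treat the date-match pass as a triage aid, not a verdict: a Windows update that landed in the same window would be flagged too, which is why the post says to inspect the results before deleting anything.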

2 Responses to “Vundo is coming, are you well defended?”

  1. […] the same family as System Guard 2009 and Spyware Guard 2009. This rogue is promoted by the Trojan Vundo infection, which displays fake security alerts and pop-ups that state your computer is infected. […]

  2. […] sending in money to fix a fake vulnerability, has been done before. However, the latest version of Vundo does this and adds a twist. Vundo is "ransomware." It uses polymorphism to mask the […]
