Vundo.HD is a trojan that displays pop-up advertisements. The adware connects to a server and queries for advertisements to display.
Disinfection of the Vundo.HD trojan should be performed as follows:
The first time a system is infected, the trojan creates the following files:
Note: %username% represents the user profile folder under "c:\Documents and Settings\" and %windir% represents what is typically "C:\WINDOWS\".The file ntdll64.dll is an LSP hijack component that works by inserting itself into the LSP stack and hijacking all winsock2 traffic going to and out of a machine.The files %windir%\system32\userinit.exe and %windir%\system32\dllcache\userinit.exe are known Windows files. They are both overwritten by the trojan.In addition, the trojan modifies the following file:
The trojan uses several techniques to actively prevent the user from removing its files from the system. Even if the user does successfully remove the files in question, the trojan can restore them by using a Windows mechanism called the Windows File Protection (WFP). More information on this mechanism is available from Microsoft at http://support.microsoft.com/kb/236995.
If the user attempts to remove the file ntdll64.dll without restoring the LSP stack, the action will break all network connectivity from within the machine. Users are advised not to manually delete this file; instead, use F-Secure products to perform this operation.
Date Created: -
Date Last Modified: -