Trojan:W32/Vundo.HD

Classification

Category :

Malware

Type :

Trojan

Aliases :

Trojan:W32/Vundo.HD, trojan.win32.agent.bbko, trojan.win32.zhelatin.ain, Fakeinit (Microsoft), dx trojan (McAfee)

Summary

Vundo.HD is a trojan that displays pop-up advertisements. The adware connects to a server and queries for advertisements to display.

Removal

Manual action

Disinfection of the Vundo.HD trojan should be performed as follows:

  • Update to the latest virus definitions.
  • Perform a "Quick spyware scan".
  • Restart all disinfected computers.
  • Delete the following files:
    • \Documents and Settings\%username%\Local Settings\Temp\ntdll64.dll
    • %windir%\system32\dllcache\userinit.exe
  • Restore the file %windir%\system32\userinit.exe from a trusted backup source.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Installation

The first time a system is infected, the trojan creates the following files:

  • \Documents and Settings\%username%\Local Settings\Temp\mousehook.dll
  • \Documents and Settings\%username%\Local Settings\Temp\ntdll64.dll
  • %windir%\system32\win32hlp.cnf
  • %windir%\system32\dllcache\userinit.exe

Note: %username% represents the user profile folder under "c:\Documents and Settings\" and %windir% represents what is typically "C:\WINDOWS\".The file ntdll64.dll is an LSP hijack component that works by inserting itself into the LSP stack and hijacking all winsock2 traffic going to and out of a machine.The files %windir%\system32\userinit.exe and %windir%\system32\dllcache\userinit.exe are known Windows files. They are both overwritten by the trojan.In addition, the trojan modifies the following file:

  • %windir%\system32\userinit.exe

The trojan uses several techniques to actively prevent the user from removing its files from the system. Even if the user does successfully remove the files in question, the trojan can restore them by using a Windows mechanism called the Windows File Protection (WFP). More information on this mechanism is available from Microsoft at http://support.microsoft.com/kb/236995.

Notes

If the user attempts to remove the file ntdll64.dll without restoring the LSP stack, the action will break all network connectivity from within the machine. Users are advised not to manually delete this file; instead, use F-Secure products to perform this operation.