wighty44

Tracking Down the Root Cause: Vundo Var.


Until this past September my WIN XP system has been virtually free of virus/adware problems, but over the past two months I've had 6 instances of Vundo variants infect my system and I'm trying to understand two things - what is the most likely infection source, and how do I remove a latent infection trigger...

Although I'm not a "malware hunter" I do have a reasonably sound understanding of computer HW & SW. So these infections were handled by a combination of Avast Pro, Outpost Pro FW, and SAS Pro (lifetime registration). However I'm frustrated not knowing how these Vundo variants (Fixed, EC, TDay, WinMM, Qheader, Broad, Gen, and SR) are getting into my system. I don't visit porn sites, I'm not using online file (or Media) sharing, and I'm not an online gamer. Any thoughts??

My last infection (twice today) was cleaned out by SASPro, but it left something behind and did not clean out a registry key in HKLM/SW/MS/Win/CurrVer/Run. While I was able to identify and remove the registry key, I have not been successful in finding the root cause of an OS process that I can see trying to load a DLL via SVCHOST & RUNDLL32 in Process Explorer. Just now I checked and two RUNDLL processes are trying to load jemitawa.dll & ginuzefa.dll (two of the 6 files identified as VUNDO variants by SASPro earlier today).

It seems to me that possibly my SVCHOST file may be a trojan, as these file names have to be coded into some file on my system for them to be written into a rundll command line that seems to pop up at will. So I'd like to know how to test this notion, and if my SVCHOST is a trojan, then perhaps the folks at SASPro might need to know that the program hasn't flagged the file as a problem.


Further investigation revealed that my SVCHOST file was not the culprit. HijackThis found several registry entries that SASPro missed, even though they referenced file names already identified by SASPro in the complete system scan as Vundo files.

The registry keys involved were:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]

[HKEY_CLASSES_ROOT\CLSID\{8364c871-288e-4437-8d9d-d3781cd05a73}]

[HKEY_CLASSES_ROOT\CLSID\{f3a8b122-4fe2-4c5e-80ec-484b49bcad79}]

[HKEY_CLASSES_ROOT\CLSID\{675f77a2-36a0-4903-8947-8d1cd4dacd9d}]

The last 3 keys used InprocServer32 as the means to load the Vundo files that were observed in the Rundll32 command line listed in Process Explorer scan under the svchost -k netsvcs listing.

It seems SASPro needs some tweaking to identify these keys. Perhaps these keys existed from the time of the first infection, and when some condition was satisfied the infection was re-established...


Later, I found 2 tasks added to the Task Manager, set to run hourly, that called rundll32 to load Vundo files (jemitawa & dadeyisi) added to the WINDOWS/SYSTEM32 folder by the malicious software.

In addition, I was able to identify the source of this infection using the Windows Event Viewer. If I've interpreted the information correctly, it was embedded in a Flash file from ectiver.net. I've added that site to my blocked sites list.

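The persistence locations the second and third posts describe (the HKLM Run key, SharedTaskScheduler CLSIDs resolved through InprocServer32, and hourly scheduled tasks invoking rundll32) can be checked together in one read-only triage pass. The script below is an added example written for this thread; it is not code from the original posts or from SASPro/HijackThis. It assumes an elevated PowerShell session and the presence of schtasks.exe, and it only reports what it finds, changing nothing. The three CLSIDs are the ones listed in the thread; the "no CompanyName in the version resource" test is a triage heuristic, not proof of infection.

```powershell
# Added triage script, not part of the original thread. Read-only: it reports the
# persistence locations the posts name and changes nothing.
# Assumptions: elevated PowerShell; schtasks.exe available (present on XP and later).

function Get-InprocDll {
    # Returns the DLL registered as InprocServer32 for a CLSID, or $null if none.
    param([string]$Clsid)
    $key = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32"
    if (Test-Path $key) { (Get-ItemProperty $key).'(default)' } else { $null }
}

function Test-UnattributedDll {
    # Heuristic only: a registered DLL that is missing on disk, or that carries no
    # CompanyName in its version resource, deserves a second look. Legitimate
    # system DLLs normally carry version information.
    param([string]$Path)
    if (-not $Path) { return $false }
    $expanded = [Environment]::ExpandEnvironmentVariables($Path.Trim('"'))
    if (-not (Test-Path $expanded)) { return $true }   # registered but file is gone
    $info = (Get-Item $expanded).VersionInfo
    return [string]::IsNullOrEmpty($info.CompanyName)
}

# 1. HKLM Run key (the key left behind after the first cleanup in this thread)
Write-Host '== HKLM\...\CurrentVersion\Run =='
$run = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run.PSObject.Properties |
    Where-Object { $_.Name -notlike 'PS*' } |          # drop PSPath/PSDrive etc.
    ForEach-Object { '{0,-30} {1}' -f $_.Name, $_.Value }

# 2. SharedTaskScheduler: each value name is a CLSID that Explorer loads at logon,
#    and the CLSID's InprocServer32 names the DLL that actually gets loaded.
Write-Host '== SharedTaskScheduler =='
$sts = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler'
if (Test-Path $sts) {
    foreach ($clsid in (Get-Item $sts).GetValueNames()) {
        $dll  = Get-InprocDll $clsid
        $flag = if (Test-UnattributedDll $dll) { 'SUSPECT' } else { 'ok' }
        '{0,-8} {1} -> {2}' -f $flag, $clsid, $dll
    }
}

# 3. The three CLSIDs named in the thread: report whether they still exist
Write-Host '== CLSIDs from the thread =='
$threadClsids = '{8364c871-288e-4437-8d9d-d3781cd05a73}',
                '{f3a8b122-4fe2-4c5e-80ec-484b49bcad79}',
                '{675f77a2-36a0-4903-8947-8d1cd4dacd9d}'
foreach ($clsid in $threadClsids) {
    $present = Test-Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
    '{0} present={1} dll={2}' -f $clsid, $present, (Get-InprocDll $clsid)
}

# 4. Scheduled tasks whose action runs rundll32 (the hourly tasks in the third post).
#    schtasks verbose CSV output carries a 'Task To Run' column with the command line.
Write-Host '== Scheduled tasks calling rundll32 =='
schtasks.exe /query /fo CSV /v | ConvertFrom-Csv |
    Where-Object { $_.'Task To Run' -match 'rundll32' } |
    ForEach-Object { '{0,-30} {1}  [{2}]' -f $_.TaskName, $_.'Task To Run', $_.'Schedule Type' }
```

Anything flagged SUSPECT, or any rundll32 task you did not create, is a candidate for the same treatment the posts describe (delete the Run value, the SharedTaskScheduler value, the CLSID key and the task), but confirm the DLL on disk first, since the heuristic in Test-UnattributedDll will also flag unsigned third-party components that are perfectly legitimate.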