Submission Summary:

What's been foundSeverity Level
Threat characteristics of Vundo (aka VirtuMonde/VirtuMundo), a trojan horse that cause popups and advertises rogue antispyware programs. Vundo can be installed by visiting a Web site link contained in a spammed email. It is known to create a DLL file in the Windows system32 directory and inject it into system processes winlogon.exe and explorer.exe.
Downloads/requests other files from Internet.
Registers a Winlogon notification package so that the installed module is loaded into the address space of winlogon.exe.
Registers a 32-bit in-process server DLL.
Contains characteristics of an identified security risk.

 

Technical Details:

NOTICE: The content shown in the above window is captured automatically and is not controlled or endorsed by ThreatExpert.
Please contact us on this link should any material be offensive or inappropriate and we will ensure any such content is blocked from future viewers of the report.

 

Possible Security Risk

Security RiskDescription
Trojan.Virtumonde Virtumonde modifies the Windows Internet connection mechanism and display various pop-up advertisements.
Rootkit.TDSS Rootkit.TDSS can hide the presence of any process on the infected machine in order to perform malicious actions without users knowledge

Threat CategoryDescription
A code with the rootkit-specific techniques designed to hide the software presence in the system
A program that downloads files to the local computer that may represent security risk

 

File System Modifications

#Filename(s)File SizeFile HashAlias
1 %Temp%\wvUoNDwu.bat 111 bytes MD5: 0x2047D91825EBD823DB5CB25DD6E61898
SHA-1: 0x9A5E5DAF8848E4D0D511C8C346866B4E0731D160
(not available)
2 %System%\drivers\senekanselwkpp.sys 67,584 bytes MD5: 0x44ED732E8B2A6D4E06D6C256AD6FD20D
SHA-1: 0xB6BCD14F563432C9F43B6CB3E8E28963A0BCFAF7
Rootkit.Win32.TDSS.phm [Kaspersky Lab]
Mal/TDSS-B [Sophos]
Trojan.Win32.Monderc [Ikarus]
3 %System%\ljJBttRJ.dll 46,592 bytes MD5: 0x377C66D2F85D5715F797B418FB6791CB
SHA-1: 0x92DFA620E2B3BA3FF507FDF7720BBD88F90E0C86
Vundo.gen.y [McAfee]
Virus.Trojan.Win32.Monderb [Ikarus]
packed with UPX [Kaspersky Lab]
4 %System%\readme.bat 44 bytes MD5: 0x6CFD43BD78E8069C684DA5FB312D0080
SHA-1: 0xFC92A9565A62982B1F5E4A0B001E2ADEC2F1714B
(not available)
5 [file and pathname of the sample #1] 318,472 bytes MD5: 0x55C80A5760969CFD69674FACDBE27634
SHA-1: 0x1E492222C44C8C71B304E937CCBF03F6CC558782
Downloader [Symantec]
Trojan.Retapu [Ikarus]
6 %System%\senekaplnkerrf.dat 3,067 bytes MD5: 0x04FFEF7B52AB96E0D46E7DC4CBDE7FCD
SHA-1: 0xDF438DB5BD7B229772D2FD815DCA63A03BFF0FAD
(not available)
7 %System%\senekattatnktu.dll 14,336 bytes MD5: 0xC42AC7239C4E5E5E81D2F829ED7D89D7
SHA-1: 0x54FEA787A8717FD0394BA0AF45EDED6D809CB9B8
Mal/EncPk-GU [Sophos]
Trojan.TDss [Ikarus]
8 %System%\senekauxxyymfl.dll 49,152 bytes MD5: 0xF4C627A4F0DB738A4B7E2502C7A6D1E6
SHA-1: 0xF32689278BC2C34814AE2041649DD7B0D4550381
Mal/EncPk-GU [Sophos]
Trojan.TDss [Ikarus]
9 %System%\senekaybaqhxvm.dll 15,872 bytes MD5: 0x59C07C9E38795DD60DF1A48B879ADE4E
SHA-1: 0x2AE4539691BB01E846CB218ECB85897AE2611D2B
Mal/EncPk-GU [Sophos]
10 %System%\serial.exe 10,240 bytes MD5: 0x32B077C1635BCDBAA3AE5B4F6BCA3A5C
SHA-1: 0xE88E01976125B8CC45C73D76A41914D5BAF8CC7C
Trojan.Spammer [Ikarus]
packed with PE_Patch.UPX [Kaspersky Lab]
11 %System%\setup.exe 38,480 bytes MD5: 0x01178E113C52E6C27B313C9C6310D6D7
SHA-1: 0x384A54CB963B6775D6CB214F5B29DDC14A5F88E7
Downloader [Symantec]
Trojan.Retapu [Ikarus]
packed with PE_Patch.UPX [Kaspersky Lab]

 

Memory Modifications

Process NameProcess FilenameMain Module Size
serial.exe%System%\serial.exe184,320 bytes
[filename of the sample #1][file and pathname of the sample #1]135,168 bytes
keygen.exe%System%\keygen.exe118,784 bytes
readme.exe%System%\readme.exe98,304 bytes

Process NameProcess FilenameAllocated Size
svchost.exe%System%\svchost.exe16,384 bytes
svchost.exe%System%\svchost.exe16,384 bytes
svchost.exe%System%\svchost.exe32,768 bytes

Module NameModule FilenameAddress Space Details
ljJBttRJ.dll%System%\ljJBttRJ.dllProcess name: explorer.exe
Process filename: %Windir%\explorer.exe
Address space: 0x1A00000 - 0x1A1A000

Driver NameDriver Filename
senekanselwkpp.sys%System%\drivers\senekanselwkpp.sys

 

Registry Modifications

 

Other details

Russian Federation

Server NameServer PortConnect as UserConnection Password
78.26.144.21080(null)(null)
directitfast.com80(null)(null)
onseneka.net80(null)(null)
onseneka.com80(null)(null)

URL to be downloadedFilename for the downloaded bits
http://childhe.com/pas/apstpldr.dll.html?affid=154350&uid=&guid=5D3D0DD0B6794134A50A464B295A0730%System%\ssqRHBRl.dll

 

 

Downloaded File Summary:

What's been foundSeverity Level
Downloads/requests other files from Internet.
Contains characteristics of an identified security risk.

 

Technical Details:

 

Possible Security Risk

Security RiskDescription
Trojan.Virtumonde Virtumonde modifies the Windows Internet connection mechanism and display various pop-up advertisements.

Threat CategoryDescription
A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment

 

File System Modifications

#Filename(s)File SizeFile HashAlias
1 %Temp%\tmp3.exe 125 bytes MD5: 0x7C5F5A68051F6B0C0E9A2AD33C40D415
SHA-1: 0x120865765927A61AF83F02B83DC297EEDE61EC41
(not available)
2 %Temp%\tmp3.tmp 0 bytes MD5: 0xD41D8CD98F00B204E9800998ECF8427E
SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709
(not available)
3 [file and pathname of the sample #1] 48,128 bytes MD5: 0x4A56334F3F65D45D90AA15C1BD2F3484
SHA-1: 0x9DC0C1484500C73C5B39EA589532BD4E4833F7C0
Trojan.Virtumonde [PCTools]
Trojan.Vundo [Symantec]
Trojan.Win32.Monder.atxg [Kaspersky Lab]
Vundo [McAfee]
Troj/Virtum-Gen [Sophos]
Trojan.Win32.Monder [Ikarus]
4 %Windir%\Tasks\vykikgdj.job 322 bytes MD5: 0xED6861E780F8B14070E33209363C1AC7
SHA-1: 0x933DC842F5638CA7E5392D24C56E17A540892EFE
(not available)

 

Memory Modifications

Process NameProcess FilenameMain Module Size
[generic host process][generic host process filename]20,480 bytes

Module NameModule FilenameAddress Space Details
[filename of the sample #1][file and pathname of the sample #1]Process name: [generic host process]
Process filename: [generic host process filename]
Address space: 0xB10000 - 0xB31000

 

Registry Modifications

 

Other details

Server NameServer PortConnect as UserConnection Password
childhe.com80(null)(null)

 

 

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.

Copyright © 2014 ThreatExpert. All rights reserved.