THREAT NAME
Trojan.Vundo.DMA
CLEAN INSTRUCTIONS
1. Go to Start > Run, type regedit and press OK.
2. Go to Edit > Find and type: {8A61098D-612B-4EF2-943D-64E920684061}, then press OK.
3. You should encounter a key like this:
HKEY_CLASSES_ROOT\CLSID\{8A61098D-612B-4EF2-943D-64E920684061}
Open the InProcServer32 subkey and write down its default value. It should look something like this:
C:\Windows\System32\yayvwxu.dll
4. Open Notepad and write:
del C:\Windows\System32\yayvwxu.dll
(replace this path with the file name you wrote down in step 3)
Go to File > Save, and for the File type select All files. Save it in the root of the C:\ drive with the name remove.bat.
5. Open regedit, navigate to the key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
Double-click the System value and set it to C:\remove.bat.
6. Now restart the computer.
When Windows starts, open Windows Explorer and check whether the file was deleted.
If it was, open regedit, go to Edit > Find and run a search for the key:
{8A61098D-612B-4EF2-943D-64E920684061}
Delete any entry that is found.
7. Delete the file:
C:\Documents and Settings\User\Local settings\Temp\removalfile.bat
8. Run a full system scan with BullGuard.
SYMPTOMS
1. Presence of the file removalfile.bat in the current user's temporary folder:
C:\Documents and Settings\User\Local settings\Temp\
2. Increased network activity.
3. Unknown processes may appear in the Task Manager.
DESCRIPTION
1. Drops a .dll file with a random name in the system folder (e.g. C:\Windows\System32\yayvwxu.dll).
2. Injects itself into running processes.
3. Creates a .bat file in the current user's temp folder in order to delete itself:
C:\Documents and Settings\User\Local settings\Temp\removalfile.bat
4. Adds several registry keys that point to:
HKEY_CLASSES_ROOT\CLSID\{8A61098D-612B-4EF2-943D-64E920684061}
5. Tries to establish a connection to 65.243.103.80 in order to download and execute a file.
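The following script is an added example and is not part of the BullGuard advisory. It checks the indicators listed under SYMPTOMS and DESCRIPTION and, when run with -Apply, performs the same remove.bat / Winlogon sequence from the CLEAN INSTRUCTIONS; it assumes the CLSID, file and registry paths exactly as the advisory gives them, and must be run from an elevated PowerShell prompt.

```powershell
# Added example, not from the BullGuard advisory: report the Trojan.Vundo.DMA
# indicators and, with -Apply, carry out the advisory's remove.bat / Winlogon
# steps. Assumes the advisory's CLSID and paths; run elevated.
param([switch]$Apply)

$clsid    = '{8A61098D-612B-4EF2-943D-64E920684061}'
$clsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$tempBat  = Join-Path $env:TEMP 'removalfile.bat'   # symptom 1 / description 3

if (Test-Path $tempBat) { Write-Host "FOUND self-delete batch file: $tempBat" }

if (-not (Test-Path $clsidKey)) {
    Write-Host "CLSID $clsid is not registered; nothing to clean."
    return
}

# The InProcServer32 default value names the dropped DLL (description 1).
$ipsKey = Get-Item "$clsidKey\InProcServer32" -ErrorAction SilentlyContinue
$dll = if ($ipsKey) { $ipsKey.GetValue('') } else { $null }
$dllPresent = [bool]($dll -and (Test-Path $dll))
Write-Host "InProcServer32 -> '$dll' (file present: $dllPresent)"

$sysValue = (Get-ItemProperty $winlogon -ErrorAction SilentlyContinue).System
if ($sysValue) { Write-Host "Winlogon\System currently runs: $sysValue" }

if (-not $Apply) { return }

if ($dllPresent) {
    # Steps 4-5: the DLL is injected into running processes, so have Winlogon
    # delete it at next boot, before any process can load it.
    Set-Content -Path 'C:\remove.bat' -Value "del `"$dll`"" -Encoding Ascii
    Set-ItemProperty -Path $winlogon -Name System -Value 'C:\remove.bat'
    Write-Host 'Staged C:\remove.bat; reboot, then run this script again.'
} else {
    # Steps 6-7: DLL is gone, so remove the CLSID key and the batch files.
    # Clearing Winlogon\System is an added step the advisory does not list.
    # The registry-wide search for other entries naming the CLSID (step 6)
    # still has to be done in regedit.
    Remove-Item -Path $clsidKey -Recurse -Force
    Remove-Item -Path 'C:\remove.bat', $tempBat -Force -ErrorAction SilentlyContinue
    if ($sysValue -eq 'C:\remove.bat') { Remove-ItemProperty -Path $winlogon -Name System }
    Write-Host 'Removed CLSID key and batch files; now run a full BullGuard scan (step 8).'
}
```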
Author:
The BullGuard Team