How to remove Trojan.Vundo.DMA

THREAT NAME

Trojan.Vundo.DMA

CLEAN INSTRUCTIONS

1. Go to Start > Run, type regedit and press OK.

2. Go to Edit > Find, type {8A61098D-612B-4EF2-943D-64E920684061} and press OK.

3. You should find a key like this:

HKEY_CLASSES_ROOT\CLSID\{8A61098D-612B-4EF2-943D-64E920684061}

Go to its InProcServer32 subkey and write down the value. It should be something like this:

C:\Windows\System32\yayvwxu.dll

4. Open Notepad and write:

del C:\Windows\System32\yayvwxu.dll

(replace this path with the name of the file that you wrote down earlier)

Go to File > Save, and for the file type select All files. Save it in the root of the C:\ drive with the name remove.bat.

5. Open regedit and navigate to the key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\

Double-click on System and enter the value C:\remove.bat.

6. Now restart the computer.

When Windows starts, open Windows Explorer and check whether the file was deleted.

If it was, open regedit, go to Edit > Find and search for the key:

{8A61098D-612B-4EF2-943D-64E920684061}

Delete any entry that is found.

7. Delete the file:

C:\Documents and Settings\User\Local settings\Temp\removalfile.bat

8. Run a full system scan with BullGuard.


SYMPTOMS

1. Presence of the file removalfile.bat in the current user's temporary folder:

C:\Documents and Settings\User\Local settings\Temp\

2. Increased network activity.

3. Unknown processes may appear in the Task Manager.

DESCRIPTION

1. Drops a .dll file with a random name in the system folder (e.g. C:\Windows\System32\yayvwxu.dll).

2. Injects itself into running processes.

3. Creates a .bat file in the current user's temp folder in order to delete itself:

C:\Documents and Settings\User\Local settings\Temp\removalfile.bat

4. Adds several registry keys that point to:

HKEY_CLASSES_ROOT\CLSID\{8A61098D-612B-4EF2-943D-64E920684061}

5. Tries to establish a connection to download and execute a file from 65.243.103.80.
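A read-only check for the indicators named in the clean instructions and the description above, added here as an example and not part of the BullGuard advisory. It assumes an elevated PowerShell prompt on the affected Windows machine; the CLSID, file names and registry keys are the ones this page gives, and the script only reports what it finds, so the DLL path it prints can be written down before the cleaning steps are followed.

```powershell
# Added example, not part of the BullGuard advisory: report the Trojan.Vundo.DMA
# indicators this page lists without changing anything (assumes elevated PowerShell).

$clsid = '{8A61098D-612B-4EF2-943D-64E920684061}'   # CLSID named in the advisory
$findings = @()

# 1. The CLSID key under HKEY_CLASSES_ROOT and the DLL its InProcServer32 names
#    (this is the value the clean instructions ask you to write down).
$clsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
if (Test-Path -LiteralPath $clsidKey) {
    $findings += "CLSID key present: $clsidKey"
    $inproc = Join-Path $clsidKey 'InProcServer32'
    if (Test-Path -LiteralPath $inproc) {
        $dll = (Get-ItemProperty -LiteralPath $inproc).'(default)'
        $findings += "InProcServer32 points to: $dll"
        if ($dll -and (Test-Path -LiteralPath $dll)) {
            $findings += "DLL still present on disk: $dll"
        }
    }
}

# 2. Other keys and values that reference the CLSID (the Edit > Find step),
#    limited to the usual COM/BHO registration areas under HKLM and HKCU.
$roots = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion',
         'Registry::HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion'
foreach ($root in $roots) {
    foreach ($key in (Get-ChildItem -LiteralPath $root -Recurse -ErrorAction SilentlyContinue)) {
        if ($key.Name -like "*$clsid*") { $findings += "Key named after CLSID: $($key.Name)" }
        foreach ($name in $key.Property) {
            # PowerShell lists the default value as '(default)'; GetValue wants ''.
            $value = $key.GetValue($(if ($name -eq '(default)') { '' } else { $name }))
            if ("$value" -like "*$clsid*" -or $name -like "*$clsid*") {
                $findings += "Value referencing CLSID: $($key.Name)\$name = $value"
            }
        }
    }
}

# 3. The self-deletion batch file the trojan drops in the user's temp folder.
$bat = Join-Path $env:TEMP 'removalfile.bat'
if (Test-Path -LiteralPath $bat) { $findings += "Self-deletion script present: $bat" }

# 4. Winlogon\System, which the clean instructions point at C:\remove.bat. It is
#    normally empty, so anything still set here after the reboot should be reviewed.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$system = (Get-ItemProperty -Path $winlogon -ErrorAction SilentlyContinue).System
if ($system) { $findings += "Winlogon\System is set to: $system" }

if ($findings.Count -eq 0) { 'No Trojan.Vundo.DMA indicators found.' } else { $findings }
```

Run it once before the cleaning steps to record the DLL path, and again after the reboot in step 6 to confirm the DLL, the CLSID references and the temp batch file are gone.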



Author:
The BullGuard Team
