[INFO]
AnalystName=Haja
AnalystEMailID=hajan@comodo.com
Team=India
Date=19-JAN-2010
Type=Virus
Platform=Win32
SubType=
Family=Dundun
Variant=AA

[OVERVIEW]
Virus:Win32/Dundun.A is a polymorphic virus that infects .EXE files by appending its virus code to them. Because it is polymorphic, each .EXE file may be infected in a different manner from the others, which makes detection and removal more difficult.

[TECHNICAL_DESCRIPTION]
It infects .EXE files by appending its virus code to host files. The following sections are added at the end of the file:
DENG
DUN
%blank%

It changes the Original Entry Point to the main code of the virus.
It injects its code into the explorer.exe process.
It infects EXE files when they are executed.
Size of virus code may be 5025 or 5014.
When executed, it decrypts its virus code and then hooks CreateFileW, which affects execution of files.
It increases the SizeOfImage to 3000h and also increases checksum to 10h.

[SYMPTOMS]
The following system changes may indicate the presence of this virus:
It can log off the current user.
Certain windows may be hidden or may not be visible.
The mouse cursor may not move.

[DISINFECTION]