Vundo Trojan (Virtumonde)
Although first discovered in May 2007, this little nasty still infects numerous computers worldwide and therefore still counts as a threat, with a high spreading potential and inflicting medium damage.
Trojan.Vundo
( Virtumonde )
Spreading: very high
Damage: medium
Size: approx. 50 KB
Discovered: 2007 May 25
SYMPTOMS:
Presence of numerous popups, including some that look very much like Windows Defender or even Symantec products; nearly all of them request payment to remove the infections, yet in every case the infection continues even after payment.
TECHNICAL DESCRIPTION:
The Vundo trojan is usually a DLL with a random name located in the system32 directory. The length of the file name is usually 5 to 7 characters (depending on the version).
The malware usually consists of 6 threads, named Main thread, Protection thread, Registry thread, File thread, IEEvents thread and Stop and Recover thread. The malware can write information about each of these threads to a log file (even though most versions don't). It performs different actions depending on the process it runs in: if it runs from lsass.exe or winlogon.exe it starts the protection mutex; if it runs from Internet Explorer it starts the IEEvents thread.
The malware usually shows popups (about 100 per day) telling users that they are infected and asking them to download rogue antispyware programs such as SysProtect, Storage Protect and WinFixer.
To test whether the trojan is already installed on the victim's computer, Vundo checks for the existence of a mutex called VMProtectionMutex.
To start when the computer starts, the trojan adds itself to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
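As an added example (not from this write-up or from BitDefender's analysis), the Python script below triages an exported copy of the two load points above: it parses a constructed .reg-style text, resolves each Browser Helper Object CLSID to its InprocServer32 module, and flags Winlogon Notify handlers or BHOs that load a 5 to 7 character DLL sitting directly in system32, the file shape described above. The sample keys, DLL names and CLSID are constructed for illustration and are not indicators from a real infection.

```python
import ntpath
import re

# Constructed .reg-style export (not data from a real infection): one legitimate
# Winlogon Notify handler, one Notify subkey loading a random 6-letter system32 DLL,
# and a Browser Helper Object whose CLSID resolves to another DLL of that shape.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DLLName"="crypt32.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\xqtvdp]
"DLLName"="C:\\WINDOWS\\system32\\xqtvdp.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-1111-2222-3333-444444444444}]
[HKEY_CLASSES_ROOT\CLSID\{00000000-1111-2222-3333-444444444444}\InprocServer32]
@="C:\\WINDOWS\\system32\\bmkwrt.dll"
"""

VALUE_RE = re.compile(r'^(?:"([^"]+)"|@)="(.*)"$')
RANDOM_DLL_RE = re.compile(r"^[a-z0-9]{5,7}\.dll$", re.IGNORECASE)  # 5-7 char name, per write-up


def parse_reg(text):
    """Map key path -> {value name: value}; the default value is stored under '@'."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and (m := VALUE_RE.match(line)):
            keys[current][m.group(1) or "@"] = m.group(2).replace("\\\\", "\\")
    return keys


def looks_like_vundo_dll(path):
    """Random-looking short DLL name sitting directly in system32."""
    head, tail = ntpath.split(path)
    return head.lower().endswith("system32") and bool(RANDOM_DLL_RE.match(tail))


def find_suspicious_loadpoints(text):
    """Return (registry key, DLL path) for Notify handlers and BHOs loading such a DLL."""
    keys, hits = parse_reg(text), []
    for key, values in keys.items():
        # Winlogon\Notify subkeys name the module in their DLLName value.
        if "\\winlogon\\notify\\" in key.lower() and looks_like_vundo_dll(values.get("DLLName", "")):
            hits.append((key, values["DLLName"]))
        # A BHO key is just a CLSID; the module is the CLSID's InprocServer32 default value.
        if "\\browser helper objects\\" in key.lower():
            clsid = key.rsplit("\\", 1)[1].lower()
            for k2, v2 in keys.items():
                if k2.lower().endswith(f"\\clsid\\{clsid}\\inprocserver32") and looks_like_vundo_dll(v2.get("@", "")):
                    hits.append((k2, v2["@"]))
    return hits
```

Calling `find_suspicious_loadpoints(SAMPLE_REG)` returns the Notify subkey and the CLSID's InprocServer32 key together with the DLL each one loads; the legitimate crypt32.dll handler is not reported because it does not sit in system32 with a random short name.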
It searches for some of the best-known antispyware programs and tries to inject into them. For example:
it searches for the awx_mutant mutex and, if it finds it, tries to inject into ad-aware.exe (Lavasoft Ad-Aware);
it searches for the ssw_mutant mutex and, if it finds it, tries to inject into wrsssdk.exe (Webroot Spy Sweeper);
it searches for the hjt_mutant mutex and, if it finds it, tries to inject into hijackthis.exe. Because of this, many HijackThis logs do not show the presence of the Vundo trojan.
It also injects into Explorer.exe, firefox.exe and mozilla.exe.
Some versions of the Vundo trojan test for the presence of the VMware virtual machine. If it finds this virtual machine, the malware will start corrupting its stack.
Other protection methods are:
It deletes all restore points from 0 to 1000 and creates a new restore point named "Last known good configuration".
It searches for a Spyware Doctor window with the class TfrmSbPrompt, then searches within it for another window that contains two buttons (Yes/No) and clicks the Yes button.
It deletes all entries in PendingFileRenameOperations that refer to the trojan DLL.
Synchronization between threads is performed using mutexes with random names, obtained by encrypting the serial number of the first drive.
It collects various information about the infected computer and sends it to the server. For example, it gets:
all IP addresses
the name of the computer
Windows version
Internet Explorer version
time zone
language
the user and organization the OS is registered to
MAC addresses
POP3 name
SMTP name
number of processors
whether the user is an administrator
proxy address (if the computer is behind a proxy)
It also retrieves information about the infection:
last successful connection
how many times it connected to the server
the path to the infected DLL
It also retrieves information about the computer's architecture:
processor architecture
processor family
physical memory
information about each fixed drive (name, serial, total space, free space)
default browser
date of the trojan installation
The data is added to an HTTP header, encrypted and sent to the server. It then retrieves some data from the server, such as the number of popups to show each day (usually 100).
Removal instructions:
This can be a particularly difficult piece of malware to remove and, to be perfectly honest with you, the only two methods I found to be 100% effective were Spyware Doctor from PC Tools (there is actually a free version available on their website) or a full format of the HDD. The problem I have often found is that if it is left for some time before attempting removal, the infection seems to get much worse, so much so that even after using Spyware Doctor you will often find that the PC fails to reboot. This is obviously due to critical files being deleted from the sys32 folder during removal. Early action is needed if you are to have a successful removal.
Please let BitDefender disinfect your files.