Vundo Trojan (Virtumonde)

Although first discovered in May 2007, this little nasty still infects numerous computers world wide and therefore still classes as a threat, with a high spreading potential & inflicting medium damage.red-virus-icon

Trojan.Vundo
( Virtumonde )
Spreading: very high
Damage: medium
Size: approx 50 kb
Discovered: 2007 May 25

SYMPTOMS:

Presence of numerous popups including some that look very much like Windows Defender or even Symantec, also nearly always requests payment to remove infections, yet in all cases even after payment the infection continues.

TECHNICAL DESCRIPTION:

The vundo trojan is usually a dll with a random name located in system32 directory. The length of the file name is usually 5 to 7 characters (depending on the version).

The malware usually consists of 6 threads named Main thread, Protection thread, Registry Thread, File thread, IEEvents thread, Stop and Recover thread. The malware has the capability of writing informations about each of these threads in a log file (eventhough most of the versions don’t do that). The malware performs different actions depending on the place where it runs. If it runs from lsass.exe or winlogon.exe it starts the protection mutex. If it runs from Internet Explorer it starts the IEEvents thread.

The malware usually shows popups (about 100 per day) telling users that they are infected and asking them to download rogue antispyware programs like (SysProtect,Storage Protect and WinFixer)

To test that the trojan is allready installed on the victim’s computer, Vundo tests the existence of a mutex called VMProtectionMutex.

To start when the computer starts the trojan adds itself to

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogonNotify

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionExplorerBrowser Helper Objects

It searches some of the most known antispyware programs and tries to inject in them. For example:

it searches awx_mutant mutex and if it finds it tries to inject in ad-aware.exe (Lavasoft ad-aware)

it searches ssw_mutant mutex and if it finds it tries to inject into wrsssdk.exe(Webroot Spysweeper’s)

it searches hjt_mutant mutex and if it finds it tries to inject into hijackthis.exe. Because of this many hijackthis logs do not show the existence of the vundo trojan.

It also injects into Explorer.exe, firefox.exe and mozilla.exe .

Some versions of the Vundo trojan test the existence of the virtual machine VMWare. If it finds this virtual machine the malware will start corupting its stack.

Other protection methods are:

It deletes all restore points from 0 to 1000 and creates a new restore point with the name “Last known good configuration”.

It searches for a window of the SpywareDoctor with the class TfrmSbPrompt and then searches within it for another window that contains two buttons (Yes/NO) and performs a click on the button Yes.

It deletes all the registry keys from PendingFileRenameOperations that refers the the trojan dll.

The sinchronization between threads is performed using mutexes with random name, optained by encrypting the serial number of the first drive.

It collects various informations about the infected computer and sends it to server. For example, it gets:

all ip addresses;

the name of the computer

windows version

internet explorer version

time zone

language

to which user and organization is the OS registered

MAC addresses

POP3 name

SMTP name

Number of processors

If the user is adminstrator

Proxy address (if the computer is behind a proxy)

It also retrieves informations about the infection:

Last successfull connection

How many times it connected to the server

The path to the infected dll.

It also retrieves informations about the architecture of the computer:

Processor architecture,

Processor Family,

Physical Memory

Informations about each fixed drive (name,serial, Total Space, Free Space)

Default browser

Date of the trojan installation.

The data is added to a http header, crypted and sent to the server. It then retrieves some data from server like the number of popups to show each day (usually 100).

Removal instructions:

This can be a particularly difficult piece of malware to remove and to be perfectly honest with you the only two methods I found to be 100% effective were, Spyware Doctor from PC-Tools (there is actually a free version available on their website) or the only other method was a full format of the HDD. The problem I have often found is that if left for some time before attempting to remove it, the infection seems to get much worse, so much so that even after using Spyware Doctor you will often find that the PC will fail to re-boot. This is obviously due to critical files being deleted from the sys32 folder during removal. Early action is needed if you are to have a successful removal.

Please let BitDefender disinfect your files.

 

HELP MAINTAIN THIS FREE SERVICE

Please Donate $1.00 to our coffee fund, using the Secure Paypal Donation button on the right.

Any questions, comments or suggestions may be left in the comments box below ! Thanks