Vundo

Vundo, or the Vundo Trojan (also known as Virtumonde or Virtumondo and sometimes referred to as MS Juan) is a Trojan horse that is known to cause popups and advertising for rogue antispyware programs, and sporadically other misbehavior including performance degradation and denial of service with some websites including Google.

Infection

Vundo infects victims' computers by exploiting a vulnerability in Sun Java 1.5.0_7 (also known as Version 5.0 release 7) and earlier versions [http://sunsolve.sun.com/search/document.do?assetkey=1-26-102729-1 Sun Microsystems Sun Alert 200106: Security Vulnerabilities in the Java Runtime Environment may Allow Untrusted Applets to Elevate Privileges and Execute Arbitrary Code]. Many of the pop-ups advertise programs including (but not limited to) Sysprotect, Storage Protector, AntiSpyware Master, and WinFixer. It attaches itself to the system using bogus Browser Helper Objects and DLL files hooked into Winlogon and Explorer.exe.

Because the Trojan is resident in memory and attached to Explorer.exe and Winlogon, both must be stopped before attempting to remove it. Without Winlogon there is no way to reboot the PC normally, so a forced reboot is needed; when Winlogon restarts, the virus files are recreated. Internet Explorer, Mozilla Firefox, and Opera are affected by this Trojan, but Apple Safari seems to be unaffected by the Trojan's .dll file. The Trojan's DLL files are named with eight random upper- and lower-case characters and stored in the Windows "system32" directory. Many virus removal programs will remove some of the Trojan-created hidden files but not the running DLL itself. The DLL cannot be removed by conventional means because it is in use as soon as Winlogon starts; however, utilities (such as Zap and Dr. Delete) exist that will delete files that are in use. If some but not all of the Trojan's files are removed, it will create a new DLL with a different random name.

Symptoms

The most obvious sign of infection is the pop-ups. Vundo causes the infected web browser to pop up advertisements, many of which claim that software is needed to fix system "deterioration". The user's desktop background is changed to an image of an installation window saying there is adware on the computer, and the screensaver is changed to the Blue Screen. When the user tries to restore the original background and screensaver through Display Properties, the Background and Screen Saver tabs are missing because their "Hide" values in the Registry were changed to 1. Both the background image and the screensaver are placed in the System32 folder; the screensaver, however, cannot be deleted.

Infected DLLs (with randomized names such as "__c00369AB.dat") will be present in the Windows\System32 folder, and references to them will be found in the user's startup entries (viewable in MSConfig), in the registry, and as browser add-ons in Internet Explorer.

Depending on the version of the virus the following symptoms may or may not be present:

Vundo may attempt to prevent the user from removing it or otherwise impede its removal, for example by disabling Task Manager or the Windows Registry Editor. Another symptom may be that the desktop icons and the taskbar disappear and then reappear after a short period. This becomes very frustrating when trying to run programs, as they are automatically aborted.

Web access may also be negatively affected: Vundo may make many websites inaccessible, with the pages simply hanging. The hard drive may be constantly accessed by the winlogon process.

Symptoms may also include the disabling of Windows Automatic Updates or other web-based services.
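The Infection and Symptoms sections above give a defender three things to look for: DLLs in system32 named with eight random mixed-case letters, registry load points (Winlogon Notify entries and Browser Helper Objects) that reference those DLLs, and Display Properties tabs hidden by policy values set to 1. The script below is an added example, not code from the article or from any removal tool it mentions; it runs offline over a constructed .reg-style export and a constructed system32 listing. The Winlogon\Notify, Browser Helper Objects and CLSID\InprocServer32 paths are the real Windows locations for those load points; the policy value names NoDispBackgroundPage, NoDispScrSavPage, DisableTaskMgr and DisableRegistryTools are real Windows policy values, and treating them as the "Hide" values the article refers to is an assumption, since the article does not name them.

```python
import re
from typing import Dict, List

# --- Constructed sample data (not from a real infected machine) -------------
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\qwErTyUi]
"DllName"="C:\\WINDOWS\\system32\\qwErTyUi.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-000000000001}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\WINDOWS\\system32\\qwErTyUi.dll"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispBackgroundPage"=dword:00000001
"NoDispScrSavPage"=dword:00000001
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000000
"""

# Constructed directory listing: two legitimate-looking names, two eight-letter
# mixed-case names of the kind the article describes, one "__c...dat" file.
SAMPLE_SYSTEM32 = ["kernel32.dll", "qwErTyUi.dll", "user32.dll",
                   "aBcDeFgH.dll", "ntdll.dll", "__c00369AB.dat"]

RegTree = Dict[str, Dict[str, object]]

# Real policy key and value names (assumption: these are the article's "Hide" values).
POLICY_KEY = "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"
POLICY_VALUES = ("NoDispBackgroundPage", "NoDispScrSavPage",
                 "DisableTaskMgr", "DisableRegistryTools")


def parse_reg(text: str) -> RegTree:
    """Parse a minimal .reg export into {key: {value_name: value}}.
    Only quoted strings and dword values are handled, which is enough here."""
    tree: RegTree = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            tree.setdefault(current, {})
            continue
        m = re.match(r'^(?:"([^"]+)"|@)=(.*)$', line)
        if not m or current is None:
            continue
        name = m.group(1) if m.group(1) is not None else "@"
        val = m.group(2)
        if val.startswith("dword:"):
            tree[current][name] = int(val[6:], 16)
        elif val.startswith('"') and val.endswith('"'):
            tree[current][name] = val[1:-1].replace("\\\\", "\\")  # undo .reg escaping
        else:
            tree[current][name] = val
    return tree


def random_name_dlls(filenames: List[str]) -> List[str]:
    """Eight letters in mixed case plus .dll, as the article describes.
    Requiring mixed case keeps legitimate all-lowercase 8-letter DLLs out."""
    out = []
    for f in filenames:
        stem = f[:8]
        if re.fullmatch(r"[A-Za-z]{8}\.dll", f) and stem != stem.lower() and stem != stem.upper():
            out.append(f)
    return out


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def loaded_dlls(tree: RegTree) -> Dict[str, List[str]]:
    """Map DLL basename -> load points (Winlogon Notify, BHO) that reference it."""
    lower_keys = {k.lower(): k for k in tree}
    refs: Dict[str, List[str]] = {}
    for key, values in tree.items():
        k = key.lower()
        if "\\winlogon\\notify\\" in k and "DllName" in values:
            refs.setdefault(_basename(str(values["DllName"])), []).append("Winlogon\\Notify")
        if "\\browser helper objects\\{" in k:
            clsid = key.rsplit("\\", 1)[-1]          # BHOs are registered by CLSID ...
            srv = lower_keys.get(f"hkey_classes_root\\clsid\\{clsid.lower()}\\inprocserver32")
            if srv and "@" in tree[srv]:             # ... whose InprocServer32 names the DLL
                refs.setdefault(_basename(str(tree[srv]["@"])), []).append(
                    "Browser Helper Object " + clsid)
    return refs


def tampered_policies(tree: RegTree) -> List[str]:
    """Policy values set to 1 (tabs hidden, Task Manager / regedit disabled)."""
    values = {k.lower(): v for k, v in tree.items()}.get(POLICY_KEY.lower(), {})
    return [n for n in POLICY_VALUES if values.get(n) == 1]


def triage(filenames: List[str], reg_text: str) -> dict:
    """Combine the three indicators; 'confirmed' = suspect names with a live load point."""
    tree = parse_reg(reg_text)
    refs = loaded_dlls(tree)
    suspects = random_name_dlls(filenames)
    return {
        "suspect_dlls": suspects,
        "confirmed": {d: refs[d.lower()] for d in suspects if d.lower() in refs},
        "policies_set": tampered_policies(tree),
    }


if __name__ == "__main__":
    for k, v in triage(SAMPLE_SYSTEM32, SAMPLE_REG).items():
        print(k, v)
```

The name heuristic alone over-matches (aBcDeFgH.dll here has no load point), which is why the result separates names that merely look random from names a Winlogon or BHO entry actually loads; on a real system the listing and export would come from `dir` and `reg export`, and a hit in `confirmed` is the DLL the article says cannot be deleted while Winlogon is running.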

Information

On infected systems, there is usually an entry for "MS Juan" in the registry. This is part of the mechanism by which browsers are hijacked to prevent navigation to certain sites. The entry lists the user's search page and also calls a randomly named Windows DLL file, causing the search functions on that site to stop working. Known navigation failures include performing Google searches and accessing Hotmail or MySpace; the web pages usually just hang.

External links

* [http://www.exterminate-it.com/malpedia/remove-vundo-virtumondo Vundo related files, dirs, registry keys & values]
* [http://bbayles.googlepages.com/antivundo.html Bo Bayles Annex guide to removing Virtumonde DLL's]
* [http://us.mcafee.com/virusInfo/vil/alphar_app.asp?char=Vundo List of Vundo generation discovered by McAfee]
* [http://onecare.live.com/site/en-us/virusenc/virussearch.htm?VirusSearch=Vundo All Vundo generation discovered by Microsoft Windows Live OneCare]


Wikimedia Foundation. 2010.
