Vundo
Vundo, or the Vundo Trojan (also known as Virtumonde or Virtumondo and sometimes referred to as MS Juan), is a Trojan horse that is known to cause pop-ups and advertising for rogue antispyware programs, and sporadically other misbehavior including performance degradation and denial of service with some websites, including Google.

Infection
Vundo infects victims' computers by exploiting a vulnerability in Sun Java 1.5.0_7 (aka Version 5.0 release 7) and earlier versions ([http://sunsolve.sun.com/search/document.do?assetkey=1-26-102729-1 Sun Microsystems Sun Alert Solution 200106: Security Vulnerabilities in the Java Runtime Environment may Allow Untrusted Applets to Elevate Privileges and Execute Arbitrary Code]).

Many of the pop-ups advertise programs including (but not limited to) Sysprotect, Storage Protector, AntiSpyware Master, and WinFixer. It attaches to the system using bogus Browser Helper Objects and DLL files attached to Winlogon and Explorer.exe. As the virus is resident in memory and attached to Explorer.exe and Winlogon, both processes must be stopped before trying to remove the virus. Without Winlogon there is no normal way to reboot the PC, so a forced reboot is needed, because once Winlogon restarts the virus files are recreated.
Internet Explorer, Mozilla Firefox, and Opera are affected by this trojan, but Apple Safari seems to be unaffected by the Trojan's .dll file. The trojan's DLL files are named with eight random upper- and lower-case characters and stored in the Windows "system32" directory. Many virus removal programs will remove some of the trojan-created hidden files but not the actual running DLL. The DLL cannot be removed by conventional means because the file is in use as soon as Winlogon starts. However, utilities (such as Zap and Dr. Delete) exist that will delete files that are in use. If some but not all of the trojan's files are removed, it will create a new DLL with a different random name.

Symptoms
The most obvious sign of infection is the pop-ups. Vundo causes the infected web browser to pop up advertisements, many of which claim a need for software to fix system "deterioration". The user's desktop background is changed to the image of an installation window saying there is adware on the computer. The screensaver is also changed to the Blue Screen. When the user tries to change the background and screensaver back to their originals by going to Display Properties, the background and screensaver tabs are missing because their "Hide" values in the Registry were changed to 1. Both the background and screensaver are in the System32 folder; however, the screensaver cannot be deleted.
Infected DLLs (with randomized names such as "__c00369AB.dat") will be present in the Windows/System32 folder, and references to the DLLs will be found in the user's startup entries (viewable in MSConfig), in the registry, and as browser add-ons in Internet Explorer.
Depending on the version of the virus the following symptoms may or may not be present:
Vundo may attempt to prevent the user from removing it or otherwise impede its operation, for example by disabling Task Manager or the Windows Registry Editor. Another symptom of Vundo may be that the desktop icons and the taskbar disappear and then reappear after a short period. This becomes very frustrating when trying to run programs, as they get automatically aborted.
Web access may also be negatively affected. Vundo may cause many websites to be inaccessible; these websites may just hang. The hard drive may be constantly accessed by the winlogon process.
Symptoms may also include the disabling of Windows Automatic Updates or other web-based services.
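The Infection section above describes the load points (bogus Browser Helper Objects and DLLs attached to Winlogon) and the naming scheme (eight random upper- and lower-case characters in system32), and the Symptoms section gives the "__c00369AB.dat" sample and the disabled Task Manager and Registry Editor. The following triage script is an added example and not part of the article or of any vendor's tooling: it flags file names that fit those patterns in a directory listing, looks for registry values under the standard Winlogon Notify, Browser Helper Objects and CLSID\InProcServer32 locations that load a flagged file, and reports the standard DisableTaskMgr and DisableRegistryTools policy values when set. The directory listing and the registry export are constructed sample data, the "__c" plus seven hex digits pattern is generalised from the article's single sample name, and that Vundo uses exactly these policy values is an assumption of the example. Python is used rather than PowerShell so the logic can be run offline against exported data from any workstation.

```python
"""Added triage example (not from the article): flag Vundo-style file names
in a System32 listing, find the Winlogon / BHO registry entries that load
them, and report policy values that disable Task Manager and regedit.
All inputs below are constructed sample data, not captures from a real host."""
import re

# The article's naming pattern: eight random upper- and lower-case letters.
# Requiring both cases screens out stock Windows DLLs, which are lowercase.
RANDOM_DLL_RE = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])[A-Za-z]{8}\.dll$")
# The article's hidden-file sample "__c00369AB.dat"; generalising it to
# "__c" plus seven hex digits is an assumption drawn from that one name.
HIDDEN_DAT_RE = re.compile(r"^__c[0-9A-Fa-f]{7}\.dat$")
# Standard Windows load points the article names: Winlogon notification
# packages, Browser Helper Objects, and the CLSID a BHO resolves through.
WATCHED_KEYS = ("\\Winlogon\\Notify", "\\Explorer\\Browser Helper Objects", "\\CLSID\\")
# Standard policy values behind "disabling Task Manager or the Registry
# Editor"; that Vundo sets exactly these is an assumption of this example.
POLICY_VALUES = {"DisableTaskMgr", "DisableRegistryTools"}


def parse_reg_export(text):
    """Minimal parser for `reg export` output: {key: {value_name: data}}."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            entries[current] = {}
        elif current is not None and line.startswith(('"', "@")) and "=" in line:
            name, _, data = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            # reg export doubles backslashes inside string data; undo that
            entries[current][name] = data.strip('"').replace("\\\\", "\\")
    return entries


def find_suspicious_names(filenames, allowlist=frozenset()):
    """Return (name, reason) for files matching the article's naming patterns.
    The allowlist holds known-good lowercase names from a clean reference host."""
    flagged = []
    for name in filenames:
        if name.lower() in allowlist:
            continue
        if RANDOM_DLL_RE.match(name):
            flagged.append((name, "eight random mixed-case letters"))
        elif HIDDEN_DAT_RE.match(name):
            flagged.append((name, "__c*.dat hidden data file"))
    return flagged


def find_loaders(reg_entries, flagged):
    """Values under the watched load points whose data names a flagged file."""
    wanted = {name.lower() for name, _ in flagged}
    hits = []
    for key, values in reg_entries.items():
        if not any(w.lower() in key.lower() for w in WATCHED_KEYS):
            continue
        for value_name, data in values.items():
            if data.rsplit("\\", 1)[-1].lower() in wanted:
                hits.append((key, value_name, data))
    return hits


def find_disabled_tools(reg_entries):
    """Policies\\System values set non-zero, i.e. Task Manager or regedit disabled."""
    hits = []
    for key, values in reg_entries.items():
        if not key.lower().endswith(r"\policies\system"):
            continue
        for value_name, data in values.items():
            if value_name in POLICY_VALUES and data.startswith("dword:") and int(data[6:], 16):
                hits.append((key, value_name))
    return hits


def triage(filenames, reg_export_text, allowlist=frozenset()):
    """Run all three checks and return their findings keyed by section."""
    flagged = find_suspicious_names(filenames, allowlist)
    reg = parse_reg_export(reg_export_text)
    return {"files": flagged, "loaders": find_loaders(reg, flagged),
            "disabled_tools": find_disabled_tools(reg)}


# Constructed sample data: genuine Windows file names plus two planted
# Vundo-style names, and a hand-written export in reg.exe's text format.
SYSTEM32_LISTING = ["kernel32.dll", "schannel.dll", "user32.dll",
                    "qPhTrKwE.dll", "__c00369AB.dat", "ntoskrnl.exe"]

REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\qPhTrKwE]
"DLLName"="C:\\WINDOWS\\system32\\qPhTrKwE.dll"
"Startup"="Startup"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-000000000001}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000001}\InProcServer32]
@="C:\\WINDOWS\\system32\\qPhTrKwE.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000000
"""

if __name__ == "__main__":
    for section, rows in triage(SYSTEM32_LISTING, REG_EXPORT).items():
        print(section)
        for row in rows:
            print("  ", row)
```

On a real host the listing would come from `dir /b %SystemRoot%\system32` and the export from `reg export` of the keys named above, run from clean media since the article notes the running DLL is locked once Winlogon starts. The mixed-case requirement is the main discriminator against legitimate eight-letter DLLs such as schannel.dll, so an allowlist built from a known-good system is worth keeping alongside it.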
Information
On infected systems, there is usually a listing for "MS Juan" in the registry. This is part of the mechanism by which the browsers are hijacked to prevent navigation to certain sites. There will be a listing of the user's search page which also calls upon a random Windows DLL file, causing the search functions on that site to stop working. Some known website navigation disablings are doing Google searches and accessing Hotmail or MySpace. The web pages usually just hang.

References
* [http://forums.techguy.org/6071539-post10.html Windows Warning Message]
* [http://vil.nai.com/vil/content/v_127690.htm McAfee's information on the Vundo trojan]
* [http://www.symantec.com/security_response/writeup.jsp?docid=2004-112111-3912-99 Trojan.Vundo - Symantec.com]

External links
* [http://www.exterminate-it.com/malpedia/remove-vundo-virtumondo Vundo related files, dirs, registry keys & values]
* [http://bbayles.googlepages.com/antivundo.html Bo Bayles Annex guide to removing Virtumonde DLL's]
* [http://us.mcafee.com/virusInfo/vil/alphar_app.asp?char=Vundo List of Vundo generations discovered by McAfee]
* [http://onecare.live.com/site/en-us/virusenc/virussearch.htm?VirusSearch=Vundo All Vundo generations discovered by Microsoft Windows Live OneCare]
Wikimedia Foundation. 2010.