
Vundo: Difference between revisions

From Wikipedia, the free encyclopedia
Content deleted Content added
Whether it's helpful or not isn't the issue - it doesn't belong in Wikipedia
Line 32: Line 32:
==External links==
==External links==
<!-- Please don't add links to the spyware-remover-du-jour -->
<!-- Please don't add links to the spyware-remover-du-jour -->
*[http://www.vundo.org Vundo removal site]
*[http://www.exterminate-it.com/malpedia/remove-vundo-virtumondo Vundo related files, dirs, registry keys & values]
*[http://www.exterminate-it.com/malpedia/remove-vundo-virtumondo Vundo related files, dirs, registry keys & values]
*[http://bbayles.googlepages.com/antivundo.html Bo Bayles Annex guide to removing Virtumonde DLL's]
*[http://bbayles.googlepages.com/antivundo.html Bo Bayles Annex guide to removing Virtumonde DLL's]
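Review bot: the removed entry `*[http://www.vundo.org Vundo removal site]` is exactly the kind of link the inline comment `<!-- Please don't add links to the spyware-remover-du-jour -->` asks editors not to add, so the removal is consistent with that comment; the two entries kept, the exterminate-it.com page and the bbayles.googlepages.com guide, are also third-party removal guides, and the same rationale would call for reviewing them as well.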

Revision as of 21:57, 10 August 2008

Vundo, or the Vundo Trojan (also known as Virtumonde or Virtumondo, and sometimes referred to as MS Juan), is a Trojan horse known to cause pop-ups and advertising for rogue antispyware programs, and sporadically other misbehavior, including performance degradation and denial of service with some websites, including Google.

Infection

Vundo infects victims' computers by exploiting a vulnerability in Sun Java 1.5 and earlier versions (it has also been confirmed to infect systems running more recent versions of Java). Many of the pop-ups advertise programs including (but not limited to) Sysprotect, Storage Protector, AntiSpyware Master, and WinFixer. It attaches itself to the system using bogus Browser Helper Objects and DLL files attached to Winlogon and Explorer.exe.

Because the virus is resident in memory and attached to Explorer.exe and Winlogon, both must be stopped before attempting to remove it. Without Winlogon there is no way to reboot the PC, so a forced reboot is needed; when Winlogon restarts, the virus files are recreated. Internet Explorer, Mozilla Firefox, and Opera are affected by this Trojan, but Apple Safari appears to be unaffected by the Trojan's .dll file. The Trojan's DLL files are named with eight random upper- and lower-case characters and stored in the Windows system32 directory. Many virus removal programs will remove some of the Trojan-created hidden files but not the DLL that is actually running. That DLL cannot be removed because the file is in use as soon as Winlogon starts. If some but not all of the Trojan's files are removed, it creates a new DLL with a different random name.


Symptoms

The most obvious sign of infection is the pop-ups. Vundo causes the infected web browser to pop up advertisements, many of which claim that software is needed to fix system "deterioration".

Infected DLLs (with randomized names) will be present in the Windows\System32 folder, and references to the DLLs will be found in the user's startup entries (viewable in MSConfig), in the registry, and as browser add-ons in Internet Explorer.
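An added example, not from the article, that turns the two observations above (eight-letter mixed-case DLL names in system32, and references to those DLLs among Internet Explorer's Browser Helper Objects) into a small detection heuristic in Python. The file listing and the BHO entries are constructed sample data; on a live host they would come from a listing of %SystemRoot%\system32 and from the InprocServer32 values reachable under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects.

```python
import os

def looks_like_vundo_name(filename):
    """True if `filename` is an eight-letter, mixed-case ASCII name with a .dll
    extension, the naming pattern the article attributes to Vundo's DLLs.
    Requiring mixed case cuts false positives from legitimate all-lowercase
    system DLLs such as browseui.dll; it is a heuristic, not proof."""
    stem, ext = os.path.splitext(filename)
    return (ext.lower() == ".dll" and len(stem) == 8 and stem.isascii()
            and stem.isalpha() and not stem.islower() and not stem.isupper())

def suspicious_dll_names(filenames):
    """Names from a system32 listing that match the pattern, sorted."""
    return sorted(n for n in filenames if looks_like_vundo_name(n))

def correlate_with_bhos(suspects, bho_entries):
    """Map each suspect DLL to the Browser Helper Object CLSIDs whose
    InprocServer32 path points at it. Only the file name is compared, and
    case-insensitively, since registry paths may differ in case from the listing."""
    by_name = {s.lower(): s for s in suspects}
    hits = {}
    for clsid, path in bho_entries.items():
        name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if name in by_name:
            hits.setdefault(by_name[name], []).append(clsid)
    return hits

def scan(filenames, bho_entries):
    """Run both checks. A suspect that is also registered as a BHO is the
    stronger finding; a name match alone only warrants a closer look."""
    suspects = suspicious_dll_names(filenames)
    return {"name_matches": suspects,
            "registered_as_bho": correlate_with_bhos(suspects, bho_entries)}

# Constructed sample data (not real indicators): a partial system32 listing
# and a partial CLSID -> InprocServer32 dump for registered BHOs.
SAMPLE_SYSTEM32 = ["kernel32.dll", "browseui.dll", "rasadhlp.dll", "ntdll.dll",
                   "qWrTyUiP.dll", "mNbVcXzL.dll", "abcdefgh.dll", "ABCDEFGH.DLL"]
SAMPLE_BHOS = {
    "{CONSTRUCTED-BHO-1}": r"C:\WINDOWS\system32\QWRTYUIP.DLL",
    "{CONSTRUCTED-BHO-2}": r"C:\Program Files\Example\legit.dll",
}

if __name__ == "__main__":
    print(scan(SAMPLE_SYSTEM32, SAMPLE_BHOS))
```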

Depending on the version of the virus the following symptoms may or may not be present:

Vundo may attempt to prevent the user from removing it, or otherwise impede removal attempts, such as by disabling Task Manager or the Windows Registry Editor. Another symptom may be that the desktop icons and the taskbar disappear and then reappear after a short period. This becomes very frustrating when trying to run programs, as they are automatically aborted.

Web access may also be negatively affected: Vundo may make many websites inaccessible, so that these websites simply hang.

The hard drive may start to be constantly accessed by the winlogon process.

