Vundo
From Wikipedia, the free encyclopedia
Vundo, or the Vundo Trojan (also known as Virtumonde or Virtumondo), is a Trojan horse that is known to cause popups and advertising for rogue antispyware programs.
Infection
Vundo infects victims' computers by exploiting a vulnerability in Sun Java 1.5 and earlier versions. Many of the popups it generates advertise programs including (but not limited to) Sysprotect, Storage Protector and WinFixer. It persists on the system by registering bogus Browser Helper Objects and by installing DLLs that are loaded into Winlogon and Explorer.exe.
Because the Trojan's DLLs are loaded into Explorer.exe and Winlogon and remain resident in memory, those processes must be stopped before its files can be removed. Once Winlogon is stopped there is no way to reboot the PC normally, so a forced reboot is needed; whenever Winlogon starts again with the infection still in place, the Trojan's files are recreated.
Symptoms
Vundo periodically shows popups claiming that the computer's performance is "deteriorating" and that the user must download or buy (bogus) security software to fix it. Popups titled ULWindowSeek or ULWindowURL are also a symptom of this Trojan. Many removal programs will delete some of the hidden files but not the DLL itself, which has a random name. Some versions of Vundo also create .ini and .ini2 files with random names; these may be marked as hidden system files. While these can be deleted easily, the DLL usually cannot be removed because it is in use as soon as Winlogon starts. If the DLL is removed but the other files are left behind, they will generate a new DLL with a different random name.
Depending on the version, Vundo attempts to prevent the user from removing it or otherwise impedes removal, for example by disabling Task Manager or the Windows Registry Editor.
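The persistence and symptom descriptions above can be turned into a read-only triage check. The following PowerShell script is an added example, not code from the article or from any Vundo removal tool. It assumes that the "DLLs attached to Winlogon" are registered as Winlogon Notify packages (the DLLName value under the Winlogon\Notify key), that the bogus Browser Helper Objects are listed under the standard Browser Helper Objects key and resolved through their CLSID's InprocServer32 entry, and that the disabled Task Manager and Registry Editor correspond to the DisableTaskMgr and DisableRegistryTools policy values. The random-name and companion-file checks are heuristics based on the symptoms listed above, not a signature; the output is a list of suspicious DLLs to investigate, and it deletes nothing, since removing the DLL alone leaves the companion files that recreate it.

```powershell
# Added triage example for Vundo-style persistence. Assumptions (not stated in
# the article): Winlogon-loaded DLLs are Notify packages, BHOs are resolved via
# HKLM\SOFTWARE\Classes\CLSID\<clsid>\InprocServer32, and the anti-removal
# behaviour sets DisableTaskMgr / DisableRegistryTools. Read-only; flags only.

function Get-CompanionFiles {
    param([string]$DllPath)
    # Vundo writes .ini / .ini2 files next to the DLL; same random stem is assumed.
    $dir  = Split-Path -Path $DllPath -Parent
    $stem = [System.IO.Path]::GetFileNameWithoutExtension($DllPath)
    @("$stem.ini", "$stem.ini2") |
        ForEach-Object { Join-Path -Path $dir -ChildPath $_ } |
        Where-Object { Test-Path -LiteralPath $_ }
}

function Get-BhoDlls {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (-not (Test-Path -Path $key)) { return }
    Get-ChildItem -Path $key | ForEach-Object {
        $clsid = $_.PSChildName
        $srv   = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
        $dll   = (Get-ItemProperty -Path $srv -ErrorAction SilentlyContinue).'(default)'
        if ($dll) {
            [pscustomobject]@{ Source = 'BHO'; Id = $clsid
                               Dll = [Environment]::ExpandEnvironmentVariables($dll) }
        }
    }
}

function Get-WinlogonNotifyDlls {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    if (-not (Test-Path -Path $key)) { return }
    Get-ChildItem -Path $key | ForEach-Object {
        $dll = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).DLLName
        if ($dll) {
            # Notify packages are often given as a bare file name relative to System32.
            if (-not [System.IO.Path]::IsPathRooted($dll)) {
                $dll = Join-Path -Path "$env:SystemRoot\System32" -ChildPath $dll
            }
            [pscustomobject]@{ Source = 'WinlogonNotify'; Id = $_.PSChildName; Dll = $dll }
        }
    }
}

function Get-RemovalBlockingPolicies {
    # Symptom: Task Manager / Registry Editor disabled. Assumed to map to these values.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    $p   = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    foreach ($name in 'DisableTaskMgr', 'DisableRegistryTools') {
        if ($p -and $p.$name -eq 1) { $name }
    }
}

$findings = foreach ($entry in @(Get-BhoDlls) + @(Get-WinlogonNotifyDlls)) {
    $path  = $entry.Dll
    $flags = @()
    if (-not (Test-Path -LiteralPath $path)) {
        $flags += 'missing-on-disk'
    } else {
        # -Force is needed: the article notes the files may be hidden system files.
        $item = Get-Item -LiteralPath $path -Force
        if ($item.Attributes -band [System.IO.FileAttributes]::Hidden) { $flags += 'hidden' }
        if ($item.Attributes -band [System.IO.FileAttributes]::System) { $flags += 'system' }
        if ((Get-AuthenticodeSignature -FilePath $path).Status -ne 'Valid') { $flags += 'unsigned' }
        # Heuristic for the "random name": a short run of lowercase letters only.
        if ($item.BaseName -match '^[a-z]{5,12}$') { $flags += 'random-looking-name' }
        $companions = @(Get-CompanionFiles -DllPath $path)
        if ($companions.Count -gt 0) { $flags += "companions:$($companions -join ';')" }
    }
    [pscustomobject]@{ Source = $entry.Source; Id = $entry.Id; Dll = $path
                       Flags = ($flags -join ',') }
}

$findings | Where-Object { $_.Flags } | Format-Table -AutoSize
$blocked = @(Get-RemovalBlockingPolicies)
if ($blocked.Count -gt 0) { "Removal-blocking policies set: $($blocked -join ', ')" }
```

Run it from an elevated PowerShell prompt so the HKLM keys and hidden System32 files are readable. A DLL that is unsigned, hidden, has a random-looking name and has .ini/.ini2 companions beside it matches the symptom set above; note the companion files as well as the DLL and the registry entries, since the text explains that deleting the DLL alone lets the remaining files regenerate it under a new name.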
See also
- VundoFix - Tool for removing Vundo infections