Vundo

The Vundo Trojan (commonly known as Vundo, Virtumonde or Virtumondo, and sometimes referred to as MS Juan) is either a Trojan horse or a computer worm that is known to cause popups and advertising for rogue antispyware programs, and sporadically other misbehavior including performance degradation and denial of service with some websites including Google and Facebook. It also is used to deliver other malware to its host computers.[1] Later versions include rootkits and ransomware.[1]

Infection

A Vundo infection is typically caused either by opening an e-mail attachment carrying the trojan, or through a variety of browser exploits, including vulnerabilities in popular browser plug-ins, such as Java. Many of the popups advertise fraudulent programs such as AntiSpywareMaster, WinFixer, and AntiVirus 2009.

Virtumonde.dll consists of two main components, Browser Helper Objects and Class ID. Each of these components is in the Windows Registry under HKEY LOCAL MACHINE, and the file names are dynamic. It attaches to the system using bogus Browser Helper Objects and DLL files attached to winlogon.exe, explorer.exe and more recently, lsass.exe.

Vundo inserts registry entries to suppress Windows warnings about the disabling of firewall, antivirus, and the Automatic Updates service, disables the Automatic Updates service and quickly re-disables it if manually re-enabled, and attacks Malwarebytes' Anti-Malware, Spybot Search & Destroy, Lavasoft Ad-Aware, HijackThis, and several other malware removal tools. It frequently hides itself from Vundofix & Combofix. Rather than pushing fake antivirus products, the new "ad" popups for the drive by download attacks are copies of ads by major corporations, faked so that simply closing them allows the drive-by download exploit to insert the payload into the user's computer.

Symptoms

Since there are many different varieties of Vundo trojans, symptoms of Vundo vary widely, ranging from the relatively benign to the severe. Almost all varieties of Vundo feature some sort of pop-up advertising as well as rooting themselves to make them difficult to delete.

Computers infected exhibit some or all of the following symptoms:

References

  1. 1.0 1.1 Bell, Henry; Chien, Eric (March 17, 2010). "Trojan.Vundo". Symantec Security Response. Symantec. Retrieved March 14, 2012.
  2. SuperMWindow - A New Vundo.