Vundo

Vundo
Vundo
Technical name	Vundo Variant Trojan:Win32/Vundo.[Letter] (Microsoft); Trojan:Win32/Vundo.gen![Letter] (Microsoft); Trojan.Vundo.[Letter] (Symantec); Trojan.Vundo.[Letter] (Bitdefender); Gen:Variant.Vundo.[Number] (BitDefender); TR/Drop.Vundo.J.[Number] (Avira); TR/Dldr.Vundo.J.379 (Avira); TR/Vundo.[Letter].2 (Avira); Trojan-Downloader.Win32.Vundo (Ikarus); Win-Trojan/Vundo.63488.M (AhnLab); W32/Vundo.dam[Number] (Norman); Vundo.gen[Number] (Norman); W32/Vundo.[Letter] (Norman); Win32/Vundo!generic (CA); Trojan:Win32/Vundo.[Letter] (CA); Suspicious.Vundo (FireEye); Trojan.Win32.Monder (FireEye); Vundo.gen (FireEye); Trojan:Win32/Vundo (FireEye); ; Virtumonde Variant Adware.VirtuMonde (FireEye); ;
Alias	Virtumonde; Virtumondo; Microsoft Juan;
Type	Malware
Subtype	Either computer worm or trojan horse
Family	Vundo

Last updated September 09, 2024

The Vundo Trojan (commonly known as Vundo, Virtumonde or Virtumondo, and sometimes referred to as MS Juan) is either a Trojan horse or a computer worm that is known to cause popups and advertising for rogue antispyware programs, and sporadically other misbehavior including performance degradation and denial of service with some websites including Google and Facebook. It also is used to deliver other malware to its host computers.^[2] Later versions include rootkits and ransomware.^[2]

Infection

A Vundo infection is typically caused either by opening an e-mail attachment carrying the trojan, or through a variety of browser exploits, including vulnerabilities in popular browser plug-ins, such as Java. Many of the popups advertise fraudulent programs such as AntiSpywareMaster, WinFixer, and AntiVirus 2009.

Virtumonde.dll consists of two main components, Browser Helper Objects and Class ID. Each of these components is in the Windows Registry under HKEY LOCAL MACHINE, and the file names are dynamic. It attaches to the system using bogus Browser Helper Objects and DLL files attached to winlogon.exe, explorer.exe and more recently, lsass.exe.

Vundo inserts registry entries to suppress Windows warnings about the disabling of firewall, antivirus, and the Automatic Updates service, disables the Automatic Updates service and quickly re-disables it if manually re-enabled, and attacks Malwarebytes' Anti-Malware, Spybot Search & Destroy, Lavasoft Ad-Aware, HijackThis, and several other malware removal tools. It frequently hides itself from Vundofix and Combofix. Rather than pushing fake antivirus products, the new "ad" popups for the drive by download attacks are copies of ads by major corporations, faked so that simply closing them allows the drive-by download exploit to insert the payload into the user's computer.

Symptoms

Since there are many different varieties of Vundo trojans, symptoms of Vundo vary widely, ranging from the relatively benign to the severe. Almost all varieties of Vundo feature some sort of pop-up advertising as well as rooting themselves to make them difficult to delete.

Computers infected exhibit some or all of the following symptoms:

Vundo will cause the infected web browser to pop up advertisements, many of which claim a need for software to fix system "deterioration".
The desktop background may be changed to the image of an installation window saying there is adware on the computer.
The screensaver may be changed to the Blue Screen of Death.
In the Display Properties Control Panel, the background and screensaver tabs are missing because their "Hide" values in the Registry were changed to 1.
Both the background and screensaver are in the System32 folder, however the screensaver cannot be deleted.
Windows Automatic Updates (and other web-based services) may also be disabled and it is not possible to turn them back on.
Infected DLLs or DAT files (with randomized names such as "__c00369AB.dat" and "slmnvnk.dll") will be present in the Windows/System32 folder and references to the DLLs will be found in the user's start up (viewable in MSConfig), registry, and as browser add-ons in Internet Explorer.
Vundo may attempt to prevent the user from removing it or otherwise impede its operation, such as by disabling the task manager, registry editor, and msconfig, thereby preventing the system from booting into safe mode.
Some firewalls or antivirus software may also be disabled by Vundo leaving the system even more vulnerable. Especially, it disables Norton AntiVirus and in turn uses it to spread the infection. Norton will show prompts to enable phishing filter, all by itself. Upon pressing OK, it will try to connect to real-av.org and download more malware.
Popular anti-malware programs such as Spybot – Search & Destroy or Malwarebytes may be deleted or immediately closed upon loading. Renaming the program executable can work around this. Malwarebytes's executable may be deleted as soon as it is installed (depending on the system's infection). Installing the program on another computer and copying the executable into the infected computer's Malwarebytes directory usually works too.
Web access may also be negatively affected. Vundo may cause many websites to be inaccessible.
Search engine links may be redirected to rogue security software sites, which can be avoided by copy and pasting addresses.
MS Juan may cause webpages to fail to load after sessions of browsing and present a blank page in the browser instead of the webpage. When this happens any programs may also fail to start and it may become impossible to use windows shutdown.
The hard drive may start to be constantly accessed by the winlogon.exe process, thus periodic freezes may be experienced.
Display pop-ups and also is additionally efficient in injecting promotions into search results.
Warnings about SuperMWindow not shutting down may occur.^[3]
Explorer.exe may constantly crash resulting in an endless loop of crashing then restarting.
Creates a virus critical driver in C:\Windows\system32\drivers (ati0dgxx.sys).
The virus can "eat" away at available hard drive space; hard drive space can fluctuate as much as +3 to -3 Gb of space, evident of Vundo's attempt at "hiding" when being antagonized.
Vundo can impede download progress.
Entering safe mode after attempting to use HijackThis results in a true Blue Screen of Death, which cannot be recovered from without either restoring the deleted safe mode registry keys, or a reinstalled version of Windows.
The virus sometimes gives a "Run a DLL as an APP" error when some of the randomly named DLLs have been deleted.
The virus will rewrite randomly named DLLs while any of them reside on machine.
The virus changes \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and RunOnce entries to start itself when Windows starts.
The virus installs adware that is sometimes pornographic.
The virus installs rogue security software such as Desktop Defender 2010 and Security Center with a .wav file telling the user that their system is infected.
The virus will cause the network driver to be corrupt which even after going into Registry Editor (regedit.exe) to delete Winsock 1 and 2 and trying to reinstall the driver is virtually impossible.
The virus deletes the network connection under My Network Places.

Related Research Articles

Malware is any software intentionally designed to cause disruption to a computer, server, client, or computer network, leak private information, gain unauthorized access to information or systems, deprive access to information, or which unknowingly interferes with the user's computer security and privacy. Researchers tend to classify malware into one or more sub-types.

Antivirus software, also known as anti-malware, is a computer program used to prevent, detect, and remove malware.

A Browser Helper Object (BHO) is a DLL module designed as a plugin for the Microsoft Internet Explorer web browser to provide added functionality. BHOs were introduced in October 1997 with the release of version 4 of Internet Explorer. Most BHOs are loaded once by each new instance of Internet Explorer. However, in the case of Windows Explorer, a new instance is launched for each window.

Scareware is a form of malware which uses social engineering to cause shock, anxiety, or the perception of a threat in order to manipulate users into buying unwanted software. Scareware is part of a class of malicious software that includes rogue security software, ransomware and other scam software that tricks users into believing their computer is infected with a virus, then suggests that they download and pay for fake antivirus software to remove it. Usually the virus is fictional and the software is non-functional or malware itself. According to the Anti-Phishing Working Group, the number of scareware packages in circulation rose from 2,850 to 9,287 in the second half of 2008. In the first half of 2009, the APWG identified a 585% increase in scareware programs.

Norton AntiVirus is an anti-virus or anti-malware software product founded by Peter Norton, developed and distributed by Symantec since 1990 as part of its Norton family of computer security products. It uses signatures and heuristics to identify viruses. Other features included in it are e-mail spam filtering and phishing protection.

System Restore is a feature in Microsoft Windows that allows the user to revert their computer's state to that of a previous point in time, which can be used to recover from system malfunctions or other problems. First included in Windows Me, it has been included in all following desktop versions of Windows released since, excluding Windows Server. In Windows 10, System Restore is turned off by default and must be enabled by users in order to function. This does not affect personal files such as documents, music, pictures, and videos.

<span class="mw-page-title-main">Winlogon</span> Component of Microsoft Windows operating systems

Winlogon is the component of Microsoft Windows operating systems that is responsible for handling the secure attention sequence, loading the user profile on logon, creates the desktops for the window station, and optionally locking the computer when a screensaver is running. The roles and responsibilities of Winlogon have changed significantly in Windows Vista and later operating systems.

Browser hijacking is a form of unwanted software that modifies a web browser's settings without a user's permission, to inject unwanted advertising into the user's browser. A browser hijacker may replace the existing home page, error page, or search engine with its own. These are generally used to force hits to a particular website, increasing its advertising revenue.

<span class="mw-page-title-main">WinFixer</span> Rogue security software

WinFixer was a family of scareware rogue security programs developed by Winsoftware which claimed to repair computer system problems on Microsoft Windows computers if a user purchased the full version of the software. The software was mainly installed without the user's consent. McAfee claimed that "the primary function of the free version appears to be to alarm the user into paying for registration, at least partially based on false or erroneous detections." The program prompted the user to purchase a paid copy of the program.

Rogue security software is a form of malicious software and internet fraud that misleads users into believing there is a virus on their computer and aims to convince them to pay for a fake malware removal tool that actually installs malware on their computer. It is a form of scareware that manipulates users through fear, and a form of ransomware. Rogue security software has been a serious security threat in desktop computing since 2008. An early example that gained infamy was SpySheriff and its clones, such as Nava Shield.

SpySheriff is malware that disguises itself as anti-spyware software. It attempts to mislead the user with false security alerts, threatening them into buying the program. Like other rogue antiviruses, after producing a list of false threats, it prompts the user to pay to remove them. The software is particularly difficult to remove, since it nests its components in System Restore folders, and also blocks some system management tools. However, SpySheriff can be removed by an experienced user, antivirus software, or by using a rescue disk.

The Zlob Trojan, identified by some antiviruses as Trojan.Zlob, is a Trojan horse which masquerades as a required video codec in the form of ActiveX. It was first detected in late 2005, but only started gaining attention in mid-2006.

MonaRonaDona is a browser hijacker that uses unique tactics through popups or alert messages stating that you are infected with a virus. It uses this message to send users on a hunt for a MonaRonaDona remedy only to run into other malicious websites.

<span class="mw-page-title-main">Conficker</span> Computer worm

Conficker, also known as Downup, Downadup and Kido, is a computer worm targeting the Microsoft Windows operating system that was first detected in November 2008. It uses flaws in Windows OS software and dictionary attacks on administrator passwords to propagate while forming a botnet, and has been unusually difficult to counter because of its combined use of many advanced malware techniques. The Conficker worm infected millions of computers including government, business and home computers in over 190 countries, making it the largest known computer worm infection since the 2003 SQL Slammer worm.

Malwarebytes Inc. is an American Internet security company that specializes in protecting home computers, smartphones, and companies from malware and other threats. It has offices in Santa Clara, California; Clearwater, Florida; Tallinn, Estonia; Bastia Umbra, Italy; and Cork, Ireland.

MS Antivirus is a scareware rogue anti-virus which purports to remove virus infections found on a computer running Microsoft Windows. It attempts to scam the user into purchasing a "full version" of the software. The company and the individuals behind Bakasoftware operated under other different 'company' names, including Innovagest2000, Innovative Marketing Ukraine, Pandora Software, LocusSoftware, etc.

Sality is the classification for a family of malicious software (malware), which infects Microsoft Windows systems files. Sality was first discovered in 2003 and has advanced to become a dynamic, enduring and full-featured form of malicious code. Systems infected with Sality may communicate over a peer-to-peer (P2P) network to form a botnet to relay spam, proxying of communications, exfiltrating sensitive data, compromising web servers and/or coordinating distributed computing tasks to process intensive tasks. Since 2010, certain variants of Sality have also incorporated rootkit functions as part of an ongoing evolution of the malware family. Because of its continued development and capabilities, Sality is considered one of the most complex and formidable forms of malware to date.

Slenfbot is the classification for a family of malicious software (malware), which infects files on Microsoft Windows systems. Slenfbot was first discovered in 2007 and, since then, numerous variants have followed; each with slightly different characteristics and new additions to the worm's payload, such as the ability to provide the attacker with unauthorized access to the compromised host. Slenfbot primarily spreads by luring users to follow links to websites, which contain a malicious payload. Slenfbot propagates via instant messaging applications, removable drives and/or the local network via network shares. The code for Slenfbot appears to be closely managed, which may provide attribution to a single group and/or indicate that a large portion of the code is shared amongst multiple groups. The inclusion of other malware families and variants as well as its own continuous evolution, makes Slenfbot a highly effective downloader with a propensity to cause even more damage to compromised systems.

InstallCore was an installation and content distribution platform created by ironSource, including a software development kit (SDK) for Windows and Mac OS X. The program allowed those using it for distribution to include monetization by advertisements or charging for installation, and made its installations invisible to the user and its anti-virus software.

A potentially unwanted program (PUP) or potentially unwanted application (PUA) is software that a user may perceive as unwanted or unnecessary. It is used as a subjective tagging criterion by security and parental control products. Such software may use an implementation that can compromise privacy or weaken the computer's security. Companies often bundle a wanted program download with a wrapper application and may offer to install an unwanted application, and in some cases without providing a clear opt-out method. Antivirus companies define the software bundled as potentially unwanted programs which can include software that displays intrusive advertising (adware), or tracks the user's Internet usage to sell information to advertisers (spyware), injects its own advertising into web pages that a user looks at, or uses premium SMS services to rack up charges for the user. A growing number of open-source software projects have expressed dismay at third-party websites wrapping their downloads with unwanted bundles, without the project's knowledge or consent. Nearly every third-party free download site bundles their downloads with potentially unwanted software. The practice is widely considered unethical because it violates the security interests of users without their informed consent. Some unwanted software bundles install a root certificate on a user's device, which allows hackers to intercept private data such as banking details, without a browser giving security warnings. The United States Department of Homeland Security has advised removing an insecure root certificate, because they make computers vulnerable to serious cyberattacks. Software developers and security experts recommend that people always download the latest version from the official project website, or a trusted package manager or app store.

References

↑ "FireEye Event Description: Trojan.Vundo".
1 2 Bell, Henry; Chien, Eric (March 17, 2010). "Trojan.Vundo". Symantec Security Response. Symantec. Archived from the original on December 13, 2006. Retrieved March 14, 2012.
↑ SuperMWindow - A New Vundo.

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] "FireEye Event Description: Trojan.Vundo".

[Symantec-2] 1 2 Bell, Henry; Chien, Eric (March 17, 2010). "Trojan.Vundo". Symantec Security Response. Symantec. Archived from the original on December 13, 2006. Retrieved March 14, 2012.

[atribune-3] SuperMWindow - A New Vundo.

[1]

[2]

[3]

Vundo
Technical name	Vundo Variant Trojan:Win32/Vundo.[Letter] (Microsoft) Trojan:Win32/Vundo.gen![Letter] (Microsoft) Trojan.Vundo.[Letter] (Symantec) Trojan.Vundo.[Letter] (Bitdefender) Gen:Variant.Vundo.[Number] (BitDefender) TR/Drop.Vundo.J.[Number] (Avira) TR/Dldr.Vundo.J.379 (Avira) TR/Vundo.[Letter].2 (Avira) Trojan-Downloader.Win32.Vundo (Ikarus) Win-Trojan/Vundo.63488.M (AhnLab) W32/Vundo.dam[Number] (Norman) Vundo.gen[Number] (Norman) W32/Vundo.[Letter] (Norman) Win32/Vundo!generic (CA) Trojan:Win32/Vundo.[Letter] (CA) Suspicious.Vundo (FireEye)^[1] Trojan.Win32.Monder (FireEye) Vundo.gen (FireEye) Trojan:Win32/Vundo (FireEye) Virtumonde Variant Adware.VirtuMonde (FireEye)
Alias	Virtumonde Virtumondo Microsoft Juan
Type	Malware
Subtype	Either computer worm or trojan horse
Family	Vundo

Vundo

Contents

Infection

Symptoms

Related Research Articles

References