The Vundo Trojan (commonly known as Vundo, Virtumonde or Virtumondo, and sometimes referred to as MS Juan) is either a Trojan horse or a computer worm that is known to cause popups and advertising for rogue antispyware programs, and sporadically other misbehavior including performance degradation and denial of service with some websites including Google and Facebook. It also is used to deliver other malware to its host computers.[2] Later versions include rootkits and ransomware.[2]

Vundo
Technical name
  • Vundo Variant
    • Trojan:Win32/Vundo.[Letter] (Microsoft)
    • Trojan:Win32/Vundo.gen![Letter] (Microsoft)
    • Trojan.Vundo.[Letter] (Symantec)
    • Trojan.Vundo.[Letter] (Bitdefender)
    • Gen:Variant.Vundo.[Number] (BitDefender)
    • TR/Drop.Vundo.J.[Number] (Avira)
    • TR/Dldr.Vundo.J.379 (Avira)
    • TR/Vundo.[Letter].2 (Avira)
    • Trojan-Downloader.Win32.Vundo (Ikarus)
    • Win-Trojan/Vundo.63488.M (AhnLab)
    • W32/Vundo.dam[Number] (Norman)
    • Vundo.gen[Number] (Norman)
    • W32/Vundo.[Letter] (Norman)
    • Win32/Vundo!generic (CA)
    • Trojan:Win32/Vundo.[Letter] (CA)
    • Suspicious.Vundo (FireEye)[1]
    • Trojan.Win32.Monder (FireEye)
    • Vundo.gen (FireEye)
    • Trojan:Win32/Vundo (FireEye)
  • Virtumonde Variant
    • Adware.VirtuMonde (FireEye)
Alias
  • Virtumonde
  • Virtumondo
  • Microsoft Juan
TypeMalware
SubtypeEither computer worm or trojan horse
FamilyVundo

Infection

edit

A Vundo infection is typically caused either by opening an e-mail attachment carrying the trojan, or through a variety of browser exploits, including vulnerabilities in popular browser plug-ins, such as Java. Many of the popups advertise fraudulent programs such as AntiSpywareMaster, WinFixer, and AntiVirus 2009.

Virtumonde.dll consists of two main components, Browser Helper Objects and Class ID. Each of these components is in the Windows Registry under HKEY LOCAL MACHINE, and the file names are dynamic. It attaches to the system using bogus Browser Helper Objects and DLL files attached to winlogon.exe, explorer.exe and more recently, lsass.exe.

Vundo inserts registry entries to suppress Windows warnings about the disabling of firewall, antivirus, and the Automatic Updates service, disables the Automatic Updates service and quickly re-disables it if manually re-enabled, and attacks Malwarebytes' Anti-Malware, Spybot Search & Destroy, Lavasoft Ad-Aware, HijackThis, and several other malware removal tools. It frequently hides itself from Vundofix and Combofix. Rather than pushing fake antivirus products, the new "ad" popups for the drive by download attacks are copies of ads by major corporations, faked so that simply closing them allows the drive-by download exploit to insert the payload into the user's computer.

Symptoms

edit

Since there are many different varieties of Vundo trojans, symptoms of Vundo vary widely, ranging from the relatively benign to the severe. Almost all varieties of Vundo feature some sort of pop-up advertising as well as rooting themselves to make them difficult to delete.

Computers infected exhibit some or all of the following symptoms:

  • Vundo will cause the infected web browser to pop up advertisements, many of which claim a need for software to fix system "deterioration".
  • The desktop background may be changed to the image of an installation window saying there is adware on the computer.
  • The screensaver may be changed to the Blue Screen of Death.
  • In the Display Properties Control Panel, the background and screensaver tabs are missing because their "Hide" values in the Registry were changed to 1.
  • Both the background and screensaver are in the System32 folder, however the screensaver cannot be deleted.
  • Windows Automatic Updates (and other web-based services) may also be disabled and it is not possible to turn them back on.
  • Infected DLLs or DAT files (with randomized names such as "__c00369AB.dat" and "slmnvnk.dll") will be present in the Windows/System32 folder and references to the DLLs will be found in the user's start up (viewable in MSConfig), registry, and as browser add-ons in Internet Explorer.
  • Vundo may attempt to prevent the user from removing it or otherwise impede its operation, such as by disabling the task manager, registry editor, and msconfig, thereby preventing the system from booting into safe mode.
  • Some firewalls or antivirus software may also be disabled by Vundo leaving the system even more vulnerable. Especially, it disables Norton AntiVirus and in turn uses it to spread the infection. Norton will show prompts to enable phishing filter, all by itself. Upon pressing OK, it will try to connect to real-av.org and download more malware.
  • Popular anti-malware programs such as Spybot – Search & Destroy or Malwarebytes may be deleted or immediately closed upon loading. Renaming the program executable can work around this. Malwarebytes's executable may be deleted as soon as it is installed (depending on the system's infection). Installing the program on another computer and copying the executable into the infected computer's Malwarebytes directory usually works too.
  • Web access may also be negatively affected. Vundo may cause many websites to be inaccessible.
  • Search engine links may be redirected to rogue security software sites, which can be avoided by copy and pasting addresses.
  • MS Juan may cause webpages to fail to load after sessions of browsing and present a blank page in the browser instead of the webpage. When this happens any programs may also fail to start and it may become impossible to use windows shutdown.
  • The hard drive may start to be constantly accessed by the winlogon.exe process, thus periodic freezes may be experienced.
  • Display pop-ups and also is additionally efficient in injecting promotions into search results.
  • Warnings about SuperMWindow not shutting down may occur.[3]
  • Explorer.exe may constantly crash resulting in an endless loop of crashing then restarting.
  • Creates a virus critical driver in C:\Windows\system32\drivers (ati0dgxx.sys).
  • The virus can "eat" away at available hard drive space; hard drive space can fluctuate as much as +3 to -3 Gb of space, evident of Vundo's attempt at "hiding" when being antagonized.
  • Vundo can impede download progress.
  • Entering safe mode after attempting to use HijackThis results in a true Blue Screen of Death, which cannot be recovered from without either restoring the deleted safe mode registry keys, or a reinstalled version of Windows.
  • The virus sometimes gives a "Run a DLL as an APP" error when some of the randomly named DLLs have been deleted.
  • The virus will rewrite randomly named DLLs while any of them reside on machine.
  • The virus changes \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and RunOnce entries to start itself when Windows starts.
  • The virus installs adware that is sometimes pornographic.
  • The virus installs rogue security software such as Desktop Defender 2010 and Security Center with a .wav file telling the user that their system is infected.
  • The virus will cause the network driver to be corrupt which even after going into Registry Editor (regedit.exe) to delete Winsock 1 and 2 and trying to reinstall the driver is virtually impossible.
  • The virus deletes the network connection under My Network Places.

References

edit
  1. ^ "FireEye Event Description: Trojan.Vundo".
  2. ^ a b Bell, Henry; Chien, Eric (March 17, 2010). "Trojan.Vundo". Symantec Security Response. Symantec. Archived from the original on December 13, 2006. Retrieved March 14, 2012.
  3. ^ SuperMWindow - A New Vundo.