I was working on a client’s computer recently when a popup suddenly appeared on top of what I was doing offering me to “Work from Home” for, of all places, Google. “Uh oh,” I thought, what sort of nastiness lurks inside this PC? I opened a browser and tried to search for terms that appeared in the ad, only to be taken to a completely different website than my search page. “This can’t be good,” I thought.
I fired up the Norton Security control panel and confirmed that the virus definitions were up-to-date and hadn’t caught anything recently. I then ran SpyBot Search & Destroy but that also turned up nothing. “I’m going to have to take this home overnight,” I told the client.
Once home, I used my own PC to again search for what’s ailing this PC. The most commonly suggested idea for unwanted popups in Windows XP was to disable Windows Messaging Service, but a quick check in the Services control panel showed that was already disabled.
So I fired up the Task Manager and started googling any running processes that I didn’t recognize. Many were legitimate even though they sported just the sort of random names you’d expect a virus to use, but one caught my eye: virtumonde. What’s this? Wikipedia says it’s aka the “Vundo” virus. The symptoms completely jibed with what I had seen on this PC (from the article):
- Vundo will cause the infected web browser to pop up advertisements, many of which claim a need for software to fix system “deterioration”.
- In the Display Properties Control Panel, the background and screensaver tabs are missing because their “Hide” values in the Registry were changed to 1.
- Windows Automatic Updates (and other web-based services) may also be disabled and it is not possible to turn them back on.
- Infected DLLs (with randomized names such as “__c00369AB.dat” and “slmnvnk.dll”) will be present in the Windows/System32 folder and references to the DLLs will be found in the user’s start up (viewable in MSConfig), registry, and as browser add ons in Internet Explorer.
- Vundo may attempt to prevent the user from removing it or otherwise impede its operation, such as by disabling the task manager, registry editor, and msconfig, thereby preventing the system from booting into safe mode.
- Some firewalls or antivirus software may also be disabled by the virus, leaving the system even more vulnerable. In particular, it disables Norton AntiVirus and in turn uses it to spread the infection. Norton will show prompts to enable the phishing filter, all by itself. Upon pressing OK, it will try to connect to real-av.org and try to download more malware.
- Popular anti-malware programs such as Spybot – Search & Destroy or Malwarebytes’ Anti-Malware may be deleted or immediately closed upon loading. Renaming the program executable can work around this.
- Web access may also be negatively affected. Vundo may cause many websites to be inaccessible.
- Google search links may be directed to rogue antispyware sites, which can be avoided by copying and pasting addresses.
- Vundo may cause webpages to fail to load after sessions of browsing and present a blank page in the browser instead of the webpage. When this happens, any programs may also fail to start and it may become impossible to use Windows shutdown.
- The hard drive may start to be constantly accessed by the winlogon process, thus periodic freezes may be experienced.
- The virus can “eat” away at available hard drive space; hard drive space can fluctuate by as much as +3 to -3 GB, evidence of Vundo’s attempt at “hiding” when being antagonized.
- Vundo can impede download progress.
- Windows Automatic Updates service may become disabled.
(There are more, but these are just the ones that I saw on this PC.) I’ve highlighted a couple of the particularly dastardly symptoms in red. In addition to the effect the virus had on this individual machine, without automatic updates and functioning antivirus and spyware scanning, a Windows PC is a sitting duck for botnets to completely control the machine and clog up the network the machine is on.
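As an added example (my own script, not part of the original post or the Wikipedia article), here is a PowerShell audit that checks a machine for the symptom categories listed above: the Display Properties tabs hidden by policy, Task Manager and Registry Editor disabled, the Automatic Updates service stopped, and Run entries that load a DLL or .dat file out of System32. The registry value names used (NoDispBackgroundPage, NoDispScrSavPage, DisableTaskMgr, DisableRegistryTools) are the standard Windows policy values for those settings; the post itself only says the “Hide” values were set to 1, so treating them as the values in question is my assumption.

```powershell
# Added example: audit a Windows box for Vundo-style symptoms described above.
# Assumes PowerShell, run as the affected user (HKCU checks) with admin rights
# (service check). Value names are standard Windows policy values, assumed to
# be the "Hide" values the symptom list refers to; the post does not name them.

$policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$checks = @(
    @{ Name = 'NoDispBackgroundPage'; Meaning = 'Display Properties: Background tab hidden' },
    @{ Name = 'NoDispScrSavPage';     Meaning = 'Display Properties: Screen Saver tab hidden' },
    @{ Name = 'DisableTaskMgr';       Meaning = 'Task Manager disabled' },
    @{ Name = 'DisableRegistryTools'; Meaning = 'Registry Editor disabled' }
)

$findings = @()
if (Test-Path $policyKey) {
    $props = Get-ItemProperty -Path $policyKey
    foreach ($c in $checks) {
        # A value of 1 means the restriction is in force for this user.
        if ($props.($c.Name) -eq 1) { $findings += "$($c.Meaning) ($($c.Name)=1)" }
    }
}

# Automatic Updates (wuauserv) should be running; the symptom list says it gets disabled.
$wu = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
if ($null -eq $wu -or $wu.Status -ne 'Running') {
    $findings += 'Automatic Updates service (wuauserv) is not running'
}

# Startup entries that load a .dll or .dat straight out of System32 (the
# randomized-name pattern from the symptom list, e.g. via rundll32).
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    $props = Get-ItemProperty -Path $k
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
        if ("$($p.Value)" -match '(?i)system32\\[^\\]+\.(dll|dat)\b') {
            $findings += "Run entry '$($p.Name)' loads $($p.Value)"
        }
    }
}

if ($findings.Count -eq 0) { 'No Vundo-style symptoms found.' }
else { 'Findings:'; $findings | ForEach-Object { " - $_" } }
```

A hit on any of these is a reason to go to MSConfig, the registry and the browser add-on list, as the symptom list suggests; the script only flags, it does not change anything.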
Tracking down what was happening was the hard part. Using the instructions at BleepingComputer.com (great name) I was able to disinfect this computer using an app named MalwareBytes (scary name, sounds like malware itself). After cleaning I reran the antivirus and antispyware apps and everything came up clean. The machine now runs faster and there are no more annoying popup ads or other symptoms, and it’s no longer vulnerable to nastier viruses that might steal or destroy information.