BitDefender Antivirus
Contact Us | My BitDefender

Adware.Virtumonde.GFA

( Virtumonde , Vundo )
Spreading: high
Damage: medium
Size: 30k - 600k
Discovered: 2007 Jun 25

SYMPTOMS:

Increase of network activity. Some popups window will appear in Internet Explorer.

TECHNICAL DESCRIPTION:

Adware.Virtumonde has two components :
A) a dropper component that writes a dll file in %system32% folder an then loads it and run a function that this exports (the function that installs Virtumonde has different names -> the most usually are InstallHook, SetVM, Setup, setplugin, setvm.

B) a dll file , that does the following :
- it copies itself in the %system32% directory with a random name , and creates a subkey with the same random name in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify. This key , allows the dll file to be loaded in Winlogon.exe (this protects the file from beeing deleted).
- some version will create a file with a name written in reverse order of the original file in the same directory (if the original file name will be abcdef.dll , the file that will be created will be fedcba.ini )

- different versions will create one following keys :
1) in HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects either with the same name or names like MSEvents Object , PsapiAnalyzer , AtlDistrib etc. This key enables Virtumonde to be loaded when internet explorer starts.
2) the same pattern si used for this key (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks) .
 

It has several protection methods , that ensure that the dll file will not be deleted.
a) the module that it`s loaded in winlogon.exe will test periodically if the keys that virtumonde creates are deleted (if so , it creates them again).
b) it checks for the PendingFileRenameOperations key , to test if the dll is to be deleted when windows starts (if so , the dll name will be deleted from that key )
c) it searches for the same thing in wininit.ini

It display advertising , usualy using internet explorer to load a web page.

Removal instructions:

Please let BitDefender disinfect your files.

ANALYZED BY:

Dragos Gavrilut, virus researcher
©   2009 BITDEFENDER SiteMap | Legal Terms | Site Feedback | Global Sites | Privacy Policy