
Vundo

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by 63.238.125.11 (talk) at 15:00, 24 October 2008 (Infection). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

Vundo, or the Vundo Trojan (also known as Virtumonde or Virtumondo and sometimes referred to as MS Juan), is a Trojan horse known for generating pop-up advertisements for rogue antispyware programs, and sporadically for other misbehavior including performance degradation and denial of service against some websites, including Google.

Infection

Vundo infects victims' computers by exploiting a vulnerability in Sun Java 1.5.0_7 (also known as Version 5.0 release 7)[1] and earlier versions. Many of the pop-ups advertise programs including (but not limited to) Sysprotect, Storage Protector, AntiSpyware Master, and WinFixer. The Virtumonde DLL is registered in two ways: as Browser Helper Objects and as Class IDs (CLSIDs). Both sets of entries live in the Windows Registry under HKEY_LOCAL_MACHINE, and the file names they point to change from one infection to the next. The trojan attaches itself to the system through these bogus Browser Helper Objects and through DLL files loaded into Winlogon and Explorer.exe.

Because the trojan is resident in memory inside Explorer.exe and Winlogon, those processes must be stopped before its files can be removed. Winlogon cannot simply be terminated, since Windows cannot shut down or reboot cleanly without it, so a forced reboot is needed; and as soon as Winlogon restarts, the trojan's files are recreated. Internet Explorer, older versions of Mozilla Firefox, and Opera are susceptible to this trojan, while Apple Safari, Mozilla Firefox 3 and later, and Flock appear to be unaffected by its DLL. The trojan's DLL files are named with eight random upper- and lower-case letters and stored in the Windows System32 directory. Many virus removal programs will remove some of the trojan-created hidden files but not the running DLL itself, which cannot be removed by conventional means because it is in use from the moment Winlogon starts. Utilities that delete in-use files (such as Zap and Dr. Delete) do exist, however. If some but not all of the trojan's files are removed, it creates a new DLL with a different random name, so all of its files and registry references should be removed in the same pass.
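The persistence points described above (bogus Browser Helper Objects, DLLs loaded by Winlogon, random eight-letter DLL names in System32, and a running DLL that ordinary deletion cannot touch) can be triaged with a short script. The following PowerShell is an added example written for this article; it is not code from the original page or from any removal utility the page names. It assumes the standard registry locations for BHOs (HKLM\...\Explorer\Browser Helper Objects, resolved through each CLSID's InprocServer32 value) and for Winlogon notification packages (HKLM\...\Winlogon\Notify); the eight-letter naming rule comes from the article, and the function and namespace names are the author's own.

```powershell
# Added example, not from the article. Run in an elevated PowerShell session.
# Read-only unless -ScheduleDelete is given.

$Sys32 = Join-Path $env:windir 'System32'
$RandomDllName = '^[A-Za-z]{8}\.dll$'   # eight random upper/lower-case letters (from the article)

function Get-BhoDlls {
    # Each BHO is a CLSID subkey; the DLL path is the CLSID's InprocServer32 default value.
    $bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    Get-ChildItem -Path $bhoKey -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid = $_.PSChildName
        $srv = Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
        [pscustomobject]@{ Source = 'BHO'; Id = $clsid; Path = $srv.'(default)'; KeyPath = $_.PSPath }
    }
}

function Get-WinlogonNotifyDlls {
    # Winlogon\Notify packages are loaded into winlogon.exe at logon (the XP-era mechanism).
    $notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    Get-ChildItem -Path $notifyKey -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        [pscustomobject]@{ Source = 'WinlogonNotify'; Id = $_.PSChildName; Path = $p.DLLName; KeyPath = $_.PSPath }
    }
}

function Resolve-DllPath([string]$Path) {
    # Registry values may be bare file names (resolved relative to System32) or contain env vars.
    if (-not $Path) { return $null }
    $expanded = [Environment]::ExpandEnvironmentVariables($Path.Trim('"'))
    if ([IO.Path]::IsPathRooted($expanded)) { return $expanded }
    return Join-Path $Sys32 $expanded
}

function Test-VundoLikeDll([string]$Path) {
    # Lead, not proof: in System32, exactly eight letters + .dll, and no valid signature reported.
    $full = Resolve-DllPath $Path
    if (-not $full -or -not (Test-Path -LiteralPath $full)) { return $false }
    $inSys32   = (Split-Path $full -Parent).TrimEnd('\') -ieq $Sys32.TrimEnd('\')
    $nameMatch = (Split-Path $full -Leaf) -match $RandomDllName
    $unsigned  = (Get-AuthenticodeSignature -LiteralPath $full).Status -ne 'Valid'
    return ($inSys32 -and $nameMatch -and $unsigned)
}

function Invoke-VundoTriage {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$ScheduleDelete)

    $hits = @(@(Get-BhoDlls) + @(Get-WinlogonNotifyDlls) | Where-Object { Test-VundoLikeDll $_.Path })
    foreach ($h in $hits) {
        $full = Resolve-DllPath $h.Path
        Write-Output ("{0} {1} -> {2}" -f $h.Source, $h.Id, $full)
        if ($ScheduleDelete -and $PSCmdlet.ShouldProcess($full, 'Delete at next reboot and remove registry reference')) {
            # The DLL is mapped into winlogon.exe/explorer.exe, so a normal delete fails.
            # MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT (0x4) queues the delete for the next
            # boot via PendingFileRenameOperations, the same mechanism in-use-file deleters rely on.
            if (-not ('VundoTriage.Kernel32' -as [type])) {
                Add-Type -Namespace VundoTriage -Name Kernel32 -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, int dwFlags);
'@
            }
            if (-not [VundoTriage.Kernel32]::MoveFileEx($full, $null, 4)) {
                Write-Warning ("MoveFileEx failed for {0}: Win32 error {1}" -f $full,
                    [Runtime.InteropServices.Marshal]::GetLastWin32Error())
            }
            # Remove the loader entry too; leaving it lets the trojan come back under a new name.
            Remove-Item -Path $h.KeyPath -Recurse -ErrorAction SilentlyContinue
        }
    }
    if (-not $hits) { Write-Output 'No Vundo-like BHO or Winlogon Notify DLLs found.' }
}

Invoke-VundoTriage                              # report only
# Invoke-VundoTriage -ScheduleDelete -WhatIf    # preview; drop -WhatIf to queue the deletes, then reboot
```

Because the DLL is in use by Winlogon from the moment it starts, the script never tries to delete it directly; it queues the deletion for the next boot and removes the registry reference in the same pass, which matches the article's warning that a partial cleanup only produces a fresh DLL with a new random name. The signature check is a heuristic (catalog-signed system files may also report as not signed on older PowerShell builds), so treat each hit as something to verify rather than as confirmation.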

Symptoms

The most obvious sign of infection is the pop-ups: Vundo causes the infected web browser to display advertisements, many of which claim that software is needed to fix system "deterioration". The user's desktop background is changed to an image of an installation window stating that there is adware on the computer, and the screensaver is changed to a fake Blue Screen of Death. When the user tries to restore the original background and screensaver through Display Properties, the Desktop and Screen Saver tabs are missing because their "Hide" policy values in the Registry have been set to 1. Both the replacement background and the screensaver are placed in the System32 folder; the screensaver file cannot be deleted by normal means.

Trojan files with randomized names (such as "__c00369AB.dat") will be present in the Windows\System32 folder, and references to the DLLs will be found in the user's start-up entries (viewable in MSConfig), in the registry, and as browser add-ons in Internet Explorer.

Depending on the version of the virus the following symptoms may or may not be present:

Vundo may attempt to prevent the user from removing it or otherwise impede removal, for example by disabling Task Manager or the Windows Registry Editor. Another symptom is that the desktop icons and the taskbar disappear and then reappear after a short period; this makes running programs difficult, as they are automatically aborted.

Web access may also be negatively affected: Vundo may cause many websites to be inaccessible, with pages that simply hang. The hard drive may be constantly accessed by the winlogon process.

Symptoms may also include the disabling of Windows Automatic Updates or other web-based services.
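The hidden Display Properties tabs and the disabled Task Manager and Registry Editor described above are produced by ordinary Windows policy values, which can be listed and reverted directly. The following PowerShell is an added example, not from the original article. It assumes those symptoms correspond to the standard policy values NoDispBackgroundPage, NoDispScrSavPage, DisableTaskMgr and DisableRegistryTools under ...\Policies\System (the article only says the "Hide" values were set to 1 and that the two tools were disabled); the function names are hypothetical.

```powershell
# Added example, not from the article. Checks and reverts the policy values behind the
# symptoms described in this section. Registry value names are the standard Windows
# policy names and are an assumption about how the article's "Hide" values are implemented.

$PolicySubKey = 'Software\Microsoft\Windows\CurrentVersion\Policies\System'
$PolicyChecks = @(
    @{ Hive = 'HKCU'; Name = 'NoDispBackgroundPage'; Symptom = 'Desktop/background tab missing from Display Properties' }
    @{ Hive = 'HKCU'; Name = 'NoDispScrSavPage';     Symptom = 'Screen Saver tab missing from Display Properties' }
    @{ Hive = 'HKCU'; Name = 'DisableTaskMgr';       Symptom = 'Task Manager disabled for this user' }
    @{ Hive = 'HKCU'; Name = 'DisableRegistryTools'; Symptom = 'Registry Editor disabled for this user' }
    @{ Hive = 'HKLM'; Name = 'DisableTaskMgr';       Symptom = 'Task Manager disabled machine-wide' }
    @{ Hive = 'HKLM'; Name = 'DisableRegistryTools'; Symptom = 'Registry Editor disabled machine-wide' }
)

function Get-VundoPolicySymptoms {
    # Emits one object per policy value that is present and set to 1.
    foreach ($c in $PolicyChecks) {
        $key = "$($c.Hive):\$PolicySubKey"
        $v = Get-ItemProperty -Path $key -Name $c.Name -ErrorAction SilentlyContinue
        if ($v -and $v.($c.Name) -eq 1) {
            [pscustomobject]@{ Key = $key; Name = $c.Name; Symptom = $c.Symptom }
        }
    }
}

function Get-VundoDesktopSettings {
    # The article says the replacement wallpaper and screensaver live in System32.
    # Legitimate screensavers live there too, so these are shown for manual review, not flagged.
    $desk = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue
    foreach ($name in 'Wallpaper', 'SCRNSAVE.EXE') {
        [pscustomobject]@{ Setting = $name; Value = $desk.$name }
    }
}

function Repair-VundoPolicySymptoms {
    # Removes each offending value (restoring the default) instead of writing 0,
    # so no trace of the policy remains. Supports -WhatIf / -Confirm.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($hit in Get-VundoPolicySymptoms) {
        if ($PSCmdlet.ShouldProcess("$($hit.Key)\$($hit.Name)", "Remove policy value ($($hit.Symptom))")) {
            Remove-ItemProperty -Path $hit.Key -Name $hit.Name
        }
    }
}

Get-VundoPolicySymptoms | Format-Table -AutoSize
Get-VundoDesktopSettings | Format-Table -AutoSize
# Repair-VundoPolicySymptoms -WhatIf   # preview; drop -WhatIf to revert (HKLM entries need an elevated shell)
```

Run the two Get- functions first to see what is set. Reverting the values only helps once the trojan's DLLs and loader entries from the Infection section are gone; while it is still resident in Winlogon and Explorer.exe it may simply reapply them. Explorer reads these policies at logon, so log off and back on after the repair for the tabs and Task Manager to reappear.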

Information

On infected systems there is usually a registry entry labelled "MS Juan". This is part of the browser hijacking that prevents navigation to certain sites: the entry lists the browser's search page and calls one of the trojan's random-named Windows DLL files, which breaks the search functions on that site. Known navigation failures include Google searches and access to Hotmail, Gmail, and MySpace; the pages usually just hang. In susceptible browsers, any web page that contains JavaScript will fail to load properly.


References