Wenni Indriani's Blog

Vundo Trojan (Virtumonde, Vundo, Virtumondo, or MSJuan)

Posted on: November 3, 2010

The Vundo Trojan (commonly known as Vundo, Virtumonde or Virtumondo, and sometimes referred to as MS Juan) is a Trojan horse known to cause popups and advertising for rogue antispyware programs, and sporadically other misbehavior, including performance degradation and denial of service against some websites, including Google and Facebook. This kind of Trojan first appeared on August 20, 2004.

INFECTION

A Vundo infection is typically caused either by opening an e-mail attachment carrying the Trojan, or through a variety of browser exploits, including vulnerabilities in popular browser plug-ins such as Java. Many of the popups advertise fraudulent programs such as AntiSpywareMaster, WinFixer and AntiVirus2009.

Virtumonde.dll has two main components: Browser Helper Objects and Class ID (CLSID) entries. Each of these is registered in the Windows Registry under HKEY_LOCAL_MACHINE, and the file names are dynamic. It attaches to the system using bogus Browser Helper Objects and DLL files injected into winlogon.exe and explorer.exe and, more recently, lsass.exe.

Vundo inserts registry entries that suppress Windows warnings about the firewall, antivirus and the Automatic Updates service being disabled, disables the Automatic Updates service and quickly re-disables it if it is manually re-enabled, and attacks Malwarebytes' Anti-Malware, Spybot Search & Destroy, Lavasoft Ad-Aware, HijackThis and several other malware removal tools. It is also not detected by (or hides itself from) VundoFix and ComboFix. Rather than pushing fake antivirus products, the newer "ad" popups used in the drive-by download attacks are copies of ads by major corporations, faked so that simply closing them lets the drive-by download exploit insert the payload onto the user's computer. (Fortunately, this is hindered, if not prevented altogether, by Vista's User Account Control feature.) Its files can be recognized by having the "hidden" attribute set and by being .dll files with 8-character randomly generated names that alternate consonants and vowels.


SYMPTOMS

Since there are many different varieties of Vundo Trojans, symptoms vary widely, ranging from the relatively benign to the severe. Almost all varieties of Vundo feature some sort of pop-up advertising and root themselves into the system to make themselves difficult to delete.

Infected computers exhibit some or all of the following symptoms:

  1. Vundo causes the infected web browser to pop up advertisements, many of which claim that software is needed to fix system "deterioration".
  2. The desktop background may be changed to the image of an installation window saying there is adware on the computer.
  3. The screensaver may be changed to the Blue Screen of Death.
  4. In the Display Properties Control Panel, the Background and Screen Saver tabs are missing because their "Hide" values in the Registry were changed to 1.
  5. Both the background image and the screensaver are placed in the System32 folder; the screensaver cannot be deleted.
  6. Windows Automatic Updates (and other web-based services) may be disabled, and it is not possible to turn them back on.
  7. Infected DLLs (with randomized names such as "__coo369AB.dat" and "slmnvnk.dll") are present in the Windows\System32 folder, and references to them appear in the user's startup list (viewable in MSConfig), in the registry, and as browser add-ons in Internet Explorer.
  8. Vundo may try to prevent the user from removing it or otherwise impede its operation, for example by disabling Task Manager, Registry Editor and MSConfig, and by preventing the system from booting into Safe Mode.
  9. Some firewalls or antivirus software may be disabled by the virus, leaving the system even more vulnerable. In particular, it disables Norton AntiVirus and then uses it to spread the infection: Norton shows prompts to enable the phishing filter on its own, and pressing OK makes it connect to real-av.org and try to download more malware.
  10. Popular anti-malware programs such as Spybot – Search & Destroy or Malwarebytes' Anti-Malware may be deleted or closed immediately after loading. Renaming the program executable can work around this. Malwarebytes' Anti-Malware's executable may be deleted as soon as it is installed (depending on the infection); installing the program on another computer and copying the executable into the infected computer's Malwarebytes directory usually works too.
  11. Web access may also be affected: Vundo may make many websites inaccessible.
  12. Google search result links may be redirected to rogue antispyware sites, which can be avoided by copying and pasting addresses.
  13. Vundo may cause webpages to fail to load after a session of browsing, showing a blank page instead. When this happens, programs may also fail to start and it may become impossible to use Windows shutdown.
  14. The hard drive may be accessed constantly by the winlogon process, causing periodic freezes.
  15. Warnings about SuperMWindow not shutting down.
  16. Explorer.exe may crash constantly, resulting in an endless loop of crashing and restarting.
  17. Creates a driver the malware depends on in C:\Windows\system32\drivers\ (atiodgxx.sys).
  18. The virus can "eat" away at available hard drive space; free space can fluctuate by as much as +3 to -3 GB, evidence of Vundo's attempts at "hiding" when attacked.
  19. Vundo can impede download progress.
  20. Entering Safe Mode after attempting to use HijackThis results in a true Blue Screen of Death, which cannot be recovered from without either restoring the deleted Safe Mode registry keys or reinstalling Windows.
  21. Sometimes gives a "Run a DLL as an APP" error after some of the randomly named DLLs have been deleted.
  22. Rewrites its randomly named DLLs as long as any of them remain on the machine.
  23. Changes HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and RunOnce entries to start itself when Windows starts.
  24. Installs adware that, 25% of the time, is pornographic.
  25. Installs the adware and malware Desktop Defender 2010 and Security Center, with a voice .wav file telling you your system is infected.
  26. Corrupts the network driver; even after deleting the Winsock and Winsock2 keys in regedit and trying to reinstall the driver, repair is virtually impossible.
  27. Deletes the network connection under My Network Places.
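The persistence and tampering described in the INFECTION section and in the symptom list above (BHO and CLSID registration under HKEY_LOCAL_MACHINE, Run/RunOnce entries, hidden 8-letter alternating-consonant/vowel DLLs in System32, a disabled Automatic Updates service, hidden Display Properties tabs, disabled Task Manager and Registry Editor) can be collected in one pass with a read-only triage script. The PowerShell below is an added example written for this page; it is not code from the original post or from any of the removal tools it names. It assumes an elevated PowerShell session on the suspect Windows machine and uses the standard registry locations for each setting; which of these values a particular Vundo variant actually touches is an assumption, so treat hits as leads to verify rather than proof.

```powershell
# Added example: read-only Vundo triage for a Windows host (not from the original post).
# Assumes an elevated PowerShell session. Reports only; it changes nothing.

$consonant = '[bcdfghjklmnpqrstvwxyz]'
$vowel     = '[aeiou]'
# 8-letter base names that strictly alternate consonant/vowel (either order).
# -match is case-insensitive in PowerShell. Heuristic only: expect some false positives.
$altPattern = "^(?:$consonant$vowel){4}$|^(?:$vowel$consonant){4}$"

function Get-SuspiciousHiddenDlls {
    # Hidden .dll files in System32 whose name fits the alternating pattern
    $sys32 = Join-Path $env:windir 'System32'
    Get-ChildItem -Path $sys32 -Filter '*.dll' -Force -ErrorAction SilentlyContinue |
        Where-Object {
            -not $_.PSIsContainer -and
            (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) -and
            $_.BaseName -match $altPattern
        } |
        Select-Object FullName, Length, CreationTime, LastWriteTime
}

function Get-BrowserHelperObjects {
    # Each BHO subkey is a CLSID; its InprocServer32 default value is the DLL IE will load
    $bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    Get-ChildItem -Path $bhoKey -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid  = $_.PSChildName
        $server = Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
        New-Object PSObject -Property @{ CLSID = $clsid; Dll = $server.'(default)' }
    }
}

function Get-RunEntries {
    # Machine-wide autostart values under Run and RunOnce (provider metadata filtered out)
    $meta = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
    foreach ($key in 'Run', 'RunOnce') {
        $props = Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\$key" -ErrorAction SilentlyContinue
        if ($props) {
            $props.PSObject.Properties |
                Where-Object { $meta -notcontains $_.Name } |
                ForEach-Object { New-Object PSObject -Property @{ Key = $key; Name = $_.Name; Command = $_.Value } }
        }
    }
}

function Get-TamperIndicators {
    $findings = @()
    # Security Center notification flags: 1 suppresses the warning for that feature
    $sc = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Security Center' -ErrorAction SilentlyContinue
    foreach ($name in 'AntiVirusDisableNotify', 'FirewallDisableNotify', 'UpdatesDisableNotify') {
        if ($sc.$name -eq 1) { $findings += "Security Center: $name = 1 (warning suppressed)" }
    }
    # Automatic Updates service start type: 4 = Disabled
    $wu = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\wuauserv' -ErrorAction SilentlyContinue
    if ($wu.Start -eq 4) { $findings += 'wuauserv (Automatic Updates) start type is Disabled' }
    # Per-user policies: 1 hides the Display Properties tab or disables the named tool
    $pol = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
    foreach ($name in 'NoDispBackgroundPage', 'NoDispScrSavPage', 'DisableTaskMgr', 'DisableRegistryTools') {
        if ($pol.$name -eq 1) { $findings += "Policy: $name = 1" }
    }
    $findings
}

'== Browser Helper Objects (CLSID -> DLL) =='
Get-BrowserHelperObjects | Format-Table CLSID, Dll -AutoSize
'== HKLM Run / RunOnce entries =='
Get-RunEntries | Format-Table Key, Name, Command -AutoSize
'== Hidden 8-letter alternating-consonant/vowel DLLs in System32 =='
Get-SuspiciousHiddenDlls | Format-Table FullName, Length, CreationTime -AutoSize
'== Tampering indicators =='
Get-TamperIndicators
```

Run it from an elevated prompt and cross-reference the three lists: a BHO DLL or Run command that points at one of the hidden alternating-name DLLs is the strongest lead. On 64-bit Windows the 32-bit BHO and CLSID entries live under Wow6432Node as well, which this script does not walk. The name heuristic is derived from the description on this page and will flag some legitimate files, so confirm a hit by file signature and creation time before acting. The script deliberately deletes nothing: as symptom 22 notes, Vundo rewrites its DLLs while any of them remain, so removal has to take all of them and their registry references together, not one file at a time.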


INFORMATION

The Vundo virus was created deliberately and sent out to wreak havoc among computers; this was carried out and broadcast by two online users named "Hirishima" and "#[TTEH]Germany". The root cause of Vundo can be found in the computer's system registry. On infected systems there is usually an entry named "MSJuan" in the registry. This registry key causes a browser hijack that blocks navigation to certain sites. There is an entry listing the search page, which also loads a randomly named Windows DLL, causing the search functions on that site to fail. Google searches are disabled, as is access to Hotmail, Gmail, MySpace and Facebook, whose pages usually become unresponsive.

It often spreads through files on peer-to-peer and BitTorrent sites, or over shared connections on an unsecured network.

Further Information

One of the most irritating computer problems for many people is a PC that no longer works properly. Whether the machine runs slowly, programs are slow to start or never start at all, or the computer fails completely, it is hard to deal with and frustrating. One of the most common causes of these problems is the Vundo Trojan horse, which is among the most prevalent threats to web users at any time.

The Vundo Trojan horse can be a hard kind of malware to discover, since it conceals itself inside what appear to be useful files or programs. Once the Trojan is executed on your PC, it begins its work of damaging it.

The primary way the Vundo Trojan spreads is through email, even though scanners are getting smarter. The developers of these Trojans use normal-looking sender addresses that many people do not think twice about before opening. But the emails carry attached files containing Trojans such as Vundo.


OPINION:

From what is described above, it can be seen that the strange things that have been appearing all along, and the antivirus checks that always point to system32, are caused by a single type of Trojan, Vundo, also called Virtumondo. The right precaution is to be careful with unfamiliar attachments in e-mails, since the spreader of Vundo could also, through a computer network, insert this kind of Trojan into attachments that we send or receive by e-mail. According to the explanation above, the Trojan infects our computer through such attachments.

SOURCES:

http://en.wikipedia.org/wiki/Timeline_of_computer_viruses_and_worms

http://en.wikipedia.org/wiki/Vundo

http://www.trojanremovalguide.com/trojan-horse/trojan-horse-vundo/

1 Response to "Vundo Trojan (Virtumonde, Vundo, Virtumondo, or MSJuan)"

Aneta: Well, if that's the story, we have to be careful with e-mail, both spam and non-spam.
The antivirus provided by the mail server can't always be trusted to screen the attachments that come in, either ==''
