Virtumonde, would someone please shoot these guys? in Security

Virtumonde, would someone please shoot these guys? in Security http://www.dslreports.com/forum/r19702820 en Wed, 10 Feb 2010 04:31:06 EDT Wed, 10 Feb 2010 04:31:06 EDT Re: Virtumonde, would someone please shoot these guys? http://www.dslreports.com/forum/remark,19902561 RonnieO : Ok Grrrrrrrr I got it (well my daughter got it for me) how can I get rid of this POS. ]]> http://www.dslreports.com/forum/remark,19902561 Wed, 30 Jan 2008 12:08:40 EDT Re: Virtumonde, would someone please shoot these guys? http://www.dslreports.com/forum/remark,19758977 zteardrop :

said by steve 123 :

supz all. i recently got back from christmas and i downloaded a few movies with mininova.org soon after i went to check progress of dls found this wierd crap on ma comp all icons were highlighted and little red x in taskbar. having been infected by this retarded thing b4 i ran adaware found was virtomonde again so ran vundofix as already had it. says it found it removerd it rebooted was still on comp. i was looking in the regisrty there was a gebcb,dll or something that i cannot get rid of. looking on internet all the forums i guess new version of this bullshit is out thre. ive tried prob 9 diff spyware removal programs none work. how the fuck do i get rid of this thing have 4 comps all together this the only one thats infected thank god. help plz

What security product were you running when you got infected ?]]> http://www.dslreports.com/forum/remark,19758977 Tue, 08 Jan 2008 00:07:19 EDT Re: Virtumonde, would someone please shoot these guys? http://www.dslreports.com/forum/remark,19753546 darthboy : Some pirated movies require a license to play. Meaning: they're protected by DRM. (note the irony)

The Windows Media Player will popup a screen when phoning home to retrieve a license. You'll see porn ads in this screen, and there may be many popups to websites that contain malicious code aka drive-by attack.]]> http://www.dslreports.com/forum/remark,19753546 Mon, 07 Jan 2008 06:57:34 EDT Re: Virtumonde, would someone please shoot these guys? http://www.dslreports.com/forum/remark,19718420 fatdcuk :

said by CalamityJane

:

Do you know how you got it (or rather the machine on which you found it?) Most cases I have seen are a result of downloading pirated software and/or P2P networks downloaded files.

Keygen downloads from some wellknown offending sites-(Crack.exe+install.exe+serial.exe+keygen.exe)= around187kb

Install.exe is Virut and keygen.exe is the Vundo dropper;)

(keygen.exe+patch.exe+serial.exe)= around 187kb again

Again Keygen.exe is the Vundo dropper.

LMK if you don't recognize the file series and i will collect together a list of offending urls for you:)]]> http://www.dslreports.com/forum/remark,19718420 Tue, 01 Jan 2008 11:43:13 EDT Re: Virtumonde, would someone please shoot these guys? http://www.dslreports.com/forum/remark,19715767 ghost16825 :

said by NyQuil Kid

:

There is no "one size fits all" solution - some infections are worth the time to clean, others aren't - any position to the contrary merely reflects a degree of laziness or an inability to effectively deal with this problem.

Today, a flatten and rebuild should be the preferred course of action and any kind of malware 'clean' an exception rather than a rule. Things have changed - now there is usually not enough certainty that a compromised box, after a 'clean' is still fully under your control.]]> http://www.dslreports.com/forum/remark,19715767 Mon, 31 Dec 2007 19:19:38 EDT Re: Virtumonde, would someone please shoot these guys? http://www.dslreports.com/forum/remark,19715409 Doctor Four : This ought to include Innovative Marketing, the lowlifes
behind all the WinFixer variants, many of which often get
distributed with Vundo.

Incidentally, Virtumundo.com, a website known in the past
for spamming (they still do), is noted in the MVPS hosts
file as being associated with Virtumonde - the comment next
to that entry reads Panda.Virtumonde.C. Yet neither McAfee
Siteadvisor nor Google flags the site as being potentially
harmful - the former even gives it a green rating.
--
"The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)
]]> http://www.dslreports.com/forum/remark,19715409 Mon, 31 Dec 2007 18:19:40 EDT Re: Virtumonde, would someone please shoot these guys? http://www.dslreports.com/forum/remark,19715103 mysec : I would never depend on the browser as a tool of last resort against the zero-day (so-called) exploit.

Some solutions:

1) A Sandbox-type application will contain/remove the exploit

2) Configuring Software Restriction Policies

3) Less complex would be to set up the user with a Limited User account

4) Also simple: application with protection against the downloading/installing/running of non-White Listed executables

In the above cases, any remote code executed malware that gets past the browser is prevented from doing any damage.

These have been tested by myself and others at known malware sites -- in some cases, with unpatched IE browser to permit the exploit to attempt to run the payload.

----
rich]]> http://www.dslreports.com/forum/remark,19715103 Mon, 31 Dec 2007 17:31:36 EDT Re: Virtumonde, would someone please shoot these guys? http://www.dslreports.com/forum/remark,19714961 garys_2k :

said by mysec

:

This is the easiest attack to prevent via numerous solutions; that's why I said there is no reason for it to happen.

----
rich

Until, of course, the next zero-day drive-by exploit is delivered AND the browser(s) is patched. That could be weeks.]]> http://www.dslreports.com/forum/remark,19714961 Mon, 31 Dec 2007 17:01:05 EDT Re: Virtumonde, would someone please shoot these guys? http://www.dslreports.com/forum/remark,19714452 NyQuil Kid : By your reaction, the following is pretty clear:

a) I'm right
b) I'm funny
c) You were dropped as a baby, or were born near power lines

Thank you for proving my point.

[8F] The NyQuil Kid
--
[8F] The NyQuil Kid comes into town not looking for trouble... n00bz gang up, but he ain't seein' double,... pulls and draws, his deagles two... n00bz litter the ground you know it's true.]]> http://www.dslreports.com/forum/remark,19714452 Mon, 31 Dec 2007 15:32:22 EDT Re: Virtumonde, would someone please shoot these guys? http://www.dslreports.com/forum/remark,19714270 qrkx :

said by NyQuil Kid

Ok. Fair enough.

I thought there was a very simple "one size fits all" solution to a compromised host. Once again - I was terribly wrong. The old school is dead!

rgds]]> http://www.dslreports.com/forum/remark,19714270 Mon, 31 Dec 2007 15:01:47 EDT Re: Virtumonde, would someone please shoot these guys? http://www.dslreports.com/forum/remark,19714242 NyQuil Kid : Because it can be almost as time consuming to back up data, wipe the drive, reinstall ALL your applications, then copy your data back and tweak all your settings. Computer savvy people may not mind doing that, but the average Joe (which is usually the main victim/target of such infections) with thousands of family pics, files etc isn't in a position to do the aforementioned procedure every time they get an infection.

There is no "one size fits all" solution - some infections are worth the time to clean, others aren't - any position to the contrary merely reflects a degree of laziness or an inability to effectively deal with this problem.

[8F] The NyQuil Kid
--
[8F] The NyQuil Kid comes into town not looking for trouble... n00bz gang up, but he ain't seein' double,... pulls and draws, his deagles two... n00bz litter the ground you know it's true.]]> http://www.dslreports.com/forum/remark,19714242 Mon, 31 Dec 2007 14:57:43 EDT Re: Virtumonde, would someone please shoot these guys? http://www.dslreports.com/forum/remark,19714172 qrkx :

said by trparky

:

Would someone please shoot these guys? They need to be shot at dawn!

Don't shoot just yet!

These "guys" are doing us a great favour. I love malware that is so noisy you don't have to make any effort to identify its presence. Once the aforementioned accomplished - wipe zee box und start all over - until lesson learned. Rinse and repeat.

Why would you even try to "clean" a compromised host is the question at hand...

rgds]]> http://www.dslreports.com/forum/remark,19714172 Mon, 31 Dec 2007 14:47:18 EDT Re: Virtumonde, would someone please shoot these guys? http://www.dslreports.com/forum/remark,19713886 mysec :

said by TheRul

said by mysec

:

No reason for that to happen, ever.

----
rich

Tell me that was sarcasm.

It was not meant to be.

said by TheRul

:

You have dealt with end users at one time in your life, right?

I have and still do. My comment was about getting malware through remote code execution, aka, drive-by downloads.

This is the easiest attack to prevent via numerous solutions; that's why I said there is no reason for it to happen.

----
rich]]> http://www.dslreports.com/forum/remark,19713886 Mon, 31 Dec 2007 13:57:13 EDT Re: Virtumonde, would someone please shoot these guys? http://www.dslreports.com/forum/remark,19713704 TheRul :

said by mysec

:

No reason for that to happen, ever.

----
rich

Tell me that was sarcasm. You have dealt with end users at one time in your life, right?]]> http://www.dslreports.com/forum/remark,19713704 Mon, 31 Dec 2007 13:26:42 EDT Re: Virtumonde, would someone please shoot these guys? http://www.dslreports.com/forum/remark,19713584 NyQuil Kid : You forgot to mention how the AV companies, in conjunction with the Mafia and Cuba, shot JFK, faked the moon landing, and caused 9-11....

By the way, were you born near power lines or perhaps dropped as a baby by your parents....

[8F] The NyQuil Kid
--
[8F] The NyQuil Kid comes into town not looking for trouble... n00bz gang up, but he ain't seein' double,... pulls and draws, his deagles two... n00bz litter the ground you know it's true.]]> http://www.dslreports.com/forum/remark,19713584 Mon, 31 Dec 2007 13:02:10 EDT Re: Virtumonde, would someone please shoot these guys? http://www.dslreports.com/forum/remark,19713285 major marco :

said by trparky

:

No time in history have I ever wanted to say that a group of people needs to be put in front of a firing squad and shot at dawn, but this has got to be it.

Would someone please get the people who wrote this nasty thing and shoot them at dawn?

You'd be decimating an entire industry if the virii writers were executed! Besides, who do you think these folks work for? That's right, say it with me: The AV companies. McAfee, Norton, et al.
--
The Toll

Let's Go Flyers!
]]> http://www.dslreports.com/forum/remark,19713285 Mon, 31 Dec 2007 12:09:59 EDT Re: Virtumonde, would someone please shoot these guys? http://www.dslreports.com/forum/remark,19713256 mysec :

said by TheRul

:

My guess is that it was not only movies that he dl's. He just found it while dl'ing the movies.

If so, a malicious executable file downloaded by remote code execution.

No reason for that to happen, ever.

----
rich]]> http://www.dslreports.com/forum/remark,19713256 Mon, 31 Dec 2007 12:05:18 EDT Re: Virtumonde, would someone please shoot these guys? http://www.dslreports.com/forum/remark,19713224 Woody79_00 : Yes i have ran into this nasty and let me tell you, it is definitely no picnic to remove. Since im computer savy enough to handle editing the registry manually and such, i have been able to get rid of them...although it takes a long time

I have seen a few of these nasties hidden with a rootkit...really sucks let me tell ya..need something like Icesword or something similar to sniff that thing out 1st...since what is hidden keeps re spawning the infection.

Believe it or not...Windows Defender from Microsoft is pretty darn effective against Vundo in my expereince..it seems it fares better against it than any of the other apps ie SuperAntiSpyware, webroot, etc...Microsoft gets a 1up on everyone because they find out about new nasties before anyone else it seems...probably because of tech support calls and other methods.

As crazy as it sounds, I know Windows Defender is able to delete and clean files other apps can;t..Microsoft probably has a reserved set of api's for it or something who knows, but i have found Windows Defender can delete files in use that apps like Webroot, SuperAntiSpyware and others can't

Other than Windows Defender, The app i recommend using to fight this nasty Trojan is none other than A2...its a dedicated Anti-Trojan..well over a million pieces of malware in its database..chances are these Vundo infections are known about it its database

If you are infected, Update a2 boot into safe mode and run a deep scan...more than likely a2 will be able to wipe it out most of the time...i'd say 9/10 times...the other 1 time...Windows Defender...i know it sounds nuts, But Windows Defender scans work quite well against Vundo for some reason....it sounds crazy, but it does

Good luck to all in fighting this nasty thing...i absolutly cringe everytime i see a comp infected with this darn thing.

Please note i have cleaned Vundo off of pc's that it completly "crippled" apps like McAfee and Norton, real protection disabled and not able to be turned back on..also these Vundo's have crippled their firewall as well.

That why i "never" ever execute unsafe files from sources im not sure of..jotti and virus total to check them out, search for forums, ask opinions, etc..make informed decisions before executing any file.

my rule of thumb..treated "every"web site and file like a criminal until it is proven it is trust worthy]]> http://www.dslreports.com/forum/remark,19713224 Mon, 31 Dec 2007 11:59:31 EDT Re: Virtumonde, would someone please shoot these guys? http://www.dslreports.com/forum/remark,19713174 TheRul : My guess is that it was not only movies that he dl's. He just found it while dl'ing the movies.]]> http://www.dslreports.com/forum/remark,19713174 Mon, 31 Dec 2007 11:49:13 EDT Re: Virtumonde, would someone please shoot these guys? http://www.dslreports.com/forum/remark,19713002 mysec :

said by steve 123 :

i downloaded a few movies with mininova.org soon after i went to check progress of dls found this wierd crap on ma comp ... i ran adaware found was virtomonde again...

How does this virus get installed as a movie is being downloaded?

----
rich]]> http://www.dslreports.com/forum/remark,19713002 Mon, 31 Dec 2007 11:13:56 EDT Re: Virtumonde, would someone please shoot these guys? http://www.dslreports.com/forum/remark,19712508 wxboss : A trek to the Security Cleanup forums is in order. »Security Cleanup

This sucker is pretty nasty, and you'll need their expertise to get rid of it.]]> http://www.dslreports.com/forum/remark,19712508 Mon, 31 Dec 2007 09:17:41 EDT Re: Virtumonde, would someone please shoot these guys? http://www.dslreports.com/forum/remark,19712485 anon : supz all. i recently got back from christmas and i downloaded a few movies with mininova.org soon after i went to check progress of dls found this wierd crap on ma comp all icons were highlighted and little red x in taskbar. having been infected by this retarded thing b4 i ran adaware found was virtomonde again so ran vundofix as already had it. says it found it removerd it rebooted was still on comp. i was looking in the regisrty there was a gebcb,dll or something that i cannot get rid of. looking on internet all the forums i guess new version of this bullshit is out thre. ive tried prob 9 diff spyware removal programs none work. how the fuck do i get rid of this thing have 4 comps all together this the only one thats infected thank god. help plz]]> http://www.dslreports.com/forum/remark,19712485 Mon, 31 Dec 2007 09:12:03 EDT Re: Virtumonde, would someone please shoot these guys? http://www.dslreports.com/forum/remark,19707559 trparky :

said by mysec

:

Meanwhile -- There is really no reason for anyone to be a victim of Virtumonde/Winfixer or anything similar. We can help by informing those users/clients we work with.

I tell people that most ads (95%) that you see on the Internet for antivirus or antispyware software is bad and that they shouldn't listen to them.

A legitimate antivirus or antispyware company wouldn't advertise in that way.
--
Tom]]> http://www.dslreports.com/forum/remark,19707559 Sun, 30 Dec 2007 09:33:25 EDT Re: Virtumonde, would someone please shoot these guys? http://www.dslreports.com/forum/remark,19706088 mysec :

said by trparky

:

Apparently there is a new variant of this crap that uses a different way to infect startup applications, namely the "trillain .exe" thing.

There are at least three methods of installation that we can make users aware of.

The first two, Calamity Jane has mentioned. If a user was compromised in those ways, well, what can one say? You have to know your sources.

Another way is being tricked by remote code execution, aka Drive-by Download.

Prior to Winfixer/Virtumonde, numerous exploits abounded preying on users being tricked by pop-up ads, or banner ads.

etrust spyware described one:

quote:
The ad appears to be an application interface, when in fact it is a popup ad in which the entire gif file is a hyperlink. Whether intentionally or unintentionally, clicking on the popup ad leads to the forced install of BundleAJ_W1.exe, which includes MySearch Toolbar and Registry Cleaner, an adware application that claims to find errors in the system's registry.

This is the code:

said by badmondo :

People need to know that their "trusted" real-time antivirus antispyware will not protect them against this,

Since the forced install is an executable -- as trparky notes the presence of "trillian.exe" -- then solutions are obvious. If XP, running as Limited User, or with SRP stops this method in its tracks. I understand Vista has something similar.

A third party execution prevention application also stops this, as my screenshot shows using the example described by etrust.

said by trparky

:

Would someone please get the people who wrote this nasty thing and shoot them at dawn?

Someone else would just take their place!

Meanwhile -- There is really no reason for anyone to be a victim of Virtumonde/Winfixer or anything similar. We can help by informing those users/clients we work with.

----
rich

Blocking BundleAJ_V1.exe

]]> http://www.dslreports.com/forum/remark,19706088 Sat, 29 Dec 2007 22:51:12 EDT Re: Virtumonde, would someone please shoot these guys? http://www.dslreports.com/forum/remark,19706051 Anonymous : All they have to do is follow the money. Someone is paying these guys to show their ads.]]> http://www.dslreports.com/forum/remark,19706051 Sat, 29 Dec 2007 22:42:52 EDT Re: Virtumonde, would someone please shoot these guys? http://www.dslreports.com/forum/remark,19705305 trparky :

said by CalamityJane

:

Do you know how you got it (or rather the machine on which you found it?) Most cases I have seen are a result of downloading pirated software and/or P2P networks downloaded files.

I've never got it myself but I've had to, on more than a couple of occasions, remove it from computers that I've worked on.

This thing is a royal PITA to remove.

Apparently there is a new variant of this crap that uses a different way to infect startup applications, namely the "trillain .exe" thing.

I have an idea about how it's loading into the system, specifically the AppInit section of the registry. This isn't the first time that viruses have done this, this is nothing new. I've seen it before. That's how it loads the DLLs into the thread space of various programs.

I'd like to get a sample of this nasty in a ZIP file just to see what AV/AS software packages find it.
--
Tom]]> http://www.dslreports.com/forum/remark,19705305 Sat, 29 Dec 2007 20:11:15 EDT Re: Virtumonde, would someone please shoot these guys? http://www.dslreports.com/forum/remark,19704095 ftthz : well... the difference between a rootkit and virtumonde is that a rootkit will try to run undetected so the user does not suspect they are infected while virtumonde will blast ads and popups to you.]]> http://www.dslreports.com/forum/remark,19704095 Sat, 29 Dec 2007 15:33:39 EDT Re: Virtumonde, would someone please shoot these guys? http://www.dslreports.com/forum/remark,19703546 anon : I agree. It seems most anitvirus/antispyware fail miserably anainst virtumonde, especially the new variants. I am not sure why this does not get more attention, as a large percentage of infections is due to this. We worry about rootkits but virtumonde infections are causing the majority of borked computers compared to other types of malicous stuff. If I am wrong on this let me know. It is a dirty little secret the vendors of antivirus/antispyware sofware do not want the home user to know.

It would be good/interesting to know which antivirus and anitspyware apps are best at 1)preventing 2)identifying and 3)removing known variants especially the new ones. This will show how miserably they all fail to protect your pc. This might shame a few of the vendors into action.

People need to know that their "trusted" real-time antivirus antispyware will not protect them against this, and that once you get it removal will be a pain. This has helped create specialized malware removal forums on the web.

The true seriousness of this threat needs to be addressed.]]> http://www.dslreports.com/forum/remark,19703546 Sat, 29 Dec 2007 13:15:27 EDT Re: Virtumonde, would someone please shoot these guys? http://www.dslreports.com/forum/remark,19703074 CalamityJane : Yep, it's a new variant of Vundo that infects startup programs and other files and it is a bear to remove for sure.

Do you know how you got it (or rather the machine on which you found it?) Most cases I have seen are a result of downloading pirated software and/or P2P networks downloaded files.

We've been dealing with this for about a month now and it's getting really worse. Here is one of the first writeups on it by our member here Schouw

. This was the first nasty variant of this file infector - it is now using the method of creating those files you see with spaces in the name rather than in the temp folder.

From Kaspersky researcher Roel Schouwenberg aka Schouw:
»blogger.xs4all.nl/klab/archive/2···779.aspx

quote:
Virtumonde/Vundo goes file infector

Last night I was having a look at the latest developments coming from the
Virtumonde authors.
The latest trick is using file infection to make removal even more
difficult. Coming from one of the most notoriously tricky to remove malware
I was expecting quite the handful.

Like some other malware this version of Virtumonde enumerates which files
are being run at Windows startup. It will check the files and if deemed OK
for infection it will start the infection routine.

What Virtumonde is basically doing is creating a Trojan-Dropper. It will
drop the original host file into %temp% and start the file from there. Next
to that it will drop the Virtumonde component into the system directory.

The dropped DLL in the system directory will do its Virtumonde-like thing as
well as look for files to infect(from startup). So, this is not a patcher.
This is a virus.

About 4KB of dropper code is prepended in front of the host file. The
Virtumonde DLL gets appended to the host file. The DLL is about 32KB large,
but the exact size of appended code may vary. It also makes use of an
infection marker in the resource section to make sure it does not reinfect
the same file time and time again.

The original host file sits unaltered inside the newly created exe which
makes disinfection quite easy.
Something tells me that their next attempt is going to be more tricky to
handle.

--
It takes a disaster to make a woman out of a female
Microsoft MVP/Windows Security 2003-2008
Proud Member of ASAP (Alliance of Security Analysis Professionals)]]> http://www.dslreports.com/forum/remark,19703074 Sat, 29 Dec 2007 11:30:50 EDT Re: Virtumonde, would someone please shoot these guys? http://www.dslreports.com/forum/remark,19702939 Cudni : and you can see the nasty being battled and the amount of effort required to defeat it
»Security Cleanup

Cudni]]> http://www.dslreports.com/forum/remark,19702939 Sat, 29 Dec 2007 10:59:06 EDT Virtumonde, would someone please shoot these guys? http://www.dslreports.com/forum/remark,19702820 trparky : No time in history have I ever wanted to say that a group of people needs to be put in front of a firing squad and shot at dawn, but this has got to be it.

Would someone please get the people who wrote this nasty thing and shoot them at dawn?

I'll be the first to admit that I've done removals of viruses and other kinds of malware quite easily but this has got to be the worst, most insidious piece of malware yet.

If you don't know the extent of how far this thing goes, I'll explain.

If you have a machine that's infected with Virtumonde and you have the proper tools to see the infection in action, you'll notice several different rogue threads in processes such as SVCHOST.EXE, winlogon.exe, Explorer.exe, and other various system processes. Yep, this insures that if you delete the files in question, they get put right back on the machine after you reboot. I don't know right now if the thing re-infects the machine in real-time, if it does... then it's worse than I thought since now you can't even do the removal in normal Windows.

Oh, and don't get me started on the fact that this thing actively creates what are called "wrapper" executables in which say you have a program called Trillian, meaning trillian.exe. If you have a machine infected with Virtumonde, it renames the main trillian.exe to "trillian .exe" (take note of the space in the file name) and creates a new file of the same name which is nothing more than a execution wrapper file that gets loaded, re-infects the machine, and executes trillian.exe.

Yep, that's right... you could get the whole machine clean but if you don't get every single of one these wrapper executables you'll have a re-infected machine on your hands in a heartbeat.

Would someone please shoot these guys? They need to be shot at dawn!
--
Tom]]> http://www.dslreports.com/forum/remark,19702820 Sat, 29 Dec 2007 10:33:42 EDT