Vundo

Technical name
Vundo Variant: Trojan:Win32/Vundo. (Microsoft); Trojan:Win32/Vundo.gen! (Microsoft); Trojan.Vundo. (Symantec); Trojan.Vundo. (Bitdefender); Gen:Variant.Vundo. (BitDefender); TR/Drop.Vundo.J. (Avira); TR/Dldr.Vundo.J.379 (Avira); TR/Vundo..2 (Avira); Trojan-Downloader.Win32.Vundo (Ikarus); Win-Trojan/Vundo.63488.M (AhnLab); W32/Vundo.dam (Norman); Vundo.gen (Norman); W32/Vundo. (Norman); Win32/Vundo!generic (CA); Trojan:Win32/Vundo. (CA); Suspicious.Vundo (FireEye); Trojan.Win32.Monder (FireEye); Vundo.gen (FireEye); Trojan:Win32/Vundo (FireEye)
Virtumonde Variant: Adware.VirtuMonde (FireEye)
Alias: Virtumonde, Virtumondo, Microsoft Juan
Type: Malware
Subtype: Either computer worm or trojan horse
Family: Vundo

The Vundo Trojan (commonly known as Vundo, Virtumonde or Virtumondo, and sometimes referred to as MS Juan) is either a Trojan horse or a computer worm that is known to cause popups and advertising for rogue antispyware programs, and sporadically other misbehavior including performance degradation and denial of service with some websites including Google and Facebook. It is also used to deliver other malware to its host computers. Later versions include rootkits and ransomware.

Infection

A Vundo infection is typically caused either by opening an e-mail attachment carrying the trojan, or through a variety of browser exploits, including vulnerabilities in popular browser plug-ins such as Java. Many of the popups advertise fraudulent programs such as AntiSpywareMaster, WinFixer, and AntiVirus 2009.

Virtumonde.dll consists of two main components, Browser Helper Objects and Class ID. Each of these components is in the Windows Registry under HKEY LOCAL MACHINE, and the file names are dynamic. It attaches to the system using bogus Browser Helper Objects and DLL files attached to winlogon.exe, explorer.exe and, more recently, lsass.exe.

Vundo inserts registry entries to suppress Windows warnings about the disabling of the firewall, antivirus, and the Automatic Updates service, disables the Automatic Updates service and quickly re-disables it if manually re-enabled, and attacks Malwarebytes' Anti-Malware, Spybot Search & Destroy, Lavasoft Ad-Aware, HijackThis, and several other malware removal tools. It frequently hides itself from Vundofix and Combofix. Rather than pushing fake antivirus products, the new "ad" popups for the drive-by download attacks are copies of ads by major corporations, faked so that simply closing them allows the drive-by download exploit to insert the payload into the user's computer.

Symptoms

Since there are many different varieties of Vundo trojans, symptoms of Vundo vary widely, ranging from the relatively benign to the severe. Almost all varieties of Vundo feature some sort of pop-up advertising as well as rooting themselves to make them difficult to delete.

Computers infected exhibit some or all of the following symptoms:

- Vundo will cause the infected web browser to pop up advertisements, many of which claim a need for software to fix system "deterioration".
- The desktop background may be changed to the image of an installation window saying there is adware on the computer.
- The screensaver may be changed to the Blue Screen of Death.
- In the Display Properties Control Panel, the background and screensaver tabs are missing because their "Hide" values in the Registry were changed to 1.
- Both the background and screensaver are in the System32 folder; however, the screensaver cannot be deleted.
- Windows Automatic Updates (and other web-based services) may also be disabled and it is not possible to turn them back on.
- Infected DLLs or DAT files (with randomized names such as "__c00369AB.dat" and "slmnvnk.dll") will be present in the Windows/System32 folder, and references to the DLLs will be found in the user's start up (viewable in MSConfig), the registry, and as browser add-ons in Internet Explorer.
- Vundo may attempt to prevent the user from removing it or otherwise impede its operation, such as by disabling the task manager, registry editor, and msconfig, thereby preventing the system from booting into safe mode.
- Some firewalls or antivirus software may also be disabled by Vundo, leaving the system even more vulnerable. In particular, it disables Norton AntiVirus and in turn uses it to spread the infection. Norton will show prompts to enable the phishing filter, all by itself. Upon pressing OK, it will try to connect to real-av.org and download more malware.
- Popular anti-malware programs such as Spybot – Search & Destroy or Malwarebytes may be deleted or immediately closed upon loading. Renaming the program executable can work around this. Malwarebytes's executable may be deleted as soon as it is installed (depending on the system's infection). Installing the program on another computer and copying the executable into the infected computer's Malwarebytes directory usually works too.
- Web access may also be negatively affected. Vundo may cause many websites to be inaccessible.
- Search engine links may be redirected to rogue security software sites, which can be avoided by copying and pasting addresses.
- MS Juan may cause webpages to fail to load after sessions of browsing and present a blank page in the browser instead of the webpage. When this happens, any programs may also fail to start and it may become impossible to use Windows shutdown.
- The hard drive may start to be constantly accessed by the winlogon.exe process, so periodic freezes may be experienced.
- Displays pop-ups and is also efficient at injecting promotions into search results.
- Warnings about SuperMWindow not shutting down may occur.
- Explorer.exe may constantly crash, resulting in an endless loop of crashing then restarting.
- Creates a virus critical driver in C:\Windows\system32\drivers (ati0dgxx.sys).
- The virus can "eat" away at available hard drive space; hard drive space can fluctuate as much as +3 to -3 Gb of space, evidence of Vundo's attempt at "hiding" when being antagonized.
- Vundo can impede download progress.
- Entering safe mode after attempting to use HijackThis results in a true Blue Screen of Death, which cannot be recovered from without either restoring the deleted safe mode registry keys or a reinstalled version of Windows.
- The virus sometimes gives a "Run a DLL as an APP" error when some of the randomly named DLLs have been deleted.
- The virus will rewrite randomly named DLLs while any of them reside on the machine.
- The virus changes \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and RunOnce entries to start itself when Windows starts.
- The virus installs adware that is sometimes pornographic.
- The virus installs rogue security software such as Desktop Defender 2010 and Security Center with a .wav file telling the user that their system is infected.
- The virus will cause the network driver to be corrupt; even after going into Registry Editor (regedit.exe) to delete Winsock 1 and 2, trying to reinstall the driver is virtually impossible.
- The virus deletes the network connection under My Network Places.
Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.