
Adware.Virtumonde.GFA


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Adware.Virtumonde.GFA is also known as Virtumonde, Vundo.

Explanation:

Adware.Virtumonde has two components:
A) a dropper component that writes a DLL file to the %system32% folder, then loads it and runs a function that the DLL exports (the function that installs Virtumonde has different names; the most usual are InstallHook, SetVM, Setup, setplugin and setvm).

B) a DLL file that does the following:
- it copies itself into the %system32% directory under a random name, and creates a subkey with the same random name in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify. This key allows the DLL file to be loaded in Winlogon.exe (this protects the file from being deleted).
- some versions will create a file whose name is the original file name written in reverse order, in the same directory (if the original file name is abcdef.dll, the file that will be created will be fedcba.ini)

- different versions will create one of the following keys:
1) in HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects, either with the same name or names like MSEvents Object, PsapiAnalyzer, AtlDistrib etc. This key enables Virtumonde to be loaded when Internet Explorer starts.
2) the same pattern is used for the key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks.

It has several protection methods that ensure the DLL file will not be deleted:
a) the module that is loaded in winlogon.exe periodically tests whether the keys that Virtumonde creates have been deleted (if so, it creates them again).
b) it checks the PendingFileRenameOperations key to test whether the DLL is to be deleted when Windows starts (if so, the DLL name will be removed from that key).
c) it searches for the same thing in wininit.ini.

It displays advertising, usually using Internet Explorer to load a web page.
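A read-only audit of the three persistence locations and the PendingFileRenameOperations check described above, as an added PowerShell example that is not part of the BitDefender entry. It assumes an elevated prompt; the reversed-name .ini test is the entry's own abcdef.dll / fedcba.ini pattern, and the helper names (Resolve-DllPath, Test-ReversedIni, Get-ClsidServer, New-Finding) are this example's, not anything the malware or Windows defines.

```powershell
# Added example, not part of the BitDefender entry: read-only audit of the
# persistence and self-protection locations this description names.
$sys32 = Join-Path $env:SystemRoot 'System32'

function Resolve-DllPath([string]$Name) {
    # Notify entries often hold a bare file name that is loaded from System32
    if (-not $Name) { return $null }
    $Name = $Name.Trim('"')
    if ([IO.Path]::IsPathRooted($Name)) { return $Name }
    return Join-Path $sys32 $Name
}
function Test-ReversedIni([string]$DllPath) {
    # Some variants drop "fedcba.ini" beside "abcdef.dll" (the entry's own example)
    if (-not $DllPath) { return $false }
    $chars = [IO.Path]::GetFileNameWithoutExtension($DllPath).ToCharArray()
    [array]::Reverse($chars)
    return Test-Path (Join-Path (Split-Path $DllPath -Parent) ((-join $chars) + '.ini'))
}
function Get-ClsidServer([string]$Clsid) {
    # Map a BHO / hook CLSID to its in-process DLL and registered friendly name
    $key = "HKLM:\SOFTWARE\Classes\CLSID\$Clsid"
    $srv = Get-ItemProperty "$key\InProcServer32" -ErrorAction SilentlyContinue
    $name = (Get-ItemProperty $key -ErrorAction SilentlyContinue).'(default)'
    return @{ Dll = Resolve-DllPath $srv.'(default)'; FriendlyName = $name }
}
function New-Finding($Location, $Name, $Dll) {
    [pscustomobject]@{ Location = $Location; Name = $Name; Dll = $Dll
        InSystem32 = ($Dll -like "$sys32\*"); ReversedIni = (Test-ReversedIni $Dll) }
}
$findings = @()
$notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
foreach ($k in Get-ChildItem $notify -ErrorAction SilentlyContinue) {
    $findings += New-Finding 'Winlogon\Notify' $k.PSChildName (Resolve-DllPath (Get-ItemProperty $k.PSPath).DllName)
}
$bho = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
foreach ($k in Get-ChildItem $bho -ErrorAction SilentlyContinue) {
    $c = Get-ClsidServer $k.PSChildName
    $findings += New-Finding 'BHO' $c.FriendlyName $c.Dll
}
$hooks = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
$props = (Get-ItemProperty $hooks -ErrorAction SilentlyContinue).PSObject.Properties
foreach ($p in ($props | Where-Object { $_.Name -like '{*}' })) {
    $c = Get-ClsidServer $p.Name
    $findings += New-Finding 'ShellExecuteHooks' $c.FriendlyName $c.Dll
}
$findings | Format-Table -AutoSize
# Self-protection check: a pending delete of the DLL that its Winlogon module may strip out again
$sm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
(Get-ItemProperty $sm).PendingFileRenameOperations | Where-Object { $_ -like '*.dll' }
```

Legitimate entries appear in all three locations, so a row is only notable when the DLL sits in System32 under an unfamiliar name or has the reversed-name .ini beside it. Windows Vista and later no longer load Winlogon\Notify packages, so that location mainly matters on XP/2003 hosts.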

Last update 21 November 2011
