Bienvenido! - Willkommen! - Welcome!

Bitácora Técnica de Tux&Cía., Santa Cruz de la Sierra, BO
May the source be with you!

Tuesday, November 15, 2011

Virtumonde.prx - Trojan.Vundo.H

Prevention page with lots of info and tips on how to prevent this in the future.
Source: Malware Protection Center
TrojanDropper:Win32/Vundo.H
Aliases
  • Trojan:Win32/Vundo.JI (other)
  • Win-Trojan/Boltolog.53760.D (AhnLab)
  • Win32/VundoCryptorAG!generic (CA)
  • Trojan.Downloader-70422 (Clam AV)
  • Win32/Adware.Virtumonde (ESET)
  • Trojan-Downloader.Win32.Boltolog.aud (Kaspersky)
  • Vundo.gen.av (McAfee)
  • W32/Virtumonde.AXPX (Norman)
  • Troj/Virtum-GEN (Sophos)

Alert Level: Severe

Microsoft recommends that you download the latest definitions to get protected. 
TrojanDropper:Win32/Vundo.H is a trojan that installs a variant of Win32/Vundo detected as Trojan:Win32/Vundo.gen!C. Win32/Vundo.gen!C is a generic detection for a multi-component family of programs that deliver 'out of context' pop-up advertisements to the computer on which they are installed and may download and execute arbitrary files. 
Payload
Installs Trojan:Win32/Vundo.gen!C
When run, TrojanDropper:Win32/Vundo.H drops the following files:
  • <system folder>\<random letters>.dll - detected as Trojan:Win32/Vundo.gen!C
  • %TEMP%\<random letters>.bat - batch script
After dropping the above files, the registry is modified to run the dropped malware at Windows start, as in the following example modifications:

Modifies value: "Time"
With data: "90 C0 4C 89 C0 CA C9 01 00 00 00 00"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Settings

Modifies value: "(default)"
With data: "<system folder>\hggxyofy.dll"
To subkey: HKLM\SOFTWARE\Classes\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\InprocServer32

Adds value: "{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks

Adds value: "Asynchronous"
With data: "1"
To subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\hgGxYOFY

Adds value: "(default)"
With data: "26a53dbe7b0346adac37c7b2bf52ced8&"
To subkey: HKLM\Software\Microsoft\acc0fbff

Adds value: "(default)"
With data: "8E 9D C1 89 C0 CA C9 01"
To subkey: HKCU\SOFTWARE\Microsoft\Installer

Note that the above changes will differ among installations of the trojan. After installing Win32/Vundo.gen!C, the trojan dropper executes the dropped batch script to delete itself.
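The ShellExecuteHooks and Winlogon\Notify changes listed above are persistence points a defender can audit directly. As an added example (not from the Microsoft writeup or this blog), the PowerShell script below walks both keys, resolves each hook CLSID to its InprocServer32 DLL, and reports DLLs that are missing or lack a valid Authenticode signature; the Get-DllState helper and the output field names are my own, and the script assumes an elevated Windows PowerShell 2.0 or later session.

```powershell
# Added example, not from the Microsoft writeup or this blog: audit the two
# persistence locations described above (Explorer ShellExecuteHooks and
# Winlogon\Notify). Run in an elevated Windows PowerShell 2.0 or later session.
# The helper name and the output fields are my own.

$hooksKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'

# Classify a DLL path the way a triage analyst would: missing, unsigned, or signed.
function Get-DllState {
    param([string]$Path)
    if (-not $Path) { return 'no path' }
    $full = [Environment]::ExpandEnvironmentVariables($Path).Trim('"')
    if (-not [IO.Path]::IsPathRooted($full)) {
        # Bare file names (the usual form under Winlogon\Notify) load from system32
        $full = Join-Path $env:SystemRoot ('system32\' + $full)
    }
    if (-not (Test-Path -LiteralPath $full)) { return 'file missing' }
    $sig = Get-AuthenticodeSignature -FilePath $full
    if ($sig.Status -ne 'Valid') { return "unsigned ($($sig.Status))" }
    return 'signed'
}

$report = @()

# 1. ShellExecuteHooks: each value name is a CLSID; its DLL is the CLSID's InprocServer32 default value.
if (Test-Path $hooksKey) {
    $hooks = Get-ItemProperty -Path $hooksKey
    foreach ($prop in $hooks.PSObject.Properties) {
        if ($prop.Name -notlike '{*}') { continue }   # skip PSPath and friends
        $srv = "HKLM:\SOFTWARE\Classes\CLSID\$($prop.Name)\InprocServer32"
        $dll = if (Test-Path $srv) { (Get-ItemProperty -Path $srv).'(default)' } else { $null }
        $report += New-Object PSObject -Property @{
            Location = 'ShellExecuteHooks'; Entry = $prop.Name; Dll = $dll; Async = $null
            State = (Get-DllState $dll) }
    }
}

# 2. Winlogon\Notify: each subkey names a DLL loaded into winlogon.exe; Vundo sets Asynchronous=1.
if (Test-Path $notifyKey) {
    foreach ($sub in Get-ChildItem -Path $notifyKey) {
        $props = Get-ItemProperty -Path $sub.PSPath
        $report += New-Object PSObject -Property @{
            Location = 'Winlogon\Notify'; Entry = $sub.PSChildName; Dll = $props.DllName
            Async = $props.Asynchronous; State = (Get-DllState $props.DllName) }
    }
}

$report | Sort-Object Location, Entry | Format-Table Location, Entry, Dll, Async, State -AutoSize
```

Entries whose DLL is unsigned and carries a random-looking name in the system folder, like the hggxyofy.dll example above, are the ones worth pulling for analysis.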
 ====================
Trojan Vundo.H INFO
Trojan.vundo.h is one of the most horrible PC viruses and is commonly picked up through the internet or shady emails. It is a backdoor trojan virus that surely has become one of the most prolific problems on the internet for PC owners in this time period. In all likelihood you either have downloaded the trojan.vundo.h or you know someone who needs to remove vundo. Some computer aces claim that as many as 1/2 of computers that are live on the internet have some variation of the vundo trojan virus.
This particular problem has an aggregation of different names and variations. It is called trojan.vundo.h, vundo b trojan, virtumonde, or MS Juan. Many of these variations have matured into individual strains that work a little differently, much like the common cold in humans: no one type seems to be exactly the same.
The trojan.vundo.h is classified as a downloader because it opens ways for adware, keyloggers, and ad-clickers to be downloaded onto your home computer without your awareness. This can happen very quickly, at times within a few days or even hours. If you have been alerted by a program like Norton or McAfee that you have indeed downloaded the trojan.vundo.h virus, you should take steps to remove it quickly and completely.
Before you try a vundo removal you should make sure to have all of your important files backed up, because it can be risky and even professionals sometimes have a hard time with this trojan. I myself have encountered forms of vundo that will always regenerate some type of file without a complete computer reformat, but these are few and far between. It has taken a while and some trial and error to find the best software to remove vundo, but I have created a guide that I am confident will work for you!
===============
Source
1) Your temporary files didn't get deleted by CCleaner. I'm not sure if you ran it, and this is very important, so I would like for you to do that now. Go to the CCleaner icon on your desktop (it's a red C with a blue-handled broom in it) and double-click on it. This will open the program. Then I would like for you to click on the Settings button on the left side; in the next window there is a group of buttons starting with Settings, Cookies, Custom. Please click on Custom. In the window that opens up, you'll see the option to add a folder or add a file. Please add a folder: first the one called C:\WINDOWS\Temp\ and then the folder C:\Documents and Settings\Ava\Local Settings\Temp\. You will get a warning; just say okay.
After you've added both of these, click on the broom on the left side and you should be back at the default window with the Windows tab as the one on top. Leave everything checked. (If you use your history, you can uncheck it now, but you should change to bookmarks or favorites so you can always delete your history in the future.)
Now click on Start Cleaner in the lower right-hand side of CCleaner. Allow it to run until it's finished. When it's finished, the button "Start Cleaner" will become active again.
Now please go to settings and then custom as you did before. Highlight each of the temp folders you added and remove each one.
2) Next I want you to go to add/remove programs and uninstall Viewpoint Media Player.
3) Once you've finished both of the above, I want you to delete a program in your Program Files. Please go to C:\Program Files and look for the folder called Common Files. Open the Common Files folder and look for a folder called iS3. Open the iS3 folder and delete everything that's in it. Then delete the iS3 folder as well.
Now please do the following:
4) Run C:\MGtools\analyse.exe by double-clicking on it. This is really HijackThis (Note: if using Vista, don't double-click; use right-click and select Run As Administrator). Select "Do a system scan only". In the box that opens, find the following entries and put a checkmark next to them (if you need some of them to be in the trusted zone, leave them). After check-marking them, close all your open browser windows and click on FIX:
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
After you click fix, just close hijackthis.
5) Now I want you to rename the following files by adding .zzz to the end. To rename the files, find them in Windows Explorer and then right-click on each file. Select rename and at the end of the name, add .zzz to each one.
C:\WINDOWS\system32\BB09298911.sys ----> BB09298911.sys.zzz
C:\WINDOWS\JYW08.INI ----> JYW08.INI.zzz
After you rename the file, you can just click out in the window somewhere to complete the renaming process. This will make the little box go away. Then check each one to make sure it has the .zzz at the end and not in the middle.
6) Finally, I need to see if the above worked. Please find the file called GetLogs.bat in the MGTools folder under C:\
Double-click on GetLogs.bat and allow it to run to completion. When it's finished, come back here and use the Manage Attachments to attach the new logs which will be called MGlogs.zip. You can find them among the files directly under C:\ (click on the drive, not the + sign).
-----------
Delete:
C:\WINDOWS\system32\BB09298911.sys.zzz
C:\WINDOWS\JYW08.INI.zzz
Then go to the following folders and open them and click on the files a few at a time and delete any that you can. If you hit a small group where it won't let you delete them, try those one at a time. Keep going until you've deleted all the files you can.
C:\WINDOWS\Temp\
C:\Documents and Settings\Ava\Local Settings\Temp\
When you finish the above, please do the following:
Download ATF Cleaner by Atribune. This program does not require an installation.
NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use the Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main ATF Cleaner menu to close the program.
Finally, I need to see if the above worked. Please find the file called GetLogs.bat in the MGTools folder under C:\
Double-click on GetLogs.bat and allow it to run to completion. When it's finished, come back here and use the Manage Attachments to attach the new logs which will be called MGlogs.zip. You can find them among the files directly under C:\ (click on the drive, not the + sign).
-------------------------
  • Uninstall SuperAntiSpyware
  • If you installed Combofix to the desktop and renamed it cf.exe, it can be removed by going to Start/Run and copy-pasting in "%userprofile%\Desktop\cf" /u
  • Check for the following and if found, remove them as well by deleting them: ComboFix.exe (if it wasn't renamed), C:\ComboFix folder, C:\QooBox folder, C:\WINDOWS\nircmd.exe, and the C:\combofix.txt log that was created.
  • If we had you run Avenger, you can delete all files related to Avenger now.
  • If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
  • Go to add/remove programs and uninstall HijackThis.
  • Then go into Windows Explorer and find MGTools directly under C:\ (or the root drive where your operating system is installed).
  • Open the MGTools folder and delete the contents.
  • Then delete the folder itself.
  • Look for any leftover logs on your desktop and if found delete them
  • Run CCleaner
  • After you've completed the above, please follow the instructions at this link for setting a clean restore point. Before you do this step, please use your computer for a day or so with a couple of reboots and make sure you are not experiencing anything unusual. Then complete this step as well. It will give you a clean restore point to come back to in the future.
    Disable and Enable System Restore!
  • Once you've done this, please take a look at the link that follows. It's a good read and has some good information to help you prevent further malware invasions.
    How to Protect Yourself from Malware
Download HijackThis. It will be installed in a folder called HijackThis, usually under Program Files. Double-click on HijackThis.exe to run the program. Select "Run a system scan". Check the O23 entry below for a-squared and, after closing all browser windows, click Fix. Then rerun the scan and see if it's still there.
If it's still there, run HijackThis again, only this time choose "None of the above, just start the program". Then select Config, Misc Tools and look for the box that says "Delete an NT service". Copy/paste in a2free and then click on OK. After that just close HijackThis.
O23 - Service: a-squared Free Service (a2free) - Unknown owner - C:\Program Files\a-squared Free\a2service.exe (file missing)
O2 - BHO: (no name) - {87C7678A-8E9C-45A8-90E4-8DF38DCC0E0B} - C:\WINDOWS\system32\atmfdq.dll (file missing)
==========================
Source
Open HijackThis and click Scan.
There, you'll see the list with that entry present. Check it and click the "Fix checked" button below:
O4 - HKLM\..\Run: [_winadm] C:\WINDOWS\system32\winadm.exe
--------------------
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
Are you still being redirected?
--------------------------
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object)
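HijackThis entries marked (no file) or (file missing), like several quoted above, are orphaned references that the helpers keep asking the user to have HijackThis fix. As an added example (not from the forum posts), the PowerShell function below parses the entry types that appear on this page and flags such orphans; the function name, the field names and the choice of sample lines (copied from the logs above) are my own, and the code assumes Windows PowerShell 2.0 or later.

```powershell
# Added example, not from the forum posts above: parse the HijackThis entry types
# quoted on this page (R3, O2, O3, O4, O16, O23) and flag entries whose target is
# gone, which is what the helpers ask the user to have HijackThis "fix".
# Assumes Windows PowerShell 2.0 or later; function and field names are mine.

function ConvertFrom-HijackThisLine {
    param([string]$Line)
    # Entry layout: "<code> - <section>: <name> - <clsid or path> [ - <target>]"
    if ($Line -notmatch '^(?<code>[RO]\d+) - (?<rest>.+)$') { return $null }
    $code  = $matches.code
    $parts = $matches.rest -split ' - '
    $head  = $parts[0] -split ':', 2
    $name  = if ($head.Count -gt 1) { $head[1].Trim() } else { $null }
    if ($name -match '^\[(.+?)\]') { $name = $matches[1] }     # O4 entries: [ValueName] command
    $clsid = $null; $target = $null
    if ($Line -match '\{[0-9A-Fa-f-]{36}\}') { $clsid = $matches[0] }
    # First drive-rooted path ending in exe/dll/sys; quotes and arguments are left out
    if ($Line -match '([A-Za-z]:\\[^"]+?\.(exe|dll|sys))') { $target = $matches[1] }
    $orphan = $Line -match '\((no file|file missing)\)'
    New-Object PSObject -Property @{
        Code = $code; Section = $head[0].Trim(); Name = $name
        Clsid = $clsid; Target = $target; Orphan = $orphan
    }
}

# Sample lines copied from the HijackThis output quoted on this page.
$sample = @(
    'R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)',
    'O2 - BHO: (no name) - {87C7678A-8E9C-45A8-90E4-8DF38DCC0E0B} - C:\WINDOWS\system32\atmfdq.dll (file missing)',
    'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime',
    'O4 - HKLM\..\Run: [_winadm] C:\WINDOWS\system32\winadm.exe',
    'O23 - Service: a-squared Free Service (a2free) - Unknown owner - C:\Program Files\a-squared Free\a2service.exe (file missing)'
)

$entries = $sample | ForEach-Object { ConvertFrom-HijackThisLine $_ }
$entries | Format-Table Code, Section, Name, Clsid, Target, Orphan -AutoSize
# Orphans point at nothing and are normally safe to let HijackThis remove;
# live O4 entries with an unfamiliar target deserve a look at the file itself.
$entries | Where-Object { $_.Orphan } | ForEach-Object { "Orphaned: $($_.Code) $($_.Section) $($_.Name)" }
```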
