vundo/virtumonde white paper

Hi All,

Is there anybody who knows where I can find any white paper, research,
analysis on the vundo/virtumonde virus?

I'm doing a sort of document talking about this virus and I need information
about it.

Any comment or personal experience is welcome.

I need to know how users get infected, from which infected website they got
this virus so I can make like a diagram from the beginning of the infection
until the pop-ups start asking to download antivirus software.

Thanks for your help





Re: vundo/virtumonde white paper


| Hi All,
|
| Is there anybody who knows where I can find any white paper, research,
| analysis on the vundo/virtumonde virus?
|
| I'm doing a sort of document talking about this virus and I need information
| about it.
|
| Any comment or personal experience is welcome.
|
| I need to know how users get infected, from which infected website they got
| this virus so I can make like a diagram from the beginning of the infection
| until the pop-ups start asking to download antivirus software.
|
| Thanks for your help
|

To start your research...

The Vundo is a Trojan and not a virus.
The Virtumonde is classed as an adware Trojan.

One major infection vector is exploitation of vulnerabilities in Java.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: vundo/virtumonde white paper

On 2/12/2008 6:27 AM, Lolo, after much thought, came up with this jewel:
My wife got one (AntiVirGear) through MySpace. She went to a user's page
and it said to install something to listen to a song. It didn't take but
a few seconds before a new toolbar appeared and the pop-ups started.
What a chore it was to get rid of it. AdAware, Spybot, PestPatrol, MSAS
couldn't touch it. After several hours of scanning (should have known
better) I did some googling and found the only tool that worked:
Roguefix (run in safe mode)

http://www.internetinspiration.co.uk/roguefix.htm
(notice PCButts thief warning)

max
--
Virus Removal http://max.shplink.com/removal.html
Keep Clean http://max.shplink.com/keepingclean.html
Tools http://max.shplink.com/tools.html
Change nomail.afraid.org to gmail.com to reply by email.

Re: vundo/virtumonde white paper



| My wife got one (AntiVirGear) through MySpace. She went to a user's page
| and it said to install something to listen to a song. It didn't take but
| a few seconds before a new toolbar appeared and the pop-ups started.
| What a chore it was to get rid of it. AdAware, Spybot, PestPatrol, MSAS
| couldn't touch it. After several hours of scanning (should have known
| better) I did some googling and found the only tool that worked:
| Roguefix (run in safe mode)
|
| http://www.internetinspiration.co.uk/roguefix.htm
| (notice PCButts thief warning)
|
| max

Sorry Max.  That's the WRONG family.

The Vundo Trojan and Virtumonde Adware are part of the Winfixer family, while you
mention the SmitFraud/Fakealert family.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: vundo/virtumonde white paper

On 2/12/2008 8:01 PM, David H. Lipman, after much thought, came up with
this jewel:
Figures, the poor 2nd cousin...
--
Virus Removal http://max.shplink.com/removal.html
Keep Clean http://max.shplink.com/keepingclean.html
Tools http://max.shplink.com/tools.html
Change nomail.afraid.org to gmail.com to reply by email.

Re: vundo/virtumonde white paper



| Figures,the poor 2nd cousin.......

Bastard cousins is more like it and there is a smidge of overlap.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: vundo/virtumonde white paper

Thanks for the info.

The funny thing here is that I can't really find a lot of info regarding
this trojan compared to some other families.
I found a lot of info about the end of the infection chain but nothing
about the beginning.

thx
lolo




Re: vundo/virtumonde white paper


| Thanks for the info.
|
| The funny thing here is that I can't really find a lot of info regarding
| this trojan compared to some other families.
| I found a lot of info about the end of the infection chain but nothing
| about the beginning.
|
| thx
| lolo
|

That's because malware researchers hold this information as "proprietary".  The
reason being the anti-malware specialist can NOT tip their hat on just how much
is known.

Information I provided is public, generic, knowledge.  I can't release further
data.  Sorry!


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: vundo/virtumonde white paper

Thank you for your honest answer,
but I'm not asking for the whole thing, I'm asking for a point where to
start.
I'll do the rest by myself.
Cheers.





Re: vundo/virtumonde white paper


| Thank you for your honest answer,
| but I'm not asking for the whole thing, I'm asking for a point where to
| start.
| I'll do the rest by myself.
| Cheers.
|

I will tell you this...
The WinFixer family creators are now using Comodo Certificate Authority to
digitally sign their malware.  As of today, I am sure Melih will revoke their
certificate(s).

Reference:
"SetUp A Host"
89.18.181.x
Note: several nodes but probably not all.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: vundo/virtumonde white paper

thanks for the info David...





Re: vundo/virtumonde white paper

Hey David,

Can we tell whether Vundo is a French trojan family or a Russian one?
I would say Russian, isn't it?

Thx



Re: vundo/virtumonde white paper


| Hey David,
|
| Can we tell whether Vundo is a French trojan family or a Russian one?
| I would say Russian, isn't it?
|
| Thx
|

Registrant:
 Amaena
 P.O. box1048
 Chernigov, NA 14032
 UA

 Domain name: AMAENA.COM

 Administrative Contact:
    Hostmaster, Amaena  hostmaster@amaena.com
    P.O. box1048
    Chernigov, NA 14032
    UA
    +380 96 381 4557


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
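An added example, not code from the thread or from Dave: a short Python scan of proxy log lines against the two indicators this thread gives, the 89.18.181.x "SetUp A Host" range and the AMAENA.COM domain from the whois record above. Treating the range as a /24 is an assumption (the post says "several nodes but probably not all", so some addresses in the block may be unrelated and any block match should be confirmed by hand); the log lines, their format and the client addresses are constructed for the example.

```python
import ipaddress
import re

# Indicators from the thread. The /24 is an assumption: the post only says
# "89.18.181.x, several nodes but probably not all", so a block match is a
# lead to confirm, not proof on its own.
IOC_NETWORKS = [ipaddress.ip_network("89.18.181.0/24")]
IOC_DOMAINS = {"amaena.com"}   # registrant record quoted above

# Constructed Squid-style access log lines (not real traffic):
# timestamp client status bytes method url
SAMPLE_LOG = """\
1202812345.123 10.0.0.5 TCP_MISS/200 5120 GET http://www.example.com/index.html
1202812350.456 10.0.0.5 TCP_MISS/200 87234 GET http://setup.amaena.com/download/setup.exe
1202812360.789 10.0.0.7 TCP_MISS/200 3021 GET http://89.18.181.14/get.php?id=1
1202812370.012 10.0.0.9 TCP_MISS/200 1200 GET http://89.18.182.14/innocent
1202812380.345 10.0.0.5 TCP_MISS/304 0 GET http://cdn.notamaena.com/x
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+\S+\s+\d+\s+\S+\s+(\S+)")
URL_HOST_RE = re.compile(r"^[a-z]+://([^/:?#]+)", re.IGNORECASE)


def host_of(url):
    """Extract the host part of a URL, lower-cased; '' if unparseable."""
    m = URL_HOST_RE.match(url)
    return m.group(1).lower() if m else ""


def classify_host(host):
    """Return why a host matches an indicator, or None if it does not."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if addr is not None:
        # Literal IP in the URL: check it against each indicator block.
        for net in IOC_NETWORKS:
            if addr in net:
                return f"ip in {net}"
        return None
    # Hostname: match the domain itself or a subdomain. The leading dot
    # matters, otherwise "notamaena.com" would match "amaena.com".
    for dom in IOC_DOMAINS:
        if host == dom or host.endswith("." + dom):
            return f"domain {dom}"
    return None


def scan_log(text):
    """Return one hit dict per log line whose URL host matches an indicator."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue   # skip lines that do not fit the expected layout
        ts, client, url = m.groups()
        reason = classify_host(host_of(url))
        if reason:
            hits.append({"ts": ts, "client": client, "url": url, "reason": reason})
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(h["ts"], h["client"], h["url"], "<-", h["reason"])
```

Two of the five constructed lines hit: the download from a subdomain of amaena.com and the request to 89.18.181.14. The neighbouring 89.18.182.14 address and the look-alike cdn.notamaena.com are deliberately left in to show that the block boundary and the dotted-suffix check are what keep the false positives out.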


