Malware descriptions

Virtumonde/Vundo goes file infector

Over the last couple of days I’ve been looking at some of the latest tricks used by the creators of some adware – Virtumonde a.k.a Vundo. Virtumonde is notoriously hard to remove from an infected machine and with a new infection vector added, the program’s got even tricksier.

The authors are now using file infection so Virtumonde checks which files run at Windows startup and tries to infect them. Effectively this means that Virtumonde turns the original host file into a Trojan-Dropper.

Dropper code is prepended to the original host file, with a copy of Virtumonde being appended to the same file. When the infected file is launched it drops the original host file to %temp% and the Virtumonde file to the system directory.

Although Virtumonde is using an infection marker to prevent re-infecting the same file over and over again, this doesn’t always work. There are samples of already infected files being re-infected and the host file then won’t run. However, re-infection doesn’t prevent Virtumonde itself from running.

Because this code is self-replicating we’re dealing with a classic prepending virus. Unlike some other adware we’ve blogged about that uses a similar approach, this isn’t a Patcher Trojan.

This new trick from the Virtumonde authors is pretty easy to detect and disinfect. (We detect it as Virus.Win32.Trats.a). Although this variant didn’t cause any headaches from a technical point of view, we can expect some interesting challenges if Virtumonde continues to evolve.

Virtumonde/Vundo goes file infector

Your email address will not be published. Required fields are marked *

 

Reports

BlindEagle flying high in Latin America

Kaspersky shares insights into the activity and TTPs of the BlindEagle APT, which targets organizations and individuals in Colombia, Ecuador, Chile, Panama and other Latin American countries.

APT trends report Q2 2024

The report features the most significant developments relating to APT groups in Q2 2024, including the new backdoor in Linux utility XZ, a new RAT called SalmonQT, and hacktivist activity.

Subscribe to our weekly e-mails

The hottest research right in your inbox