Virtumonde/Vundo goes file infector

Over the last couple of days I’ve been looking at some of the latest tricks used by the creators of some adware – Virtumonde a.k.a Vundo. Virtumonde is notoriously hard to remove from an infected machine and with a new infection vector added, the program’s got even tricksier.

The authors are now using file infection so Virtumonde checks which files run at Windows startup and tries to infect them. Effectively this means that Virtumonde turns the original host file into a Trojan-Dropper.

Dropper code is prepended to the original host file, with a copy of Virtumonde being appended to the same file. When the infected file is launched it drops the original host file to %temp% and the Virtumonde file to the system directory.

Although Virtumonde is using an infection marker to prevent re-infecting the same file over and over again, this doesn’t always work. There are samples of already infected files being re-infected and the host file then won’t run. However, re-infection doesn’t prevent Virtumonde itself from running.

Because this code is self-replicating we’re dealing with a classic prepending virus. Unlike some other adware we’ve blogged about that uses a similar approach, this isn’t a Patcher Trojan.

This new trick from the Virtumonde authors is pretty easy to detect and disinfect. (We detect it as Virus.Win32.Trats.a). Although this variant didn’t cause any headaches from a technical point of view, we can expect some interesting challenges if Virtumonde continues to evolve.