January 2^nd, 2009

So I picked up this nasty little trojan/virus called Virtumonde a couple of days ago on my home laptop computer. Actually, "Virtumonde" is just one name for it. It is also called (and maybe more properly called) "Mundo" trojan or "Virtumondo" and even called "MS Juan" by some anti-spyware programs. Well, whatever ... I first learned it as "Virtumonde", so that's what I refer to it as.

Now, Virtumonde is the most bloody pernicious little piece of crapola that I have ever had the misfortune of clearing from any system ... and this goes back to my Windows 98 days when I knew a lot less about how these things worked.

1.0 - Characteristics of Virtumonde

For those folks who are interested, here are the characteristics of Virtumonde that made it so hard to remove from my system:

• Virtumonde creates randomly-named DLLs and stores them in the \Windows\System32 folder. You can go look through that folder, sorting by file date and time, and fairly easily figure out which of the DLLs are part of Virtumonde. (In my case, the DLL name was "yumafiba.dll" and later "CPM_76e82.dll" but those are just random names—everyone afflicted with the Virtumonde trojan will have a differently-named DLL file.

• Virtumonde loads itself at boot time. This is not a new trick by any means. Lots of viruses and trojans install themselves as services that load with Windows. The characteristic here, though, is that the trojan loads as a part of Windows itself—that is, when you log on, it comes into Windows. That has repercussions for traditional "Safe Mode" methods of removing trojans and viruses.

• If you try to delete any of Virtumonde's several registry entries, one of the two running processes puts it back in a matter of milliseconds. If you try to halt the memory-resident processes that are running, one restarts the other.

• Virtumonde runs in "Stealth Mode"; that is, it hides its process name from the Task Manager, so you can't easily find and delete the running process (it wouldn't help anyway: it would just come back).

• There are a few locations in the registry where Virtumonde created entries. To determine whether or not I was infected, I checked HKLM\Software\Microsoft\Windows\CurrentVersion\Run for the reference to RunDLL "xxxxxxx.DLL", s. Even manually deleting it only worked for a few milliseconds before the memory-resident process (the service) put it back there. If I refreshed the registry key listing, it was there again. There is nothing more maddening to me that this behaviour! (By the way, another registry key affected was: HKUS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Run. There may have been another one or two as well. It didn't matter; changing or removing them would be futile.

• Even when using Firefox, the popups (the payload delivered by the Virtumonde trojan) are part of the Internet Explorer (iexplore.exe) process.

2.0 - Unsuccessful removal attempts

When I first learned I had the virus (by way of popups during browsing online) I thought "no problem". I never mind this sort of thing because it gives me a bit of a Windows system workout.

1. The first thing I tried was to boot into Safe Mode. This has traditionally been successful for me, since the memory-resident portions of the trojan/virus wouldn't load and start. But no such luck here: Virtumonde loads as a part of Windows. Booting in Safe Mode still loaded the memory-resident portion of the trojan.

2. After finding the DLL in the \Windows\System32 folder, I renamed it. One reboot later and a new DLL (with a different name) was there. I tried preventing the folder from being written to, but I just got a DLL load error at boot time, with the Virtumonde memory-resident portion still loading from somewhere.

3. Fine, so I ran Spybot Search-and-destroy. It certainly detected the Virtumonde trojan ... and even claimed to remove it. But it had no success in permanently halting it, since it was really just an automated version of the manual step I mentioned above (booting to Safe Mode.) The real-time monitoring part of SD called TeaTime was somewhat helpful, in that it prevented (or, through a popup, gave you the option of preventing) the reinfection of the registry keys ... but that's only slightly helpful, since it didn't get rid of the memory-resident portion, and the keys came back at reboot anyhow. Besides, it would be the equivalent of having herpes B or worse, with no current outbreak: You'd still have the virus, just that it was dormant (and still taking up system resources).

4. Next, I tried a tool specifically designed to remove the Virtumonde trojan, called, VundoFix. I downloaded it and ran it. It claimed that the trojan wasn't even there. Oh brother.

5. I ran AdAware which detected Virtumonde fine, and even claimed to remove the trojan. But, just like Spybot, the trojan was back in just a few seconds.

6. I use Avira as my virus program. It recognizes the MS_Juan trojan right at the time Virtumonde delivers its payload into my browser (in the form of a popup advertising fake spyware removal software and MP3 websites). Even when told to delete the "trojan" (MS_Juan is not really the trojan, just the final part of the process for getting the popup delivered) the popup occurred anyhow.

7. I downloaded the PC Tools product Spyware Doctor and installed it. It claimed to have found the Virtumonde trojan, but wouldn't clean it unless I purchased the "full version". Ah, crippleware. Shitware, as I call it. I went back to their webpage and discovered, way at the bottom, the "restrictions" paragraph saying that, running on-demand, it only detected trojans and viruses; it didn't remove them! It was hard to find this information way down there at the bottom of their web page, and, considering the performance of the other programs, hard to believe it would have success. I wasn't going to pay $50.00 to find out. Fuckers. Thanks for wasting my time. And I'll never buy anything of yours ever—especially now after the bait and switch marketing.

I want to register my shock and horror at all of this. Avira has been an excellent anti-virus program. Both Spybot and AdAware have been my saviours in the past. But these programs, and even tools designed specifically to remove this trojan failed to do the job! It's like that superbug that is starting to appear in hospitals. Very disturbing trend here. And I am no dummy about these things; I have traditionally been very efficient and taken great pride in getting rid of these trojans and viruses. And I failed to do it myself.

3.0 - Success for me

There were two methods of removing the Virtumonde trojan that actually worked for me. I want to stress that this nasty little bugger may not be successfully removed on others' machines even when using the same methods I did. But both are at least worth a try.

1. System Restore - Well, of course this is always an option, provided you have it turned on. I used to leave it off all the time because I resented the way it gobbled up hard disk space. But I leave System Restore on nowadays just for reasons like this trojan. I had installed some software that I didn't want to roll back unless it was absolutely necessary. So I left this to the end as an absolute last resort. Also, it might have just set things up so that I could get infected again.

2. MBAM - I found a set of instructions at BleepingComputers.com. It's really just a description of how to download Malwarebytes' Anti-Malware, or MBAM, program, install it, and run it. It is free. And ... it worked! That is, it found Virtumonde and removed it. I was so surprised that I kept going back to the HKLM\Software\Microsoft\Windows\CurrentVersion\Run registry key in Regedit.exe to confirm, even hours later.

There is a guy who claims, for $89.00, to remove the Virtumonde trojan from your computer. He even put up a little YouTube video. I won't link to him because I don't like his statement—which turned out to be completely wrong for me—that if you want to get rid of this trojan, you'll have to pay for the fix. You can pay for the fix, or you can find your own method, just as I did. Now, the fact that it took me an entire evening to do it, does indicate that, if time is money, you may benefit from paying $50.00 or $90.00 or whatever to get rid of this piece of malicious software. I guess it's up to you.

4.0 - Prevention

So how do I stop myself from getting this nasty piece of crap again? Well ... it starts, of course, with knowing how I got it in the first place. As it turns out, there are two methods I could find for getting infected with the Virtumonde trojan/virus:

• ZLOB "codec" - Getting a fake movie that calls for a fake codec called ZLOB. The ZLOB "codec" is actually the trojan installer. I don't watch movies and movie clips on this computer (I do watch YouTube videos, but those are Flash videos and do not ever download and install codecs).

• Older Sun Java - Uh oh, hard core computer geeks everywhere won't like this one. It turns out that versions of Sun Java, such as J2SE 1.4.2_03 or version 1.5.7_xx, have a vulnerability that can be exploited. The information online is a little sketchy about which versions are patched and which are vulnerable. I simply uninstalled all 1.4.x and 1.5.x versions of Java off my system, leaving 1.6.x.

I recommend getting the latest version of Sun Java and deleting the ZLOB "codec" (if you have it) and I also recommend being very careful about which codecs to accept. There may be more methods of getting infected, and since the Virtumonde trojan/virus is constantly changing, it can reasonably be expected that newer methods of getting infected will be derived.

---

Read more rants - - Comment on this rant - Email me

---