New Vundu variant vexes v3?

Discussion in 'ESET NOD32 Antivirus' started by AshG, Dec 13, 2008.

Thread Status:
Not open for further replies.
  1. AshG

    AshG Registered Member

    Joined:
    May 7, 2005
    Posts:
    206
    Location:
    East TN
    Earlier this evening, I was browsing one of my favorite sites when I found their ad agency had included a nice surprise: a new Vundu variant. NOD32 picked it up and flashed a few popups stating as such, but after about 30 seconds I received notification from XP that both the Firewall and Automatic updates had been disabled. I was hammered by a slew of popups urging me to install Windows Antivirus 2009 that reappeared as fast as I could shut them down. In the meantime, NOD32 popped up to let me know that it hadn't seen this variant and asking me to submit the files for analysis. Of course, I said yes.

    Even though the malware had made it past the initial defense, NOD32 held it off enough for me to get SuperAntiSpyware installed and rip it out that way. After the cleaning and reboot, I ran a full NOD32 scan, SAS scan, and followed up with CureIt and found nothing. I've added Online Armor to run alongside NOD32 just in case anything like this happens again. I'm also urging the computer's owner to upgrade to Vista64 to add another level of protection (currently using XP32 sp3).

    Exactly how bad is this new variant, that it could make it past the first line of defense? I am a safe surfer who doesn't click on much of anything, and I definitely didn't give permission for anything to be downloaded or run. I hope the submitted samples are of some help with this new menace.
     
  2. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Can you PM me the site link for testing?
     
  3. AshG

    AshG Registered Member

    Joined:
    May 7, 2005
    Posts:
    206
    Location:
    East TN
    PM sent.

    I spent part of last evening trying to reproduce the attack on my computer at home, but given the different variables (I use Vista64 and NOD32 v4 at home) I am not surprised that I couldn't recreate it.
     
  4. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,855
    From past experience, ESET don't pay much attention to files sent via the client. ZIP up all the suspicious files from quarantine (disable the antivirus to do this) with the password "infected" and send them to samples("at")eset.com
     
  5. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Thanks AshG. Well, I went there, clicked a bunch of links and everything appears normal. No warnings of any kind or rogue pop-ups. I even tried the Yahoo ads but nothing going on here. I do not doubt you, but if it's still there I can not get lucky and land it. Maybe the rogue saw me coming and ran away. :D
     
  6. AshG

    AshG Registered Member

    Joined:
    May 7, 2005
    Posts:
    206
    Location:
    East TN
    Right after the attack, I contacted the site owner to let him know. According to his reply email this morning, he switched his ad package shortly after receiving my email to take care of the issue. I like responsive site owners.
     
  7. agoretsky

    agoretsky Eset Staff Account

    Joined:
    Apr 4, 2006
    Posts:
    4,032
    Location:
    California
    Hello,

    Did you submit the samples to ESET via email or through ESET NOD32 Antivirus?

    Regards,

    Aryeh Goretsky
     
  8. eddiemc2

    eddiemc2 Registered Member

    Joined:
    Jan 11, 2009
    Posts:
    1
    I now have this virus also; it keeps opening and closing imapi.exe.
    The taskbar is gone. I can only start it in Task Manager, and then it goes on and off every few seconds.
     
  9. cantankrs

    cantankrs Registered Member

    Joined:
    Jan 15, 2009
    Posts:
    5
    Can anyone comment on whether invoking ESET settings password protection would have avoided AshG's issue where modules became disabled?

    Thanks
     