Virtumonde

Discussion in 'malware problems & news' started by ArthurLee, Aug 3, 2008.

Thread Status:
Not open for further replies.
  1. ArthurLee

    ArthurLee Registered Member

    Joined:
    Jun 4, 2004
    Posts:
    29
    I thought I would share my experience of yesterday (2 August) with you and ask a few questions about this horrid virus/malware.

    I'm usually very careful about opening .exe files but I had downloaded an email client with a keygen application (I know, I know :mad: ) from a torrent file. I know that torrents are notorious for carrying and spreading malware/spyware/viruses etc. I'm still giving myself a hard time about this :( .
    Ironically, the email client loaded fine and the key from the keygen application worked! I've since uninstalled it though. I don't condone this sort of thing either.

    My OS is Windows XP with Service Pack 2 and I have the ESET (Nod32) Security Suite installed as a firewall and antivirus. The first thing that happened was that every icon on my desktop was wiped, leaving only my background desktop wallpaper. So I rebooted and there was a strange message just before the desktop was about to load (I can't remember the message) giving me options to continue, retry or cancel. I clicked on continue and my desktop loaded, but within 10 seconds the icons had gone; they came back and then disappeared about 5 times before finally disappearing altogether again.

    During all this, a message from Scotty the watchdog from my Winpatrol application kept asking me if I wanted Windows/System32/mlJDvcSka.dll to run on startup as a browser helper object, which I kept ignoring. I knew then that this .dll was part of my problem. I rebooted into safe mode but the same thing happened to the desktop icons there too. In the brief time available between the icons appearing and disappearing, I managed to do a system restore to 4 past dates but all were unsuccessful.

    The next thing that happened really scared me. I managed to run a scan with Lavasoft Adaware. Any application that I could open before the desktop icons were wiped actually stayed open. Within 20 seconds of the scan (the registry first, I think), it had found 5,000 infected files or instances of spyware that included all kinds of stuff like Opera, IE add-ons, browser helper objects, toolbars etc. I have to admit to panicking at this point when the message came up to the effect that my computer was heavily and critically infected with spyware. But, as soon as I clicked on the 'remove selected items' button, my screen went black and closed down! o_O. I tried this a few times after rebooting, even in safe mode, but the same thing happened.

    I knew I had to try and remove the Windows/System32/mlJDvcSka.dll but I couldn't get to it in time between the disappearing icons scenario. I then managed to do a scan with Spybot Search & Destroy, which amazingly remained open throughout the whole scan, and there it was - Virtumonde.dll with the mlJDvcSka.dll in its sub folder together with 2 separate registry entries. That's all that was found, which I did find a little strange seeing as my Adaware told me that my computer was kind of critically infected o_O. Anyway, I successfully deleted the damn thing, rebooted and, voilà, desktop fine, everything working fine - UNTIL - desktop icons began disappearing and reappearing again and Scotty the watchdog came in with the same message but with a different .dll (Windows/System32/nnnlijki.dll) which of course I ignored. At this point, I ran a Hijack This scan and found nothing, and I ran a smart scan with my ESET (Nod32) Antivirus and found nothing o_O.

    So I ran another scan with Spybot Search & Destroy which picked up the Virtumonde.dll with the regenerated nnnlijki.dll in its sub folder and 2 different registry entries. I navigated to all three source items and physically deleted them, ran CCleaner and TuneUp One Click Optimizer (which I thought would find loads of stuff but didn't), rebooted, and everything has been fine since then. Incidentally, I ran a Hijack This scan this morning which showed up Winlogon Notifier nnnlijki.dll (file missing) and deleted that. I've also run an Adaware scan that didn't find any trace of the original 5,000 infected items o_O

    Anyway, sorry this is long-winded but it might help others who become infected with this horrid thing. And those questions:

    1. Why did Adaware show up 5,000 'critical items' within a few seconds of scanning, yet my antivirus and Spybot Search & Destroy didn't pick up any of the 'toolbars, browser helper objects, IE add-ons etc'? Could it be that Virtumonde 'conditioned' Adaware to tell me that my computer was critically infected?

    2. Why didn't my ESET (Nod32) application pick up Virtumonde from the outset? I didn't get any message at all from it when I was about to run the .exe file. And why didn't it pick up on the nnnlijki.dll in Windows/System32 when I ran a scan?

    3. In hindsight, is there anything I could have done differently to get rid of Virtumonde more quickly than I did (it took me 5 hours!) or is there a security application (other than Winpatrol) that can run in the background and give real time system protection that maybe would have picked up on Virtumonde immediately?

    Thanks for listening! :)
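    The two persistence points this post runs into, a browser helper object and a Winlogon Notify package pointing at a randomly named DLL in System32, can be audited directly from the registry. The following PowerShell is an added example, not code from the thread or any of the products named in it; it assumes the standard Winlogon Notify and BHO key locations and treats a DLL that is missing (the "file missing" HijackThis finding above) or created in the last week as worth a look.

```powershell
# Added example (not from the thread): list Winlogon Notify packages and Browser Helper
# Objects, flagging entries whose DLL is missing or was created recently.
$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
$bhoKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$recent    = (Get-Date).AddDays(-7)   # assumption: anything newer than a week deserves review

function Resolve-Dll([string]$raw) {
    # Expand %SystemRoot%-style variables, strip quotes; bare names load from System32
    $p = [Environment]::ExpandEnvironmentVariables($raw.Trim('"'))
    if (-not [IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot "system32\$p" }
    return $p
}

function Report([string]$source, [string]$name, [string]$dll) {
    $path = Resolve-Dll $dll
    if (-not (Test-Path $path)) {
        "[$source] $name -> $path  (file missing: dead entry, safe to remove)"
    } else {
        $created = (Get-Item $path).CreationTime
        if ($created -gt $recent) {
            "[$source] $name -> $path  (created $created: recent, review this file)"
        } else {
            "[$source] $name -> $path"
        }
    }
}

# Winlogon Notify: each subkey carries a DLLName value loaded at logon
Get-ChildItem $notifyKey -ErrorAction SilentlyContinue | ForEach-Object {
    $dll = (Get-ItemProperty $_.PSPath).DLLName
    if ($dll) { Report 'Winlogon Notify' $_.PSChildName $dll }
}

# BHOs: each subkey is a CLSID; the DLL path lives under HKCR\CLSID\{...}\InprocServer32
Get-ChildItem $bhoKey -ErrorAction SilentlyContinue | ForEach-Object {
    $clsid  = $_.PSChildName
    $inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
    $dll    = (Get-ItemProperty $inproc -ErrorAction SilentlyContinue).'(default)'
    if ($dll) { Report 'BHO' $clsid $dll }
}
```

Run it from an elevated prompt; a missing-file hit matches what HijackThis reported, while a recent file in System32 with a random name is the case to compare against a second-opinion scanner before deleting anything.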
     
  2. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Try running a scan with SuperAntispyware free and Malwarebytes Antimalware. You can use ThreatFire in real time. It will zap them.
     
  3. PiCo

    PiCo Registered Member

    Joined:
    Apr 9, 2008
    Posts:
    352
    Location:
    Athens, Greece
    Some trojan keeps loading infected files! You can also run CureIt!

    Virtumonde is a real bitchy one :thumbd:
     
  4. Cretemonster

    Cretemonster Registered Member

    Joined:
    Mar 31, 2005
    Posts:
    79
    Your story is neither long-winded nor unique.

    It's a simple matter of this:

    1. There are more bad guys than good guys.

    2. The bad guys are more organized and professional than ever before.

    3. The bad guys work 24/7/365 at making their malware material 100% FUD for as long a period of time as possible.

    4. While the bad guys are working, the AVers are busy making sexy blog posts with meaningless points.

    5. The bad guys work together whether they like each other or not; the AVers spend more time and energy working against each other.

    Final Assumptions.

    United we stand, divided we fall.

    Never could a truer statement be made.
     
  5. Chuck57

    Chuck57 Registered Member

    Joined:
    Sep 2, 2002
    Posts:
    1,422
    Location:
    New Mexico, USA
    I used to use warez sites, years ago, and discovered that the headache involved wasn't worth it. I don't know how many times I ended up having to reformat my HD, thus losing the software I'd tried to pirate. In those days, antivirus was about it, and it didn't pick up a lot of things lurking on warez sites.

    I don't download mail. I use free Yahoo. If I get some kind of attachment that I need to download, it's already been scanned by them. Then, it's scanned by my antivirus and SuperAntiSpyware before I open it. It's still always opened in Sandboxie if possible. That may be overdoing it, but my computer hasn't been infected in years, either. I think that's probably as much luck as anything, considering the stuff that's out there these days which has, if I'm remembering correctly, even shown up on honest, legitimate CDs. You do what you can and hope for the best.
     
  6. SourMilk

    SourMilk Registered Member

    Joined:
    Mar 31, 2006
    Posts:
    630
    Location:
    Hawaii
    First things first. If you ever reinstall your operating system, invest in an imaging program (e.g. Acronis True Image, TeraByte Image for Windows, etc.) and image your fresh OS installation onto an external hard drive. Then, make images every so often as you see fit. Then, when malware strikes, you simply overwrite it with a clean image.

    As far as anti-malware protection goes, there are many good programs you can use. Among them are Threatfire (a behavior checker); Antivir (a top-rated antivirus according to the "antivirus comparatives" report); A2 Antimalware (a one-year free license is being offered today at Giveawayoftheday.com). Check out the myriad of threads found in this fantastic forum for other ideas.

    Safe hex saves hours of frustration.

    SourMilk out
     
  7. emperordarius

    emperordarius Registered Member

    Joined:
    Apr 27, 2008
    Posts:
    1,218
    Location:
    Who cares
    A few things I can tell:

    1. From what I understand you run NOD32 antivirus. Now, NOD32 relies only on signatures and heuristics, and that's an outdated approach to detecting new malware variants nowadays. If you know that you are going to install software which can be dangerous you MUST use a behaviour blocker/HIPS or an antivirus that includes that functionality. So I'd recommend you either start using a good behaviour blocker like Mamutu ($$), Drivesentry ($$, but also includes a blacklist) or Threatfire (free, but $$ available), or good HIPS software like Comodo Firewall Pro (free), Online Armor (free, but $$ is better) or Outpost ($$), or get another antivirus which has behaviour blocker/HIPS functions. I don't think that Winpatrol is enough.
    2. You are using Spybot and Ad-Aware. They were good antispyware programs some years ago, but nowadays their detection is pretty mediocre. I recommend getting SUPERAntiSpyware with AVG Anti-Spyware for spyware scanning. Also, in cases of rogue infections, MalwareBytes RogueRemover and SmitFraudFix should usually do the job.

    Last thing I have to say: if you really are going to download anything that you know can be dangerous, be sure at least to download it from a reliable source! (Not for warez, which you shouldn't use, but for other (legal) files.)

    Have a nice day.
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    And it pays better to be a criminal. :ninja:
     
  9. hex_614

    hex_614 Registered Member

    Joined:
    Jul 17, 2008
    Posts:
    155
    Location:
    Manila, Philippines
    For complete protection

    I recommend you use AVG 8.0 for your antivirus and Norton AntiBot for real-time behavior protection. For on-demand scanning use SuperAntiSpyware. For added prevention use SpywareBlaster.
     
  10. ArthurLee

    ArthurLee Registered Member

    Joined:
    Jun 4, 2004
    Posts:
    29
    Thanks hex - and for everyone else that's already contributed to this thread.

    I've heard conflicting reports about Norton generally (not the AntiBot application individually), mostly that it's a resource hog, and less often that it's the best security around for system protection? Incidentally, I note that you don't mention a firewall except Windows Firewall in your signature. I've heard bad reports about its effectiveness. Does Norton AntiBot compensate as a firewall?

    I know AVG is free and has really good write-ups, and I've already installed SuperAntiSpyware as an on-access scanner. I'm going to install SpywareBlaster too.

    I'm getting rid of ESET (Nod32) because it didn't pick up on the horrible Virtumonde (it really frightened me - I thought I was going to have to format my hard drive), but can I ask your opinion on Outpost Security Pro? It has good reviews and is really low on resources, which is one of my main criteria when installing security applications.

    Thanks. :)
     
  11. Jaki

    Jaki Guest

    Hi ArthurLee

    I was also infected by Virtumonde or the Vundo trojan while NOD32 was supposed to take care of it. I had to reformat my hard drive to get rid of it. Right now I'm using Kaspersky Antivirus, Comodo Firewall, and ThreatFire. Also, you could use Avira AntiVir Premium, Comodo Firewall, as well as Norton AntiBot or ThreatFire. I think you should be completely protected if you have the security apparatus that I just mentioned. Forget about NOD32; sincerely, I think that NOD32 is not that good. Be Safe and Peace.
     
  12. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,959
    Location:
    U.S.A.
    ArthurLee, back in 2005, I also picked up Vundo and at that time, the only thing that worked for me was VundoFix (a newer version is now available).

    As you will soon read, old versions of Java are also one of the entry points of this infection. To check your current version of Java, visit Verify Java Version. Make sure to remove any old Java versions after updating.
     
  13. rothko

    rothko Registered Member

    Joined:
    Jan 12, 2005
    Posts:
    579
    Location:
    UK
    Hmmm, until the next antivirus misses something, maybe a variant of Virtumonde or maybe something else. Then off to another AV.

    Recently, I've found I'm getting lots of emails linking to videos that require I install a "flash update". The .exe is the Nuwar worm, and over the last few weeks I've been warned by NOD32 via its heuristics. Upload to VirusTotal and the new variants are detected by hardly any of the big vendors until a few days later, and by that time NOD32 has added a signature.

    So if I'd been using Kaspersky or antivirus A, B or C at that point I'd be infected (if I wanted to see the latest Paris Hilton video, of course :D ).

    Lots of swings and lots of roundabouts.
     
  14. emperordarius

    emperordarius Registered Member

    Joined:
    Apr 27, 2008
    Posts:
    1,218
    Location:
    Who cares
    Why? Because it doesn't detect it by signatures? What about on-execution heuristic detections? Proactive Protection Alerts? HIPS? I doubt it'll be able to bypass that. The same thing goes for others such as F-Secure which use HIPS functions. Don't rely on VirusTotal so much, especially for AVs that have these kinds of features.
     
    Last edited: Aug 7, 2008
  15. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Wow, I am not the paranoid type, but man, your story made my blood pressure rise. :blink: Anyway, glad you nuked that beeper.
     
    Last edited by a moderator: Aug 6, 2008
  16. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    I agree that the most important thing is an image program; to add to the list, ShadowProtect and Paragon are both excellent.
     
  17. ArthurLee

    ArthurLee Registered Member

    Joined:
    Jun 4, 2004
    Posts:
    29
    Thanks for that SourMilk.

    Please forgive my ignorance on this OS imaging procedure, but I'm getting a picture of it being similar to System Restore, although I'm probably a million miles away! o_O. I actually have an external hard drive (250GB) where I save my music and photo files, and there's ample space to image an OS. So, would something like Acronis 'image' my now (thankfully) clean system onto my external hard drive, and if I have any future horrendous malware/virus infections, could I just overwrite my corrupted OS with the clean one from my external drive?

    Your help is much appreciated. :)
     