Virtumondo installed with detection

Discussion in 'NOD32 version 2 Forum' started by Thiggy, Sep 13, 2006.

Thread Status:
Not open for further replies.
  1. Thiggy, Registered Member (joined Apr 16, 2005; 82 posts)

    I've been a long-time user of NOD32 and ventured to a website the other day that contained the Virtumondo trojan. NOD32 detected the trojan, alerted, and offered the usual Terminate/Quit; but I found after terminating that the trojan was installed nonetheless. It consisted of many avenues of intrusion, including vtsqq.dll in the system32 directory, registry changes and Winlogon hooks. Though I know no AV program is 100% accurate, I'm curious why all this was installed with all modules of NOD32 running except EMON. To rid the PC of the intrusion, I had to step back to a prior system restore date along with manual deletion of the DLL. Clean-up was successful.

    Last edited: Sep 13, 2006
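The Winlogon hooks and the system32 DLL that Thiggy describes are the load points a responder checks first. The following is an added triage script (not part of the thread or any ESET tool); it assumes an elevated PowerShell 4 or later on a Windows host with the classic Winlogon\Notify layout, enumerates the DLLs and executables those registry values point at, and reports signature status and a SHA-256 for each so that a suspicious one can be submitted to a multi-engine scanner. The key paths are the standard Winlogon locations; the tolerance for unqualified names (searched in system32, then %SystemRoot%) is an assumption about how such entries are usually written.

```powershell
# Added example, not from the thread. Assumes: elevated PowerShell 4+ on Windows,
# Winlogon\Notify subkeys each carrying a DllName value (XP/2003-era layout).
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$findings = @()

# Turn a raw registry value ("Explorer.exe", "%SystemRoot%\system32\x.dll",
# "C:\...\userinit.exe,C:\evil.exe") into a list of concrete file paths.
function Resolve-ImagePaths([string]$raw) {
    if ([string]::IsNullOrWhiteSpace($raw)) { return @() }
    $out = @()
    foreach ($part in ($raw -split ',')) {
        $p = [Environment]::ExpandEnvironmentVariables($part.Trim().Trim('"'))
        if ($p -eq '') { continue }
        if (-not [IO.Path]::IsPathRooted($p)) {
            # Assumption: unqualified names resolve to system32 first, then %SystemRoot%.
            $candidates = @("$env:SystemRoot\system32\$p", "$env:SystemRoot\$p")
            $hit = $candidates | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
            $p = if ($hit) { $hit } else { $candidates[0] }
        }
        $out += $p
    }
    return $out
}

# Signature status and SHA-256 of one file; a missing file is itself a finding.
function Get-FileFacts([string]$path) {
    if (-not (Test-Path -LiteralPath $path)) {
        return [pscustomobject]@{ Path = $path; Exists = $false; Sha256 = $null; Signature = 'Missing' }
    }
    $sig = Get-AuthenticodeSignature -LiteralPath $path
    [pscustomobject]@{
        Path      = $path
        Exists    = $true
        Sha256    = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        Signature = $sig.Status.ToString()   # Valid, NotSigned, HashMismatch, ...
    }
}

# 1. Winlogon\Notify: each subkey's DllName is loaded into winlogon.exe at logon,
#    which is why a DLL dropped here survives reboots and runs as SYSTEM.
$notify = Join-Path $winlogon 'Notify'
if (Test-Path $notify) {
    foreach ($sub in Get-ChildItem -Path $notify) {
        $dll = (Get-ItemProperty -Path $sub.PSPath).DllName
        foreach ($path in (Resolve-ImagePaths $dll)) {
            $findings += [pscustomobject]@{ Source = "Notify\$($sub.PSChildName)"; Facts = (Get-FileFacts $path) }
        }
    }
}

# 2. Shell and Userinit: run at logon; malware appends to or replaces these values.
$props = Get-ItemProperty -Path $winlogon
foreach ($name in 'Shell', 'Userinit') {
    foreach ($path in (Resolve-ImagePaths $props.$name)) {
        $findings += [pscustomobject]@{ Source = $name; Facts = (Get-FileFacts $path) }
    }
}

# Report. Anything not carrying a valid Authenticode signature is flagged with "!!";
# the SHA-256 is what you paste into a multi-engine scanner rather than the file itself.
foreach ($f in $findings) {
    $flag = if ($f.Facts.Signature -eq 'Valid') { '   ' } else { '!! ' }
    '{0}{1,-24} {2,-14} {3} {4}' -f $flag, $f.Source, $f.Facts.Signature, $f.Facts.Sha256, $f.Facts.Path
}
```

On a clean XP-era host the Notify entries point at Microsoft-signed DLLs in system32 (crypt32, cryptnet, sclgntfy and so on) and Shell resolves to Explorer.exe; an unsigned DLL with a random-looking name alongside them is the pattern described in the first post. Deleting the DLL without removing the Notify subkey that references it leaves Winlogon logging a failed load on every boot, so clean both.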
  2. kjempen, Registered Member (joined May 6, 2004; 379 posts)

    When you test your security software against malware, you should try "installing" it through a sandbox (Sandboxie, for example). That way all you have to do is clean out the sandbox, and your system will remain as it was before you tried "installing" the malware.

    Back on topic, you didn't mention which file NOD32 warned you about. If it was the installer (and I suppose it was, since it was the one you were downloading and given the option to "Terminate"), then I'm amazed that you were able to run the installer. It shouldn't have been possible, at least not with AMON enabled, unless you excluded the Virtumondo installer?

    EDIT: Also, how can it install itself when it wasn't really downloaded to your PC? You say IMON intercepted and terminated the download? Either you don't remember correctly what happened and how it happened, or there is something fishy going on with your NOD32 or your setup for NOD32.
  3. Blackspear, Global Moderator (joined Dec 2, 2002; 15,115 posts; Gold Coast, Queensland, Australia)

    Do you have the website still? If so, please send me a PM with it.

    Cheers :D
  4. Blackspear, Global Moderator (joined Dec 2, 2002; 15,115 posts; Gold Coast, Queensland, Australia)

    PM received and replied to.

    Cheers :D
  5. Marcos, Eset Staff Account (joined Nov 22, 2002; 14,374 posts)

    I've gone through the source of the page and found a reference to another script that triggers the download of the Win32/TrojanDownloader.Small.BWY trojan.

    Even with IMON disabled, AMON would detect it on save and move it to quarantine. NOD32 does not detect any threat named Vundo, only Virtumonde. However, this does not seem to be the case, as the threat is detected under a different name.
  6. Thiggy, Registered Member (joined Apr 16, 2005; 82 posts)

    I understand this is a very active and changing trojan and there are variants constantly being published. If I remember correctly, I closed the browser window in due haste as NOD32 was alerting at the same time. That may have caused the breach. NOD32 is still my favorite and I'll continue to trust its excellent heuristics. Thank you Blackspear and Marcos for looking into this.

    Last edited: Sep 13, 2006
  7. apm, Registered Member (joined Mar 15, 2006; 162 posts)

    A few months ago my laptop got infected with Virtumonde too, with NOD32 installed and up to date. It was when I received frequent popups of WinAntivirus ads that I noticed something was wrong, and I had to search for and download the fix tool to clean it. I copied and zipped the DLLs and scanned them with Jotti's page; only KAV, DrWeb and another one (forgot which) could detect it. Just wondering if generic detection is possible, since it seems no AV can always detect this adware.
  8. Blackspear, Global Moderator (joined Dec 2, 2002; 15,115 posts; Gold Coast, Queensland, Australia)

    A pleasure.

    Cheers :D
  9. Blackspear, Global Moderator (joined Dec 2, 2002; 15,115 posts; Gold Coast, Queensland, Australia)

    The following quote is the key to this particular mongrel:

    Cheers :D