Virtumondo installed with detection

I've been a long time user of NOD32 and ventured to a website the other day that contained the Virtumondo trojan. NOD32 detected the trojan, alerted and offered the usual Terminate/Quit; but, I found after terminating that the trojan was installed nonetheless. It consisted of many avenues of intrusion including vtsqq.dll in the system32 directory, registry changes and winlogin hooks. Though I know no AV program is 100% accurate, I'm curious why all this was installed with all modules of NOD32 running except EMON. To rid the PC of the intrusion, I had to step back to a prior system restore date along with manual deletion of the dll. Clean up was successful.

 

When you test your security software against malware, you should try "installing" it through a sandbox (SandboxIE f.ex.). That way all you have to do is clean out the sandbox, and your system will remain as it used to be (before you tried "installing" the malware).

Back on topic, you didn't mention which file NOD32 did give you warning against? If it was the installer (and I suppose it was, since it was the one you were downloading and given the option to "Terminate"), then I'm amazed that you got to run the installer? It shouldn't have been possible, at least not with AMON enabled, unless you excluded the Virtumondo installer?

EDIT: Also, how can it install itself when it wasn't really downloaded to your PC? You say IMON intercepted and terminated the download? Either you don't remember right about what happened and how it happened, or there is something fishy going on with your NOD32 or your setup for NOD32?

 

Do you have the website still? If so, please send me a PM with it.

Cheers

 

PM received and replied to.

Cheers

 

I've gone through the source of the page and found a reference to another script that triggers download of Win32/TrojanDownloader.Small.BWY trojan.

Even with IMON disabled, AMON would detect it on save and move it to quarantine. NOD32 does not detect any threat names Vundo, only Virtumonde. However, this does not seem to be the case as the threat is detected under a different name.

 

I understand this is a very active and changing trojan and there are variants constantly being published. If I remember correctly, I closed the browser window in due haste as NOD32 was alerting at the same time. That may have caused the breach. NOD32 is still my favorite and I'll continue to trust its excellent Heuristics. Thank you Blackspear and Marcos for looking into this.

 

A few months ago my laptop got infected with Virtumonde too with Nod32 installed and update-to-date. It's when I received freq. popups of WinAntivirus Ads That I noticed something wrong, and had too search and DL the fix tool to clean it. I tried copy and zipped the dlls and scaned with Jotti's page, only kav & Drweb & another one (forgot) can detect it. Just wonder if generic detection possible since it seems not a AV can always detects this adware.

 

A pleasure.

Cheers

 

the following quote is the key to this particular mongrel:

Cheers