Vundo Variant

Discussion in 'malware problems & news' started by razor0018, Apr 23, 2008.

Thread Status:
Not open for further replies.
  1. razor0018

    razor0018 Registered Member

    Joined:
    May 28, 2007
    Posts:
    52
    This nasty thing bypassed my internet security. I was able to finally remove it using Super Anti Spy. During the infection I noticed that this thing:

    - deleted all my system restore points while creating its own only restore point after infection

    - constantly froze explorer in a loop of stopping and restarting itself

    - changed my cookie setting in IE

    - modified several modules and services in Windows and Office

    - also started in safe mode

    Please excuse my noobness but this is the first time I have ever been infected by malware. But my question is if anyone could tell me everything this thing altered on my system so that I can undo it and prepare my system for a reformat after safely backing up my data. I have the infected file inside of a passworded .rar so if anyone would like to examine the file themselves I can upload it somewhere at their request. Any help would be appreciated. Thank you.
     
  2. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Hi razor0018, could you upload the rar to RS and PM me the link please.:)

    And maybe the url where it was picked up from as well.

    SAS is an excellent AS and one of the first I run on other machines but you may want to see if any dregs remain by trying VundoFix.exe
     
  3. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    How did you get it?

    Maybe you need to post a HJT log on some forums (not here though).
     
  4. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Ran it in a test sandbox where a pmnmnNGX.dll was created in a sandboxed system32 folder.

    A batch file named "removalfile" with the following code was created in C:\Sandbox\TestVundo\user\current\Local Settings\Temp
    Code:
    @echo off
    :df
    del %1
    if exist %1 goto df
    A registry hive was created which I have no idea how to interpret.
    Code:
    regf
    [binary hive header; the only readable fragment is the UTF-16 file name "...lume1\Sandbox\TestVundo\RegHive" followed by "DIRT"]
    And an error popped up when it couldn't do anything else with everything seemingly contained within the sandbox.
    Vun Error.jpg
     
    Last edited: Apr 23, 2008
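The two artifacts above (the label/del/if-exist-goto batch loop and the file whose first four bytes are "regf") are both easy to recognise automatically. The following Python triage script is an added example, not code from this thread or from any of the posters: it flags batch files containing a retry-until-deleted loop and identifies registry hive files by their "regf" signature, pulling the original hive file name out of the base block (stored as UTF-16LE at offset 48, 64 bytes long). The sample batch text and hive header are constructed inline to mirror what Franklin reported, so the script runs offline; nothing in it executes the batch file.

```python
import re
import sys
from pathlib import Path

# Constructed sample: the same three-line delete loop reported in the thread.
SAMPLE_BATCH = "@echo off\r\n:df\r\ndel %1\r\nif exist %1 goto df\r\n"
# Constructed sample: a harmless batch file, for contrast.
SAMPLE_BENIGN_BATCH = "@echo off\r\necho backup done\r\n"
# Constructed sample: first 112 bytes of a registry hive base block.
# Real hives start with the "regf" signature; the file name field lives at
# offset 48 and is 64 bytes of UTF-16LE, zero padded.
_HIVE_NAME = "\\Sandbox\\TestVundo\\RegHive".encode("utf-16-le")
SAMPLE_HIVE_HEADER = b"regf" + b"\x00" * 44 + _HIVE_NAME.ljust(64, b"\x00")

LABEL_RE = re.compile(r"^:(\w+)\s*$", re.I)
DEL_RE = re.compile(r"^del\s+(?:/\w+\s+)*(\S+)\s*$", re.I)
LOOP_RE = re.compile(r"^if\s+exist\s+(\S+)\s+goto\s+(\w+)\s*$", re.I)


def find_delete_loops(batch_text):
    """Return (label, target) for every ':label / del X / if exist X goto label'
    sequence, i.e. a loop that keeps deleting until the file is gone."""
    lines = [line.strip() for line in batch_text.splitlines()]
    hits = []
    for i in range(len(lines) - 2):
        m_label = LABEL_RE.match(lines[i])
        m_del = DEL_RE.match(lines[i + 1])
        m_loop = LOOP_RE.match(lines[i + 2])
        if not (m_label and m_del and m_loop):
            continue
        label, target = m_label.group(1), m_del.group(1)
        # Only count it when the loop really jumps back to the del on the same file.
        if (m_loop.group(1).lower() == target.lower()
                and m_loop.group(2).lower() == label.lower()):
            hits.append((label, target))
    return hits


def is_registry_hive(data):
    """True when the buffer carries the registry hive base-block signature."""
    return data[:4] == b"regf"


def hive_file_name(data):
    """Decode the hive's embedded file name (offset 48, 64 bytes, UTF-16LE)."""
    if not is_registry_hive(data) or len(data) < 112:
        return None
    return data[48:112].decode("utf-16-le", errors="ignore").split("\x00", 1)[0]


def triage(files):
    """Map file name -> list of findings for a dict of {name: bytes}."""
    report = {}
    for name, data in files.items():
        findings = []
        if is_registry_hive(data):
            findings.append("registry hive, original name %r" % hive_file_name(data))
        if name.lower().endswith((".bat", ".cmd")):
            for label, target in find_delete_loops(data.decode("latin-1")):
                findings.append("delete-until-gone loop :%s on %s" % (label, target))
        report[name] = findings
    return report


def triage_samples():
    """Run the triage over the constructed samples (hypothetical file names)."""
    return triage({
        "removalfile.bat": SAMPLE_BATCH.encode("latin-1"),
        "backup.bat": SAMPLE_BENIGN_BATCH.encode("latin-1"),
        "RegHive": SAMPLE_HIVE_HEADER,
    })


if __name__ == "__main__":
    # With a directory argument, triage the real files in it; otherwise the samples.
    if len(sys.argv) > 1:
        folder = Path(sys.argv[1])
        files = {p.name: p.read_bytes() for p in folder.iterdir() if p.is_file()}
    else:
        files = None
    for name, findings in (triage(files) if files else triage_samples()).items():
        print(name, "->", findings or ["nothing notable"])
```

Run it with no arguments to see the constructed samples classified, or point it at a sandbox's Temp folder to list which dropped files are hives and which batch files carry the deletion loop; the loop detector only matches when the `if exist` target and the `goto` label line up with the preceding `del` and label, so ordinary batch cleanup scripts are not flagged.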
  5. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
  6. SirMalware

    SirMalware Registered Member

    Joined:
    Jun 6, 2006
    Posts:
    133
    http://www.bleepingcomputer.com/combofix/how-to-use-combofix
     