Vundo Variant

Discussion in 'malware problems & news' started by razor0018, Apr 23, 2008.

Thread Status:
Not open for further replies.
  1. razor0018

    razor0018 Registered Member

    Joined:
    May 28, 2007
    Posts:
    52
    This nasty thing bypassed my internet security. I was able to finally remove it using Super Anti Spy. During the infection I noticed that this thing:

    - deleted all my system restore points while creating its own only restore point after infection

    -constantly froze explorer in a loop of stopping and restarting itself

    -changed my cookie setting in IE

    -Modified several modules and services in windows and office

    -also started in safe mode

    Please excuse my noobness but this is the first time I have ever been infected by malware. But my question is if anyone could tell me everything this thing altered on my system so that I can undo it and prepare my system for a reformat after safely backing up my data. I have the infected file inside of a passworded .rar so if anyone would like to examine the file themselves I can upload it somewhere at their request. Any help would be appreciated. Thank you.
     
  2. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Hi razor0018, could you upload the rar to RS and PM me the link please.:)

    And maybe the url where it was picked up from as well.

    SAS is an excellent AS and one of the first I run on other machines but you may want to see if any dregs remain by trying VundoFix.exe
     
  3. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,109
    Location:
    Saudi Arabia/ Pakistan
    How did u get it?

    May be u need to post a HJT log on some forums( not here though).
     
  4. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Ran it in a test sandbox where a pmnmnNGX.dll was created in a sandboxed system 32 folder.

    A batchfile named "removalfile" with the following code was creasted in C:\Sandbox\TestVundo\user\current\Local Settings\Temp
    Code:
    @echo off
    :df
    del %1
    if exist %1 goto df
    A reghive was created which I have no idea how to interpret.
    Code:
    regf
       
       ³D/¥È                 0     l u m e 1 \ S a n d b o x \ T e s t V u n d o \ R e g H i v e                                                                                                                                                                                                                                                                                                                                                                                                               ,óa#DIRTÿÿÿ                                                     
    And an error popped up when it couldn't do anything else with everything seemigly contained within the sandbox.
    Vun Error.jpg
     
    Last edited: Apr 23, 2008
  5. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
  6. SirMalware

    SirMalware Registered Member

    Joined:
    Jun 6, 2006
    Posts:
    133
    http://www.bleepingcomputer.com/combofix/how-to-use-combofix
     
Loading...
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.