
Tuesday, August 19, 2008

Virtumondo/Virtumundo – virus hunt, continued

I couldn't remove this virus. I might if I had the system CD, so that I could start up without starting the logon process (virus uses winlogon notifiers). Here is, however, some information in case people want to pursue this:

Functionality is in a dll named "__c00*.dat", where the star is a number in hexadecimal format and


  • It "calls home" to "", which is based in the Netherlands.
  • Error output from the file can be found in "c:\xcrashdump.dat"
  • Files it hooks on are:
    • iexplore.exe
    • explorer.exe
    • services.exe
    • winlogon.exe
    • firefox.exe
    • opera.exe
  • Functionality includes
    • HttpSendRequestA (call home)
    • CreateWindowExA (show information)
    • SetWindowsHookExA (log stuff, I suspect key logging)
    • UrlDownloadFileA (download more stuff to update itself, maybe)
    • CreateMutex (I guess so that only one instance runs)
    • WriteProcessMemory (don't know, looks evil)
    • GetProcAddress (load whatever functionality from dlls, I couldn't find LoadLibrary, however)
    • CreateRemoteThread (looks bad)
    • Process Management and file management
    • Registry functions
    • String handling, both from shell api and native, both ANSI and UNICODE
    • SetSecurityDescriptorDacl


  • Lingvo9Netpatch from 2003
  • LocalAlloc and VirtualAlloc (memory allocation functions without their freeing counterparts) #"¤#""¤ memory leaks?
  • OpenFile
  • C-runtime functions
  • Looks sloppily written
  • Not detected by any virus scanners I've tried!


Analysis done with FileAlyzer.
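
A check for the Winlogon notifier persistence mentioned above, as an added example that is not part of the original post: it parses the text output of `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" /s` and flags notifier entries whose DllName matches the "__c00*.dat" naming described here or does not end in ".dll". The sample output and the notifier name "examplentf" are constructed, and the "not a .dll" rule is an assumed heuristic.

```python
import re
from ntpath import basename

# Constructed sample of `reg query ...\Winlogon\Notify /s` output (not from the post).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
    Asynchronous    REG_DWORD    0x0
    DllName    REG_EXPAND_SZ    crypt32.dll
    Logoff    REG_SZ    ChainWlxLogoffEvent

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\examplentf
    Asynchronous    REG_DWORD    0x1
    DllName    REG_SZ    C:\WINDOWS\system32\__c00A1F3.dat
    Logon    REG_SZ    WLEventLogon
"""

# A value line is: indent, value name, registry type, data.
VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$")
# Naming reported in the post: "__c00" + hexadecimal number + ".dat".
POST_PATTERN = re.compile(r"^__c00[0-9a-f]*\.dat$", re.IGNORECASE)

def parse_notifiers(text):
    """Return {notifier subkey name: DllName data} from reg query output."""
    notifiers, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            # Last path component is the notifier's subkey name.
            current = line.rstrip().rsplit("\\", 1)[-1]
        elif current:
            m = VALUE_RE.match(line)
            if m and m.group(1).lower() == "dllname":
                notifiers[current] = m.group(3).strip()
    return notifiers

def suspicious(notifiers):
    """Flag entries matching the post's file name, or not ending in .dll."""
    findings = []
    for name, dll in sorted(notifiers.items()):
        base = basename(dll)
        if POST_PATTERN.match(base):
            findings.append((name, dll, "matches __c00*.dat naming"))
        elif not base.lower().endswith(".dll"):  # assumed heuristic
            findings.append((name, dll, "notifier is not a .dll file"))
    return findings

if __name__ == "__main__":
    for name, dll, why in suspicious(parse_notifiers(SAMPLE)):
        print(f"{name}: {dll} ({why})")
```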

So, I'm off to support so they can wipe my machine. ¤#"%"#"!%"#¤@work.… catch url…

BTW, I found a nice hosts file at:,

