Virtumondo/Virtumundo – virus hunt, continued

I couldn't remove this virus. I might if I had the system CD, so that I could start up without starting the logon process (virus uses winlogon notifiers). Here is, however, some information in case people want to pursue this:

Functionality is in a dll named "__c00*.dat", where the star is a number in hexadecimal format and

MD5=6717D534A44C9913FFFE9985EE7E933F:

• It "calls home" to "nx1.zappoworld.com", which is based in the Netherlands.
  
• Error output from the file can be found in "c:\xcrashdump.dat"
  
• Files it hooks on are:
  
  • iexplore.exe
    
  • explorer.exe
    
  • services.exe
    
  • winlogon.exe
    
  • firefox.exe
    
  • opera.exe
    
• Functionality includes
  
  • HttpSendRequestA (call home)
    
  • CreateWindowExA (show information)
    
  • SetWindowsHookExA (log stuff, I suspect key logging)
    
  • UrlDownloadFileA (download more stuff to update it self, maybe)
    
  • CreateMutex (I guess so that only one instance runs)
    
  • WriteProcessMemory (don't know, looks evil)
    
  • GetProcAddress (load what ever functionality from dlls, I couldn't find LoadLibrary, however)
    
  • CreateRemoteThread (looks bad)
    
  • Process Management and file management
    
  • Registry functions
    
  • String handling, both from shell api and native, both ANSI and UNICODE
    
  • SetSecurityDescriptorDacl
    

MD5=69FEB378121DB99F80E15D597EC60124

• Lingvo9Netpatch from 2003
  
• LocalAlloc and VirtualAlloc (memory allocation functions without their freeing counterparts) #"¤#""¤ memory leaks?
  
• OpenFile
  
• C-runtime functions
  
• Looks sloppy written
  
• Not detected by any virus scanners I've tried!
  

 

Analysis done with FileAlyzer.

So, I'm off to support so they can wipe my machine. ¤#"%"#"!%"#¤@work.

Zappoworld.com…
Flashget.com catch url…

BTW, I found a nice hosts file at: http://mvps.org/winhelp2002/hosts.htm, http://mvps.org/winhelp2002/hosts.txt