rss       feed       personal mail       professional mail       msn       facebook       linkedin        

Tuesday, August 19, 2008

Virtumondo/Virtumundo – virus hunt, continued

I couldn't remove this virus. I might if I had the system CD, so that I could start up without starting the logon process (virus uses winlogon notifiers). Here is, however, some information in case people want to pursue this:

Functionality is in a dll named "__c00*.dat", where the star is a number in hexadecimal format and


  • It "calls home" to "", which is based in the Netherlands.
  • Error output from the file can be found in "c:\xcrashdump.dat"
  • Files it hooks on are:
    • iexplore.exe
    • explorer.exe
    • services.exe
    • winlogon.exe
    • firefox.exe
    • opera.exe
  • Functionality includes
    • HttpSendRequestA (call home)
    • CreateWindowExA (show information)
    • SetWindowsHookExA (log stuff, I suspect key logging)
    • UrlDownloadFileA (download more stuff to update it self, maybe)
    • CreateMutex (I guess so that only one instance runs)
    • WriteProcessMemory (don't know, looks evil)
    • GetProcAddress (load what ever functionality from dlls, I couldn't find LoadLibrary, however)
    • CreateRemoteThread (looks bad)
    • Process Management and file management
    • Registry functions
    • String handling, both from shell api and native, both ANSI and UNICODE
    • SetSecurityDescriptorDacl


  • Lingvo9Netpatch from 2003
  • LocalAlloc and VirtualAlloc (memory allocation functions without their freeing counterparts) #"¤#""¤ memory leaks?
  • OpenFile
  • C-runtime functions
  • Looks sloppy written
  • Not detected by any virus scanners I've tried!


Analysis done with FileAlyzer.

So, I'm off to support so they can wipe my machine. ¤#"%"#"!%"#¤@work.… catch url…

BTW, I found a nice hosts file at:,

          rss       feed       personal mail       professional mail       msn       facebook       linkedin        

Sunday, August 17, 2008

Virtumondo – virus hunt

Removing virtumondo.

The other day I got an unsuspected pop up window using Internet Explorer. Strange, I thought, this kind of problems must be extinct years ago, I surely did something wrong…?

The problem was pervasive.

I use a virus killer and a firewall , and I don't install software I'm not supposed to, except maybe Opera and Java.

I tried spyware killers of Google and Microsoft. It worked. One day later, the problem reappeared… and in addition they reported (and did not fix) a virus named "Virtumondo"!

The net is full of fixes and people telling stories of hours of work without result. Except the obvious, two "low hanging fruits" emerged:

1. Blocking and all popping up sites in %windir%\system32\drivers\etc\hosts

2. Removing write-access to "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

I then restarted into safe mode with command prompt, ran anti virus, and removed all (three) reg keys under "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" starting with "__".

That's it, I don't feel certain I removed the malware, but this is all I have time for, if the thing reappears I guess I'll ask for a new machine or full reinstall.


Tomorrow will be better.