Vundo is back: Norton, HouseCall and many other antiviruses fail to even detect it

Trojan.Vundo is a component of an adware program that downloads and displays pop-up advertisements. It is known to be installed by visiting a website link contained in a spam email.


This is an old bug, but there are new variants running around recently. I had Norton running on my system and got infected, but it did not detect it. Then I installed Pc doc, no use there either. Then I finally went to HouseCall and tried, no use there either. Thus I concluded that this must be a new version.

The typical infection used to have a prompt like the one shown below.

But in my case nothing like that appeared.

While infected with Vundo, users will notice a small or large amount of memory being used at set times and/or randomly throughout the day. Pop-ups will tell you that your system is infected and that your performance is deteriorating, and that you must download a program (usually WinAntiVirusPro or SysProtect) to fix this. But for some reason the pop-ups were being blocked, or the servers they were trying to connect to were down. I opened up my firewall and tried; then also they displayed nothing but failures. But some pop-ups did work, and most of them pointed to WinAntiVirus.

The program it tells you to download is itself malware. The pop-ups normally occur through Internet Explorer, but will also appear in your default browser if it is open (in my case Firefox).

The process is a hidden service that is started when the operating system is loaded. Many hidden files appear with the Vundo infection. Sometimes a virus removal program will remove some of these hidden files but not the actual DLL. In my case most antivirus products didn't see a single infected file, meaning the file names have been changed or modified, or that this is a new strain.

On Windows XP, a "System File Missing" yellow balloon pops up at seemingly random intervals of 1-8 seconds, and error messages saying the exact same thing appear when Windows loads.

Many tools and programs have been written to remove Vundo, although the Trojan's authors often release new versions. Vundo creates a DLL file in the Windows system directory and writes registry entries causing Windows to inject the file into winlogon.exe. This makes it very difficult to remove: winlogon.exe starts before any user logs in and stays running for the whole session, so the DLL is already loaded and locked by the time a removal tool runs. In my case most tools did not work.
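On Windows XP the registry entries that get a DLL loaded into winlogon.exe are the Winlogon Notify packages under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify: each subkey names a DLL that winlogon.exe loads at boot. Because the DLL name changes between variants, a name-based scan is of little use, but the set of Notify packages on a stock XP install is short and known, so diffing the live key against that set is a practical triage step. The Python below is an added example, not code from the original post or from any of the removal tools it mentions: it parses a Regedit 5.00 export of that key (as produced by `reg export`) and reports every package whose subkey name is not in an assumed baseline of stock XP packages. The export text, the baseline set and the package name xyzpkg00 are constructed for the example.

```python
"""Triage a Winlogon\\Notify registry export for packages that are not part of a
stock Windows XP install (added example; baseline and sample export are assumed)."""
import re

# Notify subkeys present on a clean Windows XP install (assumed baseline; adjust
# after checking a known-good machine of the same service-pack level).
XP_DEFAULT_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
    "sclgntfy", "SensLogn", "termsrv", "wlballoon",
}

NOTIFY_PATH = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
               r"\CurrentVersion\Winlogon\Notify")

# Constructed sample of what `reg export` writes; xyzpkg00 is a placeholder
# name for an unknown package, not a real Vundo file name.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,6c,\
  00,00,00
"Impersonate"=dword:00000000
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DllName"="wlnotify.dll"
"Logon"="SCardStartCertProp"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\xyzpkg00]
"Asynchronous"=dword:00000001
"DllName"="C:\\WINDOWS\\system32\\xyzpkg00.dll"
"Impersonate"=dword:00000000
"Startup"="EventStartup"
"Shutdown"="EventShutdown"
"""


def _join_continuations(text):
    # .reg files break long hex values across lines with a trailing backslash
    # followed by an indented continuation line; glue them back together.
    return re.sub(r",\\\r?\n\s*", ",", text)


def _decode_value(raw):
    """Decode one value as written by Regedit: quoted string, dword, or hex blob."""
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):
        # Regedit escapes backslashes and quotes with a backslash.
        return re.sub(r"\\(.)", r"\1", raw[1:-1])
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)", raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b)
        # REG_EXPAND_SZ (hex(2)) and REG_MULTI_SZ (hex(7)) are UTF-16LE text.
        if m.group(1) in ("1", "2", "7"):
            return data.decode("utf-16-le").rstrip("\0")
        return data
    return raw


def parse_reg_export(text):
    """Return {key_path: {value_name: value}} for a Regedit 5.00 export."""
    keys = {}
    current = None
    for line in _join_continuations(text).splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        name, _, raw = line.partition("=")
        name = "@" if name == "@" else name.strip('"')
        keys[current][name] = _decode_value(raw)
    return keys


def suspicious_notify_packages(text, baseline=XP_DEFAULT_NOTIFY):
    """List (package, DllName) for Notify subkeys not in the baseline."""
    findings = []
    for path, values in parse_reg_export(text).items():
        if not path.startswith(NOTIFY_PATH + "\\"):
            continue
        package = path[len(NOTIFY_PATH) + 1:]
        if package not in baseline:
            findings.append((package, values.get("DllName")))
    return findings


if __name__ == "__main__":
    for package, dll in suspicious_notify_packages(SAMPLE_EXPORT):
        print(f"unknown Winlogon Notify package {package!r} loads {dll}")
```

On the suspect machine, `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" notify.reg` produces the input; anything `suspicious_notify_packages` flags is a DLL that winlogon.exe loads before you log in, which is exactly why in-session removal tools get blocked. A package outside the baseline is not proof of infection on its own (some third-party software registers its own Notify package), so check the flagged DLL's digital signature and file timestamp before deleting the key.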

Removing outdated versions of Sun Java used to prevent the infection, but that is no longer enough.

For me, VundoFix did not work; it was blocked through winlogon.

VirtumundoBegone also failed for me; it did not help either.

ComboFix helped, but that didn't last long: the strain came back in less than 24 hours. Finally I backed up my files and reinstalled Windows.

Be very careful, it is out again and this one is really, really irritating. This one is not detected by any antivirus I tried.
