What is vundo? (Also known as virtumonde or virtumondo).

Vundo is an aggressive trojan horse that has been prevalent on PCs for years. It is known to cause popups and advertising for rogue antispyware programs, and sporadically other misbehavior including performance degradation and denial of service with some websites, including Google and Facebook. Vundo could also be classified as adware, since its aggressive popups have a significant impact on system speed.

How did I get vundo?

Most likely vundo would be picked up through bad links, emails, and, if you’re using Internet Explorer (especially any version prior to 8), through security holes that vundo can exploit. Make sure you always remember to update your software!

Eliminate vundo completely.

You really can’t leave any traces of vundo behind; partial elimination will only enable the adware trojan to reinstall itself on your system.

Vundo variants & infection.

Virtumonde.dll has two main components: Browser Helper Objects and Class IDs. Both are registered in the Windows Registry under HKEY_LOCAL_MACHINE, and the file names are dynamic. It attaches to the system using bogus Browser Helper Objects and DLL files loaded into winlogon.exe and explorer.exe and, more recently, lsass.exe.[1]

The latest variation of Vundo is undetected by most antivirus software. It inserts registry entries to suppress Windows warnings about the disabling of the firewall, antivirus, and the Automatic Updates service; disables the Automatic Updates service and quickly re-disables it if manually re-enabled; and attacks Malwarebytes’ Anti-Malware, Spybot Search & Destroy, Lavasoft Ad-Aware, HijackThis, and several other malware removal tools. It is also not detectable by (or else hides itself from) Vundofix. Rather than pushing fake antivirus products, the new “ad” popups for the drive-by download attacks are copies of ads by major corporations, faked so that simply closing them allows the drive-by download exploit to insert the payload into the user’s computer. Its files are characterized by having the “hidden” flag set and being .dll files with 8-character randomly arranged names alternating consonants and vowels.
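As an added example (not from the page's sources or from any of the removal tools it links), the naming pattern just described can be turned into a simple hunt: a Python script that walks a directory tree and reports hidden .dll files whose 8-letter names strictly alternate consonants and vowels. The sample filenames in the comments are constructed; the hidden-flag check uses the Windows file attribute when the platform exposes it.

```python
import os
import re
import stat
from pathlib import Path

# Windows "hidden" attribute bit (stat exposes it on Python 3.5+; 0x2 is the documented value).
FILE_ATTRIBUTE_HIDDEN = getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0x2)
VOWELS = set("aeiou")
_EIGHT_LETTER_DLL = re.compile(r"^[a-z]{8}\.dll$", re.IGNORECASE)


def looks_like_vundo_name(filename: str) -> bool:
    """True for an 8-letter .dll whose letters alternate consonant/vowel,
    starting with either kind, e.g. constructed samples "kadobune.dll" or
    "akadobun.dll"; "kernel32.dll" (digits) and "abcdefgh.dll" do not match."""
    if not _EIGHT_LETTER_DLL.match(filename):
        return False
    kinds = [c in VOWELS for c in filename[:8].lower()]
    # Strict alternation: every adjacent pair must differ in kind.
    return all(kinds[i] != kinds[i + 1] for i in range(7))


def is_hidden(path: Path) -> bool:
    """Windows hidden attribute when available; dotfile convention elsewhere."""
    attrs = getattr(path.stat(), "st_file_attributes", None)
    if attrs is not None:
        return bool(attrs & FILE_ATTRIBUTE_HIDDEN)
    return path.name.startswith(".")


def scan_for_suspects(root: str, require_hidden: bool = True) -> list:
    """Return paths under root whose names match the pattern (and, by default, are hidden)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not looks_like_vundo_name(name):
                continue
            path = Path(dirpath) / name
            try:
                if require_hidden and not is_hidden(path):
                    continue
            except OSError:  # unreadable entry; skip rather than abort the scan
                continue
            hits.append(str(path))
    return hits


if __name__ == "__main__":
    system32 = os.path.join(os.environ.get("SYSTEMROOT", r"C:\Windows"), "System32")
    for hit in scan_for_suspects(system32):
        print("suspect:", hit)
```

A name match alone is only a lead, not proof of infection; confirm by checking the file's signature, its Browser Helper Object registration and the process it is loaded into.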

Vundo removal.

There is more than one way to remove vundo: there are automated tools as well as manual removal procedures. Below are links to sites that document the process of removing vundo from your PC.

1. How to remove Virtumonde (Vundo) / Winfixer

2. How to remove the Adware Vundo

3. Vundofix by Atribune