Virtumondo/Virtumundo – virus hunt, continued

April 22, 2009
180 Views

I couldn’t remove this virus. I might if I had the system CD, so that I could start up without starting the logon process (virus uses winlogon notifiers). Here is, however, some information in case people want to pursue this:

Functionality is in a dll named “__c00*.dat”, where the star is a number in hexadecimal format and

MD5=6717D534A44C9913FFFE9985EE7E933F:

  • It “calls home” to “nx1.zappoworld.com”, which is based in the Netherlands.
  • Error output from the file can be found in “c:\xcrashdump.dat”
  • Files it hooks on are:
    • iexplore.exe
    • explorer.exe
    • services.exe
    • winlogon.exe
    • firefox.exe
    • opera.exe
  • Functionality includes
    • HttpSendRequestA (call home)
    • CreateWindowExA (show information)
    • SetWindowsHookExA (log stuff, I suspect key logging)
    • UrlDownloadFileA (download more stuff to update it self, maybe)
    • CreateMutex (I guess so that only one instance runs)
    • WriteProcessMemory (don’t know, looks evil)
    • GetProcAddress (load what ever functionality from dlls, I couldn’t find LoadLibrary, however)
    • CreateRemoteThread (looks bad)
    • Process Management and file management
    • Registry functions
    • String handling, both from shell api and native, both ANSI and UNICODE
    • SetSecurityDescriptorDacl

MD5=69FEB378121DB99F80E15D597EC60124

  • Lingvo9



I couldn’t remove this virus. I might if I had the system CD, so that I could start up without starting the logon process (virus uses winlogon notifiers). Here is, however, some information in case people want to pursue this:

Functionality is in a dll named “__c00*.dat”, where the star is a number in hexadecimal format and

MD5=6717D534A44C9913FFFE9985EE7E933F:

  • It “calls home” to “nx1.zappoworld.com”, which is based in the Netherlands.
  • Error output from the file can be found in “c:\xcrashdump.dat”
  • Files it hooks on are:
    • iexplore.exe
    • explorer.exe
    • services.exe
    • winlogon.exe
    • firefox.exe
    • opera.exe
  • Functionality includes
    • HttpSendRequestA (call home)
    • CreateWindowExA (show information)
    • SetWindowsHookExA (log stuff, I suspect key logging)
    • UrlDownloadFileA (download more stuff to update it self, maybe)
    • CreateMutex (I guess so that only one instance runs)
    • WriteProcessMemory (don’t know, looks evil)
    • GetProcAddress (load what ever functionality from dlls, I couldn’t find LoadLibrary, however)
    • CreateRemoteThread (looks bad)
    • Process Management and file management
    • Registry functions
    • String handling, both from shell api and native, both ANSI and UNICODE
    • SetSecurityDescriptorDacl

MD5=69FEB378121DB99F80E15D597EC60124

  • Lingvo9Netpatch from 2003
  • LocalAlloc and VirtualAlloc (memory allocation functions without their freeing counterparts) #”¤#””¤ memory leaks?
  • OpenFile
  • C-runtime functions
  • Looks sloppy written
  • Not detected by any virus scanners I’ve tried!

 

Analysis done with FileAlyzer.

So, I’m off to support so they can wipe my machine. ¤#”%”#”!%”#¤@work.

Zappoworld.com…
Flashget.com catch url…

BTW, I found a nice hosts file at: http://mvps.org/winhelp2002/hosts.htm, http://mvps.org/winhelp2002/hosts.txt