Virtumondo/Virtumundo – virus hunt, continued

I couldn’t remove this virus. I might if I had the system CD, so that I could start up without starting the logon process (virus uses winlogon notifiers). Here is, however, some information in case people want to pursue this:

Functionality is in a dll named “__c00*.dat”, where the star is a number in hexadecimal format and

MD5=6717D534A44C9913FFFE9985EE7E933F:

• It “calls home” to “nx1.zappoworld.com”, which is based in the Netherlands.
• Error output from the file can be found in “c:\xcrashdump.dat”
• Files it hooks on are:
  • iexplore.exe
  • explorer.exe
  • services.exe
  • winlogon.exe
  • firefox.exe
  • opera.exe
• Functionality includes
  • HttpSendRequestA (call home)
  • CreateWindowExA (show information)
  • SetWindowsHookExA (log stuff, I suspect key logging)
  • UrlDownloadFileA (download more stuff to update it self, maybe)
  • CreateMutex (I guess so that only one instance runs)
  • WriteProcessMemory (don’t know, looks evil)
  • GetProcAddress (load what ever functionality from dlls, I couldn’t find LoadLibrary, however)
  • CreateRemoteThread (looks bad)
  • Process Management and file management
  • Registry functions
  • String handling, both from shell api and native, both ANSI and UNICODE
  • SetSecurityDescriptorDacl

MD5=69FEB378121DB99F80E15D597EC60124

• Lingvo9…

I couldn’t remove this virus. I might if I had the system CD, so that I could start up without starting the logon process (virus uses winlogon notifiers). Here is, however, some information in case people want to pursue this:

Functionality is in a dll named “__c00*.dat”, where the star is a number in hexadecimal format and

MD5=6717D534A44C9913FFFE9985EE7E933F:

• It “calls home” to “nx1.zappoworld.com”, which is based in the Netherlands.
• Error output from the file can be found in “c:\xcrashdump.dat”
• Files it hooks on are:
  • iexplore.exe
  • explorer.exe
  • services.exe
  • winlogon.exe
  • firefox.exe
  • opera.exe
• Functionality includes
  • HttpSendRequestA (call home)
  • CreateWindowExA (show information)
  • SetWindowsHookExA (log stuff, I suspect key logging)
  • UrlDownloadFileA (download more stuff to update it self, maybe)
  • CreateMutex (I guess so that only one instance runs)
  • WriteProcessMemory (don’t know, looks evil)
  • GetProcAddress (load what ever functionality from dlls, I couldn’t find LoadLibrary, however)
  • CreateRemoteThread (looks bad)
  • Process Management and file management
  • Registry functions
  • String handling, both from shell api and native, both ANSI and UNICODE
  • SetSecurityDescriptorDacl

MD5=69FEB378121DB99F80E15D597EC60124

• Lingvo9Netpatch from 2003
• LocalAlloc and VirtualAlloc (memory allocation functions without their freeing counterparts) #”¤#””¤ memory leaks?
• OpenFile
• C-runtime functions
• Looks sloppy written
• Not detected by any virus scanners I’ve tried!

Analysis done with FileAlyzer.

So, I’m off to support so they can wipe my machine. ¤#”%”#”!%”#¤@work.

Zappoworld.com…
Flashget.com catch url…

BTW, I found a nice hosts file at: http://mvps.org/winhelp2002/hosts.htm, http://mvps.org/winhelp2002/hosts.txt