Virtumondo/Virtumundo – virus hunt, continued
I couldn’t remove this virus. I might if I had the system CD, so that I could start up without starting the logon process (virus uses winlogon notifiers). Here is, however, some information in case people want to pursue this:
Functionality is in a dll named “__c00*.dat”, where the star is a number in hexadecimal format and
MD5=6717D534A44C9913FFFE9985EE7E933F:
- It “calls home” to “nx1.zappoworld.com”, which is based in the Netherlands.
- Error output from the file can be found in “c:\xcrashdump.dat”
- Files it hooks on are:
- iexplore.exe
- explorer.exe
- services.exe
- winlogon.exe
- firefox.exe
- opera.exe
- Functionality includes
- HttpSendRequestA (call home)
- CreateWindowExA (show information)
- SetWindowsHookExA (log stuff, I suspect key logging)
- UrlDownloadFileA (download more stuff to update it self, maybe)
- CreateMutex (I guess so that only one instance runs)
- WriteProcessMemory (don’t know, looks evil)
- GetProcAddress (load what ever functionality from dlls, I couldn’t find LoadLibrary, however)
- CreateRemoteThread (looks bad)
- Process Management and file management
- Registry functions
- String handling, both from shell api and native, both ANSI and UNICODE
- SetSecurityDescriptorDacl
MD5=69FEB378121DB99F80E15D597EC60124
- Lingvo9…
I couldn’t remove this virus. I might if I had the system CD, so that I could start up without starting the logon process (virus uses winlogon notifiers). Here is, however, some information in case people want to pursue this:
Functionality is in a dll named “__c00*.dat”, where the star is a number in hexadecimal format and
MD5=6717D534A44C9913FFFE9985EE7E933F:
- It “calls home” to “nx1.zappoworld.com”, which is based in the Netherlands.
- Error output from the file can be found in “c:\xcrashdump.dat”
- Files it hooks on are:
- iexplore.exe
- explorer.exe
- services.exe
- winlogon.exe
- firefox.exe
- opera.exe
- Functionality includes
- HttpSendRequestA (call home)
- CreateWindowExA (show information)
- SetWindowsHookExA (log stuff, I suspect key logging)
- UrlDownloadFileA (download more stuff to update it self, maybe)
- CreateMutex (I guess so that only one instance runs)
- WriteProcessMemory (don’t know, looks evil)
- GetProcAddress (load what ever functionality from dlls, I couldn’t find LoadLibrary, however)
- CreateRemoteThread (looks bad)
- Process Management and file management
- Registry functions
- String handling, both from shell api and native, both ANSI and UNICODE
- SetSecurityDescriptorDacl
MD5=69FEB378121DB99F80E15D597EC60124
- Lingvo9Netpatch from 2003
- LocalAlloc and VirtualAlloc (memory allocation functions without their freeing counterparts) #”¤#””¤ memory leaks?
- OpenFile
- C-runtime functions
- Looks sloppy written
- Not detected by any virus scanners I’ve tried!
Analysis done with FileAlyzer.
So, I’m off to support so they can wipe my machine. ¤#”%”#”!%”#¤@work.
Zappoworld.com…
Flashget.com catch url…
BTW, I found a nice hosts file at: http://mvps.org/winhelp2002/hosts.htm, http://mvps.org/winhelp2002/hosts.txt
Trending Now
You must log in to post a comment.