vundo/virtumonde white paper

Thread starter: Lolo

Lolo

Hi All,

Is there anybody who knows where I can find any white paper, research or
analysis on the vundo/virtumonde virus?

I'm doing a sort of document talking about this virus and I need information
about it.

Any comment or personal experience is welcome.

I need to know how users get infected, from which infected website they got
this virus, so I can make a diagram from the beginning of the infection
until the pop-ups start asking to download antivirus software.

Thanks for your help
 
From: "Lolo" <[email protected]>

| Hi All,
|
| Is there anybody who knows where I can find any white paper, research or
| analysis on the vundo/virtumonde virus?
|
| I'm doing a sort of document talking about this virus and I need information
| about it.
|
| Any comment or personal experience is welcome.
|
| I need to know how users get infected, from which infected website they got
| this virus, so I can make a diagram from the beginning of the infection
| until the pop-ups start asking to download antivirus software.
|
| Thanks for your help
|

To start your research...

Vundo is a Trojan and not a virus.
Virtumonde is classed as an adware Trojan.

One major infection vector is exploitation of vulnerabilities in Java.
 
My wife got one (AntiVirGear) through MySpace. She went to a user's page
and it said to install something to listen to a song. It didn't take but
a few seconds before a new toolbar appeared and the pop-ups started.
What a chore it was to get rid of it. AdAware, Spybot, PestPatrol, MSAS
couldn't touch it. After several hours of scanning (should have known
better) I did some googling and found the only tool that worked:
Roguefix (run in safe mode)

http://www.internetinspiration.co.uk/roguefix.htm
(notice PCButts thief warning)

max
 
From: "What's in a Name?" <[email protected]>


| My wife got one (AntiVirGear) through MySpace. She went to a user's page
| and it said to install something to listen to a song. It didn't take but
| a few seconds before a new toolbar appeared and the pop-ups started.
| What a chore it was to get rid of it. AdAware, Spybot, PestPatrol, MSAS
| couldn't touch it. After several hours of scanning (should have known
| better) I did some googling and found the only tool that worked:
| Roguefix (run in safe mode)
|
| http://www.internetinspiration.co.uk/roguefix.htm
| (notice PCButts thief warning)
|
| max

Sorry Max. That's the WRONG family.

The Vundo Trojan and Virtumonde Adware are part of the Winfixer family while you mention the
SmitFraud/Fakealert family.
 
| Sorry Max. That's the WRONG family.
|
| The Vundo Trojan and Virtumonde Adware are part of the Winfixer family while you mention the
| SmitFraud/Fakealert family.

Figures, the poor 2nd cousin...
 
Thanks for the info.

The funny thing here is that I can't really find a lot of info regarding
this trojan compared to some other families.
I found lots of info about the end of the infection chain but nothing
about the beginning.

thx
lolo
 
From: "Lolo" <[email protected]>

| Thanks for the info.
|
| The funny thing here is that I can't really find a lot of info regarding
| this trojan compared to some other families.
| I found lots of info about the end of the infection chain but nothing
| about the beginning.
|
| thx
| lolo
|

That's because malware researchers hold this information as "proprietary". The reason being
that anti-malware specialists can NOT tip their hat on just how much is known.

The information I provided is public, generic knowledge. I can't release further data. Sorry!
 
Thank you for your honest answer,
but I'm not asking for the whole thing, I'm asking for a point where to
start;
I'll do the rest by myself.
Cheers.
 
From: "Lolo" <[email protected]>

| Thank you for your honest answer,
| but I'm not asking for the whole thing, I'm asking for a point where to
| start;
| I'll do the rest by myself.
| Cheers.
|

I will tell you this...
The WinFixer family creators are now using Comodo Certificate Authority to digitally sign
their malware. As of today, I am sure Melih will revoke their certificate(s).

Reference:
"SetUp A Host"
89.18.181.x
Note: several nodes but probably not all.
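Since the post above says the WinFixer authors are signing their binaries with a real CA certificate that is expected to be revoked, the practical check on a suspect file is not "is it signed?" but "does the signer's chain still validate when revocation is actually consulted?". The following PowerShell function is an added example, not code from anyone in this thread: it combines Get-AuthenticodeSignature with an X509Chain built in online revocation mode, so a signature whose certificate has since been revoked is reported as such. The file path in the usage line is a placeholder.

```powershell
# Added example: report the Authenticode status of a file and, separately,
# whether the signer's certificate chain survives an online revocation check.
# Assumes a Windows host with PowerShell; the path passed in is whatever
# binary you are inspecting (placeholder below).
function Test-SignedBinary {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result = [ordered]@{
        Path        = $Path
        SigStatus   = $sig.Status      # Valid, NotSigned, HashMismatch, UnknownError, ...
        Signer      = $null
        Issuer      = $null
        Revoked     = $false
        ChainErrors = @()
    }

    # Unsigned or unparseable signature: nothing further to check.
    if ($sig.Status -eq 'NotSigned' -or -not $sig.SignerCertificate) {
        return [pscustomobject]$result
    }

    $cert = $sig.SignerCertificate
    $result.Signer = $cert.Subject
    $result.Issuer = $cert.Issuer      # the CA that vouched for the signer

    # Build the chain with revocation checking (CRL/OCSP) for every certificate
    # in it; this is the step that notices a revoked code-signing certificate.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $null = $chain.Build($cert)

    foreach ($status in $chain.ChainStatus) {
        $result.ChainErrors += "$($status.Status): $("$($status.StatusInformation)".Trim())"
        $revokedFlag = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::Revoked
        if ($status.Status -band $revokedFlag) {
            $result.Revoked = $true
        }
    }
    $chain.Dispose()

    return [pscustomobject]$result
}

# Usage (placeholder path): a file can show SigStatus 'Valid' yet Revoked $true,
# which is exactly the case the post above anticipates once the CA acts.
Test-SignedBinary -Path 'C:\path\to\suspect.exe' | Format-List
```

The Issuer field is worth reading alongside the two status fields: a signer chaining to a commercial CA proves only that someone bought a certificate, so for triage the combination of an unexpected issuer, a Revoked result, or a RevocationStatusUnknown chain error (the CA's revocation endpoint could not be reached) is what should be escalated, not the bare fact of a signature.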
 
Hey David,

Can we tell whether Vundo is a French trojan family or a Russian one?
I would say Russian, isn't it?

Thx
 
From: "Lolo" <[email protected]>

| Hey David,
|
| Can we tell whether Vundo is a French trojan family or a Russian one?
| I would say Russian, isn't it?
|
| Thx
|

Registrant:
Amaena
P.O. box1048
Chernigov, NA 14032
UA

Domain name: AMAENA.COM

Administrative Contact:
Hostmaster, Amaena (e-mail address removed)
P.O. box1048
Chernigov, NA 14032
UA
+380 96 381 4557
 