New Vundo Trojan spotted in the wild
August 4th, 2008
A new variant of the “Vundo” desktop hijacker Trojan (a.k.a. “Virtumonde”) has been sighted. It can phone home and send sensitive information about the infected system back to servers in the Netherlands that belong to the Trojan’s authors.

Once the malware is executed, it drops a DLL with a random name into the Windows system directory. From that point on, removal becomes complicated because the DLL can stop security products and infects several running processes, such as “winlogon.exe”. The malware also ensures that it is loaded automatically after a reboot by modifying several Registry keys, and it is able to download and execute further executable code.
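As an added example (not code from the original post or from the vendor), a hypothetical Python triage heuristic for the dropped-DLL behaviour described above: it compares a system-directory listing against a known-good baseline and ranks the new DLLs by how random their names look. The function names, scoring weights and the sample listing are all constructed for illustration.

```python
import math
import os
import re

# Added heuristic, not from the original post: flag DLLs that are absent from a
# clean baseline, were created recently, and carry a machine-generated-looking name.

def name_randomness(filename: str) -> float:
    """Score from 0 to 1: higher means the name stem looks less human-chosen."""
    stem = os.path.splitext(filename)[0].lower()
    if not stem:
        return 0.0
    counts = {c: stem.count(c) for c in set(stem)}
    entropy = -sum(n / len(stem) * math.log2(n / len(stem)) for n in counts.values())
    max_entropy = max(math.log2(len(stem)), 1.0)      # avoid dividing by zero
    vowel_ratio = sum(c in "aeiouy" for c in stem) / len(stem)
    run = max((len(r) for r in re.findall(r"[b-df-hj-np-tv-xz]+", stem)), default=0)
    # Near-maximal entropy, few vowels and long consonant runs are typical of random stems.
    return round(0.5 * entropy / max_entropy + 0.25 * (vowel_ratio < 0.2) + 0.25 * (run >= 4), 3)

def find_new_dlls(current: dict, baseline: set, now: float, window_hours: float = 24.0) -> list:
    """current maps filename -> creation time (epoch seconds); baseline is the lower-cased
    clean inventory. Returns [(name, score)] for new, recent DLLs, most suspicious first."""
    hits = []
    for name, ctime in current.items():
        if not name.lower().endswith(".dll") or name.lower() in baseline:
            continue
        if now - ctime > window_hours * 3600:
            continue
        hits.append((name, name_randomness(name)))
    return sorted(hits, key=lambda h: h[1], reverse=True)

def inventory(path: str) -> dict:
    """Live listing for a real scan; st_ctime is creation time on Windows only."""
    with os.scandir(path) as it:
        return {e.name: e.stat().st_ctime for e in it if e.is_file()}

# Constructed sample listing, not real telemetry; NOW is an arbitrary fixed instant.
NOW = 1_217_808_000
BASELINE = {"kernel32.dll", "advapi32.dll", "msvcrt.dll", "user32.dll"}
SAMPLE = {name: NOW - 400 * 3600 for name in BASELINE}   # long-present system DLLs
SAMPLE.update({
    "qvxkprwt.dll": NOW - 2 * 3600,   # new, random-looking: top of the list
    "helper.dll": NOW - 3 * 3600,     # new but readable: listed, ranked lower
    "oldtool.dll": NOW - 90 * 3600,   # unknown but outside the 24h window: skipped
    "notes.txt": NOW - 1 * 3600,      # not a DLL: ignored
})
```

On a real host, pass `inventory(r"C:\Windows\System32")` as `current`, a listing taken from a clean machine as `baseline`, and `time.time()` as `now`; the score only orders the hits, so anything new in the system directory still deserves a look.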

The Trojan is believed to detect remotely whether it is running on a virtual machine, and may also use the same mechanism to remember machines it has already infected: it transmits the hard disk serial number of the “C:\” drive, which is tied to particular manufacturers, in encoded form to its servers in the Netherlands. If the serial number falls into a blacklisted range, the remote site instructs the malware to behave itself and show no sign of its actual intent. Otherwise, if the infected system looks like a “real” system, a fake spyware alert is set as the Desktop background image, claiming a spyware infection and, paradoxically, offering a download that allegedly cleans the computer. The infected user has to pay for this so-called “Rogue Anti-Spyware” product, and that is where the money enters the malware game.

The Secure Anti-Malware Engine protects its customers from this threat by proactively blocking the malware as “Win32.Malware.gen”.
Author: Anti-Malware Team