Need help? Ask the community or hire an expert.
Go to Avira Answers
Virus:ADSPY/Virtumonde.B
Date discovered:14/06/2006
Type:Trojan
In the wild:No
Reported Infections:Low
Distribution Potential:Low
Damage Potential:Medium
Static file:Yes
File size:47.629 Bytes
MD5 checksum:5b00c4a26bfb132b7c5b8692949d227b
VDF version:6.35.00.23
IVDF version:6.35.00.29 - Thursday, June 15, 2006

 General Method of propagation:
   • No own spreading routine


Aliases:
   •  Kaspersky: not-a-virus:AdWare.Win32.Virtumonde.by
   •  TrendMicro: TROJ_VUNDO.BC
   •  Bitdefender: Trojan.Virtumod.T


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops a file
   • Drops a malicious file
   • Third party control

 Files It deletes the initially executed copy of itself.



The following files are created:

%SYSDIR%\%seven-digit random character string%.dll Further investigation pointed out that this file is malware, too. Detected as: ADSPY/Virtumonde.B

%TEMPDIR%\removalfile.bat Furthermore it gets executed after it was fully created. This batch file is used to delete a file.

 Registry The following registry keys are added:

[HKCR\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\InprocServer32]
   • @="%SYSDIR%\%seven-digit random character string%.dll"
   • "ThreadingModel"="Both"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
   ShellExecuteHooks]
   • "{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"=""

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
   vtutrrq]
   • "Asynchronous"=dword:00000001
   • "DllName"="%seven-digit random character string%"
   • "Impersonate"=dword:00000000
   • "Logon"="Logon"
   • "Logoff"="Logoff"

 Backdoor Contact server:
All of the following:
   • http://82.98.235.63/cgi-bin/check/**********
   • http://85.12.25.**********

As a result it may send information and remote control could be provided.

Sends information about:
     Current malware status


Remote control capabilities:
     Download file

 Injection –  It injects the following file into a process: %SYSDIR%\%seven-digit random character string%.dll

    All of the following processes:
   • explorer.exe
   • WINLOGON.EXE


 Rootkit Technology It is a malware-specific technology. The malware hides its presence from system utilities, security applications and in the end, from the user.


Hides the following:
– Its own files

Description inserted by Marius T. Nicolae on Wednesday, September 6, 2006
Description updated by Andrei Ivanes on Tuesday, December 5, 2006

Back . . . .