Welcome to the Computer Security Wiki! You can help us by expanding stubs, create new articles and improve current articles.
You can also help us by logging-in or creating an account!


From Malware Wiki
Jump to: navigation, search

MultipleIssues.png This page has multiple issues. These issues most likely include issues with references and manual of style violations. Please help Malware Wiki by correcting these issues.

PopUp Trojan.Vundo.png
DateAugust 20th, 2004
PlatformMicrosoft Windows
File TypeWin32 PE executable (.EXE)
This box: view  talk  edit

Vundo, or the Vundo Trojan (also known as Virtumonde or Virtumondo and sometimes referred to as MS Juan) is a trojan on Microsoft Windows that is known to cause popups and advertising for rogue antispyware programs, and sporadically other misbehavior including performance degradation and denial of service with some websites including Google and Facebook.


Vundo infects victims' computers by exploiting a vulnerability in Sun Java (aka Version 5.0 release 7) and earlier versions.<ref>Sun Microsystems Sun Alert Solution 200106 : Security Vulnerabilities in the Java Runtime Environment may Allow Untrusted Applets to Elevate Privileges and Execute Arbitrary Code</ref> An update to Java is a necessary step in the removal of Vundo. Many of the popups advertise fraudulent programs including (but not limited to) Sysprotect, Storage Protector, AntiSpywareMaster, WinFixer, and AntiVirus 2009. There are two main components to the Virtumonde.dll file: Browser Helper Objects and Class ID. Each of these components are in the Windows Registry under Local Machine, and the file names are dynamic. It attaches to the system using bogus Browser Helper Objects and DLL files attached to Winlogon and Explorer.exe. Some recent variants have begun attaching to lsass.exe instead of winlogon.exe.<ref>SuperMWindow - A New Vundo.</ref> According to Spybot - Search & Destroy scans, there are two Virtumonde.prx files and one Virtumonde.dll file located in the Windows Registry as well as the system32 directory.<ref>Spybot S&D Analysis Scan</ref>

Method of Infection

  • Vundo is often bundled with cracked software and key generators. Some variants spread through LimeWire.
  • Vundo is known to be spread by Web sites that exploit known vulnerabilities in Web browsers and their associated plugins.
  • Vundo can spread through fake codecs.


Computers infected exhibit some or all of the following symptoms:

  • Vundo will cause the infected web browser to pop up advertisements; many of which claim a need for software to fix the system
  • The desktop background is changed to the image of an installation window claiming there is adware on the computer.
  • The screensaver is changed to the Blue Screen of Death.
  • In the Display Properties Control Panel, the background and screensaver tabs are missing because their "Hide" values in the Registry were changed to 1.
  • Both the background and screensaver are in the System32 folder. However, the screensaver cannot be deleted.
  • Windows Automatic Updates (and other web-based services) may also be disabled and it is not possible to turn them back on.
  • Infected DLLs (with randomized names such as "__c00369AB.dat" and "slmnvnk.dll") will be present in the Windows/System32 folder and references to the DLLs will be found in the user's startup (viewable in MSConfig), registry, and as a browser add ons in Internet Explorer.
  • Vundo may attempt to prevent the user from removing it or otherwise impede its operation, such as by disabling the task manager or Windows registry editor and disables MSConfig, preventing the user from booting into safe mode.
  • Some firewalls or antivirus software may also be disabled by the virus leaving the system even more vulnerable. It especially disables Norton AntiVirus and in turn uses it to spread the infection. Norton shows prompts to enable phishing filter, all by itself. Upon pressing OK, it tries to connect to real-av.org and try to download more malware.
  • Another symptom of Vundo may be that the desktop icons and taskbar will disappear and reappear after a short period. This becomes very frustrating for the user, as starting processes are automatically aborted.
  • In addition, popular anti-Malware programs such as Spybot - Search & Destroy or Malwarebytes' Anti-Malware may be deleted or immediately closed upon loading; on one recently infected machine the "TeaTimer" component of Spybot Search and Destroy was deleted between reboots. A workaround is to copy or rename the executable, giving it a random name, and selecting the option to run in Windows 2000 Compatability mode; this bypasses the automatic shutdown defenses of Vundo, allowing the scan to run.
  • Web access may also be negatively affected. Vundo may cause many websites to be inaccessible.
  • The hard drive may start to be constantly accessed by the Winlogon process, thus periodic freezes may be experienced.
  • Warnings about SuperMWindow not shutting down.<ref>SuperMWindow - A New Vundo.</ref>
  • Explorer.exe may constantly crash resulting in an endless loop of crashing then restarting.
  • Creates a virus critical driver in C:\Windows\system32\drivers (ati0dgxx.sys).
  • The virus can "eat" away at available hard drive space; hard drive space can fluctuate so much as +3 to -3 Gb of space, evident of Vundo's attempt at "hiding" when being antagonized.
  • Vundo can impede download progress.
  • Entering safe mode after attempting to use HijackThis results in a true blue screen of death, which cannot be recovered from without either restoring the deleted safe mode registry keys, or a reinstall of Windows.
  • Sometimes gives a "Run a DLL as an APP" error when some of the randomly named DLLs have been deleted.
  • Will rewrite randomly named DLLs while any of them reside on the machine.
  • Changes \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and RunOnce entries to start itself when Windows starts.
  • Installs adware that sometimes is pornographic.
  • Installs rogue security software such as Desktop Defender 2010 and MS Antivirus with a voice .wav file telling the user that their system is infected.
  • Will cause the network driver to be corrupt which even after going into Registry Editor (regedit.exe) to delete Winsock 1 and 2 and trying to reinstall the driver is virtually impossible.
  • Deletes the network connection under My Network Places.


On infected systems, there is usually a listing for "MS Juan" inside of the registry. This registry key causes a browser hijack, disallowing navigation to certain sites. There will be an entry listing the search page, which also calls upon a random Windows DLL file, causing the search functions on that site to fail. Google searches are disabled, as is access to Hotmail, Gmail, MySpace, and Facebook. Said pages usually become unresponsive.


Most antivirus programs are not able to block this infection; however, it is possible to block many variants of Vundo with Malwarebytes Anti-Malware or SUPERAntiSpyware.

Spybot - Search & Destroy is able to block generations of Vundo that are older than Trojan.Vundo.F. Some modern variants of Vundo can exploit the presence of Spybot Search & Destroy by infecting TeaTimer.exe, a program that is bundled with Spybot.

See also



External links