Win32/Adware.Virtumonde [Threat Name]

Win32/Adware.Virtumonde.NEO [Threat Variant Name]

Category adware
Size 82384 B
Detection created Mar 23, 2009
Detection database version 3955
Aliases Win32:Vuku (Avast)
  Vundo.gen.ab.trojan (McAfee)
  Trojan:Win32/Vundo.gen!AM (Microsoft)
Short description

Win32/Adware.Virtumonde.NEO is adware, an application designed to deliver unsolicited advertisements. It is usually installed as a component of other malware rather than on its own.

Installation

The adware does not create any copies of itself.


In order to be executed on every system start, the adware sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "%variable%" = "rundll32.exe "%malwarefilepath%", b"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "%variable%" = "rundll32.exe "%malwarefilepath%", b"

A string with variable content is used instead of %variable%. The value starts the adware DLL through rundll32.exe, calling its export named "b".


The adware injects its own program code into all running processes and starts a new thread in each of them to execute it.


The adware may create the following files:

  • %currentfolder%\%malwarefilename%.ini
  • %currentfolder%\%malwarefilename%.ini2
  • %currentfolder%\%malwarefilename%.bak1
  • %currentfolder%\%malwarefilename%.bak2

Other information

The adware acquires data and commands from a remote computer or the Internet.


The adware contains a list of 3 URLs and communicates with them over HTTP.


When the user enters certain keywords into the browser, the adware displays advertising websites related to those keywords.


The following programs are affected:

  • Internet Explorer
  • Mozilla Firefox

The adware keeps various information in the following Registry keys:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa\F]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa\N]
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa\F]
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa\N]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\%variable%]
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\%variable%]
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\contim\SysShell]
  • [HKEY_CURRENT_USER\Software\Microsoft\contim\SysShell]
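The Run-key persistence described under Installation, the sidecar files next to the adware DLL, and the rdfa / contim\SysShell data keys listed above are all visible in a registry export, so they can be checked offline. The script below is an added example, not ESET's tooling or anything from the adware itself: it parses a constructed `reg export`-style text (the value names, the DLL name and the paths are invented placeholders for the page's %variable%, %malwarefilename% and %malwarefilepath%), flags every Run value that starts a DLL through rundll32.exe, marks those calling the export "b" as matching the pattern on this page, lists the data keys that are present, and derives the candidate sidecar file paths. It assumes that %currentfolder% is the folder containing the DLL, which the page does not state.

```python
"""Offline triage of a .reg export for the Run-key, sidecar-file and data-key
artefacts of Win32/Adware.Virtumonde.NEO. Added example, not ESET code.

On a live host, export the Run keys and the HKLM/HKCU SOFTWARE\\Microsoft
subtrees with reg.exe and feed the resulting file to triage()."""
import re
import ntpath

# Constructed sample of a .reg export (not a real capture). The value name
# "kfjgbdse", the DLL name and the other entries are invented placeholders.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"kfjgbdse"="rundll32.exe \"C:\\WINDOWS\\system32\\kfjgbdse.dll\", b"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"NvCpl"="rundll32.exe C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa\F]
"a"=hex:01,02

[HKEY_CURRENT_USER\Software\Microsoft\contim\SysShell]
"x"="y"
'''

# Autostart keys the adware writes (HKLM and HKCU ...\CurrentVersion\Run).
RUN_KEY_RE = re.compile(
    r'^(HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER)\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run$',
    re.I)
# rundll32[.exe] <dll path>,<export>; the DLL path may be quoted.
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>\S+)', re.I)
# Data keys listed on this page, matched as a case-insensitive suffix under HKLM/HKCU.
INFO_KEY_SUFFIXES = (r'\Microsoft\rdfa\F', r'\Microsoft\rdfa\N', r'\Microsoft\contim\SysShell')
# Sidecar files the adware may create next to %malwarefilename%.
SIDECAR_EXTS = ('.ini', '.ini2', '.bak1', '.bak2')


def parse_reg_export(text):
    """Return {key_path: {value_name: data}}.

    REG_SZ data has its \\" and \\\\ escaping undone; other types (hex:, dword:)
    are kept as the raw text after '='."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if not m:
                continue
            name, data = m.group(1), m.group(2)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = re.sub(r'\\(.)', r'\1', data[1:-1])
            keys[current][name] = data
    return keys


def triage(text):
    """Flag rundll32 autoruns and the Virtumonde.NEO data keys in a .reg export."""
    findings = {'rundll32_autoruns': [], 'info_keys': []}
    for key, values in parse_reg_export(text).items():
        if RUN_KEY_RE.match(key):
            for name, data in values.items():
                m = RUNDLL_RE.search(data)
                if not m:
                    continue
                dll, export = m.group('dll').strip(), m.group('export')
                folder, fname = ntpath.split(dll)
                stem = ntpath.splitext(fname)[0]
                findings['rundll32_autoruns'].append({
                    'key': key, 'value': name, 'dll': dll, 'export': export,
                    # The page's signature: a DLL started via rundll32 with export "b".
                    'virtumonde_neo_pattern': export.lower() == 'b',
                    # Assumption: %currentfolder% is the DLL's folder; the page does not
                    # say whether %malwarefilename% keeps its extension, so list both forms.
                    'sidecar_candidates': list(dict.fromkeys(
                        ntpath.join(folder, base + ext)
                        for base in (fname, stem) for ext in SIDECAR_EXTS)),
                })
        elif any(key.lower().endswith(s.lower()) for s in INFO_KEY_SUFFIXES):
            findings['info_keys'].append(key)
    return findings


if __name__ == '__main__':
    import json
    print(json.dumps(triage(SAMPLE_REG), indent=2))
```

Legitimate software also autostarts through rundll32.exe (the constructed NvCpl entry stands in for that), so the script reports every rundll32 Run value and reserves the pattern flag for the export name "b"; an analyst still has to confirm the flagged DLL, its sidecar files and the data keys before calling it an infection.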

The adware hooks the following functions in Mozilla Firefox runtime libraries:

  • memcpy (mozcrt19.dll)
  • PR_AtomicDecrement (nspr4.dll)
