Win32/Adware.Virtumonde [Threat Name]

Detection created: 2004-10-06
World activity peak: 2007-12-09 (6.42 %)
Short description

Win32/Adware.Virtumonde is an adware - an application designed for delivery of unsolicited advertisements. The adware is usually a part of other malware.

Installation

When executed, the adware copies itself into one of the following locations:

  • %temp%\%variable%.dll
  • %system%\%variable%.dll

A string with variable content is used in place of %variable%.


In order to be executed on every system start, the adware sets the following Registry entries:

  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "MSServer" = "rundll32.exe %malwarefilepath%,#1"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "MemoryManager" = "rundll32.exe "%malwarefilepath%", forkonce"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "MemoryManager" = "rundll32.exe "%malwarefilepath%", forkonce"
  • [HKEY_CLASSES_ROOT\CLSID\{97E86A6B-BB35-4E0D-99BC-E8253759E763}\InprocServer32]
    • "(Default)" = "%malwarefilepath%"
    • "ThreadingModel" = "Both"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{97E86A6B-BB35-4E0D-99BC-E8253759E763}]
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\%malwarefilename%]
    • "Asynchronous" = 1
    • "DllName" = "%malwarefilename%"
    • "Impersonate" = 0
    • "Logon" = "o"
    • "Logoff" = "f"

The adware creates and runs a new thread with its own program code in all running processes.


The adware may create the following files:

  • %workingdir%\%malwarefilename%.tmp
  • %workingdir%\%malwarefilename%.tmp2
  • %workingdir%\%malwarefilename%.ini
  • %workingdir%\%malwarefilename%.ini2
  • %workingdir%\%malwarefilename%.bak
  • %workingdir%\%malwarefilename%.bak1
  • %workingdir%\%malwarefilename%.bak2

The following programs are terminated:

  • gcasServAlert.exe

Other information

The adware acquires data and commands from a remote computer or the Internet.


The adware contains a list of URLs. The HTTP protocol is used.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • uninstall itself

Win32/Adware.Virtumonde is an adware - an application designed for delivery of unsolicited advertisements.


When the user enters certain keywords into the browser, the adware displays advertising websites related to those keywords.


The following programs are affected:

  • Internet Explorer

The adware keeps various information in the following Registry keys:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Settings\Time]
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Installer]
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\aoprndtws]
  • [HKEY_CURRENT_USER\Software\Microsoft\rdfa]
  • [HKEY_CURRENT_USER\Software\Microsoft\aldd\SysShell]

The adware hooks the following Windows APIs:

  • EnumProcessModules (psapi.dll)

The adware may delete the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations]
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations2]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "PrintDrive" = "%value%"
    • "WindowsService" = "%value%"
    • "SoundService" = "%value%"
    • "InfoData" = "%value%"
    • "WindowsUpdate" = "%value%"
    • "ui" = "%value%"
    • "Setup" = "%value%"
    • "Genuine" = "%value%"
    • "ApachInc" = "%value%"
    • "GPLv3" = "%value%"
    • "winehq.org" = "%value%"
    • "icq.com" = "%value%"
    • "MicrosoftStorage" = "%value%"
    • "WindowsSecurity" = "%value%"
    • "VirtualMemory" = "%value%"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "PrintDrive" = "%value%"
    • "WindowsService" = "%value%"
    • "SoundService" = "%value%"
    • "InfoData" = "%value%"
    • "WindowsUpdate" = "%value%"
    • "ui" = "%value%"
    • "Setup" = "%value%"
    • "Genuine" = "%value%"
    • "ApachInc" = "%value%"
    • "GPLv3" = "%value%"
    • "winehq.org" = "%value%"
    • "icq.com" = "%value%"
    • "MicrosoftStorage" = "%value%"
    • "WindowsSecurity" = "%value%"
    • "VirtualMemory" = "%value%"

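The persistence points and data keys listed in the Installation and Other information sections can be audited on a live host with the following read-only PowerShell script. It is an added example, not tooling from the ESET page; it only reports what it finds and changes nothing. The ShellExecuteHooks check looks both for a subkey and for a value named after the CLSID, because on most systems that hook is registered as a value under the key; run it from an elevated prompt so the HKLM and HKCR hives are readable.

```powershell
# Added example: read-only audit of the Virtumonde persistence indicators described above.
$clsid = '{97E86A6B-BB35-4E0D-99BC-E8253759E763}'
$findings = New-Object System.Collections.Generic.List[string]

# 1. Run values named MSServer / MemoryManager that load a DLL through rundll32.
foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in 'MSServer', 'MemoryManager') {
        $v = $props.PSObject.Properties[$name]
        if ($v -and $v.Value -match 'rundll32') { $findings.Add("$key\$name = $($v.Value)") }
    }
}

# 2. The COM server registered under the fixed CLSID and its ShellExecuteHooks entry.
$inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
if (Test-Path $inproc) {
    $dll = (Get-ItemProperty -Path $inproc).'(default)'
    $findings.Add("CLSID $clsid InprocServer32 -> $dll")
}
$hooks = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
if ((Test-Path "$hooks\$clsid") -or
    ((Test-Path $hooks) -and (Get-ItemProperty -Path $hooks).PSObject.Properties[$clsid])) {
    $findings.Add("ShellExecuteHooks references $clsid")
}

# 3. Winlogon Notify packages whose Logon/Logoff exports are the single letters "o" / "f",
#    the pattern the description gives for the adware's Notify registration.
$notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
if (Test-Path $notify) {
    foreach ($sub in Get-ChildItem -Path $notify) {
        $p = Get-ItemProperty -Path $sub.PSPath
        if ($p.Logon -eq 'o' -or $p.Logoff -eq 'f') {
            $findings.Add("Winlogon Notify $($sub.PSChildName): DllName=$($p.DllName)")
        }
    }
}

# 4. Registry keys the adware uses to store its own data.
foreach ($key in 'HKLM:\SOFTWARE\Microsoft\aoprndtws',
                 'HKCU:\SOFTWARE\Microsoft\rdfa',
                 'HKCU:\SOFTWARE\Microsoft\aldd\SysShell') {
    if (Test-Path $key) { $findings.Add("data key present: $key") }
}

if ($findings.Count -eq 0) { 'No Virtumonde persistence indicators found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

A hit on any of the Run, CLSID or Notify checks should be confirmed by locating the referenced DLL on disk (the description places it under %temp% or %system%) before any cleanup is attempted.
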