Virtumonde is a spyware program that creates a DLL (Dynamic Link Library), which logs keystrokes and connects to a certain web page, in order to obtain miscellaneous information and display advertising messages periodically. Virtumonde connects the DLL it creates to the system process explorer.exe. By doing this, it goes memory resident, and checks if Virtumonde is currently running. If not, Virtumonde is launched again. Additionally, Virtumonde registers itself as LSP (Layered Service Provider), in order to harvest users' information about their connection, such as Internet usage, pages viewed, phone connection details, inventory of the applications installed in the computer, etc. Spyware can be installed with the user consent and awareness, but sometimes it is not. The same happens with the knowledge or lack of knowledge regarding data collected and the way it is used. Note:
LSP (Layered Service Provider) is a Windows feature that allows to specify a number of programs, in order to process all the TCP/IP traffic taking place between Internet and the applications that are accessing Internet (such as the web browser, the email client, etc.). For example, it could be specified a computer security program, which analyses the traffic in search for viruses or other threats before transferring it to the final application of the traffic. However, this structure can also be used by adware and spyware programs, in order to intercept the communication across the Internet, and, what is worse, if they are deleted without taking precautions, the Internet connection will stop working indefinitely. |