Virtumonde carries out the following actions:
- It creates a library (DLL) that is then loaded into the system process explorer.exe. The library therefore stays memory-resident and checks whether Virtumonde is running; if it is not, it launches it again.
- It logs the keystrokes typed by the user.
- It attempts to connect to a specific website in order to obtain miscellaneous information.
- It displays advertising messages periodically.
- It attempts to register itself as a Windows service.
- It registers itself as an LSP (Layered Service Provider) in order to harvest information about the user's connection, such as Internet usage, pages viewed, phone connection details, an inventory of the applications installed on the computer, etc.
LSP (Layered Service Provider) is a Windows feature used to listen to all the TCP/IP traffic passing between the Internet and the applications that access it (such as the web browser, the email client, etc.).
Within this structure, a number of programs are specified. These programs carry out certain actions on the TCP/IP traffic; for example, a security program could be specified that analyses the traffic for viruses or other threats before passing it on to the application the traffic is destined for.
However, this structure can also be used by adware and spyware programs to intercept communication across the Internet, and, what is worse, if they are deleted without taking precautions, the Internet connection will stop working indefinitely.
Virtumonde creates the following files:
- _UPDATE.DAT in the Windows temporary directory. This file is a DLL (Dynamic Link Library).
- A file with a random name and DLL extension in the following subfolders of the Windows directory:
ADDINS, APPPATCH, ASSEMBLY, CONFIG, CURSORS, DRIVER CACHE, DRIVERS, FONTS, HELP, INF, JAVA, MICROSOFT, MICROSOFT.NET, MSAGENT, REGISTRATION, REPAIR, SECURITY, SERVICEPACKFILES, SPEECH, SYSTEM, SYSTEM32, TASKS, WEB, WINDOWS UPDATE SETUP FILES.
Virtumonde creates the following entries in the Windows Registry:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
SysUpd = %file%
where %file% is the random name of an executable file created by Virtumonde.
By creating this entry, Virtumonde ensures that it is run whenever Windows is started.
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\%name-dll%
where %name-dll% is the random name of the DLL created in the subfolders of the Windows directory, but without the DLL extension.
- HKEY_CURRENT_USER\Software\Microsoft\SysUpd
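A read-only triage check for the file and registry artefacts listed above, as an added example that is not part of the original description or of any vendor tool: it reports the Run value, the HKCU key, Winlogon\Notify DLLs located in the listed Windows subfolders and the temp-directory file, and prints the Winsock catalog so the LSP registration can be reviewed by hand. It assumes PowerShell on the affected Windows host with read access to the registry; it deletes nothing, since removing the LSP entry carelessly can break the Internet connection as noted above.

```powershell
# Added triage script (not from the original description). Read-only.
# Subfolders of the Windows directory in which the random-name DLL is created.
$subfolders = 'ADDINS','APPPATCH','ASSEMBLY','CONFIG','CURSORS','DRIVER CACHE',
              'DRIVERS','FONTS','HELP','INF','JAVA','MICROSOFT','MICROSOFT.NET',
              'MSAGENT','REGISTRATION','REPAIR','SECURITY','SERVICEPACKFILES',
              'SPEECH','SYSTEM','SYSTEM32','TASKS','WEB','WINDOWS UPDATE SETUP FILES'
$findings = @()

# 1. Autostart value "SysUpd" under the HKLM Run key.
$run = Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['SysUpd']) {
    $findings += "Run key value SysUpd -> $($run.SysUpd)"
}

# 2. Marker key under HKCU.
if (Test-Path 'HKCU:\Software\Microsoft\SysUpd') {
    $findings += 'HKCU\Software\Microsoft\SysUpd exists'
}

# 3. Winlogon\Notify packages whose DLL sits in one of the listed subfolders.
#    Legitimate XP notification packages also register here (DLLs in System32),
#    so hits are leads for review, not verdicts.
$notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
Get-ChildItem $notify -ErrorAction SilentlyContinue | ForEach-Object {
    $dll = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).DllName
    if (-not $dll) { return }
    # A bare file name is searched for in each listed subfolder; a full path is used as-is.
    $candidates = if ([IO.Path]::IsPathRooted($dll)) { @($dll) } else {
        foreach ($sf in $subfolders) {
            $p = Join-Path $env:SystemRoot "$sf\$dll"
            if (Test-Path $p) { $p }
        }
    }
    foreach ($c in $candidates) {
        $parent = Split-Path (Split-Path $c -Parent) -Leaf
        if ($subfolders -contains $parent) {
            $findings += "Winlogon\Notify\$($_.PSChildName) -> $c"
        }
    }
}

# 4. _UPDATE.DAT in the temporary directory (a DLL despite the .DAT extension).
$upd = Join-Path $env:TEMP '_UPDATE.DAT'
if (Test-Path $upd) { $findings += "Found $upd" }

# 5. Winsock catalog, for manual review of registered LSPs.
netsh winsock show catalog | Select-String 'Provider Path|Service Flags'

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { 'No Virtumonde indicators found.' }
```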
Means of transmission
Spyware can be installed on computers in many different ways, including Trojans that install it without the user's permission; visiting web pages with certain ActiveX controls or code that exploits certain vulnerabilities; shareware or freeware applications downloaded from the Internet, etc.
Virtumonde is written in the programming language Visual C++ v7.10. This spyware is 307,200 bytes in size.