
Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.


Virtumonde

Threat Level: Moderate threat
Damage: High
Distribution: Not widespread

Effects 

Virtumonde carries out the following actions:

  • It creates a library (DLL) that is loaded into the system process explorer.exe. Once resident in that process's memory, the library checks whether Virtumonde is running and relaunches it if it is not, which is why deleting the main executable alone does not remove the infection.
  • It logs the keystrokes typed by the user.
  • It attempts to connect to a specific website in order to obtain miscellaneous information.
  • It displays advertising messages periodically.
  • It attempts to register itself as a Windows service.
  • It registers itself as an LSP (Layered Service Provider) in order to harvest information about the user's connection, such as Internet usage, pages viewed, phone connection details, an inventory of the applications installed on the computer, etc.


Note:

An LSP (Layered Service Provider) is a Windows (Winsock) mechanism that lets a DLL sit between the applications that access the Internet (the web browser, the email client, etc.) and the TCP/IP stack, so that it sees all of the traffic exchanged between them.

The Winsock catalog lists a number of such providers, each of which performs certain actions on the traffic that passes through it; for example, a security product may register an LSP that analyses the traffic in search of viruses and other threats before handing it to the application it is addressed to.

However, the same mechanism can be used by adware and spyware to intercept the computer's Internet communications, and, what is worse, if the DLL is deleted without first removing its catalog entries, the provider chain is left broken and the Internet connection stops working until the catalog is repaired.
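The following is an added example (not Panda's code) of the check a responder would run before touching an LSP DLL: parse a saved `netsh winsock show catalog` dump and flag every layered entry, and every provider whose DLL is not one of the stock Microsoft providers. The catalog text is constructed to mimic the netsh output layout; the exact field labels vary slightly between Windows versions, so the field list and the entry names `xyzabc.dll` / `SysUpd Layer` are assumptions, not indicators from the original page.

```python
"""Audit a saved `netsh winsock show catalog` dump for third-party LSPs.

Added example, not part of the original Panda page. SAMPLE_CATALOG is a
CONSTRUCTED dump in the netsh layout as remembered; field labels are an
assumption and may need adjusting to a real dump.
"""
import re

# DLLs that legitimately back a stock Winsock catalog (XP-era baseline,
# assumption: take the list from a known-clean reference machine in practice).
KNOWN_MS_PROVIDERS = {
    "mswsock.dll", "rsvpsp.dll", "winrnr.dll",
    "napinsp.dll", "pnrpnsp.dll", "nlaapi.dll",
}

SAMPLE_CATALOG = r"""
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider ID:                        {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1001
Version:                            2
Address Family:                     2
Protocol:                           6
Protocol Chain Length:              1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Service Provider
Description:                        SysUpd Layer
Provider ID:                        {DEADBEEF-0000-4000-8000-000000000001}
Provider Path:                      C:\WINDOWS\system32\xyzabc.dll
Catalog Entry ID:                   1030
Version:                            2
Address Family:                     2
Protocol:                           6
Protocol Chain Length:              0

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Chain Entry
Description:                        SysUpd Layer over [MSAFD Tcpip [TCP/IP]]
Provider ID:                        {DEADBEEF-0000-4000-8000-000000000002}
Provider Path:                      C:\WINDOWS\system32\xyzabc.dll
Catalog Entry ID:                   1031
Version:                            2
Address Family:                     2
Protocol:                           6
Protocol Chain Length:              2
"""


def parse_catalog(text):
    """Split the dump into entries; each entry becomes a dict of 'Label': 'value'."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            m = re.match(r"^([A-Za-z ]+?):\s+(.*)$", line)
            if m:
                fields[m.group(1).strip()] = m.group(2).strip()
        if "Catalog Entry ID" in fields:
            entries.append(fields)
    return entries


def suspicious_entries(entries):
    """Return (catalog id, dll name, reasons) for entries worth a closer look."""
    findings = []
    for e in entries:
        path = e.get("Provider Path", "")
        dll = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        etype = e.get("Entry Type", "")
        reasons = []
        if "Layered" in etype:           # LSPs and the chain entries they create
            reasons.append("layered entry: " + etype)
        if dll not in KNOWN_MS_PROVIDERS:
            reasons.append("provider DLL not in stock list: " + dll)
        if reasons:
            findings.append((e["Catalog Entry ID"], dll, reasons))
    return findings


def audit(text):
    return suspicious_entries(parse_catalog(text))


if __name__ == "__main__":
    for entry_id, dll, reasons in audit(SAMPLE_CATALOG):
        print(f"catalog entry {entry_id} ({dll}): " + "; ".join(reasons))
```

Every catalog entry that names the suspect DLL, including the chain entries layered over the stock TCP/IP provider, has to go before the file does. On Windows XP SP2 and later, `netsh winsock reset` followed by a reboot rebuilds the catalog from the stock providers, which is the supported way to repair the broken chain described above.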

Infection strategy 

Virtumonde creates the following files:

  • _UPDATE.DAT in the Windows temporary directory. Despite its extension, this file is a DLL (Dynamic Link Library).
  • A DLL with a random file name in one of the following subfolders of the Windows directory:
    ADDINS, APPPATCH, ASSEMBLY, CONFIG, CURSORS, DRIVER CACHE, DRIVERS, FONTS, HELP, INF, JAVA, MICROSOFT, MICROSOFT.NET, MSAGENT, REGISTRATION, REPAIR, SECURITY, SERVICEPACKFILES, SPEECH, SYSTEM, SYSTEM32, TASKS, WEB, WINDOWS UPDATE SETUP FILES.

Virtumonde creates the following entries in the Windows Registry:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SysUpd = %file%

    where %file% is the random name of an executable file created by Virtumonde.
    By creating this entry, Virtumonde ensures that it is run whenever Windows is started.
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\%name-dll%
    where %name-dll% is the random name of the DLL created in the subfolders of the Windows directory, without the DLL extension. Registering the DLL as a Winlogon notification package makes winlogon.exe load it at logon, independently of the Run entry.
  • HKEY_CURRENT_USER\Software\Microsoft\SysUpd
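As an added example (not Panda's code), the triage below applies the three registry indicators above to an exported registry hive, which is how the check is usually done against a suspect disk or a `reg export` taken from the machine. The export text, the file names `qwerty.exe` and `xyzabc.dll`, and the baseline list of legitimate Winlogon notification packages are all constructed assumptions for this illustration; a real baseline should come from a known-clean system of the same Windows version.

```python
"""Flag Virtumonde persistence entries in a .reg export.

Added example, not part of the original Panda page. SAMPLE_REG_EXPORT is a
CONSTRUCTED export; the value names come from the encyclopedia entry, the
file names and the KNOWN_NOTIFY baseline are assumptions.
"""
import re

# Winlogon notification packages present on a stock Windows XP install
# (assumption; confirm against a clean reference machine).
KNOWN_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}

SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"SysUpd"="C:\\WINDOWS\\system32\\qwerty.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DLLName"="crypt32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\xyzabc]
"DLLName"="C:\\WINDOWS\\system32\\xyzabc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000000
"Startup"="Startup"

[HKEY_CURRENT_USER\Software\Microsoft\SysUpd]
"""


def parse_reg_export(text):
    """Return {key path: {value name: value}} for a .reg (regedit 5.00) export."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}          # a key with no values still counts
            continue
        m = re.match(r'^"([^"]*)"=(.*)$', line)
        if m and current is not None:
            name, val = m.group(1), m.group(2)
            if val.startswith('"') and val.endswith('"'):
                val = val[1:-1].replace("\\\\", "\\")   # .reg escapes backslashes
            keys[current][name] = val
    return keys


def virtumonde_indicators(keys):
    """Match the three registry indicators from the encyclopedia entry."""
    findings = []
    for key, values in keys.items():
        k = key.lower()
        if k.endswith("\\currentversion\\run"):
            for name, val in values.items():
                if name.lower() == "sysupd":
                    findings.append(f"Run value 'SysUpd' -> {val}")
        elif "\\winlogon\\notify\\" in k:
            package = key.rsplit("\\", 1)[-1]
            if package.lower() not in KNOWN_NOTIFY:
                dll = values.get("DLLName", "?")
                findings.append(f"unexpected Winlogon Notify package '{package}' -> {dll}")
        elif k == "hkey_current_user\\software\\microsoft\\sysupd":
            findings.append("marker key HKCU\\Software\\Microsoft\\SysUpd present")
    return findings


if __name__ == "__main__":
    for finding in virtumonde_indicators(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(finding)
```

The Run value gives the executable and the Notify package gives the DLL, so the two together name the files to remove. Because the copy of the library injected into explorer.exe relaunches the main executable, delete the registry entries and the files from Safe Mode or an offline boot rather than from the running session.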

Means of transmission 

Spyware can be installed on a computer in many different ways, including by Trojans that install it without the user's permission; by visiting web pages that carry certain ActiveX controls or code that exploits certain vulnerabilities; and bundled with shareware or freeware applications downloaded from the Internet.

Further Details  

Virtumonde is written in Visual C++ v7.10 (Visual C++ .NET 2003). This spyware is 307,200 bytes in size.
