Revenge on the malware Smitfraud-C and Virtumonde - Amit K. Kulshreshtha (June 2007)
My Story:
I had been noticing that my home computer running Windows XP was getting a tad irritating to work on. It had been a good boy for the last year, performing like a workhorse, but lately it seemed lazy and laid back; maybe age had caught up with it, I thought.
Internet Explorer would frequently perform an error and close down, with a comforting message flashing in my face, something like "This application has performed an error and will be shut down; inform your friendly neighborhood B. Gates about it". Windows Explorer would at times freeze and turn white or blank - the kind of look I frequently see on my boss's face when I explain my ideas to him.
The buttons on the status bar would either hang or keep flashing in their fancy hot-orange color no matter how much I clicked, and switching applications would take a long time, long enough for me to twiddle my thumbs or drum my fingertips on the table; it was becoming hard to restrain the animal in me from lashing out at the screen. I was fast evolving into an application psychopath, with CTRL + ALT + DELETE becoming my favorite weapon to kill everything that hung and froze. My SpyBot TeaTimer regularly pestered me with requests for DLL installation. The Sherlock Holmes in me put it down to a few reasons:
1) I had become more impatient - ruled out. I had become a patient (nut case) but definitely not impatient; didn't I watch the defragmentation color bars sorting themselves out so lovingly for 45 minutes? But defragmenting the hard drive did not help much, though some programs did speed up.
2) The computer had become slow - but why? Even re-installing Windows XP as an upgrade only marginally improved the performance.
3) Virus attack - could be, but then what was AVG doing - making friends with it or what?
4) Malware - yeah, this could be it. Wait, but which one? There had been only an occasional ad embedded in Internet Explorer coaxing me to buy Windows Anti Virus.
What did I do to identify the sneaky pests?
I wanted to put a name to these culprits so that I could research them on the internet. SpyBot 1.4 it was: first I updated and immunized it, then searched the root directory, and lo and behold, some exotic tongue twisters like Smitfraud and Virtumonde tumbled out of their hidden lair. Great! Now SpyBot could easily swat them, correct? Wrong. SpyBot could only delete their registry entries. It could not delete some files and wanted me to restart so it could try again on reboot; I did, and even after the reboot it could remove only the registry entries but not the DLL.
I tried a number of programs, including HijackThis, Trend's online virus scanner, Panda Software's online virus scanner, Symantec's FixVundo.exe and manual instructions, but to no avail! Even SpyBot Search and Destroy found only 1 occurrence of VirtuMonde when actually there were 16.
So now was the time to swallow my pride as a self-proclaimed computer genius and cry "HELP", and so I searched all over the net, downloaded solutions, studied forums and side-tracked many websites offering a quick fix, till finally I found the right cocktail to banish these two to computer hell (they come from there anyway). I have put up a series of steps above and have given more stuff on these two below. Enjoy your killing!
More on VirtuMonde:
VirtuMonde was first reported in May of 2004. VirtuMonde is an adware program; adware is software that shows advertisements. It is so resilient and widespread that three years later it is still infecting computers, even those with the latest antivirus and spyware detection installed.
Virtumonde monitors your web browsing activities and then downloads and displays pop-up advertisements chosen according to your surfing habits. VirtuMonde is also a key logger: it logs every keystroke you type and randomly displays advertisements. It creates a DLL (Dynamic Link Library) to record the keystrokes and send them to a parent site, putting one's personal and financial information at risk. VirtuMonde is also known as Virtumonde.C.
Virtumonde also attaches itself to explorer.exe and stays memory resident. If for some reason Virtumonde is stopped, the memory-resident component regenerates it.
Additionally, Virtumonde registers itself as an LSP (Layered Service Provider) in order to harvest information about the user's connection, such as Internet usage, pages viewed, phone connection details, and an inventory of the applications installed on the computer.
The VirtuMonde adware also tries to reset your browser's homepage to some kind of advertising page or portal. VirtuMonde then modifies the browser's settings, trying to remove the 'General' tab in Internet Explorer to prevent you from reversing the changes.
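The two hiding places described above, a DLL riding inside explorer.exe and a Winsock LSP, can both be enumerated with built-in tools. The script below is an added example, not code from the article or from any of the tools it mentions. It is read-only, deletes nothing, and assumes an elevated Windows PowerShell session whose bitness matches explorer.exe; the list of "trusted roots" and the ODD-PATH / UNSIGNED flags are heuristics of this example, not definitions from Microsoft or the article.

```powershell
# Added example, not from the original article: a read-only triage script that
# answers "what is loaded where?" for DLLs inside explorer.exe and for Winsock
# LSP providers. Nothing is modified or deleted.
# Assumptions: elevated Windows PowerShell, bitness matching explorer.exe;
# $trustedRoots is a heuristic list, not a Microsoft-defined one.

$trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ }

function Test-TrustedLocation {
    param([string]$Path)
    foreach ($root in $trustedRoots) {
        if ($Path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-SignerSummary {
    # Returns MISSING, UNSIGNED/<status>, or the signer subject of a valid signature.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return 'MISSING' }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') { return "UNSIGNED/$($sig.Status)" }
    return $sig.SignerCertificate.Subject
}

function Get-SuspiciousExplorerModules {
    # One record per DLL in explorer.exe that is loaded from an unusual path
    # or carries no valid Authenticode signature.
    Get-Process -Name explorer -ErrorAction SilentlyContinue | ForEach-Object {
        foreach ($m in $_.Modules) {
            $path   = $m.FileName
            $signer = Get-SignerSummary $path
            $flags  = @()
            if (-not (Test-TrustedLocation $path)) { $flags += 'ODD-PATH' }
            if ($signer -like 'UNSIGNED*')         { $flags += 'UNSIGNED' }
            if ($flags.Count -gt 0) {
                New-Object PSObject -Property @{
                    Flags  = ($flags -join ',')
                    Path   = $path
                    Signer = $signer
                }
            }
        }
    }
}

function Get-WinsockProviders {
    # 'netsh winsock show catalog' prints one block per provider; pull the
    # Description and Provider Path lines out of each block and rate the DLL.
    $desc = $null
    foreach ($line in (netsh winsock show catalog)) {
        if ($line -match '^\s*Description:\s+(.+?)\s*$') {
            $desc = $Matches[1]
        }
        elseif ($line -match '^\s*Provider Path:\s+(.+?)\s*$') {
            $path   = [Environment]::ExpandEnvironmentVariables($Matches[1])
            $signer = Get-SignerSummary $path
            $ok     = (Test-TrustedLocation $path) -and ($signer -notlike 'UNSIGNED*') -and ($signer -ne 'MISSING')
            New-Object PSObject -Property @{
                Verdict  = $(if ($ok) { 'ok' } else { 'CHECK' })
                Provider = $desc
                Path     = $path
                Signer   = $signer
            }
        }
    }
}

Write-Host '== explorer.exe modules worth a second look =='
Get-SuspiciousExplorerModules | Select-Object Flags, Path, Signer | Format-Table -AutoSize

Write-Host '== Winsock catalog (LSP) providers =='
Get-WinsockProviders | Select-Object Verdict, Provider, Path, Signer | Format-Table -AutoSize
```

Two caveats when reading the output. The path check is the more dependable signal: on older Windows, many genuine system DLLs are catalog-signed rather than carrying an embedded signature, so Get-AuthenticodeSignature reports them as NotSigned and the UNSIGNED flag will be noisy there. And because the article notes that the memory-resident part regenerates the DLL, a clean listing taken while explorer.exe is still running the malicious module says nothing about what the next reboot will load; compare the list before and after the clean-up rather than trusting a single run.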
In a nutshell
More on Trojan Smitfraud:
Smitfraud is malware ("malicious software") and endangers the security of individual PCs and networks. Smitfraud is a Trojan and is installed under deceptive pretenses without the user's full knowledge and consent. Smitfraud downloads rogue security products and changes the user's desktop to display false warnings that the computer is infected with spyware, in order to frighten the user into paying for the program.
Smitfraud shows excessive pop-up messages. The creator of each pop-up is an affiliate, so each time an unsuspecting user purchases the advertised program in the hope of removing the Trojan, the person behind the attack gets paid.
Smitfraud puts up ads for purchasing anti-spyware software, such as Adware Delete, PS Guard, AntivirusGold or Spy Sheriff, that supposedly detects adware on your computer but is in fact itself malicious spying software. Furthermore, Smitfraud replaces some critical Windows components with its own infected files. Smitfraud is malicious spyware and may cause serious system instability.
This program installs itself through the Internet and creates a new desktop wallpaper. This wallpaper looks like a Windows 98 / 2000 / XP blue screen and contains a warning that the computer is infected with viruses, that one should download and run a virus scanner, and that the computer won't work in normal mode. In addition, one gets a desktop icon leading to a pretended antivirus application named PS Guard. Scanning the computer with this software will report a virus found (one that was installed by this software itself), and in order to remove this virus one has to download the full, paid version. Another unpleasant effect of Smitfraud-C is that some configuration options in the Control Panel are no longer available. This way it stops the user from changing the wallpaper and forces him to keep the blue screen. Overall, Smitfraud-C is very sneaky software that tries to sell PS Guard by frightening less experienced users.
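The Control Panel lock-out and forced wallpaper described above, and the removed Internet Explorer 'General' tab mentioned in the VirtuMonde section, are all ordinary Windows and IE policy settings that the malware turns on. The script below is an added example, not code from the article; it reads the relevant registry values and reports them without changing anything. The value names are the documented Windows and Internet Explorer policy values; the "suspicious wallpaper" rule is a heuristic of this example, not something the article states.

```powershell
# Added example, not from the original article: a read-only check for the
# lock-out tricks described above, i.e. Control Panel display pages hidden by
# policy, the wallpaper pointed at an unexpected file, and Internet Explorer's
# General tab or home page locked by policy.
# Assumption: the "suspicious wallpaper" test below is a heuristic of this
# example; the registry value names are the standard Windows/IE policy values.

$policyChecks = @(
    @{ Key  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'NoDispCPL';            Meaning = 'Display properties hidden from Control Panel' },
    @{ Key  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'NoDispBackgroundPage'; Meaning = 'Desktop/background page removed' },
    @{ Key  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop'
       Name = 'NoChangingWallPaper';  Meaning = 'Changing the wallpaper blocked' },
    @{ Key  = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'
       Name = 'GeneralTab';           Meaning = 'IE General tab removed' },
    @{ Key  = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'
       Name = 'HomePage';             Meaning = 'IE home page locked' }
)

function Get-PolicyHits {
    # Emits one record per policy value that exists and is non-zero.
    foreach ($c in $policyChecks) {
        $item = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
        if ($item -and $item.($c.Name) -ne 0) {
            New-Object PSObject -Property @{
                Setting = "$($c.Key)\$($c.Name)"
                Value   = $item.($c.Name)
                Meaning = $c.Meaning
            }
        }
    }
}

function Test-SuspiciousWallpaper {
    # Heuristic: a wallpaper that is an HTML page, lives in a temp directory,
    # or no longer exists on disk is out of the ordinary for a home PC.
    param([string]$Path)
    if (-not $Path) { return $false }
    if ($Path -match '\.html?$') { return $true }
    if ($Path -like "$env:TEMP*" -or $Path -like "$env:SystemRoot\Temp*") { return $true }
    return -not (Test-Path -LiteralPath $Path)
}

function Get-DesktopAndBrowserState {
    $wall  = (Get-ItemProperty 'HKCU:\Control Panel\Desktop' -Name Wallpaper -ErrorAction SilentlyContinue).Wallpaper
    $start = (Get-ItemProperty 'HKCU:\Software\Microsoft\Internet Explorer\Main' -Name 'Start Page' -ErrorAction SilentlyContinue).'Start Page'
    New-Object PSObject -Property @{
        Wallpaper           = $wall
        WallpaperSuspicious = (Test-SuspiciousWallpaper $wall)
        IEStartPage         = $start
    }
}

Write-Host '== Policy values that hide or lock settings =='
Get-PolicyHits | Select-Object Setting, Value, Meaning | Format-Table -AutoSize

Write-Host '== Current wallpaper and IE start page =='
Get-DesktopAndBrowserState | Format-List
```

These policy values are legitimate on a domain-managed PC, so a hit is a lead rather than a verdict; on a home machine that nobody has deliberately locked down, a non-zero NoDispCPL or GeneralTab alongside a wallpaper that is an HTML file in a temp directory matches the behaviour the article describes. Clearing the values only sticks once the program that sets them is gone, which is why the article's own experience was that registry entries removed by a scanner kept coming back while the DLL remained on disk.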
What does malware do?
Slow down the computer: if your PC takes longer than usual to reboot, or if your Internet connection is unusually slow, think malware.
Add new desktop shortcuts or homepages: malware can add new desktop shortcuts, and it can redirect your default homepage to another web site.
Continuous pop-ups: online or offline, the malware's bombardment of pop-up ads continues. Malware tracks your financial and personal information.
A brief look at Malware / Spyware / Adware / Worm / Trojans
Adware is software designed to promote advertisements. Adware acts without your authorization or knowledge. Often, free utilities may install hidden adware, sometimes to earn money for the author to recover development costs. While adware is not always malicious, it can track your Internet activity and send this and other personal information from your computer to advertisers. When advertisers get this information, you may be a target for pop-up/pop-under advertisements, web browser toolbars, and spam.
Some adware may also fall under the category of spyware. Spyware (or a Trojan) is any software or malware ("malicious software") used to spy on or track your computer activity. While some spyware is legitimately and intentionally installed by parents or employers to monitor Internet activity on a computer, spyware may also be installed maliciously. Often spyware comes bundled with downloads of free software or arrives in the form of a cookie via a web site, and it may track your Internet activity or steal secret account usernames and passwords, credit card numbers, and other personal and financial information. Such programs may also open illicit network connections, use polymorphic tactics to self-mutate, disable security software, modify system files, and install additional malware.
How can you get Infected with VirtuMonde / Smitfraud?
Web browser’s security settings may be set much too low,