Discovered: November 20, 2004
Updated: March 17, 2010 10:38:59 PM
Type: Trojan
Infection Length: Varies
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Vista, Windows XP

Trojan.Vundo is a Trojan horse that downloads files and displays pop-up advertisements. It is known to be distributed through spam email, peer-to-peer file sharing, drive-by downloads, and by other malware.
Infection
Trojan.Vundo, also known as VirtuMonde, VirtuMundo, and MS Juan, typically arrives by way of spam email or is hoisted onto the user’s computer by a drive-by download that exploits a browser vulnerability. The Trojan may also be downloaded via file-sharing networks, with the malicious executables having been given innocuous names to trick users into running them.
Trojan.Vundo may also be downloaded by other malware. The mass-mailing worms W32.Ackantta.B@mm and W32.Ackantta.C@mm are known to download variants of this threat family onto compromised computers. Increased levels of infection by these worms have been seen to result in an increase in the number of Trojan.Vundo infections.
Functionality
Trojan.Vundo was designed as a means for displaying advertisements on the compromised computer. The Trojan includes functionality to display pop-ups and is additionally capable of injecting advertisements into search results.
The advertisements and pop-ups that are displayed include those for fraudulent or misleading applications; intrusive pop-ups, fake scan results, and so-called alerts that masquerade as being from legitimate security software appear on the desktops of compromised computers in an attempt to frighten users into clicking buttons for 'further information'. The advertisements generally link to sites offering non-functional (or occasionally outright harmful) programs that purport to be capable of ridding the computer of non-existent malware in return for a fee payable by credit card.
Advertisements for adult Web sites and services may also be displayed by the threat.
In order to make it more difficult to remove, Trojan.Vundo also lowers security settings, prevents access to certain Web sites, and disables certain system software. Some variants attempt to disable antivirus programs.
Recent Trojan.Vundo variants have more sophisticated features and payloads, including rootkit functionality, the capability to download misleading applications by exploiting local vulnerabilities, and extensions that encrypt files in order to extort money from the user.