태터데스크 관리자

도움말
닫기
적용하기   첫페이지 만들기

태터데스크 메시지

저장하였습니다.

'Vundo'에 해당되는 글 1건

  1. 2007.12.06 Virtumonde/Vundo goes file infector
신종악성코드정보2007.12.06 08:46


Roel December 05, 2007

Over the last couple of days I've been looking at some of the latest tricks used by the creators of some adware - Virtumonde a.k.a Vundo. Virtumonde is notoriously hard to remove from an infected machine and with a new infection vector added, the program's got even tricksier.
The authors are now using file infection so Virtumonde checks which files run at Windows startup and tries to infect them. Effectively this means that Virtumonde turns the original host file into a Trojan-Dropper.

Dropper code is prepended to the original host file, with a copy of Virtumonde being appended to the same file. When the infected file is launched it drops the original host file to %temp% and the Virtumonde file to the system directory.

Although Virtumonde is using an infection marker to prevent re-infecting the same file over and over again, this doesn't always work. There are samples of already infected files being re-infected and the host file then won't run. However, re-infection doesn't prevent Virtumonde itself from running.

Because this code is self-replicating we're dealing with a classic prepending virus. Unlike some other adware we've blogged about that uses a similar approach, this isn't a Patcher Trojan.

This new trick from the Virtumonde authors is pretty easy to detect and disinfect. (We detect it as Virus.Win32.Trats.a). Although this variant didn't cause any headaches from a technical point of view, we can expect some interesting challenges if Virtumonde continues to evolve.

Posted by viruslab
TAG

댓글을 달아 주세요