Fixing Vundo Virtumonde Trojan
Posted by cfaulkner on June 23, 2008
Fixing Vundo Trojan
A Real World Perspective
December 26th, 2007 –Chris Faulkner (cfaulkner70@gmail.com)
Scroll down to the very bottom for questions answered by email.
If this tutorial has helped you in any way or you have questions, please email me. I'd love to hear from you!
Updated information at the bottom: January 15th, 2008
Removal of the Vundo Trojan requires old-school brain work mixed with a little new-school savvy. Vundo is particularly tricky to remove because it has a tendency to lock the files it needs to replicate. This Trojan has hit my systems quite a few times. I've looked on various websites like Symantec and McAfee and even the main virus database, and while I was able to pick up clues on what I'd find, I kept falling short of a tangible cure for this malicious and very annoying Trojan.
What I found in my journey with this particular Trojan is that no matter what you do, no matter what anti-virus program you have, no matter what browser you are using (IE, Firefox, etc.), it can still infect your computer, and it does so through one avenue. That is JavaScript, and I'm not saying to delete Java from your computer because it's evil. There is an exploit in older versions of Java that will allow Vundo to do as it pleases, and the only vaccine for it is to update your Java SDK. Simple enough? Sure, but it goes a little further than that, especially if you are already infected. Here is what a typical start of infection might look like:
Looks harmless enough, right? Not at all. While Vundo itself is a mere annoyance, if you do not pay the people X amount of dollars, Vundo invites some friends into your computer that you may not want. This is the problem that is plaguing the internet at the moment. For one, this Trojan has quite a few variants because its source code is all over the place, so programmers, even amateur programmers, can change the code and compile it in just a few minutes, thus completing another variant. Also, MySpace ads and add-ons people use to spiff up their MySpace sites contain these JavaScript exploits, and just viewing these sites will infect your computer.
The problem with initial infection is this. The images above represent what you see the moment you are about to be infected. OK, great, you know about this and you know you don't want it, so what do you do? You click 'Cancel'. Guess what: 'Cancel' is not really 'Cancel', it is actually an 'OK' button. You can hit Alt-F4 to hard-cancel this window when it pops up. Wow, you know you hit Cancel, and the tech guy that comes over to reload your operating system is going to tell you to "stop looking at porn sites" and basically make you feel like a buffoon. In this tutorial, I will explain to you in immense detail how you can detect it (even the variants, with simplicity) and all the tools I've used. Every tool that I have used in this tutorial is free; the only thing this will cost is your time. I will try to lay this all down 'Big Bird style', so if you get offended, that's not my problem.
First of all, we have to figure out where this Trojan is starting from. Viruses and Trojans all start from the same general area. First and foremost, you have to understand how a Windows PC boots up (Linux boots up a little differently, but if you run Linux, this tutorial is not needed... LOL). Here we go:
Step 1: Power is applied and tested, and the ROM BIOS starts, giving minimal configuration to the startup peripherals, namely the screen and keyboard only. Then it looks in CMOS RAM for the boot device. Finally, after a successful boot device is found, it pulls the MBR (Master Boot Record) from that device, which is then transferred to RAM.
Step 2: The actual OS boot sequence begins. The boot loader looks for a hidden file on the system partition called 'NTLDR'. This will load Windows in 4 stages: 1) Initial Boot Loader, 2) Operating System Selection, 3) Hardware Detection, 4) Configuration Selection.
Step 3: NTLDR looks for a file called "BOOT.INI" and from there gleans information on how to initially load up XP. Then NTDETECT.COM collects a list of installed hardware on your system, saves a temporary file with that list, and will later include that list in the final part of the boot-up sequence.
Step 4: During the loading of the actual XP kernel, NTLDR is still in control of the computer. At this time NTLDR is loading the HAL.DLL (Hardware Abstraction Layer) file. HAL.DLL is a subset program that keeps the kernel separate from the hardware.
Step 5: Every piece of driver software for all of your hardware is saved in the Registry, so NTLDR checks (HKEY_LOCAL_MACHINE\SYSTEM\Services) to see if those devices are allowed to start up or are disabled upon boot.
Step 6: SMSS (Session Manager Subsystem) runs in user mode, but not exactly. It is run as a trusted core component of the OS and is allowed to pass executive functions around. This brings up the graphics subsystem and the login processes.
Step 7: SMSS then loads win32k.sys to bring the graphics subsystem up completely, the drivers are all initialized, and NTLDR makes a copy of the current configuration, which is saved as 'Last Known Good Configuration'.
Step 8: NTLDR then hands the torch to the kernel, and WINLOGON.EXE presents you with a dialog for you to log in.
OK, if we understand this simple process, there are actually a few moments in there where something can be slipped in, while in others nothing can be slipped in. So in order to figure this Vundo Trojan out, we need to figure out at which of these steps Vundo actually becomes active. I like to go straight for the root of the problem instead of handling the leaves; that's why this removal of Vundo is very aggressive.
First, we need to go into RegEdit (Start, Run, and type 'RegEdit')
Navigate to the RegKey:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa
The picture above is a real-world example from my last Vundo removal. See the highlighted key, Authentication Packages? See anything strange? Yeah. This is our moment of impact, when Vundo loads itself and replicates if the files it expects are not there. This seems too easy, doesn't it? Actually, it is. What we are going to do at this point is just jot down the file and where it's located. In this example, c:\WINDOWS\system32\awtqr.dll is the file we want to remove. Also, go into Start > Run > MSCONFIG, go to the Startup tab and disable all non-essential boot-up programs, or just disable them all. Then we need to get a burned copy of Ultimate Boot CD and boot to this CD. We want to remove the affected file. After removing the file, check to see if there is anything else named the same but with a different extension. Delete it too. Now, in Notepad, create a tiny text file and name it the same thing as the DLL or EXE we just removed. Right-click on the file, select Properties and make it a read-only file. Reboot. When Windows comes back up, you may have a slew of errors. Ignore these for now.
Now, one final cleanup and check: we use a tool called "Security Task Manager" to check for rogue processes that may still be hooked into the system. This program checks and scans for any DLLs that may be lingering due to Internet Explorer plugins you don't want running. When Security Task Manager is running, be sure to check for these BHOs shown as DLL files and then make sure they are removed from loading when you start up Internet Explorer. A good, but long, way to remove any add-ons on startup of IE is to go back into RegEdit and navigate to the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings. Underneath this key are CLSIDs; for each of these we have to go into HKEY_CLASSES_ROOT to determine what the CLSID is and delete it, or if you feel ballsy enough, load up Internet Explorer, go to Tools > Manage Add-ons and disable the add-ons there. (I disable add-ons even if they are legitimate, like the Yahoo toolbar and Google toolbar, not because they are malicious, but to save memory and load times.) From here, reboot your computer and check RegEdit again at the key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa to see if anything is still behind 'msv1_0'.
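As an added example (not code from the original post), here are the two registry checks described above written as a small Python script: the Lsa 'Authentication Packages' value, where anything beyond 'msv1_0' is the clue, and the CLSIDs under the user's Ext\Settings key resolved through HKEY_CLASSES_ROOT to the DLL they load. The comparison logic is separate from the registry reads, which use the winreg module and so only run on Windows; the baseline of msv1_0 as the only expected package and the short list of variant names are assumptions drawn from this page.

```python
"""Registry audit for the two places this write-up points at:
Lsa\\Authentication Packages and the per-user IE add-on (BHO) CLSIDs."""
import sys
from typing import Dict, Iterable, List

# Assumption (not from the write-up): a clean Windows XP install registers
# only msv1_0 in Lsa\Authentication Packages.
BASELINE_AUTH_PACKAGES = {"msv1_0"}

# Registry paths named in the write-up above.
LSA_KEY = r"SYSTEM\ControlSet001\Control\Lsa"
EXT_SETTINGS_KEY = r"Software\Microsoft\Windows\CurrentVersion\Ext\Settings"

# A few names from the page's variant list, used as the "known bad" set.
KNOWN_VARIANTS = ["AWTQR.DLL", "GEEBX.DLL", "AWTQO.DLL", "VTUTR.DLL"]


def normalize_module(entry: str) -> str:
    """Reduce 'C:\\WINDOWS\\system32\\AWTQR.DLL', 'AWTQR.DLL' or 'awtqr' to 'awtqr'."""
    base = entry.strip().replace("\\", "/").rsplit("/", 1)[-1]
    if base.lower().endswith(".dll"):
        base = base[:-4]
    return base.lower()


def unexpected_auth_packages(values: Iterable[str],
                             baseline: Iterable[str] = BASELINE_AUTH_PACKAGES) -> List[str]:
    """Entries of the REG_MULTI_SZ value that are not in the baseline, in registry order."""
    allowed = {normalize_module(b) for b in baseline}
    return [v for v in values if normalize_module(v) not in allowed]


def flag_bho_modules(bho_modules: Dict[str, str],
                     known_variants: Iterable[str]) -> List[str]:
    """bho_modules maps CLSID -> InprocServer32 module path (as resolved through HKCR).
    Returns the CLSIDs whose module name matches one of the known variant names."""
    bad = {normalize_module(n) for n in known_variants}
    return sorted(c for c, path in bho_modules.items() if normalize_module(path) in bad)


def read_auth_packages() -> List[str]:
    """Windows only: read Lsa\\Authentication Packages (REG_MULTI_SZ) from ControlSet001."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, LSA_KEY) as key:
        values, _kind = winreg.QueryValueEx(key, "Authentication Packages")
    return list(values)


def read_bho_modules() -> Dict[str, str]:
    """Windows only: for each CLSID under the user's Ext\\Settings key, resolve the
    module it loads via the default value of HKCR\\CLSID\\{clsid}\\InprocServer32."""
    import winreg
    modules: Dict[str, str] = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, EXT_SETTINGS_KEY) as key:
        index = 0
        while True:
            try:
                clsid = winreg.EnumKey(key, index)
            except OSError:  # no more subkeys
                break
            index += 1
            try:
                modules[clsid] = winreg.QueryValue(
                    winreg.HKEY_CLASSES_ROOT, rf"CLSID\{clsid}\InprocServer32")
            except OSError:  # CLSID has no registered in-process server
                modules[clsid] = ""
    return modules


if __name__ == "__main__" and sys.platform == "win32":
    print("Lsa packages beyond the baseline:",
          unexpected_auth_packages(read_auth_packages()))
    print("BHO CLSIDs loading a known variant name:",
          flag_bho_modules(read_bho_modules(), KNOWN_VARIANTS))
```

Run it as the logged-in user whose IE add-ons you want to see, since Ext\Settings lives under HKEY_CURRENT_USER; the Lsa value is machine-wide. Anything printed in the first line that is not msv1_0 is the file to jot down before booting off the CD.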
Lastly, download a program called "CCleaner (Crap Cleaner)". Install it (make sure on the 4th or 5th page of the install that you untick 'Install Yahoo Toolbar', as we don't want any more toolbars, LOL). Run CCleaner; on the lower right, click 'Run Cleaner' and proceed with the cleanup. Then, after that is done, click on 'Registry' on the left side and then click the 'Scan for Issues' button. This will take a few moments; after it's done scanning, click the 'Fix Selected Issues' button and finish that out. Run Security Task Manager again to see if anything else malicious is running. After this, you should have a clean system. Any questions? Email me: cfaulkner70@gmail.com
Notes about the author: Chris Faulkner has been involved with computers since 1980. He has also worked for Dell, HP and numerous banks, specializing in Windows and Linux security. If you have any questions, feel free to email him.
Questions answered via email:
Q: When I try to go into RegEdit, I get RegEdit has been disabled by Administrator?
A: If you are running Windows XP Home, follow this link: http://support.microsoft.com/?kbid=290109 and do the steps under 'More Information'. If you are running Windows XP Pro, at the login screen hit Control-Alt-Delete twice to bring up another login screen. Username: Administrator; Password: blank/empty/nothing. If this does not log you on, then someone has set a password on the Administrator account, and the only way to get in is some other method.
Update:
Had another Vundo Trojan hit my wife's laptop. It appears as though this was incomplete. The problem here is we also need to find a way to get onto the hard drive without loading the operating system. This is where BartPE or ERD Commander comes in handy. Something like Ultimate Boot CD would also come in handy. Once you find out in RegEdit, on the Lsa string, what DLL or EXE is being loaded, boot into the Ultimate Boot CD and delete that DLL or EXE. Case in point: on my wife's laptop, she had geebx.dll being loaded into LSASS on startup. There was also a file called geebx.exe. I deleted both of these files, then I went into Notepad and recreated both geebx.dll and geebx.exe and made them read-only. This kept any other files from rewriting the parent files. Also, I had some difficulty logging back in, as it had rewritten googletalk.exe to read googletalk .exe (extra space before the .exe), and a few other files like this as well, like qttask.exe. Basically, in that situation I create another user in Control Panel, copy all important documents out of the affected user to a backup folder like C:\BACKUP, and use the other username.
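The file-side steps from the removal section and this update, as an added example rather than code from the original post: find files that share the removed DLL's name under another extension (the geebx.dll / geebx.exe pair), spot names with a space before the extension (the googletalk .exe case), and create the read-only placeholder that keeps the original name from being re-created. The sample directory and file names are constructed for the demonstration; the placeholder helper refuses to overwrite an existing file so it can only be used after the real one is gone.

```python
"""Filesystem follow-up to the Vundo removal steps described above."""
import os
import stat
import tempfile
from typing import List


def sibling_files(directory: str, stem: str) -> List[str]:
    """All files in directory whose name minus extension equals stem (case-insensitive)."""
    hits = []
    for name in os.listdir(directory):
        base, _ext = os.path.splitext(name)
        if base.lower() == stem.lower():
            hits.append(name)
    return sorted(hits)


def space_before_extension(directory: str) -> List[str]:
    """File names such as 'googletalk .exe' where whitespace precedes the extension."""
    hits = []
    for name in os.listdir(directory):
        base, ext = os.path.splitext(name)
        if ext and base != base.rstrip():
            hits.append(name)
    return sorted(hits)


def create_readonly_placeholder(path: str) -> bool:
    """Create an empty read-only file at path. Returns False (and does nothing)
    if something already exists there, so a live file is never clobbered."""
    if os.path.exists(path):
        return False
    with open(path, "wb"):
        pass
    # On Windows os.chmod with S_IREAD sets the read-only attribute, the same
    # thing as ticking 'Read-only' in the file's Properties dialog.
    os.chmod(path, stat.S_IREAD)
    return True


def run_demo() -> dict:
    """Build a constructed sample directory and run the three checks on it."""
    directory = tempfile.mkdtemp()
    # Constructed names mirroring the write-up: a DLL/EXE pair, a file with a
    # space before the extension, and an ordinary untouched program.
    for name in ("awtqr.dll", "awtqr.exe", "googletalk .exe", "qttask.exe"):
        open(os.path.join(directory, name), "wb").close()
    placeholder = os.path.join(directory, "geebx.dll")
    created = create_readonly_placeholder(placeholder)
    created_again = create_readonly_placeholder(placeholder)
    writable = bool(stat.S_IMODE(os.stat(placeholder).st_mode) & stat.S_IWUSR)
    return {
        "siblings": sibling_files(directory, "awtqr"),
        "spaced": space_before_extension(directory),
        "created": created,
        "created_again": created_again,
        "placeholder_writable": writable,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Point sibling_files and space_before_extension at the real system32 (or wherever the Lsa value said the DLL lives) once you are booted off the CD; the demo only exercises them against the constructed temporary directory.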
Other variants of the DLLs are:
AWTQO.DLL GEEDE.DLL VTUTR.DLL GEEBB.DLL GEBYW.DLL PMNLM.DLL TUVUT.DLL JKHFF.DLL MLLJK.DLL HGDDE.DLL JKKLM.DLL VTUTS.DLL AWTQN.DLL MLJJI.DLL VTURP.DLL VTSQQ.DLL DDABY.DLL MLJHF.DLL GEBYY.DLL VTSTQ.DLL QOMJG.DLL PMNNL.DLL SSTTS.DLL URQPP.DLL VTSQP.DLL DDCCA.DLL AWVVW.DLL HGDBX.DLL GEEDB.DLL JKHHF.DLL GEBCB.DLL VTUTQ.DLL DDCYV.DLL FCCBC.DLL VTSTS.DLL BYXYV.DLL DDABA.DLL DDCYY.DLL PMKKL.DLL CBXXY.DLL AWTSR.DLL MLLJH.DLL KBDPAT.DLL VJNI.DLL EFEEF.DLL GEBCD.DLL NISYI.DLL NNLLI.DLL SSQPM.DLL AWVTQ.DLL MLJGD.DLL IIIHG.DLL WINSC32.DLL YABAA.DLL DDCCD.DLL MLLMK.DLL AWVTS.DLL IIIFE.DLL JKKJJ.DLL RQRRO.DLL VTURS.DLL SSQPP.DLL AWTQP.DLL AWVVS.DLL OPNKL.DLL GEBYA.DLL GEBCA.DLL JKHHG.DLL JKKJH.DLL AWTQQ.DLL SSTTU.DLL PMKHH.DLL DDABB.DLL SSTTR.DLL MLLJI.DLL JKHFD.DLL FCCDB.DLL JKHFG.DLL VTURR.DLL GEBYX.DLL URSRR.DLL GEEBX.DLL PMKHG.DLL YAYYY.DLL JKKJK.DLL PMNNN.DLL DDCCC.DLL MLJGH.DLL JKKLJ.DLL TUVUV.DLL LJJGD.DLL JKHFE.DLL IIIIF.DLL DDCYW.DLL PMNKJ.DLL VTSQO.DLL EFEBC.DLL MLJGF.DLL FCCAW.DLL WVURQ.DLL VTSPQ.DLL PMKLI.DLL HGDEE.DLL MLLMJ.DLL URQOL.DLL HGGGE.DLL TUVWV.DLL TUVWVVV.DLL HGGGF.DLL YAYXYYY.DLL QOMNKKL.DLL WVUTTRS.DLL XXYWUVU.DLL XXYXUSQ.DLL IIFFCAX.DLL QOMMNOL.DLL GEBBXVS.DLL VTUSRSS.DLL SLGUARD.DLL KHHEB.DLL WVUVWTQ.DLL VTUTT.DLL MLJIIFE.DLL VTUVU.DLL JKHIJ.DLL HGGHGHH.DLL OPNKK.DLL MLJKLIH.DLL DDCAXWU.DLL AWTTROM.DLL VTUUR.DLL QOMLK.DLL PMKIJ.DLL FCCDEBA.DLL NNLMJ.DLL WVUVTRP.DLL HGGHHGG.DLL EFCDCYW.DLL MLJIIJG.DLL GEEDA.DLL YAYYYXY.DLL JKKIGGH.DLL SSQRP.DLL IIFFEEF.DLL MLJHIFC.DLL SSQNNKJ.DLL LJJIGHH.DLL IIFGEBA.DLL QOMJI.DLL FCCCBXX.DLL EFCDAYV.DLL RDTPTVPK.DLL TUVTUUS.DLL CBAXW.DLL QOMMM.DLL MLJHE.DLL KHFEBXW.DLL WVUSQ.DLL CBXWUTQ.DLL BYXXUVU.DLL URQQOML.DLL TUVWXUV.DLL PMNLJIG.DLL GEBAWTR.DLL MLJGECA.DLL KHFGHFF.DLL CBXYY.DLL EFCYYXY.DLL EFCDB.DLL PMNLI.DLL BYXUVUT.DLL VTUVSQR.DLL FCCAYXV.DLL GEBBCDB.DLL SSQNOPN.DLL OPNKKKJ.DLL SSQPONO.DLL HGGHGGH.DLL URQRQOO.DLL VTUTUUT.DLL URQNNNO.DLL LJJGGFC.DLL KHFFEEF.DLL YAYYYVT.DLL XXWTS.DLL VTUST.DLL VTUTSRR.DLL BYVUS.DLL 
GEBAAYX.DLL MLJHFCC.DLL BYXVSTU.DLL LJJIHFD.DLL LJJHFGD.DLL XXYWUTU.DLL LJJJI.DLL FCCAX.DLL IIFGDCD.DLL AWTSTTT.DLL PMNNLMK.DLL FCCYYWU.DLL AWTRQPQ.DLL WVUTRSR.DLL VTUVSST.DLL JKKKKIF.DLL IIFFDBA.DLL BYXURSP.DLL HGDAW.DLL TUVSRQP.DLL AWTUROL.DLL MLJKHGG.DLL EFCAXXV.DLL VTUSTQQ.DLL DDCDA.DLL VTUVTUS.DLL LJJJK.DLL NNNMJIF.DLL OPNNKIH.DLL LJHIJ.DLL IIFEEFG.DLL FCCCCAW.DLL NNNOLIH.DLL BYXWTQQ.DLL XXYAAWW.DLL IIFCBCA.DLL LJJJJGE.DLL OPNONNO.DLL WVURSTU.DLL OPPNO.DLL JKKKJJH.DLL TUVTTUV.DLL AWTRPQR.DLL EFEEC.DLL XXYYY.DLL VTURPQR.DLL NNNMKLM.DLL WVWUV.DLL VTUUVVT.DLL NNNMJHF.DLL IIFGHFE.DLL VTSRR.DLL DDAYX.DLL VTSSS.DLL FCYXX.DLL MLJJJKL.DLL WVUVWTT.DLL BYXXXVV.DLL FCCCYXX.DLL LJJGHEC.DLL TUVSQ.DLL JKKKI.DLL JKHHI.DLL IIFDBYA.DLL EFCCY.DLL FCCBYAB.DLL AWTUTQO.DLL VTUTTQN.DLL WVUVSRQ.DLL TUVTSQQ.DLL AWTSSTU.DLL SSQQRPN.DLL QOMMKLM.DLL MLJHH.DLL IIIJI.DLL MLJIJJI.DLL DDAXX.DLL DDCDE.DLL QOMMKKJ.DLL GEBAA.DLL IIFEF.DLL RQRSSQP.DLL LJJIGDC.DLL HGGFDBX.DLL BYXYW.DLL JKKLLMK.DLL OPNLMNN.DLL GEBAYVU.DLL BYXWWUU.DLL URQQN.DLL LJJGDDA.DLL XXYXXUU.DLL EFEDE.DLL CBXWX.DLL KHFFDAW.DLL NNNLJKI.DLL XXYWXXU.DLL DDCDDEC.DLL QOMJJJK.DLL AWTSSTQ.DLL NNNKLIF.DLL URQQP.DLL NNNNLMM.DLL QOMKK.DLL IIFDAAB.DLL FCCDA.DLL GEBAWTS.DLL SSTUV.DLL SSQNK.DLL MLLIG.DLL DDCYVTR.DLL XXYAYAY.DLL QOMMK.DLL OPPNM.DLL YAYVTUS.DLL LJJHHHI.DLL LJJIFEF.DLL XXWUV.DLL SSTUU.DLL TUVWW.DLL PMKLL.DLL FCCAWWU.DLL QOMMMJI.DLL NNNNNOP.DLL VTSRO.DLL AWTRRQQ.DLL SSQOL.DLL CBAAB.DLL CBXXW.DLL SSQOM.DLL URSST.DLL FCCCYAB.DLL XXYYABA.DLL BYXXUUR.DLL KHFFDCC.DLL MLJHG.DLL HGDBB.DLL OPNKJ.DLL HGGFC.DLL JKKHG.DLL VTUVTRR.DLL JKKIF.DLL NNNMKKI.DLL KHFFG.DLL LJHGE.DLL DDAWT.DLL SSQRQOO.DLL HGGEC.DLL EFEEE.DLL QOMNO.DLL WVUSR.DLL OPNMK.DLL TUVWT.DLL XXYVVTR.DLL GEBCBCA.DLL VTTUUT.DLL SSQROM.DLL BYXXVTQ.DLL MLJGHHI.DLL PMNKKJH.DLL SSTSR.DLL SSTRR.DLL PMNLJKH.DLL PMNNNLK.DLL CBXYAXV.DLL XXYVW.DLL EFEBX.DLL MLJKLKL.DLL CBXUS.DLL DDAAY.DLL LJHHH.DLL DDAAB.DLL OPPPN.DLL SSQRPPN.DLL XXYYVTQ.DLL WVUROOM.DLL XXYYX.DLL WVUVWUT.DLL 
PMNKHHG.DLL EFCCYWU.DLL URQNOOP.DLL CBXUSPO.DLL IIIHI.DLL JKKHGGE.DLL IIFECYA.DLL FCCAXYY.DLL KHFEF.DLL AWTSPML.DLL RQRPPNO.DLL XXYYAWX.DLL NNNLIHF.DLL RQRRPOO.DLL EFCCB.DLL CBXXYYX.DLL DDCCYYA.DLL HGDCB.DLL QOMJKLL.DLL MLJGDDE.DLL KHFGEBC.DLL PMNMKJI.DLL TUVVT.DLL QOMMKIG.DLL URQPPQQ.DLL HTHEYRVU.DLL GMHZYYUB.DLL XEPHLMKM.DLL SSQRPML.DLL SSQROLI.DLL CBXYVWX.DLL SSQQRPQ.DLL JKKKKLK.DLL PMNLLLK.DLL DDCAB.DLL GEBAWTT.DLL QOMMJGF.DLL URQNLJI.DLL NNNLMNO.DLL YAYWXYV.DLL BYXXV.DLL AWTQQOO.DLL XXYAWUS.DLL PMNMLKI.DLL HGGDCBX.DLL URQNKHF.DLL VTUSSPM.DLL MLJKLJK.DLL DDCYXXV.DLL SSQPPQN.DLL NNNKLLK.DLL YABCB.DLL EFEFF.DLL TUVVSRS.DLL HGGHHHG.DLL AWTRQ.DLL JKHEF.DLL QOMLM.DLL VTURQON.DLL OPPPP.DLL TUVSSPP.DLL QXORUWKH.DLL EMKKTPBO.DLL WKPRFNHO.DLL DIDKUYDY.DLL YAYVVVV.DLL DDCCCAW.DLL OPNOO.DLL PMNKJKH.DLL UITDNTWP.DLL JEJXMOWN.DLL FCCBYVW.DLL QQTIFUQX.DLL JKKLIIG.DLL FCCBCYW.DLL WVUSP.DLL URQQR.DLL JAQWATLN.DLL OPECMMFL.DLL FEREICGH.DLL MUKARVLD.DLL GEBAW.DLL AWTQQPQ.DLL AWTTTUT.DLL KHFGECA.DLL
Page Created: December 26, 2007
Page Updated: January 15, 2008
Thanks to Michelle Smith for correcting my bad grammar and punctuation errors. LOL