Windows Forum / Security / Viruses / August 2008

Virtumonde, Registry Keys, User Accounts, Microsoft

Scott - 26 Aug 2008 00:51 GMT
Can you identify the originator of Virtumonde by the registry keys it
leaves?

Would a user account prevent Virtumonde from installing? Would I get a
notice that administrator privileges are needed?

Does Virtumonde use the Visual Basic language of Office, or something else?

Will Microsoft's Malicious Software Removal Tool completely scan my system
independent of whether it's run from an admin or user account?

Can I confidently assume my XP Home desktop system is clean since Ad Aware
has not found anything and the August Malicious Software Removal Tool ran
once?

I have a notebook that connects to the desktop through a router. Can this
malware spread to my notebook through the router? I exchange files using the
Shared Documents folder.

Details.

On Aug 5, Ad Aware found a file "yacscom.dll" it declared to be Virtumonde.

Yahoo Anti Spy found four registry keys it called hijackers.

One is ISTbar from a company called Internet Search Technologies:

hkey_local_machine\software\microsoft\windows\currentversion\internet settings\zonemap\domains\contentmatch.net

Three were from Mirar. They had the exact form above but with different
domain names at the end: mirarseach.com, netnucleus.com, getmirar.com

If I investigate these domains, will I get infected?
David H. Lipman - 26 Aug 2008 01:42 GMT
From: "Scott" <scott@adelphia.net>

Hi Scott:

Replies are inline...

| Can you identify the originator of Virtumonde by the registry keys it
| leaves?

No.  They may only identify that they are related to the malware itself.

| Would a user account prevent Virtumonde from installing? Would I get a
| notice that administrator priviliges are needed?

Not if the site that hosts the installer uses exploit code that causes a buffer overflow
condition and a resultant elevation of privileges.

| Does Virtumonde use the Visual Basic language of Office, or something else?

I haven't heard of it using VB.

| Will Microsoft's Malicious Software Removal Tool completely scan my system
| independent of whether it's run from an admin or user account?

Yes.

| Can I confidently assume my XP Home desktop system is clean since Ad Aware
| has not found anything and the August Malicious Software Removal Tool ran
| once?

No.  There is no 100% assurance.  Ad-aware isn't 100% on all variants.  You would have to
also scan with other utilities such as the MalwareBytes Anti-Malware to increase your
chances but you won't reach 100% if it is a new and unknown variant.

| I have a notebook that connects to the desktop through a router. Can this
| malware spread to my notebook through the router? I exchange files using the
| Shared Documents folder.

No.  It is NOT a virus and does not self replicate.  The Vundo form and the Virtumonde
adware need assistance to get installed, such as Social Engineering and vulnerability
exploitation.

| Details.

| On Aug 5, Ad Aware found a file "yacscom.dll" it declared to be Virtumonde.

| Yahoo Anti Spy found four registry keys it called hijackers.

| One is ISTbar from a company called Internet Search Technologies:

| HKLM\software\microsoft\windows\currentversion\internet settings\zonemap\domains\contentmatch.net

| Three were from Mirar. They had the exact
| form above but with different
| domain names at the end: mirarseach.com, netnucleus.com,
| getmirar.com

| If I investigate these domains, will I get infected?

Possibly!

Signature

Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
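The four keys Scott quotes all live under the Internet Explorer ZoneMap, and each one does the same thing: it assigns a domain to an IE security zone, with the value under the key saying which zone. A domain pushed into Trusted Sites or Local Intranet gets IE's relaxed security settings, which is why anti-spyware tools classify such entries as hijackers. The script below is an added example, not code from the original thread or from any of the tools mentioned in it. It lists every ZoneMap entry on the machine and flags the domains placed above the Internet zone. It assumes PowerShell 2.0 or later and read access to HKLM and HKCU; the registry paths and zone numbers are IE's documented ones, while the $ExpectedDomains allow-list is a placeholder to fill in for your own environment.

```powershell
# Added example (not from the original thread): audit the IE ZoneMap so that
# domains a hijacker has pushed into a privileged zone stand out.
# Assumes PowerShell 2.0+ and read access to HKLM/HKCU.
# Zone numbers are IE's own: 0 Local Machine, 1 Local Intranet,
# 2 Trusted Sites, 3 Internet, 4 Restricted Sites.

$ZoneNames = @{ 0 = 'Local Machine'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }

# Check the per-user map as well as the per-machine one: an installer running
# without admin rights can still write HKCU, and IE honours it for that user.
$ZoneMapRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
)

# Domains you deliberately placed in a privileged zone (assumed list; edit it).
$ExpectedDomains = @('intranet.example.local')

function Get-ZoneMapEntry {
    param([string[]]$Roots = $ZoneMapRoots)
    foreach ($root in $Roots) {
        if (-not (Test-Path $root)) { continue }
        # One subkey per domain, with an optional host-level subkey beneath it
        # (Domains\contentmatch.net\www  ->  www.contentmatch.net). Each value
        # is named for a scheme ('http', 'https' or '*') and holds the zone id.
        foreach ($key in (Get-ChildItem -Path $root -Recurse)) {
            $rel   = $key.Name.Substring($key.Name.IndexOf('\Domains\') + 9)
            $parts = $rel -split '\\'
            [array]::Reverse($parts)
            $hostName = $parts -join '.'
            foreach ($scheme in $key.GetValueNames()) {
                $zone  = [int]$key.GetValue($scheme)
                $label = if ($ZoneNames.ContainsKey($zone)) { $ZoneNames[$zone] } else { "Unknown ($zone)" }
                $schemeLabel = if ($scheme) { $scheme } else { '(default)' }
                New-Object PSObject -Property @{
                    Hive     = $root.Split(':')[0]
                    Host     = $hostName
                    Scheme   = $schemeLabel
                    Zone     = $zone
                    ZoneName = $label
                    Key      = $key.Name
                }
            }
        }
    }
}

function Test-AllowedHost {
    param([string]$HostName, [string[]]$Allowed)
    # A host is allowed if it equals, or is a subdomain of, an expected domain.
    foreach ($d in $Allowed) {
        if ($HostName -eq $d -or $HostName.EndsWith('.' + $d)) { return $true }
    }
    return $false
}

function Find-PrivilegedZoneMapEntry {
    param([string[]]$Allowed = $ExpectedDomains)
    Get-ZoneMapEntry | Where-Object {
        # Anything above the Internet zone (3) gets relaxed security settings;
        # flag it unless it is a domain you added on purpose. Restricted Sites
        # (4) entries are left alone: they tighten security rather than loosen it.
        $_.Zone -lt 3 -and -not (Test-AllowedHost -HostName $_.Host -Allowed $Allowed)
    }
}

Find-PrivilegedZoneMapEntry | Sort-Object Hive, Host |
    Format-Table Hive, Host, Scheme, ZoneName, Key -AutoSize
```

Run it from an administrative PowerShell so the HKLM branch is readable, then read the output against the list Yahoo Anti-Spy produced: a flagged row tells you exactly which zone each hijacked domain was placed in, and the Hive column tells you whether the entry was written for the whole machine or just the current user. Expect a long tail of Restricted Sites entries on a machine that has been immunised by a tool such as SpywareBlaster; those are protective and the script deliberately does not report them.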

Scott - 29 Aug 2008 23:39 GMT
Thanks for the answers.

Scott
Los Angeles

David H. Lipman - 30 Aug 2008 00:54 GMT
From: "Scott" <scott@adelphia.net>

| Thanks for the answers.

| Scott
| Los Angeles

NP -- Anytime  :-)
 
©2008 Advenet LLC   Privacy Policy - Terms of Use