Updated: June 15, 2006 10:39:00 AM
Type: Adware
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows NT, Windows 2000
SUMMARY
Behavior
Adware.VirtuMonde is an adware program that downloads and displays popup advertisements.
Protection
- Initial Rapid Release version December 10, 2003
- Latest Rapid Release version November 9, 2009 revision 052
- Initial Daily Certified version December 10, 2003 revision 007
- Latest Daily Certified version November 9, 2009 revision 039
- Initial Weekly Certified release date December 10, 2003
TECHNICAL DETAILS
Adware.VirtuMonde is an adware program that downloads and displays popup advertisements.
When the program runs, it adds one of the following registry entries so that the adware runs whenever Windows starts:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"WindowsUpd" = "[ADWARE FILENAME]"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"SysUpd" = "[ADWARE FILENAME]"
The program creates one of the following registry subkeys to store the configuration information:
HKEY_CURRENT_USER\Software\Microsoft\WindowsUpd
HKEY_CURRENT_USER\Software\Microsoft\SysUpd
The program also creates the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CA21E6FA-41D9-4F05-9650-8B3FBE72124D}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEpl.IEpl
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEpl.IEPl.1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CA21E6FA-41D9-4F05-9650-8B3FBE72124D}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDA4DFFB-2C3D-4730-8D7E-28523C7F2F67}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tdev
HKEY_USERS\S-1-5-21-1887652994-1477516851-2064603551-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CA21E6FA-41D9-4F05-9650-8B3FBE72124D}
HKEY_LOCAL_MACHINE\SOFTWARE\TargetSoft
HKEY_CLASSES_ROOT\CLSID\{FDA4DFFB-2C3D-4730-8D7E-28523C7F2F67}
HKEY_CLASSES_ROOT\DosSpecFolder.DosSpecFolder
HKEY_CLASSES_ROOT\DosSpecFolder.DosSpecFolder.1
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{FDA4DFFB-2C3D-4730-8D7E-28523C7F2F67}
The program also creates the following files:
%System%\cidrules.dll
%System%\wincore.dll
%System%\winhost32.exe
%System%\winupd.dll
%UserProfile%\Local Settings\Temp\cidrules.dll
%UserProfile%\Local Settings\Temp\wincore.dll
The program periodically makes an HTTP connection to virtumonde.com, on TCP port 80 or 8081, to download commands and popup advertisements.
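As an added example (not part of the original write-up), the following Python script turns the indicators above into an offline triage check over three artefacts an analyst usually has to hand: a text export of the registry as produced by reg export, a listing of file paths, and proxy log lines. The registry excerpt, the file list, the proxy log format (time, client, method, URL, status) and the benign placeholder CLSID {00000000-0000-0000-0000-000000000001} are all constructed for the example.

```python
"""Offline triage check for the Adware.VirtuMonde indicators in this write-up."""
import re
from urllib.parse import urlsplit

# Indicators taken from the write-up (compared case-insensitively).
RUN_VALUES = {"windowsupd", "sysupd"}
CONFIG_KEYS = {r"hkey_current_user\software\microsoft\windowsupd",
               r"hkey_current_user\software\microsoft\sysupd"}
CLSIDS = {"{CA21E6FA-41D9-4F05-9650-8B3FBE72124D}",
          "{FDA4DFFB-2C3D-4730-8D7E-28523C7F2F67}"}
PROGIDS = {"iepl.iepl", "iepl.iepl.1",
           "dosspecfolder.dosspecfolder", "dosspecfolder.dosspecfolder.1"}
WINLOGON_NOTIFY = r"\winlogon\notify\tdev"
VENDOR_KEY = r"hkey_local_machine\software\targetsoft"
FILE_NAMES = {"cidrules.dll", "wincore.dll", "winhost32.exe", "winupd.dll"}
C2_HOST, C2_PORTS = "virtumonde.com", {80, 8081}
# Directories the write-up names: %System% and the per-user Temp folder.
EXPECTED_DIRS = ("\\system32\\", "\\system\\", "\\local settings\\temp\\")


def _check_key(key: str) -> list[str]:
    """Flag a registry key path that matches one of the listed subkeys."""
    found, low = [], key.lower()
    for clsid in CLSIDS:
        if clsid.lower() in low:
            found.append(f"CLSID {clsid} referenced at {key}")
    if low.rsplit("\\", 1)[-1] in PROGIDS:
        found.append(f"ProgID registered: {key}")
    if low.endswith(WINLOGON_NOTIFY):
        found.append(f"Winlogon Notify package (loaded at logon): {key}")
    if low == VENDOR_KEY or low in CONFIG_KEYS:
        found.append(f"Adware configuration/vendor key: {key}")
    return found


def scan_reg_export(text: str) -> list[str]:
    """Walk a `reg export` dump: keys are [..] headers, values are "name"=data."""
    findings, current = [], ""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            findings.extend(_check_key(current))
        elif current.lower().endswith("\\currentversion\\run"):
            m = re.match(r'"([^"]+)"=(.*)', line)
            if m and m.group(1).lower() in RUN_VALUES:
                findings.append(f"Run value {m.group(1)} = {m.group(2)}")
    return findings


def scan_file_list(paths) -> list[tuple[str, bool]]:
    """Return (path, in_listed_directory) for each listed file name.
    A name match outside %System% or Temp is weaker evidence on its own."""
    hits = []
    for p in paths:
        low = p.lower()
        if low.rsplit("\\", 1)[-1] in FILE_NAMES:
            hits.append((p, any(d in low for d in EXPECTED_DIRS)))
    return hits


def scan_proxy_log(lines) -> list[tuple[str, int, bool]]:
    """Return (client, port, port_listed) for requests to the adware host.
    Any port is reported; the write-up's 80/8081 may not be exhaustive."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue
        url = urlsplit(parts[3])
        host = (url.hostname or "").lower()
        if host == C2_HOST or host.endswith("." + C2_HOST):
            port = url.port or (443 if url.scheme == "https" else 80)
            hits.append((parts[1], port, port in C2_PORTS))
    return hits


# Constructed sample inputs (not captured from a real host).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"WindowsUpd"="C:\\WINDOWS\\system32\\winhost32.exe"

[HKEY_CURRENT_USER\Software\Microsoft\WindowsUpd]
"cfg"="00"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CA21E6FA-41D9-4F05-9650-8B3FBE72124D}]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-000000000001}]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tdev]
"DllName"="wincore.dll"
"""
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\kernel32.dll",
    r"C:\WINDOWS\system32\winhost32.exe",
    r"C:\Documents and Settings\user\Local Settings\Temp\cidrules.dll",
    r"C:\Program Files\Vendor\wincore.dll",
]
SAMPLE_PROXY = [
    "2006-06-15T10:39:00 10.0.0.5 GET http://virtumonde.com:8081/cmd 200",
    "2006-06-15T10:39:02 10.0.0.5 GET http://www.example.com/ 200",
    "2006-06-15T10:40:00 10.0.0.5 GET http://virtumonde.com/ads 200",
    "2006-06-15T10:41:00 10.0.0.7 GET http://virtumonde.com:8443/x 200",
]

if __name__ == "__main__":
    for f in scan_reg_export(SAMPLE_REG):
        print("REG ", f)
    for path, listed_dir in scan_file_list(SAMPLE_FILES):
        print("FILE", path, "(listed directory)" if listed_dir else "(other directory)")
    for client, port, listed in scan_proxy_log(SAMPLE_PROXY):
        print("NET ", client, "->", f"{C2_HOST}:{port}", "" if listed else "(port not in write-up)")
```

Two practical notes: reg export writes UTF-16 text, so open a real export with encoding="utf-16"; and prefer an export taken from the offline hive (for example from a rescue boot) over one produced on the running machine, since a live export goes through the same registry API any resident code can interfere with. The benign BHO CLSID in the sample is there to show that only the two listed CLSIDs are flagged, and the 8443 request is reported with port_listed=False so a host match is never dropped just because the port differs from the two the write-up names.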