
Adware.VirtuMonde

Updated: June 15, 2006 10:39:00 AM
Type: Adware
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
Adware.VirtuMonde is an adware program that downloads and displays popup advertisements.

When the program runs, it adds one of the following registry entries so that the adware runs whenever Windows starts:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"WindowsUpd" = "[ADWARE FILENAME]"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"SysUpd" = "[ADWARE FILENAME]"

The program creates one of the following registry subkeys to store the configuration information:
HKEY_CURRENT_USER\Software\Microsoft\WindowsUpd
HKEY_CURRENT_USER\Software\Microsoft\SysUpd

The program also creates the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CA21E6FA-41D9-4F05-9650-8B3FBE72124D}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEpl.IEpl
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEpl.IEPl.1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CA21E6FA-41D9-4F05-9650-8B3FBE72124D}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDA4DFFB-2C3D-4730-8D7E-28523C7F2F67}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tdev
HKEY_USERS\S-1-5-21-1887652994-1477516851-2064603551-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CA21E6FA-41D9-4F05-9650-8B3FBE72124D}
HKEY_LOCAL_MACHINE\SOFTWARE\TargetSoft
HKEY_CLASSES_ROOT\CLSID\{FDA4DFFB-2C3D-4730-8D7E-28523C7F2F67}
HKEY_CLASSES_ROOT\DosSpecFolder.DosSpecFolder
HKEY_CLASSES_ROOT\DosSpecFolder.DosSpecFolder.1
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{FDA4DFFB-2C3D-4730-8D7E-28523C7F2F67}

The program also creates the following files:
%System%\cidrules.dll
%System%\wincore.dll
%System%\winhost32.exe
%System%\winupd.dll
%UserProfile%\Local Settings\Temp\cidrules.dll
%UserProfile%\Local Settings\Temp\wincore.dll

The program periodically makes an HTTP connection to virtumonde.com, on port 80 or 8081, to download commands and popup advertisements.
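As an added defender-side example, not from the advisory or from Symantec, the following Python check evaluates a host inventory (Run values, registry key paths, file paths) against the indicators listed above. It generalizes the page slightly: the HKEY_USERS entry is matched under any SID, and the CLSID and ProgID keys are matched under any hive, while partial names such as WindowsUpdate are not confused with the WindowsUpd key. The inventory tuples and sample values are constructed; on a live host they would be collected with winreg and a directory walk, which is not shown.

```python
import ntpath

# Indicators transcribed from the advisory above. Registry and NTFS names are
# case-insensitive, so everything is compared in lower case.
RUN_VALUE_NAMES = {"windowsupd", "sysupd"}
KEY_FRAGMENTS = [f.lower() for f in (
    "{CA21E6FA-41D9-4F05-9650-8B3FBE72124D}", "{FDA4DFFB-2C3D-4730-8D7E-28523C7F2F67}",
    r"Software\Microsoft\WindowsUpd", r"Software\Microsoft\SysUpd", r"Classes\IEpl.IEpl",
    r"Winlogon\Notify\tdev", r"SOFTWARE\TargetSoft", "DosSpecFolder.DosSpecFolder")]
FILE_NAMES = {"cidrules.dll", "wincore.dll", "winhost32.exe", "winupd.dll"}

def _key_matches(path):
    """True if an indicator appears in the key path as a whole component (or a
    component prefix, e.g. IEpl.IEpl within IEpl.IEPl.1) under any hive or SID."""
    p = path.lower()
    for frag in KEY_FRAGMENTS:
        i = p.find(frag)
        while i != -1:
            tail = p[i + len(frag):]
            if (i == 0 or p[i - 1] == "\\") and (tail == "" or tail[0] in "\\."):
                return True
            i = p.find(frag, i + 1)
    return False  # so ...\Microsoft\WindowsUpdate is not mistaken for WindowsUpd

def check_run_values(run_values):
    """run_values: (key_path, value_name, data) tuples read from the Run keys.
    Returns the autostart entries the advisory attributes to the adware."""
    return [(k, n, d) for k, n, d in run_values
            if k.lower().endswith("\\currentversion\\run") and n.lower() in RUN_VALUE_NAMES]

def check_files(file_paths):
    # ntpath parses Windows separators correctly even on a non-Windows analysis host
    return [f for f in file_paths if ntpath.basename(f).lower() in FILE_NAMES]

def scan(run_values, key_paths, file_paths):
    """Evaluate a host inventory against every indicator class on the page."""
    return {"run": check_run_values(run_values),
            "keys": [k for k in key_paths if _key_matches(k)],
            "files": check_files(file_paths)}

# Constructed sample inventory: benign entries mixed with advisory artifacts.
SAMPLE_RUN = [(r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", "SysUpd", r"C:\WINDOWS\system32\winhost32.exe"),
              (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", "ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe")]
SAMPLE_KEYS = [r"HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FDA4DFFB-2C3D-4730-8D7E-28523C7F2F67}",
               r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEpl.IEPl.1",
               r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate"]
SAMPLE_FILES = [r"C:\WINDOWS\system32\wincore.dll", r"C:\WINDOWS\system32\kernel32.dll"]
```

Running `scan(SAMPLE_RUN, SAMPLE_KEYS, SAMPLE_FILES)` flags the SysUpd autostart value, the two adware keys, and wincore.dll while leaving the benign entries and the WindowsUpdate key untouched.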