
Trojan.Vundo

Risk Level 2: Low

Discovered:
November 20, 2004
Updated:
August 9, 2012 2:30:01 PM
Type:
Trojan
Infection Length:
Varies
Systems Affected:
Windows 2000, Windows 7, Windows 95, Windows 98, Windows Me, Windows NT, Windows Vista, Windows XP
Trojan.Vundo is a Trojan horse that downloads files and displays pop-up advertisements. It is known to be distributed through spam email, peer-to-peer file sharing, drive-by downloads, and by other malware.

Infection
Trojan.Vundo, also known as VirtuMonde, VirtuMundo, and MS Juan, typically arrives by way of spam email or is dropped onto the user's computer by a drive-by download that exploits a browser vulnerability. The Trojan may also be downloaded via file-sharing networks, with the malicious executables having been given innocuous names to trick users into running them.

Trojan.Vundo may also be downloaded by other malware. The mass-mailing worms W32.Ackantta.B@mm and W32.Ackantta.C@mm are known to download variants of this threat family onto compromised computers, and increased infection levels of these worms have been seen to result in a corresponding increase in the number of Trojan.Vundo infections.

Functionality
Trojan.Vundo was designed as a means for displaying advertisements on the compromised computer. The Trojan includes functionality to display pop-ups and is additionally capable of injecting advertisements into search results.

The advertisements and pop-ups that are displayed include those for fraudulent or misleading applications: intrusive pop-ups, fake scan results, and so-called alerts that masquerade as coming from legitimate security software appear on the desktops of compromised computers in an attempt to frighten users into clicking buttons for "further information". The advertisements generally link to sites offering non-functional (or occasionally outright harmful) programs that purport to rid the computer of non-existent malware in return for a fee payable by credit card.

Advertisements for adult Web sites and services may also be displayed by the threat.

In order to make it more difficult to remove, Trojan.Vundo also lowers security settings, prevents access to certain Web sites, and disables certain system software. Some variants attempt to disable antivirus programs.

Recent Trojan.Vundo variants have more sophisticated features and payloads, including rootkit functionality, the capability to download misleading applications by exploiting local vulnerabilities, and extensions that encrypt files in order to extort money from the user.

GEOGRAPHICAL DISTRIBUTION
Symantec has observed the following geographic distribution of this threat.

PREVALENCE
Symantec has observed the following infection levels of this threat worldwide.

SYMANTEC PROTECTION SUMMARY
The following content is provided by Symantec to protect against this threat family.

Antivirus signatures

Antivirus (heuristic/generic)

Browser protection

Symantec Browser Protection is known to be effective at preventing some infection attempts made through the Web browser.

Intrusion Prevention System

Antivirus Protection Dates

• Initial Rapid Release version May 9, 2006
• Latest Rapid Release version June 24, 2014 revision 006
• Initial Daily Certified version May 9, 2006
• Latest Daily Certified version January 28, 2014 revision 002
• Initial Weekly Certified release date May 10, 2006

Threat Assessment

Wild

• Wild Level: Medium
• Number of Infections: 1000+
• Number of Sites: 10+
• Geographical Distribution: Medium
• Threat Containment: Moderate
• Removal: Moderate

Damage

• Damage Level: Medium
• Payload: Downloads files and displays advertisements
• Releases Confidential Info: Sends URLs visited to a remote location
• Compromises Security Settings: Modifies firewall and antivirus settings

Distribution

• Distribution Level: Low

Writeup By: Henry Bell and Eric Chien
