1. Symantec/
  2. Security Response/
  3. Trojan.Vundo


Risk Level 2: Low

November 20, 2004
August 9, 2012 2:30:01 PM
Infection Length:
Systems Affected:
Trojan.Vundo is a Trojan horse that downloads files and displays pop-up advertisements. It is known to be distributed through spam email, peer-to-peer file sharing, drive-by downloads, and by other malware.

Trojan.Vundo, also known as VirtuMonde, VirtuMundo, and MS Juan, typically arrives by way of spam email or is hoisted onto the user’s computer by a drive-by download that exploits a browser vulnerability. The Trojan may also be downloaded via file-sharing networks, with the malicious executables having been given innocuous names to trick users into running them.

Trojan.Vundo may also be downloaded by other malware. The mass-mailing worms W32.Ackantta.B@mm and W32.Ackantta.C@mm are known to download variants of this threat family on to compromised computers. Increased levels of infection of these worms has been seen to result in an increase in the number of Trojan.Vundo infections.

Trojan.Vundo was designed as a means for displaying advertisements on the compromised computer. The Trojan includes functionality to display pop-ups and is additionally capable of injecting advertisements into search results.

The advertisements and pop-ups that are displayed include those for fraudulent or misleading applications; intrusive pop-ups, fake scan results, and so-called alerts that masquerade as being from legitimate security software appear on the desktops of compromised computers in an attempt to frighten users into clicking buttons for 'further information'. The advertisements generally link to sites offering non-functional (or occasionally outright harmful) programs that purport to be capable of ridding the computer of non-existent malware in return for a fee payable by credit card.

Advertisements for adult Web sites and services may also be displayed by the threat.

In order to make it more difficult to remove, Trojan.Vundo also lowers security settings, prevents access to certain Web sites, and disables certain system software. Some variants attempt to disable antivirus programs.

Recent Trojan.Vundo variants have more sophisticated features and payloads, including rootkit functionality, the capability to download misleading applications by exploiting local vulnerabilities, and extensions that encrypt files in order to extort money from the user.

Symantec has observed the following geographic distribution of this threat.

Symantec has observed the following following infection levels of this threat worldwide.

The following content is provided by Symantec to protect against this threat family.

Antivirus signatures

Antivirus (heuristic/generic)

    Browser protection

    Symantec Browser Protection is known to be effective at preventing some infection attempts made through the Web browser.

    Intrusion Prevention System

    Antivirus Protection Dates

    • Initial Rapid Release version May 9, 2006
    • Latest Rapid Release version March 21, 2018 revision 020
    • Initial Daily Certified version May 9, 2006
    • Latest Daily Certified version March 21, 2018 revision 036
    • Initial Weekly Certified release date May 10, 2006
    Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.
    Writeup By: Henry Bell and Eric Chien

    Search Threats

    Search by name
    Example: W32.Beagle.AG@mm
    STAR Antimalware Protection Technologies
    2016 Internet Security Threat Report, Volume 21
    • Twitter
    • Facebook
    • LinkedIn
    • Google+
    • YouTube