Re: Virtumonde, Registry Keys, User Accounts, Microsoft



From: "Scott" <scott@xxxxxxxxxxxx>

Hi Scott:

Replies are inline...

| Can you identify the originator of Virtumonde by the registry keys it
| leaves?


No. They may only identify that they are related to the malware itself.


| Would a user account prevent Virtumonde from installing? Would I get a
| notice that administrator privileges are needed?


Not if the site that hosts the installer uses exploit code that causes a buffer overflow
condition and a resultant elevation of privileges.


| Does Virtumonde use the Visual Basic language of Office, or something else?


I haven't heard of it using VB.


| Will Microsoft's Malicious Software Removal Tool completely scan my system
| independent of whether it's run from an admin or user account?


Yes.


| Can I confidently assume my XP Home desktop system is clean since Ad Aware
| has not found anything and the August Malicious Software Removal Tool ran
| once?


No. There is no 100% assurance. Ad-Aware isn't 100% on all variants. You would have to
also scan with other utilities such as MalwareBytes Anti-Malware to increase your
chances, but you won't reach 100% if it is a new and unknown variant.


| I have a notebook that connects to the desktop through a router. Can this
| malware spread to my notebook through the router? I exchange files using the
| Shared Documents folder.

No. It is NOT a virus and does not self-replicate. The Vundo form and the Virtumonde
adware need assistance to get installed, such as social engineering and vulnerability
exploitation.

| Details.

| On Aug 5, Ad Aware found a file "yacscom.dll" it declared to be Virtumonde.

|
| Yahoo Anti Spy found four registry keys it called hijackers.

| One is ISTbar from a company called Internet Search Technologies:

| HKLM\software\microsoft\windows\currentversion\internet settings\zonemap\domains\contentmatch.net

| Three were from Mirar. They had the exact form above but with different
| domain names at the end: mirarseach.com, netnucleus.com, getmirar.com

| If I investigate these domains, will I get infected?


Possibly !




--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
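The ZoneMap\Domains entries Scott lists are the keys Internet Explorer uses to place a domain in a security zone (0 My Computer, 1 Local intranet, 2 Trusted sites, 3 Internet, 4 Restricted sites); a hijacker drops its domains into a more trusted zone so that scripting and ActiveX run with relaxed settings. The script below is an added example, not part of Dave's reply or Scott's post: it parses a `reg export` of that key and flags every domain placed in an elevated zone. The sample export is constructed, and the zone numbers it assigns to the page's domains are assumptions (the post does not say which zones the entries set).

```python
import re

# Meaning of the DWORD values stored under ZoneMap\Domains\<domain>.
ZONE_NAMES = {
    0: "My Computer",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}

# Zones that grant more trust than the default Internet zone.
ELEVATED_ZONES = {0, 1, 2}

DOMAINS_MARKER = "\\Internet Settings\\ZoneMap\\Domains\\"

# Constructed sample of `reg export "HKLM\...\ZoneMap\Domains" zonemap.reg`.
# The zone values are assumed for illustration; update.example.com is a
# made-up entry showing a Restricted-sites mapping that should NOT be flagged.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\contentmatch.net]
"*"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\getmirar.com]
"http"=dword:00000002
"https"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\netnucleus.com\www]
"*"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\update.example.com]
"https"=dword:00000004
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]*)"=dword:([0-9a-fA-F]{8})$')


def parse_zonemap(reg_text):
    """Return {domain: [(scheme, zone_number), ...]} from .reg export text.

    A subkey one level below the domain (e.g. Domains\netnucleus.com\www)
    is a host name prefix, so it is folded back into www.netnucleus.com.
    """
    entries = {}
    current_domain = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            key = key_match.group(1)
            current_domain = None
            if DOMAINS_MARKER in key:
                rest = key.split(DOMAINS_MARKER, 1)[1]
                parts = rest.split("\\")
                if len(parts) == 1:
                    current_domain = parts[0]
                elif len(parts) == 2:
                    current_domain = parts[1] + "." + parts[0]
                if current_domain:
                    entries.setdefault(current_domain, [])
            continue
        value_match = DWORD_RE.match(line)
        if value_match and current_domain:
            scheme, hex_zone = value_match.groups()
            entries[current_domain].append((scheme, int(hex_zone, 16)))
    return entries


def find_elevated(entries):
    """List (domain, scheme, zone name) for every mapping into a trusted zone."""
    hits = []
    for domain in sorted(entries):
        for scheme, zone in entries[domain]:
            if zone in ELEVATED_ZONES:
                hits.append((domain, scheme, ZONE_NAMES.get(zone, str(zone))))
    return hits


if __name__ == "__main__":
    # For a real export: open(path, encoding="utf-16") since reg.exe writes UTF-16.
    for domain, scheme, zone in find_elevated(parse_zonemap(SAMPLE_REG)):
        print(f"{domain:<24} {scheme:<6} {zone}")
```

Run the same parser against an export of the HKCU key as well; per-user ZoneMap entries override the machine-wide ones, so a hijacker with only user rights can still place its domains in the Trusted sites zone for that account.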

