The Ugly Return of Virtumonde - The spyware that just keeps coming back
Sometime in the last two weeks or a month, a new variant of Virtumonde (Virtumondo, Vundo, WinFixer) has surfaced that presents some major removal challenges. I'm seeing it most often in conjunction with several other bits of malware (typically Smitfraud, one or more downloaders, keystroke loggers, etc.), but I want to talk about Virtumonde first.
First off, its processes run in both normal and safe mode. It also detects when HijackThis is run. The detection works by recognizing the name of the file when it is executed, so renaming hijackthis.exe to hjt.exe, randomname.exe, or whatever, effectively defeats this stealthing strategy.
In other words, if you scan an infected system with HijackThis under its original name, you end up with a result that shows some evidence of infection, but most of the processes related to the malware won't appear. Renaming HijackThis and running it generates a very different scan result. You can read more at Major Geeks and Spybot's malware removal forums, plus other sites.
Virtumonde also interferes with other malware removal tools. If you run Smitrem to clear out a Smitfraud infection, Virtumonde will cause the getSTS.exe module of Smitrem to crash. getSTS is the component that is supposed to retrieve a list of all entries in the Shared Task Scheduler. The rest of the tool appears to execute correctly, but it fails to remove Smitfraud infections that have inserted themselves into the Shared Task Scheduler.
SmitfraudFix doesn't fare much better. You don't get an error, but the segment of the program log that enumerates programs in the Shared Task Scheduler is blank. So, once again, Smitfraud variants that use the Shared Task Scheduler to reinstall themselves (from compressed files, by running installation programs to reload themselves, and so on) won't be fixed. ComboFix is affected in much the same way, but since it is somewhat less specialized, it seems to have a higher success rate than Smitrem and SmitfraudFix.
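Since the tools above lose their Shared Task Scheduler listing on an infected box, a tech can pull the same list directly from the registry and check where each entry's DLL really lives. This is an added example, not code from the post or from any of the tools it mentions; it assumes PowerShell is available on the machine being cleaned (or that the hive is loaded on a clean machine and the path adjusted) and that the standard SharedTaskScheduler and CLSID registry locations are in use.

```powershell
# Added example (not from the original post): list Shared Task Scheduler entries
# and resolve each CLSID to the DLL that Explorer loads for it, so that entries
# pointing at files outside system32 (or at files that no longer exist) stand out.
$stsKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler'

function Get-SharedTaskSchedulerEntries {
    if (-not (Test-Path $stsKey)) { return @() }
    $key = Get-Item $stsKey
    # Each value is named by a CLSID; the value data is a free-text description.
    foreach ($clsid in $key.GetValueNames()) {
        if ([string]::IsNullOrEmpty($clsid)) { continue }   # skip the (Default) value
        $dll = $null
        # Per-user CLSID registrations can shadow machine-wide ones, so check both hives.
        foreach ($root in 'HKCU:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\CLSID') {
            $inproc = Join-Path $root "$clsid\InprocServer32"
            if (Test-Path $inproc) {
                $dll = (Get-ItemProperty -Path $inproc).'(default)'
                break
            }
        }
        $path = if ($dll) { [Environment]::ExpandEnvironmentVariables($dll) } else { $null }
        [pscustomobject]@{
            CLSID       = $clsid
            Description = $key.GetValue($clsid)
            Dll         = $path
            DllExists   = if ($path) { Test-Path -LiteralPath $path } else { $false }
            InSystem32  = if ($path) { $path -like "$env:SystemRoot\system32\*" } else { $false }
        }
    }
}

# On a stock Windows XP machine the only entries HijackThis reports under O22 are
# the "Browseui preloader" and "Component Categories cache daemon" items, both
# backed by DLLs in system32; anything else is worth a close look.
Get-SharedTaskSchedulerEntries | Format-Table -AutoSize
```

Run it from the renamed-tool session described above if the infection is active, since the same name-based blocking that hits HijackThis could be applied to any script you save under a recognizable name.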
Manual removal can work, but you must have a scan generated by the renamed hijackthis.exe to succeed. Otherwise, booting to the Recovery Console and attempting to delete the suspicious files from the original hijackthis.exe scan will mostly result in "file not found" errors, and will leave behind critical files (since they weren't reported by hijackthis.exe), so the system remains infected. Similarly, if you try to use Killbox, Unlocker, or HijackThis's "Delete on Reboot" tool, you will find that the utilities don't function.
Killbox, etc. will only be useful if you have a scan from a renamed copy of HijackThis. Even with that, knowing the full list of files you want to kill requires trial and error. Killbox will only remove infected files if you first kill the process that prevents Killbox from running. Otherwise, Killbox just says that the file(s) you want to kill can't be removed. If you try to delete these files on reboot, Killbox will fail with a message that an external process interrupted the deletion.
Earlier, I said that these infections seem to be part of a package. What appears to be happening more and more is that customers are downloading some utility, screensaver, etc. and the installation infects their machine with many different bits of malware simultaneously. So, downloading that screensaver may hit you with Smitfraud, Virtumonde, AbsoluteKeyLogger, W32.Small.DDX downloader, Accoona, Aconti, and the like all at once. To the tune of 20 or 30 different nasties.
What I want to emphasize is that many of these programs are legitimate, but have been downloaded (along with their "bonus features") from malicious sites, or they are in fact malware listed as "safe" by ostensibly reputable sites.
Let's use Weather Studio as an example. This is yet another one of those ubiquitous tools that provides quick access to weather information and emergency alerts. Spybot 1.5 deletes it, as does A-Squared. In fact, A-Squared's database reports it as a major threat. You can download it from many web sites.
But, if you go to CNet's download.com site and search for it, there isn't a listing. However, you see this:
Lookie here, we get sponsored links to two pieces of known spyware! Two links to Weather Studio, and one to Starware; both products are spyware, and are identified and deleted by Ad-Aware, Spybot, NOD32, NAV 2007, etc. And from a "trusted" site.
But, it gets even better. Let's say you want a nice screen saver for free. You know that Starware, etc. are infected with spyware, so you go to a source you trust: download.com. Forget the ads. CNet would only post content for direct download that is either spyware free or clearly marked as ad-supported, right? Maybe.
Check out the Dolphins and Whales reviews. One claims that the screen saver contains spyware, and so does one of my customers.
So, I'm seeing many computers infected with what would seem to be a package of several unusually tenacious pieces of malware that were all installed simultaneously, and, even though Smitfraud is a common infection, Zlob is conspicuous by its absence. The infections don't seem to have come from downloading porn video codecs, responding to phishing emails, or any of the expected channels. They came from legitimate programs downloaded from questionable sources, or from programs and/or links on sources that are normally considered trustworthy.
So, how do you kill them? First of all, you can eliminate many of the secondary infections by running standard tools, but unless you kill Virtumonde, the system won't be free of infection, and is likely to download new pests. What has worked for me is to disable or uninstall any AV software running on the infected computer and install a trial version of NOD32. The infection will generally prevent it from updating correctly, but you can fix that in a bit.
Don't run a scan yet. Install and update Spybot S&D 1.5 and run it. You may have to install the program and the update from a pendrive or CD. Fix whatever it detects. Then run an online scan from Eset. After it has cleaned or removed any detected infections, update and run NOD32 with an in-depth scan.
At this point you should run a scan with your renamed HijackThis and remove any suspect entries. Restart the computer and re-scan; the system should be clean. If you want to use a for-pay tool instead of the manual removal and scans with freeware, SpySweeper 5.5 works very well, too.
Of course, in many cases it may be quicker and easier to restore a backup, but that's a call for the individual tech.
Links to the programs mentioned above
HijackThis.exe: sometimes you can't get to places like Trend Micro, so try this one instead.
A-Squared Free Version
NOD32 Trial download
Eset Online Scan
Spybot Search and Destroy: this is the download page; you can choose your language on the right. Click the box icon to the right of "Spybot - Search & Destroy 1.5.1 - product description" to download the program. Immediately below that are the update files that you can get separately to update Spybot without going online.
Once Spybot is installed but not running, double-click the update file. If the field for where to install the updates is blank, browse to the Spybot installation directory (usually c:\program files\Spybot - Search & Destroy). Click Next and follow the wizard. Spybot should detect the new updates and not ask to go online.
Spyware Sweeper