Trojan.Vundo

Discussion in 'PC Help Desk' started by gcoats3, May 19, 2007.

  1. gcoats3

    gcoats3 Well-Known Member

    Yesterday my computer was hit with the Trojan Horse Vundo. One pop-up after another. Slowed my computer operation speed to a crawl. I have Norton Anti-Virus. I was unable to remove Vundo. Symantec took control of my computer from a remote location and removed Vundo. It took the technician about 3 1/2 hours to remove. My question is:
    - How do you prevent Trojan Horses from downloading to your computer?
     
  2. ddrdan

    ddrdan Well-Known Member

    Trojans are not unattended downloads and they don't replicate. You have to load them yourself. This one usually gives you a popup with internet explorer as the header with "Begal Virus" in the context for you to download a fix for it. The other methods for getting trojans are manually executing unknown programs, email, Internet Relay Chat (IRC), peer-to-peer networks, etc. You had to initiate this to get it.
     
  3. ServerSnapper

    ServerSnapper Well-Known Member

    Discovered: April 27, 2005
    Updated: February 13, 2007 12:38:03 PM
    Type: Trojan Horse
    Infection Length: 520,212 bytes
    Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP


    Removal using the Removal Tool
    Symantec Security Response has developed a removal tool to clean the infections of Trojan.Vundo.B. This is the preferred method in most cases.

    Manual Removal
    The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

    Disable System Restore (Windows Me/XP).
    Update the virus definitions.
    Run a full system scan and delete all the files detected as Trojan.Vundo.B.
    Delete any values added to the registry.

    For specific details on each of these steps, read the following instructions.

    1. To disable System Restore (Windows Me/XP)
    If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.

    Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.

    Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat.

    For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles:
    How to disable or enable Windows Me System Restore
    How to turn off or turn on Windows XP System Restore

    Note: When you are completely finished with the removal procedure and are satisfied that the threat has been removed, reenable System Restore by following the instructions in the aforementioned documents.

    For additional information, and an alternative to disabling Windows Me System Restore, see the Microsoft Knowledge Base article: Antivirus Tools Cannot Clean Infected Files in the _Restore Folder (Article ID: Q263455).

    2. To update the virus definitions
    Symantec Security Response fully tests all the virus definitions for quality assurance before they are posted to our servers. There are two ways to obtain the most recent virus definitions:
    Running LiveUpdate, which is the easiest way to obtain virus definitions: These virus definitions are posted to the LiveUpdate servers once each week (usually on Wednesdays), unless there is a major virus outbreak. To determine whether definitions for this threat are available by LiveUpdate, refer to the document: Virus Definitions (LiveUpdate).
    Downloading the definitions using the Intelligent Updater: The Intelligent Updater virus definitions are posted daily. You should download the definitions from the Symantec Security Response Web site and manually install them. To determine whether definitions for this threat are available by the Intelligent Updater, refer to the document: Virus Definitions (Intelligent Updater).

    The latest Intelligent Updater virus definitions can be obtained here: Intelligent Updater virus definitions. For detailed instructions read the document: How to update virus definition files using the Intelligent Updater.


    3. To scan for and delete the infected files
    Start your Symantec antivirus program and make sure that it is configured to scan all the files.
    For Norton AntiVirus consumer products: Read the document: How to configure Norton AntiVirus to scan all files.
    For Symantec AntiVirus Enterprise products: Read the document: How to verify that a Symantec Corporate antivirus product is set to scan all files.
    Run a full system scan.
    If any files are detected as infected with Trojan.Vundo.B, click Delete.

    Note: If your Symantec antivirus product reports that it cannot delete an infected file, Windows may be using the file. To fix this, run the scan in Safe mode. For instructions, read the document: How to start the computer in Safe Mode. Once you have restarted in Safe mode, run the scan again.

    After the files are deleted, restart the computer in Normal mode and proceed with section 4.

    Warning messages may be displayed when the computer is restarted, as the threat has not been fully removed at this point. Please ignore these messages and just click OK. These messages will not appear when the computer is restarted after the removal instructions have been fully completed. The messages displayed may be similar to the following:

    Title: [File path]
    Message body: Windows cannot find [file name]. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search.


    4. To delete the value from the registry
    Important: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified subkeys only. For instructions refer to the document: How to make a backup of the Windows registry.

    Click Start > Run.
    Type regedit
    Click OK.


    Navigate to and delete the following subkeys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\[Trojan file name]
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44}


    Exit the Registry Editor.
     
  4. ServerSnapper

    ServerSnapper Well-Known Member

    What is a virus?
    A computer virus is a small program written to alter the way a computer operates, without the permission or knowledge of the user. A virus must meet two criteria:


    It must execute itself. It often places its own code in the path of execution of another program.
    It must replicate itself. For example, it may replace other executable files with a copy of the virus infected file. Viruses can infect desktop computers and network servers alike.
    Some viruses are programmed to damage the computer by damaging programs, deleting files, or reformatting the hard disk. Others are not designed to do any damage, but simply to replicate themselves and make their presence known by presenting text, video, and audio messages. Even these benign viruses can create problems for the computer user. They typically take up computer memory used by legitimate programs. As a result, they often cause erratic behavior and can result in system crashes. In addition, many viruses are bug-ridden, and these bugs may lead to system crashes and data loss.

    Five recognized types of viruses

    File infector viruses: File infector viruses infect program files. These viruses normally infect executable code, such as .com and .exe files. They can infect other files when an infected program is run from floppy, hard drive, or from the network. Many of these viruses are memory resident. After memory becomes infected, any noninfected executable that runs becomes infected. Examples of known file infector viruses include Jerusalem and Cascade.
    Boot sector viruses: Boot sector viruses infect the system area of a disk; that is, the boot record on floppy disks and hard disks. All floppy disks and hard disks (including disks containing only data) contain a small program in the boot record that is run when the computer starts up. Boot sector viruses attach themselves to this part of the disk and activate when the user attempts to start up from the infected disk. These viruses are always memory resident in nature. Most were written for DOS, but all PCs, regardless of the operating system, are potential targets of this type of virus. All that is required to become infected is to attempt to start up your computer with an infected floppy disk. Thereafter, while the virus remains in memory, all floppy disks that are not write protected will become infected when the floppy disk is accessed. Examples of boot sector viruses are Form, Disk Killer, Michelangelo, and Stoned.
    Master boot record viruses: Master boot record viruses are memory-resident viruses that infect disks in the same manner as boot sector viruses. The difference between these two virus types is where the viral code is located. Master boot record infectors normally save a legitimate copy of the master boot record in a different location. Windows NT computers that become infected by either boot sector viruses or master boot sector viruses will not boot. This is due to the difference in how the operating system accesses its boot information, as compared to Windows 98/Me. If your Windows NT system is formatted with FAT partitions you can usually remove the virus by booting to DOS and using antivirus software. If the boot partition is NTFS, the system must be recovered by using the three Windows NT Setup disks. Examples of master boot record infectors are NYB, AntiExe, and Unashamed.
    Multipartite viruses: Multipartite (also known as polypartite) viruses infect both boot records and program files. These are particularly difficult to repair. If the boot area is cleaned, but the files are not, the boot area will be reinfected. The same holds true for cleaning infected files. If the virus is not removed from the boot area, any files that you have cleaned will be reinfected. Examples of multipartite viruses include One_Half, Emperor, Anthrax and Tequilla.
    Macro viruses: These types of viruses infect data files. They are the most common and have cost corporations the most money and time trying to repair. With the advent of Visual Basic in Microsoft's Office 97, a macro virus can be written that not only infects data files, but also can infect other files as well. Macro viruses infect Microsoft Office Word, Excel, PowerPoint and Access files. Newer strains are now turning up in other programs as well. All of these viruses use another program's internal programming language, which was created to allow users to automate certain tasks within that program. Because of the ease with which these viruses can be created, there are now thousands of them in circulation. Examples of macro viruses include W97M.Melissa, WM.NiceDay and W97M.Groov.


    What is a Trojan horse?
    Trojan horses are impostors—files that claim to be something desirable but, in fact, are malicious. A very important distinction between Trojan horse programs and true viruses is that they do not replicate themselves. Trojan horses contain malicious code that when triggered cause loss, or even theft, of data. For a Trojan horse to spread, you must invite these programs onto your computers; for example, by opening an email attachment or downloading and running a file from the Internet. Trojan.Vundo is a Trojan horse.


    What is a worm?
    Worms are programs that replicate themselves from system to system without the use of a host file. This is in contrast to viruses, which require the spreading of an infected host file. Although worms generally exist inside of other files, often Word or Excel documents, there is a difference between how worms and viruses use the host file. Usually the worm will release a document that already has the "worm" macro inside the document. The entire document will travel from computer to computer, so the entire document should be considered the worm. W32.Mydoom.AX@mm is an example of a worm.


    What is a virus hoax?
    Virus hoaxes are messages, almost always sent by email, that amount to little more than chain letters. Following are some of the common phrases that are used in these hoaxes:

    If you receive an email titled [email virus hoax name here], do not open it!
    Delete it immediately!
    It contains the [hoax name] virus.
    It will delete everything on your hard drive and [extreme and improbable danger specified here].
    This virus was announced today by [reputable organization name here].
    Forward this warning to everyone you know!
    Most virus hoax warnings do not deviate far from this pattern. If you are unsure if a virus warning is legitimate or a hoax, additional information is available at the Symantec Security Response online database.


    What is not a virus?
    Because of the publicity that viruses have received, it is easy to blame any computer problem on a virus. The following are not likely to be caused by a virus or other malicious code:

    Hardware problems: No viruses can physically damage computer hardware, such as chips, boards, and monitors.
    The computer beeps at startup with no screen display: This is usually caused by a hardware problem during the boot process. Consult your computer documentation for the meaning of the beep codes.
    The computer does not register 640 KB of conventional memory: This can be a sign of a virus, but it is not conclusive. Some hardware drivers such as those for the monitor or SCSI card can use some of this memory. Consult with your computer manufacturer or hardware vendor to determine if this is the case.
    You have two antivirus programs installed and one of them reports a virus: This might be a virus, but it can also be caused by one antivirus program detecting the other program's signatures in memory. For additional information, see Should you run more than one antivirus program at the same time?
    Microsoft Word warns you that a document contains a macro: This does not mean that the macro is a virus.
    You cannot open a particular document: This is not necessarily an indication of a virus. Try opening another document or a backup of the document in question. If other documents open correctly, the document may be damaged.
    The label on a hard drive has changed: Every disk is allowed to have a label. You can assign a label to a disk by using the DOS Label command or from within Windows.
    When you run ScanDisk, Norton AntiVirus Auto-Protect reports virus-like activity: For instructions on what to do, read Alert: "Virus Like Activity detected. The application . . . is attempting to write to the file . . . What would you like to do?"



    Additional information
    For the most up-to-date information on viruses, go to the Symantec Security Response online database.

    To submit a file or disk that you suspect is infected with a virus, please read one of the following documents:

    Submitting a file to Symantec Security Response over the Internet or on a floppy disk
    Submitting a file to Symantec Security Response using Scan and Deliver


    What is safe computing?
    With all the hype, it is easy to believe that viruses lurk in every file, every email, every Web site. However, a few basic precautions can minimize your risk of infection. Practice safe computing and encourage everyone you know to do so as well.

    General precautions

    Do not leave a floppy disk in the floppy disk drive when you shut down or restart the computer.
    Write-protect your floppy disks after you have finished writing to them.
    Be suspicious of email attachments from unknown sources.
    Verify that attachments have been sent by the author of the email. Newer viruses can send email messages that appear to be from people you know.
    Do not set your email program to "auto-run" attachments.
    Obtain all Microsoft security updates.
    Back up your data frequently. Keep the write-protected media in a safe place—preferably in a different location than your computer.
    Specific to Norton AntiVirus

    Make sure that you have the most recent virus definitions. We recommend that you run LiveUpdate at least once per week. Symantec Security Response updates virus definitions in response to new virus threats. For additional information, please see How to Run LiveUpdate.
    Make sure that you have set Norton AntiVirus to scan floppy disks on access and at shutdown. Please see your User's Guide for information on how to do this in your version of Norton AntiVirus.
    Always keep Norton AntiVirus Auto-Protect running. Symantec Security Response now strongly recommends that you have Norton AntiVirus set to scan all files, not just program files.
    Scan all new software before you install it. Because boot sector viruses spread by floppy disks and bootable CDs, every floppy disk and CD should be scanned for viruses. Shrink-wrapped software, demo disks from suppliers, and trial software are not exempt from this rule. Viruses have been found even on retail software.
    Scan all media that someone else has given you.
    Use caution when opening email attachments. Email attachments are a major source of virus infections. Microsoft Office attachments for Word, Excel, and Access can be infected by Macro viruses. Other attachments can contain file infector viruses. Norton AntiVirus Auto-Protect will scan these attachments for viruses as you open or detach them. We recommend that you enable email scanning, which will scan email attachments before the email message is sent to your email program.
     
  5. kookookacho

    kookookacho Well-Known Member

    Goat, Do you use buffaloe.com?
     
  6. ServerSnapper

    ServerSnapper Well-Known Member

    Don't ever click on a pop up. Sometimes they have hidden scripts running that will send your personal data then plant a trojan to start spamming the crap out of you.
     
    Last edited: May 22, 2007
  7. gcoats3

    gcoats3 Well-Known Member

    Never been to that site (buffaloe.com) to my knowledge. What is the site about?
    Thanks for all the information from everyone. I have no idea where I picked up the Trojan.Vundo. I am very careful about downloading files. In fact I do not download files sent to me by e-mail. I do access web sites.
     