About The Vundo Trojan
A Trojan horse, or simply Trojan, is a type of malicious computer program that takes its name from the Trojan horse of Greek legend. Trojans pretend to offer something beneficial, but instead infect the host computer with intrusive programs. The family of Trojans known as Vundo is a dangerous group that affects computers running NT-based Microsoft Windows operating systems. While not quite as prevalent today as a few years ago, Vundo's damage-causing potential is still a threat to computer users. Its obtrusive effects and difficulty of removal make it a serious problem for computer users infected by it.
Definition and Characteristics
Vundo is the name given to a large family, or group, of Trojans for the Microsoft Windows NT family of operating systems, which includes Windows 2000 and later. It goes by a variety of alternate names, including Virtumonde and Agent. The Vundo Trojan is a dangerous one, sometimes rendering computers entirely unusable and requiring a complete reinstall of the operating system. Often, this means that all of the user's files are lost in the process, which is one reason why it is important to defend against this Trojan and to remove it as soon as possible when it does infect a computer.
Method of Infection
As a Trojan, Vundo does not actively spread itself from users' computers. Infection typically takes place when a user visits a malicious website; most of these sites tell users that their computers are infected with spyware and then attempt to force the installation on the user. The website may also exploit a security vulnerability in the Internet Explorer browser (so the infection fails if the user is using a different browser) or, in some cases, trigger a false alert on the screen stating that the user is at high risk of being infected with viruses or is already infected with a virus. Variants of Vundo that attempt to trick the user into installing "antivirus" software actually install software that reports false detections. These false detections serve only as bait to encourage victims to pay for a license for the fake antivirus. In reality, the antivirus will not fix anything, license or no license.
Main Effects
The Vundo family has a wide range of capabilities. Many variants block access to security websites like Kaspersky, McAfee, and Symantec in an effort to prevent the user from installing software that could remove the Trojan. These variants can sometimes disable security software that the user has installed, making removal difficult. The processes belonging to the disabled security programs are stopped, and files necessary for their operation may be deleted.
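As an added example (not from this article), a defender-side check for one common way malware blocks security vendor sites, which this example assumes to be hosts-file overrides: it parses a constructed hosts file and flags any entry that pins one of the vendor domains the article names, classifying it as a sinkhole (loopback or 0.0.0.0) or a redirect to some other address.

```python
import ipaddress

# Constructed sample hosts file for this example (not taken from any real infection):
# two legitimate lines, three lines overriding security-vendor domains, one unrelated host.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.kaspersky.com
0.0.0.0         update.symantec.com   # connection silently dropped
10.9.8.7        download.mcafee.com
192.168.1.20    printer.local
"""

# Vendors the article names as blocked targets; extend this tuple for your own environment.
SECURITY_VENDOR_DOMAINS = ("kaspersky.com", "mcafee.com", "symantec.com")


def parse_hosts(text):
    """Yield (address, hostname) pairs from hosts-file text, ignoring comments and blanks."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            yield addr, name.lower()


def is_security_vendor(hostname):
    """True if hostname is one of the vendor domains or a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in SECURITY_VENDOR_DOMAINS)


def find_blocked_vendors(text):
    """Return (hostname, address, kind) for every vendor domain the hosts file overrides.

    A legitimate hosts file has no reason to pin these names at all, so any mapping is
    suspicious; 'sinkhole' means the name is sent nowhere, 'redirect' means it goes elsewhere.
    """
    findings = []
    for addr, name in parse_hosts(text):
        if not is_security_vendor(name):
            continue
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue  # malformed address field; not a resolvable override
        kind = "sinkhole" if (ip.is_loopback or ip.is_unspecified) else "redirect"
        findings.append((name, addr, kind))
    return findings


if __name__ == "__main__":
    for name, addr, kind in find_blocked_vendors(SAMPLE_HOSTS):
        print(f"suspicious hosts entry ({kind}): {name} -> {addr}")
```

On a live Windows system the file to read is `C:\Windows\System32\drivers\etc\hosts`; any hit for a vendor domain is worth investigating even if the machine otherwise looks clean.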
Removal and Associated Difficulties
The Vundo family has other mechanisms that make it difficult to remove. It installs itself in numerous places, which prevents users from simply deleting one file to disinfect their computer. It also places itself in the list of programs that run automatically when the computer is started, ensuring that it is constantly running. Finally, it injects its code into several system processes; this means that the Trojan's code is loaded into memory as part of essential system programs that are always running. By doing so, it ensures that it cannot be easily removed from memory without causing the computer to crash. Despite these difficulties, it is possible to remove the many variants of the Vundo Trojan if they are detected before the infection has a chance to become severe. One common method is to suspend execution of the system processes into which its code has been injected, then stop the Trojan's own processes (if they exist), delete its files, resume the system processes and finally reboot.
Other Effects
Trojans in the Vundo family are also downloaders, which means that once installed on a user's computer, they can do further damage by downloading more Trojans and adware (programs that annoy users by displaying advertisements frequently and obtrusively). In the worst cases, the advertisements become so aggressive that the computer is nearly impossible to use: advertisements cover the screen at all times. Some advertisements are actually for the various fake antivirus programs mentioned earlier. These programs only serve to worsen the infection, and may even go as far as telling users that they are able to remove Vundo (when in fact they are Vundo).