Seems as though our friends at Virtumonde have gone a couple of steps further in thwarting our attempts at removal.
Firstly, they added code that changes the CLSID on every reboot, and the new value is almost 100% random, so anything that keys on the CLSID to find the infection is out of date after the next restart.
Secondly, they added a check for HijackThis's running process, hijackthis.exe: if it is found, the infection hides itself from HijackThis. Renaming HijackThis.exe to any other name lets you see the BHO and Winlogon entries just fine, which shows the check is on the process name and nothing more.
Detection for this new variant, the ShellImplRes.dll variant, is going to be difficult, and I am currently working on it.
For the time being I have added code for manually adding a file to the list in VundoFix.exe. To add a file, right-click the list box (the white box) in the main VundoFix window and select "Add More Files?" from the menu that comes up. This opens a new VundoFix window where you can type or paste the extra filename(s), including the path, and then click the "Add Files" button. This adds the file to the list on the main VundoFix screen. Once you are done adding extra file(s), click the close window button to return to the main VundoFix window, then continue running VundoFix in the normal way.
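Because the CLSID changes at every reboot but the DLL on disk does not, a practical way to pin this variant down is to key on the file path rather than the identifier. The script below is an added example, not code from the original post or from VundoFix: it parses two regedit (.reg) exports of the Browser Helper Objects and Winlogon\Notify keys, taken before and after a reboot, and reports every DLL that is registered under a different CLSID or Notify subkey name in each snapshot. The two snapshots, every CLSID and subkey name in them, the benign GoodHelper.dll, and the system32 location of ShellImplRes.dll are all constructed for the example. The resulting paths are what you would paste into the "Add More Files?" box.

```python
"""Track BHO / Winlogon Notify registrations by DLL path instead of CLSID.

Added example (not part of the original post or of VundoFix). A DLL whose
registration identifier differs between two snapshots while the file path is
unchanged is exactly what a per-reboot random CLSID looks like from the registry.
"""
from collections import defaultdict

BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# Constructed .reg exports. Every CLSID, Notify subkey name and path is made up;
# ShellImplRes.dll is the file name from the post, its system32 location is assumed.
SNAPSHOT_BEFORE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Program Files\\Example\\GoodHelper.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}]

[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\InprocServer32]
@="C:\\WINDOWS\\system32\\ShellImplRes.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\a1b2c3]
"DLLName"="C:\\WINDOWS\\system32\\ShellImplRes.dll"
"""

SNAPSHOT_AFTER = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Program Files\\Example\\GoodHelper.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0F0F0F0F-1E1E-2D2D-3C3C-4B4B4B4B4B4B}]

[HKEY_CLASSES_ROOT\CLSID\{0F0F0F0F-1E1E-2D2D-3C3C-4B4B4B4B4B4B}\InprocServer32]
@="C:\\WINDOWS\\system32\\ShellImplRes.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\z9y8x7]
"DLLName"="C:\\WINDOWS\\system32\\ShellImplRes.dll"
"""


def parse_reg(text):
    """Minimal regedit-export parser: {key: {value_name: string_value}}.

    Only REG_SZ values are handled (enough for InprocServer32 and DLLName);
    the default value is stored under '@' and .reg backslash escaping is undone.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, value = line.partition("=")
            name = "@" if name == "@" else name.strip('"')
            keys[current][name] = value.strip('"').replace("\\\\", "\\")
    return keys


def loaded_dlls(keys):
    """Map each DLL path (lower-cased, Windows paths are case-insensitive) to the
    set of identifiers that load it: BHO CLSIDs and 'Notify\\<subkey>' names."""
    out = defaultdict(set)
    for key, values in keys.items():
        if key.startswith(BHO_KEY + "\\"):
            clsid = key[len(BHO_KEY) + 1:]
            server = keys.get("HKEY_CLASSES_ROOT\\CLSID\\" + clsid + "\\InprocServer32", {})
            if server.get("@"):
                out[server["@"].lower()].add(clsid)
        elif key.startswith(NOTIFY_KEY + "\\"):
            if values.get("DLLName"):
                out[values["DLLName"].lower()].add("Notify\\" + key[len(NOTIFY_KEY) + 1:])
    return out


def dlls_with_changed_clsid(before, after):
    """DLLs present in both snapshots whose identifiers differ: the CLSID or Notify
    name churned while the file stayed put. Returns {dll: (ids_before, ids_after)}."""
    b, a = loaded_dlls(before), loaded_dlls(after)
    return {dll: (sorted(b[dll]), sorted(a[dll]))
            for dll in b.keys() & a.keys() if b[dll] != a[dll]}


def removal_list(before, after):
    """Sorted file paths to hand to VundoFix's 'Add More Files?' box."""
    return sorted(dlls_with_changed_clsid(before, after))


if __name__ == "__main__":
    for dll, (old, new) in dlls_with_changed_clsid(parse_reg(SNAPSHOT_BEFORE),
                                                   parse_reg(SNAPSHOT_AFTER)).items():
        print(dll, "was", old, "now", new)
```

Run the script against two real exports (`reg export` of the two keys plus HKCR\CLSID before and after a reboot) instead of the constructed strings; a legitimate BHO such as the GoodHelper.dll stand-in keeps its CLSID across reboots and is never listed, so the output is only the churning files. Remember the process-name check described above: take the exports with a renamed copy of HijackThis, or directly with regedit, so the entries are not hidden from you while you collect them.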
Atribune
Read more at atribune