The Dark Mod Forums

My Epic Battle with the Vundo Trojan


SplaTtzZ


Bit of a silly post really, but I just spent the last couple of hours trying to remove this thrice-damned trojan from my computer, which was really starting to piss me off. I was kind of surprised, though, at the resilience of some viruses and trojans these days towards being removed. I unknowingly infected my computer when I downloaded a serial generator trying to start a network multiplayer game with a friend of mine. Since I refuse to buy another copy of a game I already own just to play on a LAN, I needed a second key. The file I downloaded off some dodgy site was a .rar with a notepad file and an .exe called 'keygen'. I scanned the file twice with Norton, both packed and unpacked, and ran the .exe, which promptly did nothing. I knew something was up then, but I first saw the effects when Norton kept blocking access to trojan.vundo.

Apparently this file shows pop-ups and sends your internet history away to some IP address. Norton kept blocking its attempts but refused to remove it, even after doing a deep scan twice. Symantec basically describes it as 'easy to block, but very difficult to remove', and none of its custom removal tools were working. I ended up disabling it at startup using msconfig and deleting its registry entry, only to find that something kept creating a new entry over and over again. In fact, it kept creating a new dynamic link library file in the Windows folder under different garbled names, and then creating an associated registry key. From what I gather there are heaps and heaps of different .dlls it can create. In the end, after continually deleting things and restarting my comp, I went into safe mode, blocked network traffic, removed the startup entries, deleted any associated .dlls and wiped the registry entries out before restarting. So far so good, as the file hasn't attempted to access the net anymore and there are no more registry keys or startup entries. Fingers crossed it remains that way :unsure:

Maybe I'm just dumb and there's an easy way to fix this problem, but I was surprised at its resilience and the fact that very few programs and fixes I downloaded seemed to work. Anyone else had some crazy virus or trojan that was hard to kill? Maybe someone had the same problem as I did? If so, I'd like to hear how you dealt with it.

Moral of the story: if you want to play LAN, buy a second game and don't do the dodgy :(

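Added example, not code from SplaTtzZ or anyone else in this thread: a Python sketch of the check the post above describes doing by hand, diffing two snapshots of the Run-key autorun entries and flagging anything new whose module is a rundll32-loaded DLL, sits in a temp folder, or has a random-looking name. Both snapshots, the file names and the registry values are constructed sample data, and the name heuristic is an assumption rather than a property of any real malware family.

```python
# Flag Run-key autorun entries that (re)appear after a cleanup, the persistence
# pattern described in the post above. Snapshots are constructed sample data shaped
# like HKLM/HKCU ...\Run values, not a real registry dump.
import re

# Constructed baseline (value name -> command line) taken before the infection.
BASELINE = {
    "SynTPEnh": r"C:\Program Files\Synaptics\SynTP\SynTPEnh.exe",
    "ccApp": r"C:\Program Files\Common Files\Symantec Shared\ccApp.exe",
}
# Constructed snapshot taken after deleting the first DLL and rebooting.
AFTER_REBOOT = {**BASELINE,
    "vtuqnwhz": r"rundll32.exe C:\WINDOWS\system32\vtuqnwhz.dll,b",
    "Shell Ext": (r"rundll32.exe C:\Documents and Settings\User\Local Settings"
                  r"\Temporary Internet Files\Content.IE5\AB12CD34\klmnpqrs.dll,s"),
}

TEMP_DIRS = ("\\temporary internet files\\", "\\local settings\\temp\\")
MODULE_RE = re.compile(r"([A-Za-z]:\\[^,\"]+?\.(?:dll|exe))", re.IGNORECASE)

def loaded_module(cmd):
    """Path of the module a Run entry launches: the rundll32 target, or the exe itself."""
    m = MODULE_RE.search(cmd)
    return m.group(1) if m else cmd

def suspicion_reasons(cmd):
    """Heuristics matching the thread's description: a DLL run through rundll32, a module
    sitting in a temp folder, a random-looking lowercase filename. Hints, not proof."""
    path = loaded_module(cmd)
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    low = path.lower()
    reasons = []
    if low.endswith(".dll") and "rundll32" in cmd.lower():
        reasons.append("dll loaded via rundll32")
    if any(d in low for d in TEMP_DIRS):
        reasons.append("module lives in a temp folder")
    vowels = sum(ch in "aeiou" for ch in stem)
    if stem.isalpha() and stem.islower() and len(stem) >= 7 and vowels / len(stem) < 0.3:
        reasons.append("random-looking module name")
    return reasons

def new_entries(baseline, current):
    """Entries added or changed since the baseline: exactly what a cleanup should have removed."""
    return {k: v for k, v in current.items() if baseline.get(k) != v}

def report(baseline, current):
    """Each new or changed entry mapped to its reasons; an empty list means no heuristic hit."""
    return {k: suspicion_reasons(v) for k, v in new_entries(baseline, current).items()}
```

Running the diff after every reboot, rather than once, is what catches the "it kept coming back" behaviour: an entry that is present again after you deleted it shows up as new relative to the post-cleanup baseline.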

Yeah, I had this kind of problem.

Basically I went to a special forum dedicated to dealing with malware:

http://forums.spywareinfo.com/

 

You can read about my escapade if you want:

http://forums.spywareinfo.com/lofiversion/...php/t51518.html

 

I think they have a pretty solid system, because these guys handle these problems over and over every day. You get a program called "Hijack This", run it, then post the log ... then one of the resident experts can read it and, pretty much no matter what it is, they'll know exactly what the problem(s) are from the log. Then they give you step-by-step instructions to get rid of it. Edit: as you can see, the instructions they gave me were pretty elaborate; it was also a tenacious Trojan that had to have all its grabby tentacles cut and deleted in a special way before you could delete the trojan itself in another special way. But it got rid of it absolutely.

 

What I like about the site, beyond the generous help they give you, is the whole spirit of the place. You get the idea these guys despise malware with great passion. So it's good to see another face, a sympathetic human face, to cyberspace. They have training courses people can take to slowly but surely become resident experts. If I had the time & initiative, I think it'd be pretty cool to be trained to be a malware destroyer ... few things can bring out our humanity better than knowing how to make vicious malware go away for people that aren't technical, like my parents. It's like their greatest, sickening horror come true, one they will literally suffer from for days. And to make that go away for them, with simple step-by-step instructions, is like an act of pure compassion. :laugh:

Edited by demagogue

What do you see when you turn out the light? I can't tell you but I know that it's mine.


If I had the time & initiative, I think it'd be pretty cool to be trained to be a malware destroyer ... few things can bring out our humanity better than knowing how to make vicious malware go away for people that aren't technical, like my parents. It's like their greatest, sickening horror come true, one they will literally suffer from for days. And to make that go away for them, with simple step-by-step instructions, is like an act of pure compassion. :laugh:

I've slain a few viruses at work. They pop up every week or so. It's really not that rewarding. ;)

 

'Course, we don't get anything tenacious, since we have Sophos installed everywhere and always 100% up to date, and it stops known malware from even being opened in the first place - no chance for it to get its tentacles in. Bit different to battling an entrenched hydra.

My games | Public Service Announcement: TDM is not set in the Thief universe. The city in which it takes place is not the City from Thief. The player character is not called Garrett. Any person who contradicts these facts will be subjected to disapproving stares.

Yeah, formatted successfully, and the trojan is gone as far as I can tell. No more attempts to connect to an IP address nor any popups etc.

A hydra is the perfect metaphor for it, in the respect that it kept coming back in different ways despite deleting numerous files and entries. What really kind of freaked me out was after I thought it was gone and it tried to reconnect again; it must have been operating under a different set of registry entries (which I couldn't find), and it was no longer creating .dlls in the system32 folder but in a temporary internet one. There was no startup entry either for it to run, so I couldn't figure out how it was starting up. It was as though the trojan learned what I was doing to attack it and adopted new tactics. :ph34r:

Maybe it was doing those things all along and I'm just paranoid; a couple of times Norton had deleted files in that same temporary internet folder, but the majority of the time it was system32. Added to this is the fact that there were no startup or registry keys that I could find, which was also weird. It's worrying that someone could code these programs to adapt in that way. It's like we're only one step away from uber-viruses destroying the planet or something :huh:

Still, my bank account is OK and my computer didn't have anything important on it, and generally Norton is OK; I rarely visit dangerous websites except in great need. I usually only get an intrusion from the phishing ones that attack when you misspell a URL, and Norton blocks those. I think it was because I didn't think and actually ran the executable that the trojan got in.

Edited by SplaTtzZ

Bit different to battling an entrenched hydra.

 

Yeah, it depends on your experience. My first experience was awful ... hours of running this and that program, thinking it's gone but then it comes back, then finally finding that site and being asked to do arcane things like deleting a file and stuff from the registry, reboot, run some 10kb file so I could then run killbox to delete the same file I already deleted again! ... then delete the same stuff I already deleted from the registry again ... reboot ... all the while crossing my fingers that this time it'll be gone. Blech!

Edited by demagogue

What do you see when you turn out the light? I can't tell you but I know that it's mine.
