The Vundo Virus and Me

Got my first "real" virus (well, a trojan really) the other day. It came from a user-made fix for a game I was trying to get working. The virus was called Vundo, and while Norton Antivirus identified it once it was running, it couldn't do anything about it (as usual). Couldn't repair, delete, or quarantine it. I did some research and found out Vundo is particularly annoying and can be hard to get rid of. The first thing it does is go to the Web and start downloading spyware and malicious files, then makes unwanted shortcuts on your desktop and nixes your access to system resources and privileged areas like the command prompt, Control Panel, and editing the Registry. Coincidentally, when the virus-alert window initially popped up for me, the first thing I did was switch off my wireless connection so it had no access to anywhere outside my laptop. Instincts are good sometimes.

I kept getting messages complaining that I didn't have internet access (duh) even though I wasn't trying to do anything online (suspicious much?) and just clicked Work Offline. My girlfriend was able to do some looking around from her computer and found a bit of info on the situation. She found two programs that could supposedly remove it; one worked, one did nothing but waste a lot of time. I had her copy them to a thumb drive, then used that to copy them over. I wasn't getting on the LAN and risking infecting other computers on the network.

What the virus does is it makes a randomly named .dll in the C:\Windows\System32 folder (in my case, tuvUnKAr.dll) that runs in the background, but doesn't show up as a process, can't be killed (ended, terminated, whatever you want to call stopping a process), and is attached to both explorer.exe and winlogon.exe. Shutting off either of those prevents you from doing anything in Windows, like deleting the file. Clever.
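As an added example (not from the article or from either removal tool it mentions), here is a small Python check for exactly the pattern described above: a DLL sitting in System32 that is loaded into both explorer.exe and winlogon.exe, is not in a baseline of expected modules, and has a random-looking name. The per-process module lists and the baseline are constructed sample data; only the file name tuvUnKAr.dll comes from the article.

```python
import re
from collections import defaultdict

# Constructed sample of per-process loaded-module listings (the kind of data a
# tool such as Process Explorer shows). All paths are assumptions except
# tuvUnKAr.dll, which is the file name reported in the article.
SAMPLE_MODULES = {
    "explorer.exe": [
        r"C:\Windows\System32\ntdll.dll",
        r"C:\Windows\System32\shell32.dll",
        r"C:\Windows\System32\tuvUnKAr.dll",
    ],
    "winlogon.exe": [
        r"C:\Windows\System32\ntdll.dll",
        r"C:\Windows\System32\tuvUnKAr.dll",
    ],
}

# Assumed baseline of DLL names expected in the shell processes; in practice
# this would be collected from a known-clean machine of the same Windows build.
BASELINE = {"ntdll.dll", "shell32.dll"}


def looks_random(name):
    """Heuristic for the mixed-case gibberish names Vundo used (tuvUnKAr):
    an all-letter stem of 6+ characters with at least two case switches."""
    stem = name.rsplit(".", 1)[0]
    if not re.fullmatch(r"[A-Za-z]{6,}", stem):
        return False
    switches = sum(a.islower() != b.islower() for a, b in zip(stem, stem[1:]))
    return switches >= 2


def find_suspect_dlls(modules, baseline):
    """Return System32 DLLs loaded into BOTH explorer.exe and winlogon.exe that
    are not in the baseline and have a random-looking name."""
    loaded_in = defaultdict(set)  # path -> set of process names loading it
    for proc, paths in modules.items():
        for path in paths:
            low = path.lower()
            if low.startswith("c:\\windows\\system32\\") and low.endswith(".dll"):
                loaded_in[path].add(proc.lower())
    suspects = []
    for path, procs in loaded_in.items():
        name = path.rsplit("\\", 1)[-1]
        if ({"explorer.exe", "winlogon.exe"} <= procs
                and name.lower() not in baseline and looks_random(name)):
            suspects.append(path)
    return sorted(suspects)
```

A hit from this check is a lead, not a verdict: confirm it by checking the file's signature and creation time before acting on it.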

The two programs I tried were found here. The first was VundoFix.exe, and all it did was run a thorough scan of a bunch of files in the Windows folder that amounted to nothing. It didn't find anything wrong or out of the ordinary. I also tried running it in Safe Mode with the same results.

The second ran much more quickly, and produced a wonderfully detailed log file right on the desktop (VBG.txt) of what it did. Basically it killed processes one by one while it was rebooting my computer, found the malicious bugger, and renamed the prickly file as follows:


Article Author: Mark Buckingham

Mark Buckingham is an avid freelancer, gamer, tech-head, reader, movie watcher, pianist, guitarist, and hockey player.


Article comments

  • 1 - El Bicho

    Nov 01, 2008 at 2:21 pm

    very nice report. I am baffled at the minds of the creators of this junk, but then I am not mad at the world because I am a social misfit with a small penis. If caught, I'd give them the death penalty.

  • 2 - Brian aka Guppusmaximus

    Nov 01, 2008 at 8:56 pm

    Well... Aren't "fixes" for games that were d/l'ed illegally?? If that's the case then just how many of those sites can you trust? I wouldn't be surprised if you were vulnerable to viruses just by visiting those sites via scripts. This doesn't mean that trustworthy sites should be condemned for the practices of quite a few pirates and I would suggest actually purchasing said PC games.

  • 3 - Mark Buckingham

    Nov 02, 2008 at 2:12 am

    Brian, way to show how much you don't know. Fixes, mods, call them what you will. There are TONS of them out there, and many of them on entirely legit sites. CounterStrike emerged originally as a mod for Half-Life. Was that piracy? No, but that's not to say it didn't have bugs in it. I even cited the "GTA run in a window" fix as another example of a legit fix potentially gone bad in the article itself. That certainly has nothing to do with the legality of my purchase.

    Another type of common "fix" modifies games so they can be run without CDs/DVDs in the drive. It's a matter of convenience for many. Could people use those mods to pirate games? Probably. But there are also people who buy games legally and simply don't want to be pestered for the disc every time they play since it's only required for an initial disc-check, and not to run the game itself.

    That's not to say that "hacker sites" or whatever you're alluding to don't have malware, but don't assume that every mod or fix or whatever for a game comes from some evil underground empire. It makes you look bad.

  • 4 - Brian aka Guppusmaximus

    Nov 02, 2008 at 6:45 am

    Brian, way to show how much you don't know. Fixes, mods, call them what you will.

    Please...I know plenty and part of that is knowing that "mods" & "fixes" are not the same. I don't plan on sharing my knowledge in a public forum.

  • 5 - Mark Buckingham

    Nov 04, 2008 at 1:35 am

    Modification:
    -an act or instance of modifying.
    -the state of being modified; partial alteration.
    -a modified form; variety.

    Fix:
    -a repair, adjustment, or solution, usually of an immediate nature

    I think the word you're looking for (and implying) is "crack," which isn't what we're talking about here. Thanks for playing.

  • 6 - Brian aka Guppusmaximus

    Nov 04, 2008 at 7:07 am

    No sh!t Sherlock! I wasn't implying anything about a crack because those are ONLY used for pirated software.

    but don't assume that every mod or fix or whatever for a game comes from some evil underground empire.

    Who was doing the implying and about what because, again, the ONLY intended purpose of a Crack (read #7) is to bypass security especially in pirated software.

    Thanks for Playing...*ah-duh*

  • 7 - Mark Buckingham

    Nov 05, 2008 at 5:22 am

    I've seen your comments elsewhere on BC, and they bring as little value to those conversations as they do here. You aspire to do nothing but antagonize and irritate, so you can argue with yourself from now on. I wonder...how long can a troll survive without an audience?

  • 8 - Brian aka Guppusmaximus

    Nov 05, 2008 at 4:04 pm

    I wonder...how long can a troll survive without an audience?

    LMAO... Yea, I was wondering the same thing about ineffectual writers like yourself.

    I mean, if my comments don't hold any value then your articles must surely be a waste of that massive carbon footprint you've been laying down for, what, 2 years now?!

    Mark...Next time bow out gracefully and learn to take some criticism without sounding like a pansy.

    Adios!

  • 9 - Benihana

    Dec 10, 2008 at 5:30 pm

    Well, I find it particularly useful to use Sandboxie. I run my FireFox through that now, because lately I've gotten the Vundo trojan twice, and I haven't a clue how. One time I was searching on google and all of a sudden I had a popup from the trojan.

    At any rate. Sandboxie (www.sandboxie.com) is a wonderful program that has worked for me. It pretty much isolates running programs into "sandboxes", and if they start doing nasty things, then you can just delete the entire sandbox, and you're back to being fresh. :)

  • 10 - Benihana

    Dec 10, 2008 at 5:31 pm

    Oh, I'm sorry. I forgot to mention, I used Malwarebytes' Anti-Malware and it seemed to get rid of Vundo both times.

  • 11 - Mark Buckingham

    Dec 11, 2008 at 12:55 am

    Thanks for the info and suggestions, Beni. Any methods for containing or removing these sorts of bugs are always welcome, as they're spreading more every day.

  • 12 - Starr

    Jan 11, 2009 at 5:59 am

    Mark,

    Thanks for the informative article. I caught this nasty little bugger tonight. When just trying to navigate in sites that had been up and running for a while, new URLs replaced where I was working, selling tee-shirts and other junk. I think I picked it up trying to get hints for a game I was playing that's been out for a couple of years (won't stop me from playing games, just trying to get hints :).

    AVG caught it quickly and Malwarebytes showed 23 infected files and quarantined them. But I could not get the system to reboot properly. I finally downloaded and ran SuperAntiSpyware, which found and quarantined 39 infected files. So far so good!

    The entire time that Malwarebytes was running, about an hour and twenty minutes, the screen kept blanking in and out. Fortunately I had the Malware icon on the left side since I couldn't log onto the Net or get to my programs menu.

    Keep playing Games,
    Starr

  • 13 - Mark

    Jan 12, 2009 at 2:14 am

    I found that the best thing to do as soon as you think you might have a bug like this is to get your computer off the Internet and your LAN as quickly as possible to avoid downloading more crap or infecting other computers.

    I've seen that SuperAntiSpyware thing advertised all over (often in sketchy popup windows), but with such a fanatically generic name, I thought it might be scamware.

  • 14 - Connor

    Feb 19, 2009 at 3:11 pm

    I had lots of trouble getting rid of this virus but I listed how I got rid of it on this page.

  • 15 - Dolphin

    Jan 07, 2010 at 11:38 pm

    I just noticed through 'StopZilla' that I have 4 Vundo.S Trojan/Adware files in my system! I have downloaded 'Advanced System Care' and 'AdAware' and they did a great job finding all kinds of viruses and whatnot, but when I run scans with these and Norton it comes up blank like I don't have a problem! There was something keeping me from updating my Norton as well (which is scary because it helps out a bunch when it comes to worms) and my whole computer would freeze up and there would be a strange box at the bottom right hand corner. That only happened a few times but I didn't know a Vundo could do something like that! I found that my registry was being messed with and when I was watching some movies online I would get ads for, say, the new Twilight movie blaring over the sound with no program up! I'm so glad these Vundo things are gone, StopZilla actually found them for me for free (surprised me!)
    I hear that Kaspersky is a good protection for trojans, etc. but I haven't tried it yet, afraid that it's just another Norton and for 70 bucks it's a big commitment. Heh, I think I'll stick to freebies :)

  • 16 - Mark Buckingham

    Jan 10, 2010 at 12:20 pm

    I've been pretty happy with Avast, MBAM, Spybot, and SuperAntiSpyware, though we've encountered a few bugs at work (Backdoor.bot among them) that are really persistent. Still, many can be removed without formatting your hard drive, so if your computer person says "we have to wipe it" after only a brief examination of the system, s/he likely doesn't want to put in the time to surgically remove the problem.
