C:\WINDOWS\system32\tuvUnKAr.dll -> C:\WINDOWS\system32\tuvUnKAr.dll.vir
Oddly, it didn't simply delete the file, but on the next reboot the difference was night and day. The lag and constant hard drive activity the malware had introduced were gone. The virus warning popups were gone. Everything was back to normal. I ran Norton Antivirus one more time on the Windows folder to see what it would find; the renamed .vir file was still there, and this time Norton deleted it. In other words, Norton is useful once you've manually contained a virus. Great. What a piece of junk. However, to be fair, our research indicated that no other popular antivirus package, and very few anti-spyware or anti-adware programs, could consistently handle Vundo properly either.
It was a nerve-wracking few hours while we worked this out, but thankfully it seems to have been resolved. The irritating thing is, the infected file was from someone who'd made good fixes in the past, and I thought I could trust them again. Perhaps the most troubling thing about it is that I ran numerous antivirus and anti-spyware scans directly on what I had downloaded prior to actually using it, and all scans came up negative. Guess you can never be too sure, and all the security software in the world still won't keep you safe all the time.
In addition, security software doesn't always flag the right things. I had a "run in a window" mod (among others) for Grand Theft Auto: San Andreas that ran fine and created no problems on my system. For a long time, Norton didn't bat an eye at it. Then one day it cried wolf and declared the mod file a trojan. The same thing apparently happens with the entirely legit "scan.dll" in World of Warcraft when certain security programs spot it.
Interestingly, I went back to the site I got the problematic "fix" from shortly after resolving the issue (I wasn't about to turn my Wi-Fi back on while I was infected), and the link for that fix was nowhere to be found. Guess someone else flagged it as malware and had it removed, and rightly so.
Lesson learned. Don't be too eager to download the newest and shiniest things on the Web unless they're from a source you can absolutely trust. And sometimes not even then.
Article comments
1 - El Bicho
very nice report. I am baffled at the minds of the creators of this junk, but then I am not mad at the world because I am a social misfit with a small penis. If caught, I'd give them the death penalty.
2 - Brian aka Guppusmaximus
Well... Aren't "fixes" for games that were d/l'ed illegally?? If that's the case then just how many of those sites can you trust? I wouldn't be surprised if you were vulnerable to viruses just by visiting those sites via scripts. This doesn't mean that trustworthy sites should be condemned for the practices of quite a few pirates and I would suggest actually purchasing said PC games.
3 - Mark Buckingham
Brian, way to show how much you don't know. Fixes, mods, call them what you will. There are TONS of them out there, and many of them on entirely legit sites. CounterStrike emerged originally as a mod for Half-Life. Was that piracy? No, but that's not to say it didn't have bugs in it. I even cited the "GTA run in a window" fix as another example of a legit fix potentially gone bad in the article itself. That certainly has nothing to do with the legality of my purchase.
Another type of common "fix" modifies games so they can be run without CDs/DVDs in the drive. It's a matter of convenience for many. Could people use those mods to pirate games? Probably. But there are also people who buy games legally and simply don't want to be pestered for the disc every time they play since it's only required for an initial disc-check, and not to run the game itself.
That's not to say that "hacker sites" or whatever you're alluding to don't have malware, but don't assume that every mod or fix or whatever for a game comes from some evil underground empire. It makes you look bad.
4 - Brian aka Guppusmaximus
Brian, way to show how much you don't know. Fixes, mods, call them what you will.
Please...I know plenty and part of that is knowing that "mods" & "fixes" are not the same. I don't plan on sharing my knowledge in a public forum.
5 - Mark Buckingham
Modification:
-an act or instance of modifying.
-the state of being modified; partial alteration.
-a modified form; variety.
Fix:
-a repair, adjustment, or solution, usually of an immediate nature
I think the word you're looking for (and implying) is "crack," which isn't what we're talking about here. Thanks for playing.
6 - Brian aka Guppusmaximus
No sh!t Sherlock! I wasn't implying anything about a crack because those are ONLY used for pirated software.
but don't assume that every mod or fix or whatever for a game comes from some evil underground empire.
Who was doing the implying and about what because, again, the ONLY intended purpose of a Crack (read #7) is to bypass security especially in pirated software.
Thanks for Playing...*ah-duh*
7 - Mark Buckingham
I've seen your comments elsewhere on BC, and they bring as little value to those conversations as they do here. You aspire to do nothing but antagonize and irritate, so you can argue with yourself from now on. I wonder...how long can a troll survive without an audience?
8 - Brian aka Guppusmaximus
I wonder...how long can a troll survive without an audience?
LMAO... Yea, I was wondering the same thing about ineffectual writers like yourself.
I mean, if my comments don't hold any value then your articles must surely be a waste of that massive carbon footprint you've been laying down for, what, 2 years now?!
Mark...Next time bow out gracefully and learn to take some criticism without sounding like a panzy.
Adios!
9 - Benihana
Well, I find it particularly useful to use Sandboxie. I run my FireFox through that now, because lately I've gotten the Vundo trojan twice, and I haven't a clue how. One time I was searching on google and all of a sudden I had a popup from the trojan.
At any rate. Sandboxie (www.sandboxie.com) is a wonderful program that has worked for me. It pretty much isolates running programs into "sandboxes", and if they start doing nasty things, then you can just delete the entire sandbox, and you're back to being fresh. :)
10 - Benihana
Oh, I'm sorry. I forgot to mention, I used Malwarebyte's Anti-Malware and it seemed to get rid of Vundo both times.
11 - Mark Buckingham
Thanks for the info and suggestions, Beni. Any methods for containing or removing these sorts of bugs are always welcome, as they're spreading more every day.
12 - Starr
Mark,
Thanks for the informative article. I caught this nasty little bugger tonight. When just trying to navigate in sites that had been up and running for a while, new URLs replaced where I was working, selling tee-shirts and other junk. I think I picked it up trying to get hints for a game I was playing that's been out for a couple of years (won't stop me from playing games, just trying to get hints :).
AVG caught it quickly and Malwarebytes showed 23 infected files and quarantined them. But I could not get the system to reboot properly. I finally downloaded and ran SuperAntiSpyware, which found and quarantined 39 infected files. So far so good!
The entire time that Malwarebytes was running, about an hour and twenty minutes, the screen kept blanking in and out. Fortunately I had the Malware icon on the left side since I couldn't log onto the Net or get to my programs menu.
Keep playing Games,
Starr
13 - Mark
I found that the best thing to do as soon as you think you might have a bug like this is to get your computer off the Internet and your LAN as quickly as possible to avoid downloading more crap or infecting other computers.
I've seen that SuperAntiSpyware thing advertised all over (often in sketchy popup windows), but with such a fanatically generic name, I thought it might be scamware.
14 - Connor
I had lots of trouble getting rid of this virus but I listed how I got rid of it on this page.