User:Jchayg1/sandbox

The Vundo Trojan (commonly known as Vundo, Virtumonde or Virtumondo, and sometimes referred to as MS Juan) is either a Trojan horse or a computer worm that is known to cause popups and advertising for rogue antispyware programs, and sporadically other misbehavior including performance degradation and denial of service with some websites including Google and Facebook. It also is used to deliver other malware to its host computers.[1] Later versions include rootkits and ransomware.[1]

Infection[edit]

A Vundo infection is typically caused either by opening an e-mail attachment carrying the trojan, or through a variety of browser exploits, including vulnerabilities in popular browser plug-ins, such as Java. Many of the popups advertise fraudulent programs such as AntiSpywareMaster, WinFixer, and AntiVirus 2009.

There are two main components to Virtumonde.dll which are Browser Helper Objects and Class ID. Each of these components is in the Windows Registry under HKEY LOCAL MACHINE, and the file names are dynamic. It attaches to the system using bogus Browser Helper Objects and DLL files attached to winlogon.exe, explorer.exe and more recently, lsass.exe.[2]