Vundo


Vundo, or the Vundo Trojan (also known as Virtumonde or Virtumondo and sometimes referred to as MS Juan) is a Trojan horse that is known to cause popups and advertising for rogue antispyware programs, and sporadically other misbehavior including performance degradation and denial of service with some websites including Google and Facebook.


Infection

A Vundo infection is typically caused either by opening an e-mail attachment carrying the trojan or through a variety of browser exploits, including vulnerabilities in popular browser plug-ins such as Java. Many of the popups advertise fraudulent programs, including (but not limited to) Sysprotect, Storage Protector, AntiSpywareMaster, WinFixer, AntiVirus 2009, AntiVirus 360, and Virus Doctor (not to be confused with Spyware Doctor). The Virtumonde.dll file is registered through two main components, Browser Helper Objects and Class IDs; both live in the Windows Registry under Local Machine, and the file names are dynamic. It attaches to the system using bogus Browser Helper Objects and DLL files attached to Winlogon and Explorer.exe. Some recent variants have begun attaching to lsass.exe instead of winlogon.exe.[1] According to Spybot - Search & Destroy scans, there are two Virtumonde.prx files and one Virtumonde.dll file located in the Windows Registry as well as in the system32 directory.[2] The hosts file may also have an entry for browser-security.microsoft.com.
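The persistence points the paragraph names (Browser Helper Object CLSIDs, DLLs hooked into Winlogon, modules loaded into winlogon.exe or lsass.exe, and the hosts file) can all be inventoried read-only. The following PowerShell script is an added example for responders and is not part of the article or of any vendor tool; the registry roots and hosts path are the standard Windows locations, while the process list, the hosts pattern list and the constructed sample hosts content are assumptions made for this example. Because file names are dynamic, it reports Authenticode status rather than matching names, so unsigned or missing DLLs in these locations stand out for review.

```powershell
# Added example (not from the article): read-only triage of the persistence
# locations described above. Run in an elevated PowerShell session.

function Test-SignedFile {
    param([string]$Path)
    # $true/$false for Authenticode status; $null when the path is empty or the file is missing.
    if (-not $Path) { return $null }
    $Path = [Environment]::ExpandEnvironmentVariables($Path.Trim('"'))
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    (Get-AuthenticodeSignature -FilePath $Path).Status -eq 'Valid'
}

function Get-BrowserHelperObjects {
    # BHOs are registered as CLSID subkeys; the CLSID's InprocServer32 default value names the DLL.
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem $root) {
            $clsid = $key.PSChildName
            $dll = $null
            foreach ($classes in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\WOW6432Node\Classes\CLSID') {
                $server = Join-Path $classes "$clsid\InprocServer32"
                if (Test-Path $server) { $dll = (Get-ItemProperty $server).'(default)'; break }
            }
            [pscustomobject]@{ Source = 'BHO'; Id = $clsid; Path = $dll; Signed = Test-SignedFile $dll }
        }
    }
}

function Get-WinlogonNotifyDlls {
    # Winlogon Notify packages (the hook older variants used on Windows XP/2003; the key is
    # absent or empty on newer Windows) each name a DLL in a DLLName value.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    if (-not (Test-Path $key)) { return }
    foreach ($sub in Get-ChildItem $key) {
        $dll = (Get-ItemProperty $sub.PSPath).DLLName
        if ($dll -and -not [IO.Path]::IsPathRooted($dll)) { $dll = Join-Path $env:SystemRoot "System32\$dll" }
        [pscustomobject]@{ Source = 'WinlogonNotify'; Id = $sub.PSChildName; Path = $dll; Signed = Test-SignedFile $dll }
    }
}

function Get-UnsignedProcessModules {
    # Process names are an assumption for this example; lsass module lists are often
    # access-restricted, so a failure there is reported as a warning rather than an error.
    param([string[]]$Names = @('winlogon', 'lsass', 'explorer'))
    foreach ($name in $Names) {
        foreach ($proc in Get-Process -Name $name -ErrorAction SilentlyContinue) {
            try { $modules = $proc.Modules } catch { Write-Warning "Cannot read modules of $name (PID $($proc.Id)): $_"; continue }
            foreach ($m in $modules) {
                if (-not (Test-SignedFile $m.FileName)) {
                    [pscustomobject]@{ Source = "Module:$name"; Id = $proc.Id; Path = $m.FileName; Signed = $false }
                }
            }
        }
    }
}

function Find-HostsOverrides {
    # Returns non-comment hosts lines that mention any listed host name.
    param(
        [string]$Content = (Get-Content -Raw "$env:SystemRoot\System32\drivers\etc\hosts"),
        [string[]]$Patterns = @('browser-security.microsoft.com')   # host name the article cites
    )
    $Content -split "`r?`n" |
        Where-Object { $_ -notmatch '^\s*#' -and $_.Trim() } |
        Where-Object { $line = $_; $Patterns | Where-Object { $line -like "*$_*" } }
}

# Constructed hosts content (not from a real machine) to exercise the matcher offline:
$sampleHosts = @"
# sample file constructed for this example
127.0.0.1       localhost
127.0.0.1       browser-security.microsoft.com
"@
Find-HostsOverrides -Content $sampleHosts | ForEach-Object { "sample match: $_" }

# Live inventory: unsigned ($false) or missing ($null) DLLs sort to the top for review.
$findings = @(Get-BrowserHelperObjects) + @(Get-WinlogonNotifyDlls) + @(Get-UnsignedProcessModules)
$findings | Sort-Object Signed | Format-Table -AutoSize
Find-HostsOverrides | ForEach-Object { Write-Warning "hosts override: $_" }
```

A `Signed` value of `$null` means the registered DLL no longer exists on disk, which is itself worth noting on a machine where names are regenerated per infection; a `$false` value on a DLL under System32 merits a closer look at the file before any removal, since deleting a registered BHO or Notify DLL without cleaning its registry key leaves a dangling reference.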

Source