Author Topic: Vundo or Virtumonde in a PC running Windows 98  (Read 16645 times)


Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89646
  • No support PMs thanks
Re: Vundo or Virtumonde in a PC running Windows 98
« Reply #15 on: December 06, 2009, 11:45:26 PM »
Whilst checking the hosts file is advisable, that would only block access to the site but shouldn't cause the browser to be terminated.

What browser is your father using?
I suggest a change of browser; whilst that might not turn up many browsers that support win98, there should still be the last Firefox 2.xx available, as 3.0 and 3.5 won't work. Then you can check if it is browser related.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD - 27" external monitor 1440p 2560x1440 resolution - avast! free  24.8.6127 (build 24.8.9372.870) UI 1.0.818/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Compaq

  • Guest
Re: Vundo or Virtumonde in a PC running Windows 98
« Reply #16 on: December 07, 2009, 01:32:45 PM »
He's running Netscape 7, and it worked perfectly until a few days ago, when all of a sudden it started to refuse anything related to Wikipedia. I have the latest release of Firefox 2 on my PC, and I wish to install it on my father's PC too, but I wanted to be sure there isn't any malware around before... I am quite concerned about installing a new browser on a PC already infected...  :-\  :'(

Online DavidR

Re: Vundo or Virtumonde in a PC running Windows 98
« Reply #17 on: December 07, 2009, 04:09:58 PM »
Well, unless it is a file infector, the potential for infecting browser files when installed is much reduced. Not to mention you have little choice but to test the theory that Netscape 7 has been hacked.

You could also try uninstalling Netscape, rebooting and re-installing it, but if exploited/hijacked once it is likely that it could happen again.

I was thinking that your father may have been using IE, which given the OS would be a very old version and more vulnerable to attack.

Compaq

Re: Vundo or Virtumonde in a PC running Windows 98
« Reply #18 on: December 07, 2009, 09:13:10 PM »
OK, I told him to empty Spybot's quarantine, just to begin sweeping away some junk. Then I plan to install/run SAS. In case of a negative outcome, I would install Firefox and see what happens. I would not uninstall Netscape because he needs the Email client "section" of it anyway (Firefox is a pure browser). I can't see anything more to do at the moment...  :-\

Online DavidR

Re: Vundo or Virtumonde in a PC running Windows 98
« Reply #19 on: December 07, 2009, 10:02:43 PM »
Yes, I would say that you are now on a monitoring watch to see if this issue presents itself in firefox, fingers crossed.

Compaq

Re: Vundo or Virtumonde in a PC running Windows 98
« Reply #20 on: December 08, 2009, 02:45:13 PM »
Tried to install SAS, but it crashed... reported unable to register some DLL due to "old Windows version"...  ??? But in the system requirements they claim that SAS is compatible with WIN98/SE (my father and I both have the same version 4.8.2222A)...  ???  Well, at this point I feel forced to skip the SAS passage and go directly for Firefox...  :-\

Online DavidR

Re: Vundo or Virtumonde in a PC running Windows 98
« Reply #21 on: December 08, 2009, 05:15:01 PM »
I'm afraid you are going to continually bump into things like this with win98, as fewer and fewer programs will support it, and many of the tools to try and clean malware are going to be the same.

I thought that SAS was meant to be compatible with win98, seems not so in your case.

It is possible that this could be a form of malware blocking as is common in some malware, but I don't know if that is the case here.

Compaq

Bad, bad news...
« Reply #22 on: December 10, 2009, 01:25:55 AM »
[PART 1]

In the hope not only to get some help, but to help others in the same situation, I'm trying to give an accurate report of what happened today.

After one last update of Avast's virus data file, and one last scan which reported nothing, I installed (from CD) the latest version of Firefox compatible with Windows 98 (V2.0.0.20). I ran it just to get the last updates from Mozilla, and to verify whether the "Wikipedia thing" continued to happen: it was gone, Wikipedia opened perfectly.

[from now on I will use a "should-be" English translation of Firefox functions and buttons, since I have the Italian version of Firefox and I'm not 100% sure of the words they used in the English version]

I opened the Options menu in Firefox, set the Popup stop, but when I opened the list of "Exceptions" (allowed sites) for the popup blocker, I had two bad surprises: 1) the "Exceptions" list was absurdly slow in opening (about 20 seconds, on my PC it's instantaneous), and 2) although it was Firefox's first run, the list of popup "Exceptions" was ALREADY FILLED IN with HUNDREDS of sites like XXX, porn, gambling etc...  :o

I clicked the "Remove All" button, saved the changes, closed and restarted Firefox and... the "Exceptions" list was NOT totally empty.  >:( There was ONE entry in the list, "hausaufgaben". I deleted that only entry, saved the changes, reopened the Exceptions list (restarting Firefox or not, it was just the same) and that "hausaufgaben" entry had been recreated...  ???

Both Avast and Spybot gave a "nothing found" outcome...

At this point, I ran REGEDIT and exported the Registry, and I found something which, not my knowledge but my nose, definitely says should NOT be there: but I can't say whether it's related or not to the "hausaufgaben" entry being continuously recreated.

I cannot post the whole exported Registry as it's huge. If it can be of any usefulness, I can ZIP and send it privately.

This is the BEGINNING of the first of the two sections of the Registry containing the AD/XXX entries:


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
@=""
"Trusted"="1"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\007guard.com]
"*"=dword:00000004

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\007guard.com\www]
"*"=dword:00000004

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\007guard.com\install]
"*"=dword:00000004

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\007guard.com\www.install]
"*"=dword:00000004

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\007guard.com\the]
"*"=dword:00000004

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\007guard.com\www.the]
"*"=dword:00000004

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\008i.com]
"*"=dword:00000004

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\008k.com]
"*"=dword:00000004

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\008k.com\www]
"*"=dword:00000004

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\00hq.com]
"*"=dword:00000004

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\00hq.com\www]
"*"=dword:00000004

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\010402.com]
"*"=dword:00000004

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\032439.com]
"*"=dword:00000004

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\032439.com\www]
"*"=dword:00000004

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\032439.com\80gw6ry3i3x3qbrkwhxhw]
"*"=dword:00000004

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\100888290cs.com]
"*"=dword:00000004

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\100888290cs.com\www]
"*"=dword:00000004

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\100888290cs.com\mir]
"*"=dword:00000004

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\100888290cs.com\woool]
"*"=dword:00000004

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\100sexlinks.com]
"*"=dword:00000004

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\100sexlinks.com\www]
"*"=dword:00000004
.
.
.
.
...etc etc...


I would like to know what the first key value means: "Trusted"="1"
Does it imply that all the following sites are TRUSTED?...

Compaq

Bad, bad news... [PART 2]
« Reply #23 on: December 10, 2009, 01:27:16 AM »
[PART 2]

OK, scrolling down the HKEY_LOCAL_MACHINE part, we reach the "hausaufgaben" thing:

.
.
.
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\hardpornmpg.com]
"*"=dword:00000004

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\hardwareseek.net]
"*"=dword:00000004

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\harukaigawa.com]
"*"=dword:00000004

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\hastalavista.com]
"*"=dword:00000004

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\hastalavista.com\www]
"*"=dword:00000004

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\hausaufgaben.de]
"*"=dword:00000004

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\hausaufgaben.de\www]
"*"=dword:00000004

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\hausaufgaben-referate.de]
"*"=dword:00000004

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\hausaufgaben-referate.de\www]
"*"=dword:00000004

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\hausaufgaben–referate.de]
"*"=dword:00000004

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\hausaufgaben-server.com]
"*"=dword:00000004

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\hausaufgaben-server.com\www]
"*"=dword:00000004


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\havy.biz]
"*"=dword:00000004

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\hazzetta.it]
"*"=dword:00000004
.
.
.
...etc etc etc...


Then we come to the HKEY_USERS part of the Registry, where the tune repeats once again... this is the beginning:


[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
@=""
"Trusted"="1"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\05p.com]
"*"=dword:00000004

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\searchmiracle.com]
"*"=dword:00000004

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\searchmiracle.com\www]
"*"=dword:00000004

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\clickspring.net]
"*"=dword:00000004

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\clickspring.net\www]
"*"=dword:00000004

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mt-download.com]
"*"=dword:00000004

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mt-download.com\www]
"*"=dword:00000004

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\my-internet.info]
"*"=dword:00000004

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\scoobidoo.com]
"*"=dword:00000004

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\babe.the-killer.bz]
"*"=dword:00000004

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\babe.k-lined.com]
"*"=dword:00000004

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\did.i-used.cc]
"*"=dword:00000004

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\coolwwwsearch.com]
"*"=dword:00000004
.
.
.
...etc etc...


The names of the sites aren't the same (or at least aren't in the same order), but the values of the keys are identical, and the first line, again, says "Trusted"="1"... What does this mean?

Scrolling down, we get to the hausaufgaben thing:


[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\hardpornmpg.com]
"*"=dword:00000004

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\hausaufgaben.de]
"*"=dword:00000004

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\hausaufgaben.de\www]
"*"=dword:00000004

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\hausaufgaben-referate.de]
"*"=dword:00000004

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\hausaufgaben-referate.de\www]
"*"=dword:00000004

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\hausaufgaben–referate.de]
"*"=dword:00000004

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\hausaufgaben-server.com]
"*"=dword:00000004

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\hausaufgaben-server.com\www]
"*"=dword:00000004


[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\herocodec.com]
"*"=dword:00000004

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\herocodec.com\www]
"*"=dword:00000004


What the hell is happening there?... And, especially, what can I do at this point?...  :'(

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Vundo or Virtumonde in a PC running Windows 98
« Reply #24 on: December 10, 2009, 07:24:01 AM »
Spybot put them there.


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\hardpornmpg.com]
"*"=dword:00000004

The 00000004 means they are in the Restricted Zone.


http://forums.spybot.info/showthread.php?t=2367

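As an added, defensive example (not code from this thread, from Spybot or from Avast): a small Python parser for a Registry Editor export like the ones pasted above. It pulls out every ZoneMap\Domains entry, maps the dword to the Internet Explorer zone it names (4 = Restricted Sites, 2 = Trusted Sites), rebuilds the host name from the domain\subkey layout, counts entries per hive, and lists the hosts that were put in a trusted zone, which are the ones that lower security. Values set on the Domains key itself, such as "Trusted"="1", are reported as-is without interpretation. The sample export and the host example-trusted.test are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample in the shape of a Registry Editor export (not the thread's full dump);
# example-trusted.test is an invented host included to show a Trusted Sites entry.
SAMPLE_REG = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
@=""
"Trusted"="1"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\007guard.com]
"*"=dword:00000004
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\007guard.com\www]
"*"=dword:00000004
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example-trusted.test]
"http"=dword:00000002
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\hausaufgaben.de]
"*"=dword:00000004
"""

# Internet Explorer security zone ids as stored in the ZoneMap\Domains dword values.
ZONE_NAMES = {0: "My Computer", 1: "Local Intranet", 2: "Trusted Sites",
              3: "Internet", 4: "Restricted Sites"}

KEY_RE = re.compile(r"^\[(?P<hive>HKEY_[A-Z_]+)\\(?P<path>.*)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"=dword:(?P<hex>[0-9a-fA-F]{8})$')
DOMAINS_MARKER = "\\internet settings\\zonemap\\domains"

def host_from_relpath(rel):
    """Domains\\example.com\\www  ->  www.example.com (subkeys under a domain are host prefixes)."""
    return ".".join(reversed(rel.split("\\")))

def parse_zonemap(reg_text):
    """Return (entries, domains_key_values): entries are (hive, host, protocol, zone) tuples,
    domains_key_values are raw value lines found on the Domains key itself, e.g. "Trusted"="1"."""
    entries, key_values = [], []
    hive, rel = None, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            hive, path = m.group("hive"), m.group("path")
            idx = path.lower().find(DOMAINS_MARKER)
            # rel is "" for the Domains key itself, None for keys outside ZoneMap\Domains
            rel = None if idx == -1 else path[idx + len(DOMAINS_MARKER):].lstrip("\\")
            continue
        if rel is None:
            continue
        vm = VALUE_RE.match(line)
        if vm and rel:
            entries.append((hive, host_from_relpath(rel), vm.group("name"), int(vm.group("hex"), 16)))
        elif not rel and line.startswith('"'):
            key_values.append((hive, line))          # reported as-is, not interpreted
    return entries, key_values

def zone_counts(entries):
    """Per-hive Counter of entries by zone name, e.g. how many Restricted Sites hosts HKLM holds."""
    per_hive = {}
    for hive, _host, _proto, zone in entries:
        per_hive.setdefault(hive, Counter())[ZONE_NAMES.get(zone, "unknown(%d)" % zone)] += 1
    return per_hive

def trusted_hosts(entries):
    """Hosts placed in Local Intranet or Trusted Sites: these lower security and deserve review."""
    return sorted({host for _hive, host, _proto, zone in entries if zone in (1, 2)})
```

Run it over a real export with `parse_zonemap(open("export.reg", encoding="utf-16").read())` if the file was saved by newer Registry Editors, or with the default encoding for a REGEDIT4 file from Windows 98; a long list of Restricted Sites entries is the expected shape of an immunization, while anything returned by trusted_hosts is worth checking by hand.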
Compaq

Re: Vundo or Virtumonde in a PC running Windows 98
« Reply #25 on: December 10, 2009, 08:31:36 AM »
Okay but... there's always that entry in Firefox's popup exceptions list that is rebuilt every time I delete it... and there is the ABNORMAL TIME Firefox takes to open that simple list, about 20 seconds! That's not normal. My feeling is that there is (obviously) something interfering with the normal operation of Firefox  >:(

Compaq

Re: Vundo or Virtumonde in a PC running Windows 98
« Reply #26 on: December 12, 2009, 01:41:14 PM »
More info... this was a thread in the Mozilla support forum where, last year, a few users were dealing with the same issue:

http://support.mozilla.com/tiki-view_forum_thread.php?locale=it&comments_parentId=57357&forumId=1

Apparently no one got any helpful answer at the time.
Today, some kind soul in that forum told me:

Quote
Hunted down the cause of this and intentionally infected win98 in a virtual machine with it. There is no way to undo this infection.

You are infected with a polymorphic file infector. This infection can and will infect all the machine's executable files .exe, .scr, .rar, .zip, .htm, .html

Malware experts say that a Complete Reformat and Reinstall is the only way to clean the infection. This includes All Drives that contain .exe, .scr, .rar, .zip, .htm, .html files.

But he didn't give me any more detail about the threat, a name, some clue... It's so strange that something that has been around 1yr+ can't be better addressed (not to mention the fact that it escapes Avast and Spybot!).

If possible, could someone give me some more detail please?..

Thank you!

YoKenny

  • Guest
Re: Vundo or Virtumonde in a PC running Windows 98
« Reply #27 on: December 12, 2009, 01:48:51 PM »
By using Search on Vundo you will find:
Removal of latest vundo-fake av scanner very difficult....
http://forum.avast.com/index.php?topic=44550.0


Compaq

Re: Vundo or Virtumonde in a PC running Windows 98
« Reply #28 on: December 12, 2009, 01:58:19 PM »
Quote
By using Search on Vundo you will find:
Removal of latest vundo-fake av scanner very difficult....
http://forum.avast.com/index.php?topic=44550.0

But, then, is Vundo the bug my father is dealing with?...  :o I started the thread assuming it was Vundo/Virtumonde, but I could have been wrong. The user who made the test ("...polymorphic file infector...") did NOT state it was Vundo!  ???

Online DavidR

Re: Vundo or Virtumonde in a PC running Windows 98
« Reply #29 on: December 12, 2009, 04:18:42 PM »
Polymorphic is, as the name suggests, ever changing, so very difficult to detect and much harder to repair the damage done.

It sounds more like Virut or Vitro given the files it is infecting.

This is some stuff from a while ago, so may not be up to date for current variants (but should give an idea of what it is):
-- Virut - Virtob - http://www.hm2k.com/posts/win32-virtob-virut-removal and http://miekiemoes.blogspot.com/2009/02/virut-and-other-file-infectors-throwing.html#IDComment15344616
Quote
Virut is a Polymorphic File Infector that infects .EXE and .SCR files. It opens a Backdoor by connecting to a predefined IRC Server and waits for commands from the remote attacker - for example to download/run more malware on the compromised computer. Emails may be harvested as well.
This latest variant may also search for htm, html, asp and php files on the drives and modify them by inserting an iframe that points to a malicious website. So you can already imagine what may happen if the owner is a web designer and uploads the infected webpages.

Also see, http://www.microsoft.com/security/portal/Entry.aspx?Name=Virus%3aWin32%2fVirut.BM and http://support.microsoft.com/kb/222473.
Try this Virut Removal Tool, this Win32/Virut Remover 1.2.0.342 8th Aug 2008 version, though that link should take you to the latest version.

- General Virut advice (the bad news) and other links by essexboy, see http://forum.avast.com/index.php?topic=43272.msg406710#msg406710 infects (*.exe *.scr *.htm *.html *.xml *.zip *.rar *.doc *.jpg *.pdf).