Vundo

Vundo Description

Vundo is a dangerous Trojan family with the potential to be extremely destructive. Often the only reliable defence is to keep Vundo off the computer in the first place by taking proper preventive measures. Once Vundo has infected a PC, removal may be impractical, depending on which variant of the Trojan is responsible. Vundo is also known as MS Juan, Virtumonde and Virtumundo.

How Can You Tell if Vundo has Infected Your Computer?

Depending on which Vundo variant infects your PC, you may or may not notice symptoms. Vundo's primary purpose is to generate advertisements, usually promoting fake anti-virus software such as WinFixer, AntiVirus 2009, AntiSpywareMaster, SysProtect, WinAntiSpyware, WinAntiVirus, System Doctor and Drive Cleaner, among others. It is therefore common for Vundo to produce pop-up alerts claiming that your computer is infected with some kind of malware and that you should buy a particular rogue security program to remove it. In general, Vundo is closely tied to rogue security applications: once installed it always promotes at least one or two of these fake products, and Vundo may itself arrive bundled with the download of a fake anti-virus program.

Vundo's Downloading and Information-Stealing Capabilities

A common problem with Vundo is that it can download other files, which is one reason it is sometimes classified as a Trojan downloader (otherwise it is usually categorised as a file dropper). Sometimes the downloaded files are clearly malicious, such as updates to Vundo itself or additional components that extend what it can do. At other times it is hard to say what Vundo is downloading, because the files appear to be fairly arbitrary.

Of greater concern than Vundo's downloading capability is its ability to steal and upload information. Vundo is known to collect information from the computer and send it to a remote server. It looks for any e-mail login and account details saved in the e-mail programs you use (Outlook Express is a particular target), tries to gather account information for any other Windows-based account it can find on the PC, and squeezes information out of the operating system itself. Vundo records and reports which version of Windows is installed, when it was installed, the keyboard layout, the registered owner and even the contents of the crash log. It also tries to collect details of the network adapter and its MAC address. If a piece of information is potentially useful to whoever is spreading Vundo, and it is accessible through Windows, Vundo will try to steal it.

More Changes Caused by Vundo

Vundo also disrupts Internet use in a variety of ways. It blocks .mil and .gov sites entirely and redirects attempts to visit a variety of other websites. It is known to block Google, Hotmail and Facebook so that you cannot reach them at all. Conversely, on certain sites that would normally display pop-up advertisements, Vundo disables those pop-ups. Occasionally an infected computer cannot get online at all. Vundo is also known to delete the Network Places icon from My Computer.

On top of all this damage, and in order to cause it, Vundo makes a huge number of changes to the infected computer. In particular it modifies a large number of Registry keys: it turns off features that would threaten its presence, grants itself access to resources, hides some files and registers itself to run when Windows starts, among many other things (the hook points it uses, such as Explorer's ShellExecuteHooks, ShellServiceObjectDelayLoad and Winlogon\Notify, are listed under Registry Details below). Vundo typically cannot be removed with Task Manager, Regedit or msconfig, because it disables all three. Depending on whether a variant hooks the Winlogon service or lsass.exe, it may cause Winlogon to access the hard disk so constantly that the drive perpetually spins up and down and the system freezes. Vundo can also push Explorer into an endless restart loop in which Windows never fully loads and the system keeps shutting down and restarting.

If you have ever heard of the Blue Screen of Death, Vundo's use of it takes the cake. Vundo can change your screen saver to an image of the Blue Screen of Death and may change your desktop wallpaper as well; you will be able to locate the image files in Windows but not delete them. Vundo is also sometimes known to cause a real Blue Screen of Death from which there is no recovery short of reinstalling Windows (this has been reported in connection with using HijackThis to enumerate the changes Vundo has made). Generally, once Vundo has rooted itself in the system it can disable or delete almost anything in Windows, including Windows Update.

Where Does Vundo Come From, and How Does It Spread?

As mentioned above, Vundo is a Trojan, which means it does not spread by itself; strictly speaking it is not a virus. To get Vundo you have to download it, which realistically means being tricked into downloading it. Vundo is therefore frequently hidden in spam e-mail attachments and bundled with downloads from peer-to-peer services and pirating sites. It may also be installed by a drive-by download that exploits a security hole in outdated versions of Java, among other methods.

Vundo mostly infects computers in the United States. It has been around since 2004 but is more dangerous now than ever, because over time it has grown, evolved and incorporated new elements. Two people, known as "Hirishima" and "#[TTEH]Germany", are blamed for creating Vundo, supposedly just to cause chaos. As Vundo grows and changes, the best protection is to keep Windows and your anti-malware software up to date and to avoid pirating and file-sharing sites and services. That vigilance is a small price compared with what Vundo can do once it finds a way into the system.

Aliases: Gen:Variant.Kazy.1186 [MicroWorld-eScan], Artemis!B83115B560BF [McAfee], Trojan [K7AntiVirus], Troj_Generic.HVFPO [Norman], TROJ_GEN.R28CDC1 [TrendMicro-HouseCall], Win32:Rootkit-gen [Rtk] [Avast], Mal/Vundo-AJ [Sophos], Trojan.Win32.Generic.pak!cobra [VIPRE], TR/Kazy.1186.4 [AntiVir], Gen:Variant.Kazy.1186 (B) [Emsisoft], W32/Backdoor.NVDQ-2921 [Commtouch], Trojan/Win32.Vundo [AhnLab-V3], Suspicious.Cloud.7.F [PCTools], Virus.Win32.Vundo [Ikarus] and W32/SpyVoltar.A!tr [Fortinet].


Can't Download SpyHunter or Access the Internet?

Solutions: malware resident in memory may prevent any program, SpyHunter included, from running. The following steps can help you download SpyHunter and regain Internet access:
  • Use an alternative browser. Malware may disable your browser. If you use IE, for example, and cannot download SpyHunter, open Firefox, Chrome or Safari instead.
  • Use removable media. Download SpyHunter on another, clean computer, copy it to a USB flash drive, DVD/CD or other removable media, then install and run it on the infected computer.
  • Start Windows in Safe Mode. If you cannot reach the Windows desktop, reboot into "Safe Mode with Networking" and install SpyHunter there.
  • IE users: disable the proxy server in Internet Explorer's connection settings. Malware rewrites the Windows proxy settings so that IE is routed through a proxy it controls, which blocks browsing and the updating of anti-spyware programs.
If you still cannot install SpyHunter, see the other possible causes of installation issues.

Technical Information

File System Details

Vundo creates the following file(s). Sizes are in bytes; entries 10 to 15 were reported without a path. Note that the MD5 of entry 8 is the hash that McAfee's Artemis!B83115B560BF alias (see the list above) refers to.
#   File name                                  Size (bytes)  MD5                               Detection count
1   %WINDIR%\system32\riborika.dll             57,344        2ddc88ca710a0f8743f900be4ed3e348  8
2   %TEMP%hgfeca.dll                           108,032       cf17205f23a88fb58fc805475bfdc533  4
3   %PROGRAMFILES%\donkeytb\updatecheck.exe    90,112        118d7d4133c84523bc35a863e51d5566  4
4   %TEMP%gvzleg5r.exe                         157,184       81b6ec76b0b313b04d0c576333ab3e4a  3
5   %TEMP%vturpn.dll                           88,576        08cfd69d98151b107b2c8ce6b485c896  3
6   %WINDIR%\system32\mmcprf.dll               488,960       bdaa0397521746b794f62b6e7804c7f3  2
7   %WINDIR%\system32\sidebar32.exe            113,792       c358e170f8c6525dbbc3bcf164eb9d40  2
8   %WINDIR%\TEMP\de6z7w05.exe                 122,880       b83115b560bfd3f10859df478160a1cf  1
9   %ALLUSERSPROFILE%\nasijuye\nasijuye.dll    96,256        0eee3356df22a461239638218eaf45c7  1
10  fcccyVPi.dll                               320,000       e0f5b8906a28841b8ad22c3bef9f07bc  0
11  jrclpn.dll                                 129,024       1ba00dcf04f08eb26f3be8afcc6c0746  0
12  ligamosa.dll                               109,056       0837aaf418c3cd1f4ea351b69aa84ced  0
13  pmnlmmNF.dll                               273,408       cefb15361b309e3ef13275f36766aef9  0
14  rqRHaXRk.dll                               272,384       3a9f6a0eaffef39adee5a168b299d22c  0
15  yamanewa.dll                               99,116        74063d18658d42c376a3b09ebbac7902  0

Registry Details

Vundo creates the following registry entries. Each line gives the key path (hive prefix omitted, as in the original listing) followed by the value name written under it. ShellExecuteHooks, ShellServiceObjectDelayLoad and Winlogon\Notify are all locations from which Explorer or Winlogon loads a registered DLL at start-up, which is how Vundo gets its code into those processes:
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks, value: {06EEE729-30EC-4480-A5D2-89BB99A618FA}
Software\Microsoft\Internet Explorer\URLSearchHooks, value: {B6C621ED-821B-4311-4EF1-ACA0C115E707}
SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad, value: mgsvflkw
Microsoft\Windows NT\CurrentVersion\Winlogon\Notify, value: yayvtsp
software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks, value: {1C72F7D4-A286-4B60-BDAD-438982FBB771}
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks, value: {BE0FF150-C7FC-4E37-8F92-4E9AF1389238}
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks, value: {F1C5B241-BFBE-4CFC-99A4-76823ADF23F6}
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks, value: {1CF662BF-4AFD-4778-8306-1F0EB8284EBB}
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks, value: {76CFB752-E1B5-45E5-871F-E696B997FFB1}
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks, value: {48F2A76C-BCC4-4D15-97AC-2C78BC84CB45}
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks, value: {C7BBDD18-4BD1-416D-877A-4EDB566A0054}
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks, value: {C16CDB5C-2468-4116-AD60-868CA1368FA1}
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks, value: {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}
SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad, value: SSODL
Value names found under the Run keys beneath HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.. (the path is abbreviated in the original listing):
PrintDrive
{9B-B6-64-4C-ZN}
j7251636
Xri
mjdsregl.exe
ApachInc
{32-2B-B3-32-ZN}
mlwfltyj.dll
j9221031.dll
mjdsregs.exe
Qgh
Roogpcg
Uninstall_CToolbar
lolgrmra.exe
{B5-54-43-3D-ZN}
{B9-92-26-69-ZN}
mndsregp.exe
tmp5B.tmp.exe
{B1-1B-B5-58-ZN}
rkqqm.exe
msdsregm.exe
{FA-AA-A9-90-ZN}
dwdsregt.exe
j0221833
MemoryManager
TISKY009.exe
bwtwhehq.exe
Dklvf
rs2R3ph
uzvdfo
pfrnnzxA
diclwdyA
{74-49-9C-CD-ZN}
{D6-6B-BA-A5-ZN}
{62-24-47-7E-ZN}
MSOffice
horymywe
{AC-CA-A5-5A-ZN}
6B95DB4F
zzb
mevega
msccrt
MsIMMs32
MsIMMs32.exe
mppds
mppds.exe
Bat Wave Base Dale
Kvsc3
ownsuser
AVPSrv
{09-93-30-07-ZN}
Microsft Windows Adapter
{FC-CD-D6-62-ZN}
abypofwh
{A0-08-87-75-ZN}
ybkjufcz
epmbkfcz
buvwfklw
Microsft Windows Adapter 5.1.3013
{17-79-92-28-ZN}
Microsoft Windows Adapter 5.1.3214
Tapicfg.exe
The following CLSIDs were found registered under the CLSID key (hive prefix omitted, as in the original listing). Several of them are the same GUIDs that appear as ShellExecuteHooks values above:
{0843B602-E7DF-43D4-A68A-CD57AA7504BA}
{086f7b54-2ca1-4f41-beee-2dfd4e43c750}
{123b62fe-b732-4f2b-9113-be756ab2afb2}
{2236d1ca-6b18-4c56-b402-d45d812c4187}
{2497288a-b7fd-495e-9c51-3dd8e0e6bb48}
{287F4B2E-CE09-433F-A114-756EA51CD91A}
{2bc001c5-63f1-46ff-9138-2ec687eda471}
{310CEF0B-1E4E-44FE-BB3E-E2DA4BC8CF91}
{402f36c6-7287-4663-8622-f0c1ba50d006}
{41FED73A-D04E-459C-90FE-BA391B6E4686}
{43a7cc74-42e8-4b0c-8985-817513e9f31e}
{48ae78c4-2ec2-4cb9-9d92-bc729a49718a}
{49B63F51-4116-4BF7-A2CD-EE58F776AF07}
{4FE8A666-40D2-4A06-A338-6EE341C8FFB9}
{51E30BDC-0E41-4AED-8FBE-7813CB42497B}
{52CC18CF-8BC9-434E-9885-7A8DC2F49E49}
{581be782-64c8-4434-a150-3c28747f2abd}
{5867BD51-2C0B-4160-9B9E-0C1D09298758}
{5FCB5CD8-F7BD-4A71-A870-6B80DE1DC857}
{610F87CB-9244-6179-D493-1006C8942C74}
{677980DC-F409-4E28-82DA-F0ED21D12104}
{67DAF2C9-E1C7-4F39-8D31-308033BF783A}
{6E245D87-17DC-4AF5-BCD5-7C29CEAF0EE1}
{73D7D3A8-0F2E-45B1-9707-CE9800E4B221}
{87d0d4c2-102f-4982-8abb-51605a7887fc}
{92a44a16-c56a-4506-b5cd-6fe05bdbe182}
{950E1E39-86DF-A75B-8A0E-FEADA99026C1}
{95591C64-DE8C-F35C-8A0E-FEADA99029C4}
{95e1c610-3681-43cc-87a4-5cb151c0ea31}
{9EE7369A-04FE-4BCE-B3B1-B419D3DE29CB}
{A5BF49A2-94F1-42BD-F434-3604812C807D}
{A98B74B3-3120-4334-9549-E52C99EB2DAF}
{AA9B2A35-386E-4F4E-8039-B3FD71ED5699}
{ae6320f6-c9a4-4161-a31b-93fd86e7f53e}
{af6a817c-7ccf-42f4-a83e-7659bd31c3fb}
{B2B4ADCA-8F2E-4C3F-A3B5-DC222D9B5D99}
{b42cd578-fedc-4295-8191-a688d8d82c6c}
{B6C621ED-821B-4311-4EF1-ACA0C115E707}
{B8645816-40A9-4704-B552-99DD71ED339E}
{BB9EE723-262E-4F2C-83C2-DD4DAB4DCBF5}
{bcdad886-d2a2-4cf0-a1d8-da007a530515}
{BD55E693-059F-4788-9C79-5D40456AAEE4}
{BDD8F083-948A-422E-8479-F4F213052EB3}
{be479701-7f21-4aad-a9a7-4623b44f44ec}
{C85195D8-8617-4CD3-815E-DBF7D2701A66}
{C87AEA51-C5B8-4BAD-813B-033EBA98954B}
{d83d605f-417b-431d-945c-0ce9012fa282}
{d9ef81f4-7ef4-45e3-9dce-0165deb28940}
{dd02a4eb-4afd-4d60-99d8-e67f964ca813}
{f12aa50a-a033-4dd6-a337-9d31d83212f2}
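The hook points listed in the Registry Details (ShellExecuteHooks, ShellServiceObjectDelayLoad, Winlogon\Notify and the CLSID registrations that back them) are ordinary autostart locations, so the most practical offline check is to export those keys with `reg export` from the suspect system and compare the result with the indicators on this page. The script below is an added example written for this page, not Enigmasoftware's or SpyHunter's tooling: it parses a regedit Version 5.00 .reg export, resolves each ShellExecuteHooks CLSID to its InprocServer32 DLL, flags entries that match a hand-picked subset of the page's GUIDs and value names or that load a DLL from a Temp directory, and also reports the forced Internet Explorer proxy setting mentioned in the troubleshooting section. The sample export embedded in it is constructed for the demonstration; its pairing of CLSIDs with DLL names from the file table is invented, and the indicator sets are a small subset of the lists above, not a complete signature.

```python
"""Match a regedit (Version 5.00) .reg export against Vundo indicators from this page.
Added example, not the page's tooling; indicator sets are a hand-picked subset of the
Registry Details above and SAMPLE_EXPORT is constructed (its CLSID/DLL pairings are invented)."""
import re

VUNDO_HOOK_GUIDS = {  # ShellExecuteHooks value names listed on the page (subset)
    "{06EEE729-30EC-4480-A5D2-89BB99A618FA}", "{1C72F7D4-A286-4B60-BDAD-438982FBB771}",
    "{BE0FF150-C7FC-4E37-8F92-4E9AF1389238}", "{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}"}
VUNDO_CLSIDS = VUNDO_HOOK_GUIDS | {"{B6C621ED-821B-4311-4EF1-ACA0C115E707}"}
VUNDO_SSODL_NAMES = {"mgsvflkw", "ssodl"}  # compared case-insensitively
VUNDO_NOTIFY_NAMES = {"yayvtsp"}           # Winlogon\Notify subkey names

HOOKS_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks"
SSODL_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\shellserviceobjectdelayload"
NOTIFY_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon\notify" + "\\"
PROXY_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\internet settings"
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')  # "name"=value or @=value

def _decode(raw):
    """Decode a .reg value literal: quoted string (\\ and \" escapes) or dword; else raw text."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return int(raw[6:], 16) if raw.startswith("dword:") else raw

def parse_reg(text):
    """Return {lower-cased key path: {value name: value}}; '@' holds the default value."""
    reg, key = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            reg.setdefault(key, {})
        elif key and (m := _VALUE_RE.match(line)):
            reg[key]["@" if m.group(2) else m.group(1)] = _decode(m.group(3))
    return reg

def inproc_server(reg, clsid):
    """Resolve a CLSID to its InprocServer32 DLL path via either classes hive, or None."""
    for root in ("hkey_classes_root\\clsid\\", "hkey_local_machine\\software\\classes\\clsid\\"):
        dll = reg.get(root + clsid.lower() + "\\inprocserver32", {}).get("@")
        if dll:
            return dll
    return None

def _in_temp(path):
    return "\\temp\\" in path.lower()  # DLL served from any ...\Temp\ directory

def find_vundo_indicators(reg):
    """Return (location, name, reason) triples for entries that match the page's indicators
    or load a DLL from a temp directory (Vundo's usual drop location), plus a forced IE proxy."""
    hits = []
    for guid in reg.get(HOOKS_KEY, {}):
        dll = inproc_server(reg, guid) or "<unresolved>"
        if guid.upper() in VUNDO_HOOK_GUIDS:
            hits.append(("ShellExecuteHooks", guid, "known Vundo hook CLSID -> " + dll))
        elif _in_temp(dll):
            hits.append(("ShellExecuteHooks", guid, "hook DLL loaded from temp: " + dll))
    for name, val in reg.get(SSODL_KEY, {}).items():
        if name.lower() in VUNDO_SSODL_NAMES or str(val).upper() in VUNDO_CLSIDS:
            hits.append(("ShellServiceObjectDelayLoad", name, "Vundo SSODL entry -> " + str(val)))
    for key, vals in reg.items():
        if key.startswith(NOTIFY_KEY):
            sub, dll = key[len(NOTIFY_KEY):], str(vals.get("DllName", ""))
            if sub in VUNDO_NOTIFY_NAMES or _in_temp(dll):
                hits.append(("Winlogon\\Notify", sub, "Vundo notification package -> " + dll))
    proxy = reg.get(PROXY_KEY, {})
    if proxy.get("ProxyEnable") == 1 and proxy.get("ProxyServer"):
        hits.append(("Internet Settings", "ProxyServer", "IE forced through " + str(proxy["ProxyServer"])))
    return hits

# Constructed export: shell32's URL exec hook and WebCheck as legitimate controls, plus
# Vundo-style entries whose DLL names are taken from the page's file table (pairings invented).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{06EEE729-30EC-4480-A5D2-89BB99A618FA}"=""
"{2BC001C5-63F1-46FF-9138-2EC687EDA471}"=""

[HKEY_CLASSES_ROOT\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InprocServer32]
@="C:\\WINDOWS\\system32\\shell32.dll"

[HKEY_CLASSES_ROOT\CLSID\{06EEE729-30EC-4480-A5D2-89BB99A618FA}\InprocServer32]
@="C:\\WINDOWS\\system32\\riborika.dll"

[HKEY_CLASSES_ROOT\CLSID\{2BC001C5-63F1-46FF-9138-2EC687EDA471}\InprocServer32]
@="C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\vturpn.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"mgsvflkw"="{B6C621ED-821B-4311-4EF1-ACA0C115E707}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\yayvtsp]
"DllName"="C:\\WINDOWS\\system32\\mmcprf.dll"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="http=127.0.0.1:80"
"""

if __name__ == "__main__":
    for location, name, reason in find_vundo_indicators(parse_reg(SAMPLE_EXPORT)):
        print(f"[{location}] {name}: {reason}")
```

On a suspect machine, export the keys named above (for example `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks" hooks.reg`, and likewise for ShellServiceObjectDelayLoad, Winlogon\Notify, HKCR\CLSID and the HKCU Internet Settings key), concatenate the files and pass the text to parse_reg(). The second hook in the sample is caught only by the temp-path heuristic, not by the GUID list, which is the point of resolving InprocServer32: Vundo's GUIDs change between variants, but a shell hook DLL living in a Temp directory is suspicious regardless. A temp-path hit is not proof on its own; confirm it by hashing the DLL against the file table above or submitting it to a scanner.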
