Vundo Description

Vundo is an extremely dangerous Trojan, and Vundo has the potential to be extremely destructive. Often, the only thing you can do is protect your computer from getting Vundo in the first place, by taking proper preventative measures. Once Vundo has infected your PC, it may be impossible to remove, depending on which version of the Trojan is causing the infection. Vundo is also known as MS Juan, Virtumonde, and Virtumundo.

How Can You Tell if Vundo has Infected Your Computer?

Depending on which variety of Vundo infects your PC, you may or may not notice any symptoms. Primarily, Vundo's purpose is to generate advertisements, which usually promote fake anti-virus software such as WinFixer, AntiVirus 2009, AntiSpywareMaster, SysProtect, WinAntiSpyware, WinAntiVirus, System Doctor, and Drive Cleaner, among others. Therefore, it is common for Vundo to cause pop-up alerts that say that your computer is infected with some kind of malware and that you should remove Vundo using a certain rogue security program. In general, Vundo has a strong connection to rogue security applications. Vundo always promotes at least one or two of these fake security programs once Vundo is installed; also, Vundo may come bundled with the downloads of some fake anti-virus programs.

Vundo's Downloading and Information-Stealing Capabilities

A common problem with Vundo is that Vundo can download other files. That is one of the reasons that Vundo is sometimes identified as a Trojan Downloader. (Otherwise, Vundo is often categorized as a File Dropper.) Sometimes, the other files that Vundo downloads are malicious, such as updates to the Vundo malware, or additional components that will allow Vundo to do greater harm. Other times, it may be difficult to determine what Vundo is downloading, since the files downloaded may be relatively arbitrary.

Of greater concern than Vundo's downloading capability is Vundo's ability to steal and upload information. Vundo is known to collect information from your computer and send it to a remote server. Vundo will look for any email login information and account information that you have saved in any email programs you use (especially targeting Outlook Express), Vundo will try to gather account information for any other Windows-based account Vundo can find on your PC, and Vundo will try to squeeze information out of the operating system itself. Vundo will record and report which version of Windows you're using, when you installed it, what your keyboard layout is, who the registered owner is, and even what is in the crash log. Furthermore, Vundo will try to steal information about your network adapter and your MAC address. If a piece of information is potentially useful to some malicious person who spreads Vundo, and that information is accessible through the Windows operating system, Vundo will try to steal it.

More Changes Caused by Vundo

Vundo also disrupts Internet usage in a variety of ways. Vundo blocks .mil and .gov sites entirely, and Vundo causes redirections when you try to visit a variety of other websites. Vundo is known to block Google, Hotmail, and Facebook, making it so that you can't navigate to them at all. Additionally, for certain sites that might normally display pop-up advertisements, Vundo disables their pop-ups. Occasionally, Vundo may cause the infected computer to be unable to get online at all. Also, Vundo is known to delete the Network Places icon from My Computer.

On top of all of this damage, and in order to cause all of this damage, Vundo makes a huge number of changes to the infected computer. In particular, Vundo makes a copious amount of changes to the Registry: among many, many other things, it turns off features that would threaten its presence, gives itself access to certain things, hides some files, and sets itself up to run when Windows starts. Vundo typically cannot be removed by using Task Manager, Regedit, or msconfig, because Vundo disables all of them. Depending on whether Vundo hooks into the Winlogon service or lsass.exe, Vundo may cause Winlogon to access the hard drive so constantly that the disk perpetually cycles up and down, causing the system to freeze. Vundo is also capable of causing Explorer to go into an infinite reboot loop, where Windows can never fully load, and the system keeps shutting down and restarting.

If you've ever heard of the Blue Screen of Death, Vundo's use of the Blue Screen of Death takes the cake. Vundo can change your screen saver to an image of the Blue Screen of Death, and Vundo may also change your desktop wallpaper. You will be unable to delete the files for these, even though you may be able to locate them in Windows. Furthermore, Vundo is sometimes known to cause a Blue Screen of Death from which there is no recovery, because there is no way to fix it except to reinstall Windows. (This is reportedly associated with the use of HijackThis to try to find all of the changes that have been made to a computer by Vundo.) Generally, Vundo is capable of disabling or deleting almost anything in Windows, once Vundo has rooted itself in the system. Vundo can even disable Windows Updates.

Where Does Vundo Come From, and How Does It Spread?

As previously mentioned, Vundo is a Trojan. That means that Vundo does not spread itself; Vundo is not, strictly speaking, a virus. In order to get Vundo, you have to download Vundo, and realistically, that means that you have to be tricked into downloading Vundo. So, Vundo is frequently hidden in spam email attachments, and bundled with downloads from peer-to-peer services and pirating sites. Vundo may also be installed via drive-by-download, by exploiting a security hole in old versions of Java, among other methods.

Vundo mostly infects computers in the United States. Vundo has been around since 2004, but Vundo is more dangerous now than ever, because with time Vundo has grown, evolved, and incorporated new elements. Two people are blamed for creating Vundo, supposedly just for the purpose of causing chaos, and they are known as "Hirishima" and "#[TTEH]Germany." As Vundo grows and changes, the best way to protect yourself is to keep Windows and your anti-malware software up-to-date, and to avoid pirating and file sharing sites or services. That vigilance is a small price to pay compared to what Vundo can do to your computer once Vundo finds a way into the system.

Aliases: PSW.Generic10.BYML [AVG], W32/SpyVoltar.A!tr [Fortinet], Virus.Win32.Vundo [Ikarus], Suspicious.Cloud.7.F, Trojan/Win32.Vundo [AhnLab-V3], W32/Backdoor.NVDQ-2921, Gen:Variant.Kazy.1186 (B), TR/Kazy.1186.4 [AntiVir], Trojan.Win32.Generic.pak!cobra, Mal/Vundo-AJ [Sophos], Win32:Rootkit-gen [Rtk] [Avast], TROJ_GEN.R28CDC1, Troj_Generic.HVFPO, Trojan [K7AntiVirus] and Artemis!B83115B560BF [McAfee].

Technical Information

File System Details

Vundo creates the following file(s):

Registry Details

Vundo creates the following registry entry or registry entries:

File mask (regular expression): %SystemRoot%\System32\opn[RANDOM CHARACTERS].dll

Run keys
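The following read-only triage script is an added example, not code from the original article or from any vendor. It checks a Windows machine for the three indicators the article describes: the opn[RANDOM CHARACTERS].dll file mask in System32, Run keys that point at a DLL matching that mask or at a temporary directory, and disabled Task Manager or Regedit. It assumes (the article does not say) that the "disabled tools" symptom appears as the standard Windows policy values DisableTaskMgr and DisableRegistryTools.

```powershell
# Added triage example for the Vundo indicators described in this article.
# Read-only: it reports findings and changes nothing. Run from an elevated prompt.
$findings = @()

# 1. File mask from the article: "opn" + random characters + ".dll" in System32.
$sys32 = Join-Path $env:SystemRoot 'System32'
Get-ChildItem -Path $sys32 -Filter 'opn*.dll' -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^opn[a-z0-9]+\.dll$' } |
    ForEach-Object {
        # Record size and MD5 so the sample can be compared with vendor detections.
        $md5 = (Get-FileHash -Path $_.FullName -Algorithm MD5).Hash.ToLower()
        $findings += [pscustomobject]@{ Type = 'File'; Detail = $_.FullName; Extra = "size=$($_.Length) md5=$md5" }
    }

# 2. Run keys: the article says Vundo sets itself up to run when Windows starts.
#    Flag values that load a DLL matching the mask or anything under a Temp folder
#    (heuristic; legitimate software rarely autostarts from Temp).
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath/PSDrive metadata
        $value = [string]$p.Value
        if ($value -match '(?i)\\temp\\|\\opn[a-z0-9]+\.dll') {
            $findings += [pscustomobject]@{ Type = 'RunKey'; Detail = "$key\$($p.Name)"; Extra = $value }
        }
    }
}

# 3. Disabled Task Manager / Regedit. ASSUMPTION: the symptom is implemented through
#    the standard policy values below; the article only states that the tools are disabled.
$policy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
foreach ($name in 'DisableTaskMgr', 'DisableRegistryTools') {
    $v = (Get-ItemProperty -Path $policy -Name $name -ErrorAction SilentlyContinue).$name
    if ($v -eq 1) {
        $findings += [pscustomobject]@{ Type = 'Policy'; Detail = "$policy\$name"; Extra = 'set to 1' }
    }
}

if ($findings.Count -eq 0) { 'No Vundo indicators from this article were found.' }
else { $findings | Format-Table -AutoSize }
```

A hit on the file mask or a Run key pointing into Temp is worth a closer look but is not proof on its own; confirm the file hash against your anti-malware vendor's detection before acting.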
