Virtumonde, Registry Keys, User Accounts, Microsoft

Scott

Can you identify the originator of Virtumonde by the registry keys it
leaves?

Would a user account prevent Virtumonde from installing? Would I get a
notice that administrator privileges are needed?

Does Virtumonde use the Visual Basic language of Office, or something else?

Will Microsoft's Malicious Software Removal Tool completely scan my system
independent of whether it's run from an admin or user account?

Can I confidently assume my XP Home desktop system is clean since Ad Aware
has not found anything and the August Malicious Software Removal Tool ran
once?

I have a notebook that connects to the desktop through a router. Can this
malware spread to my notebook through the router? I exchange files using the
Shared Documents folder.

Details.

On Aug 5, Ad Aware found a file "yacscom.dll" it declared to be Virtumonde.

Yahoo Anti Spy found four registry keys it called hijackers.

One is ISTbar from a company called Internet Search Technologies:

hkey_local_machine \software\microsoft\windows\currentversion\internet
settings\zonemap\domains\contentmatch.net

Three were from Mirar. They had the exact form above but with different
domain names at the end: mirarseach.com, netnucleus.com, getmirar.com

If I investigate these domains, will I get infected?
 
David H. Lipman

From: "Scott" <scott@adelphia.net>

Hi Scott:

Replies are inline...

| Can you identify the originator of Virtumonde by the registry keys it
| leaves?


No. They may only identify that they are related to the malware itself.


| Would a user account prevent Virtumonde from installing? Would I get a
| notice that administrator privileges are needed?


Not if the site that hosts the installer uses exploit code that causes a buffer overflow
condition and a resultant elevation of privileges.


| Does Virtumonde use the Visual Basic language of Office, or something else?


I haven't heard of it using VB.


| Will Microsoft's Malicious Software Removal Tool completely scan my system
| independent of whether it's run from an admin or user account?


Yes.


| Can I confidently assume my XP Home desktop system is clean since Ad Aware
| has not found anything and the August Malicious Software Removal Tool ran
| once?


No. There is no 100% assurance. Ad-Aware isn't 100% on all variants. You would have to
also scan with other utilities such as Malwarebytes Anti-Malware to increase your
chances, but you won't reach 100% if it is a new and unknown variant.


| I have a notebook that connects to the desktop through a router. Can this
| malware spread to my notebook through the router? I exchange files using the
| Shared Documents folder.

No. It is NOT a virus and does not self-replicate. The Vundo form and the Virtumonde
adware need assistance to get installed, such as social engineering and vulnerability
exploitation.

| Details.

| On Aug 5, Ad Aware found a file "yacscom.dll" it declared to be Virtumonde.

|
| Yahoo Anti Spy found four registry keys it called hijackers.

| One is ISTbar from a company called Internet Search Technologies:

| HKLM\software\microsoft\windows\currentversion\internet
settings\zonemap\domains\contentmatch.net

| Three were from Mirar. They had the exact
| form above but with different
| domain names at the end: mirarseach.com, netnucleus.com,
| getmirar.com

| If I investigate these domains, will I get infected?


Possibly!




--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
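The four registry keys quoted above all live under ZoneMap\Domains, which is where Internet Explorer (and anything else using WinINet) stores per-domain URL security zone assignments: a subkey per domain (optionally a further subkey per host label), with one DWORD value per scheme ("http", "https", or "*" for any) holding the zone number (0 My Computer, 1 Local Intranet, 2 Trusted Sites, 3 Internet, 4 Restricted Sites). Putting an adware domain into Trusted Sites lets its pages run under that zone's looser ActiveX and scripting rules, which is why anti-spyware tools flag such entries as hijackers. The script below is an added example, not code from the thread or from any of the tools mentioned in it. It parses the text of a `reg export` file of that key (the HKEY_CURRENT_USER counterpart, `HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains`, should be exported and checked the same way), reconstructs host names, and reports every entry that lowers security (Trusted Sites or Local Intranet) for a host outside an allow-list. The embedded sample export is constructed: the four domain names come from the post, but their zone values, the windowsupdate.microsoft.com entry and badsite.example are invented to exercise the code.

```python
import re
from typing import Dict, List, Tuple

# Zone numbers used by the WinINet URL security zone manager (the IE zones).
ZONE_NAMES = {0: "My Computer", 1: "Local Intranet", 2: "Trusted Sites",
              3: "Internet", 4: "Restricted Sites"}

# Subkey under both HKLM and HKCU ...\Internet Settings that holds per-domain
# zone assignments (matched case-insensitively below).
DOMAINS_MARKER = "\\internet settings\\zonemap\\domains\\"

# CONSTRUCTED sample export.  The four domains are the ones named in the post;
# the zone values, the windowsupdate entry and badsite.example are made up here.
# A real file comes from (reg.exe writes it as UTF-16LE):
#   reg export "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains" zonemap.reg
ZM_KEY = ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion"
          "\\Internet Settings\\ZoneMap\\Domains")
SAMPLE_EXPORT = f"""Windows Registry Editor Version 5.00

[{ZM_KEY}\\contentmatch.net]
"*"=dword:00000002

[{ZM_KEY}\\mirarseach.com]
"http"=dword:00000002

[{ZM_KEY}\\netnucleus.com]
"http"=dword:00000002

[{ZM_KEY}\\getmirar.com]
"http"=dword:00000002

[{ZM_KEY}\\microsoft.com\\windowsupdate]
"http"=dword:00000002
"https"=dword:00000002

[{ZM_KEY}\\badsite.example]
"*"=dword:00000004
"""

KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, Tuple[str, object]]]:
    """Parse a regedit/reg.exe v5 export into {key_path: {value_name: (kind, data)}}.
    dword values become ints and quoted strings become str; other kinds are kept
    as the raw right-hand side so nothing is silently dropped."""
    keys: Dict[str, Dict[str, Tuple[str, object]]] = {}
    current = None
    logical: List[str] = []
    for line in text.splitlines():          # hex values wrap with a trailing backslash
        if logical and logical[-1].endswith("\\"):
            logical[-1] = logical[-1][:-1] + line.strip()
        else:
            logical.append(line)
    for line in logical:
        line = line.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            deleted, path = m.groups()
            current = None if deleted else keys.setdefault(path, {})   # "[-key]" = delete
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else ""       # "@" is the default value
            name = name.replace('\\"', '"').replace("\\\\", "\\")
            rhs = m.group(2).strip()
            if rhs.lower().startswith("dword:"):
                current[name] = ("dword", int(rhs[6:], 16))
            elif len(rhs) >= 2 and rhs.startswith('"') and rhs.endswith('"'):
                current[name] = ("sz", rhs[1:-1].replace('\\"', '"').replace("\\\\", "\\"))
            else:
                current[name] = ("raw", rhs)
    return keys


def zonemap_entries(keys: Dict[str, Dict[str, Tuple[str, object]]]) -> List[dict]:
    """Flatten ZoneMap\\Domains keys into one record per (hive, host, scheme).
    Subkeys are ordered domain then label, so the host name is the reversed join."""
    entries = []
    for path, values in keys.items():
        idx = path.lower().find(DOMAINS_MARKER)
        if idx < 0:
            continue
        parts = [p for p in path[idx + len(DOMAINS_MARKER):].split("\\") if p]
        if not parts:
            continue
        host = ".".join(reversed(parts))
        for scheme, (kind, data) in values.items():
            if kind == "dword":
                entries.append({"hive": path.split("\\", 1)[0], "host": host, "scheme": scheme,
                                "zone": data, "zone_name": ZONE_NAMES.get(data, f"zone {data}")})
    return entries


def suspicious_entries(entries: List[dict], allowed_suffixes: Tuple[str, ...] = ()) -> List[dict]:
    """Entries that LOWER security (Trusted Sites or Local Intranet) for a host not
    covered by the allow-list.  Restricted Sites entries raise security and pass."""
    def allowed(host: str) -> bool:
        return any(host == s or host.endswith("." + s) for s in allowed_suffixes)
    return [e for e in entries if e["zone"] in (1, 2) and not allowed(e["host"])]


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_EXPORT
    for e in suspicious_entries(zonemap_entries(parse_reg_export(text)), ("microsoft.com",)):
        print(f'{e["hive"]}  {e["host"]:<30} {e["scheme"]:<6} -> {e["zone_name"]}')
```

Run it with no argument to see the constructed sample flagged, or pass the path of a real `reg export` file. Treat the allow-list as something you justify per machine: a Trusted Sites entry is a legitimate administrative setting, and the question is only whether the domain is one you put there. The entries you cannot account for are the ones to remove (and then re-scan, since the key alone says nothing about whether the component that wrote it is still present).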
 
Scott

Thanks for the answers.

Scott
Los Angeles

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:%237kGdSxBJHA.2292@TK2MSFTNGP02.phx.gbl...
 