This guide is under construction, so the info is quick and not at all flashy.
Virtumonde is a rootkit trojan. By definition, it installs itself on your computer and changes certain system files so that it always re-enables itself no matter what you do. One of those files is the system beep (audio file). Among other things, it buries itself inside System Restore, makes multiple edits in the system registry, and drops random files in the \windows\system32 folder.
How Do I Know If I Have It?
First, you’ll probably notice your system running a lot more sluggishly than it normally does. This is because of the multiple edits Virtumonde is making to your computer: creating new infected files, pushing pop-ups to your screen, and grabbing every little bit of personal information it possibly can to ‘send home’. You’ll also probably notice a large number of pop-ups appearing even when you’re not browsing the internet.
Finally, and the most noticeable way, is to see the files it’s creating. Go to C:\Windows\System32 and change the view to Details. With all the files and folders listed, along with columns that say Date Modified, Size, etc., either right-click and tell the folder to sort by Date Modified, or click the Date Modified column heading to sort them. This puts all the files in order by the date they were modified. Scroll to the end of the list (top or bottom, depending on whether you’re sorting newest first or last). You should see some files with the current date on them, named something like “AKkklzklika.dll” or “ksqqidmks.dll”…the point is that you’ll see a .dll file with random characters in front of it…that’s an infected file.
So I Have An Infected File…Can’t I Just Delete It?
No. Here’s why. It buries itself into your system and replicates itself. One file that replicates it is the system beep…yeah, that audio file that goes “beep!” replicates the trojan. Also, you can’t delete them because they get loaded as soon as the Windows kernel is called into action. If you tried to delete them, they’d just replicate…besides, if you delete one it just errors out that it’s already in use and Windows will not let you delete it.
So I Cannot Delete It…Now What?
Well, actually, the best way to get rid of it is to delete it. Yes, I know above I said you cannot, but there is a way. You have to crash explorer.exe (which runs your Windows desktop) and then get to the files and delete them. See, once you crash Windows by killing the explorer.exe process, there’s a short window of time in which you can delete one file before it gets loaded into memory again.
So…are you ready? Here we go. You’ll need three free tools:
– CCleaner (free – http://www.ccleaner.com): be sure to install this WITHOUT the toolbar it asks you to install (the install screen with all of the checkboxes)
– UnLocker (free – http://ccollomb.free.fr/unlocker): this little tool lets you unlock a file (which kills the process using it) and delete it
– SDFix (free): this little program runs in safe mode, changes settings back to normal, reboots, then runs again in normal mode. Information on how to download SDFix, and help if it won’t run: http://www.bleepingcomputer.com/forums/topic131299.html
Step 1 – Tools Install
Download and install each of those programs.
CCleaner is a straight-up installer. Make sure you DO NOT install the toolbar. During the install it will pull up a screen with a lot of checkmarks on it. I leave everything checked EXCEPT the bottom item that says “Do you want to install the xxx Toolbar” (Ask, I think…may be the Yahoo toolbar). UNCHECK THAT OPTION and continue to install.
UnLocker is another straight-up installer. You shouldn’t have any problems with that.
SDFix may be a little bit more tricky. Use the link above and find where it says “SDFix Download Link” and click that link. On the page that pops up, on the right-hand side of the screen, is a link to download SDFix. Click it. SDFix.exe will want to download…go ahead and RUN or OPEN it. When it runs/opens, you may get a screen asking where to install SDFix to, and in the destination box will probably be “C:\”. That’s ok…leave it like that and hit the Install button. It will extract files into a new folder on your main hard drive, “C:\SDFix”.
Step 2 – Kill System Restore
Note: Killing System Restore will remove any saved points you currently have.
You must kill System Restore to make sure the rootkit has nowhere else to hide. If you leave it on, Virtumonde will bury itself in the restore points and just re-activate itself once you restart your computer.
To kill System Restore, click on Start, right-click on “My Computer” and choose Properties. Depending on your system configuration, My Computer may be an icon on your desktop. If so, right-click the icon there and choose Properties. The System Properties window will open and you will see a tab called “Restore” or “System Restore”. Click on that tab and you will see a check box that says something like “Turn Off System Restore”…go ahead and check that box and agree to what it’s going to do.
Step 3 – Reboot to Safe Mode
Turn off your computer. Once the power is fully off, turn it back on and keep pressing the F8 key. You want to get to a screen that asks whether you want to boot into safe mode. Choose “Safe Mode” – not the one with Command Prompt or Networking. Your computer will look funny but will boot up to the desktop with “Safe Mode” probably printed in each corner. Windows may pop up an alert asking if you’re sure you want to continue in safe mode…yes, you are sure – tell it to continue in safe mode.
Step 4 – Kill Those Processes
Once booted up, go to My Computer, C:, Windows, System32.
Change the view mode to Details.
Sort by Date Modified.
Scroll to the end of the list so that you’re looking at the newest added files.
Find a file that’s just a bunch of letters (lowercase or uppercase, it doesn’t matter), i.e. “lots of letters” (dot) dll.
Right-click on it and choose “Unlock” – the Unlocker window will open showing you all the processes that are using that file.
Select all of the processes in the window; on the bottom left of the window choose what to do (select DELETE), and on the right choose KILL ALL Processes.
Your computer will freak out and crash. This is because you’ve killed explorer.exe, which controls the Windows desktop, and since it crashed, it should have deleted the .dll file you had selected.
Wait a couple of minutes and Windows should recover itself. Repeat the process for the next odd-lettered (dot) dll file. Continue doing this until they are all deleted.
When all are deleted, go to Step 5.
NOTE: if you have trouble with this, just keep trying, possibly with different options, but the operation is roughly the same. Use Unlocker to kill the process and, when it’s killed, Unlocker should automatically delete the locked file.
NOTE: if you have trouble deleting these files, you can try to delete them in normal Windows mode (restart without pressing F8). If you go this route, make sure you empty your Recycle Bin as soon as each one is deleted using Unlocker. Be careful though, because as soon as you reboot to safe mode to run CCleaner and SDFix these .dll files could get reloaded and you’ll have to try to delete them in safe mode anyway.
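As an added example (not part of the original guide), here is a PowerShell equivalent of what the Unlocker window shows you in Step 4: every running process that currently has a given DLL mapped. The DLL path below is a placeholder built from one of the guide’s example names; the script assumes PowerShell 3.0 or later and an elevated (Run as administrator) prompt, since reading another process’s module list without it is refused.

```powershell
# Added example, not from the original guide: list every running process that has
# the given DLL loaded, the same information Unlocker shows before you kill them.
# $SuspectDll is a placeholder; substitute the random-named file you found in System32.
param(
    [string]$SuspectDll = 'C:\Windows\System32\ksqqidmks.dll'   # placeholder name
)

$name = [System.IO.Path]::GetFileName($SuspectDll)

# Processes whose module list we are not allowed to read (System, protected
# services, or anything when not elevated) are collected and reported at the end
# rather than silently skipped, so a "no hits" result is not mistaken for "clean".
$unreadable = New-Object System.Collections.Generic.List[string]

$hits = foreach ($p in Get-Process) {
    try {
        $mods = $p.Modules
    } catch {
        $unreadable.Add("$($p.ProcessName) (PID $($p.Id))")
        continue
    }
    foreach ($m in $mods) {
        if ($m.ModuleName -ieq $name) {
            [pscustomobject]@{
                Process = $p.ProcessName
                PID     = $p.Id
                Module  = $m.FileName          # full path actually mapped
                SizeKB  = [math]::Round($m.ModuleMemorySize / 1KB, 1)
            }
        }
    }
}

if ($hits) {
    "Processes holding $name open:"
    $hits | Format-Table -AutoSize
} else {
    "No inspectable process has $name loaded."
}

if ($unreadable.Count -gt 0) {
    "Could not inspect $($unreadable.Count) process(es); re-run elevated to cover them:"
    "  " + ($unreadable -join ', ')
}
```

Save it as a .ps1 and pass the file you found with -SuspectDll. If explorer.exe is in the list, that is exactly why the guide’s trick of killing it frees the file; if several system processes hold it, expect the crash described in Step 4 once you kill them all.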
Step 5 – Clean the System
Now that all of those bad files are deleted, let’s clean out the system using CCleaner.
If there is no desktop icon, try the Start menu…if it is not in the Start menu, then you may have to manually load CCleaner:
“CCleaner Manual Load – hit Ctrl+Shift+Esc to bring up Task Manager, OR right-click on the taskbar and select Task Manager, OR press Ctrl+Alt+Delete and select Task Manager. Once Task Manager is loaded, on the first tab (Applications, I believe) press the button to run a new task. Navigate to C:\Program Files\CCleaner and select ccleaner.exe.”
CCleaner should open up. There are two buttons you need to use. They are on the left, at the top. The top button lets you scan your computer to clean out temp files, history, etc. Click it and its options show up on the right. At the bottom is an Analyze button. Click it to analyze your computer, and when it’s finished, click the button to the right to clean everything. Once finished, click the 2nd button from the top on the left-hand side. This is the registry cleaner. Hit the scan button and, when finished, fix all items. Back up the registry if you want, but I never do.
When finished, close CCleaner.
Step 6 – Run SDFix
Once all the files are deleted and CCleaner has cleaned out your files and your registry, open My Computer and go to C:\SDFix.
Look for the file called “RunThis.bat” and double-click it.
A black window will open up and ask you to YES for run or NO to exit…YES, You Want To Run!!!!!!
SDFix will kill all open processes, close all windows, then begin to run.
It will do everything it needs to do automatically and will roughly take anywhere from 20 mins to an hour.
DO NOT TOUCH YOUR COMPUTER WHILE IT IS RUNNING…except to move the mouse if the screen saver comes on.
When SDFix is finished, it will tell you it needs to reboot your computer…do so.
When your computer reboots, SDFix will automatically run again
When finished, it will give you a log file. Just close it.
So…that’s pretty much all it does.
Go to C:\Windows\System32.
View by Details and sort by Date Modified.
Do you see any random-named (dot) dll files?
If so, repeat the process because Virtumonde is still there.
If they’re all gone, congrats. Virtumonde is now gone from your computer.
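This final check is the same System32 look described under “How Do I Know If I Have It?”. As an added example (not from the original guide), the PowerShell script below automates it: it lists DLLs in System32 modified recently, sorted newest first like clicking the Date Modified column, and flags the ones that combine a random-looking name with a missing or invalid Authenticode signature. The 3-day window, the “random name” heuristic, and the use of PowerShell 3.0 or later are all assumptions of this example, not anything the guide states.

```powershell
# Added example, not from the original guide: automate the System32 check.
# Assumptions: PowerShell 3.0+, $Days window, and the vowel-ratio name heuristic.
param(
    [int]$Days = 3,
    [string]$Folder = "$env:SystemRoot\System32"
)

function Test-RandomName {
    param([string]$BaseName)
    # Heuristic only: the guide's examples ("AKkklzklika", "ksqqidmks") are
    # letter-only runs with few vowels. Treat 8+ letters with under 30% vowels
    # as random-looking. Legit abbreviations will match too; the signature
    # check below is what separates them from dropped files.
    if ($BaseName -notmatch '^[A-Za-z]{8,}$') { return $false }
    $vowels = ([regex]::Matches($BaseName, '[aeiouAEIOU]')).Count
    return ($vowels / $BaseName.Length) -lt 0.30
}

$cutoff = (Get-Date).AddDays(-$Days)

$report = Get-ChildItem -Path $Folder -Filter '*.dll' -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and $_.LastWriteTime -ge $cutoff } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Name       = $_.Name
            Modified   = $_.LastWriteTime
            SizeKB     = [math]::Round($_.Length / 1KB, 1)
            Signature  = $sig.Status        # 'Valid' for properly signed files
            Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            RandomName = Test-RandomName $_.BaseName
        }
    }

# Newest first, the same view the guide tells you to set up by hand
"DLLs in $Folder modified in the last $Days day(s):"
$report | Sort-Object Modified -Descending | Format-Table Name, Modified, SizeKB, Signature, RandomName -AutoSize

$suspects = $report | Where-Object { $_.RandomName -and $_.Signature -ne 'Valid' }
if ($suspects) {
    "Suspect DLLs (recent, random-looking name, no valid signature):"
    $suspects | ForEach-Object { "  $($_.Name)  modified $($_.Modified)" }
} else {
    "No recently modified, unsigned, random-named DLLs found in $Folder."
}
```

Treat the suspect list as candidates to look at, not a verdict: on older Windows versions Get-AuthenticodeSignature reports many catalog-signed Microsoft files as NotSigned, so a legitimately named file can land in the list. A file that is both unsigned and matches the random-name pattern is the one worth checking against the guide’s description before you go back to Step 4.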