Virtumonde - Spyware/Trojan/Nasty

10-23-07, 10:30 PM
Anyone else coping with the newest version of Virtumonde? It goes by a lot of names and has really been around since '04, but this outbreak is fairly severe (at least in my area). Detection rates are hit or miss, and removal is a HUGE chore. It does porn popups, system-notification-like messages, changes your background....

I've heard that it's spreading through IM links and ... MySpace? We haven't narrowed it down, but it's spreading quickly nonetheless.

We've managed to remove it from some machines, but it requires significant process exploring, registry entry deletion, and deletion of files from the recovery console. Safe mode slows it down a bit, but it still gets its hooks in and locks some files. We can't wipe and reload student machines, but I've already wiped a few faculty/staff machines.

Some programs that are suggested to remove it actually render your system useless. It's likely because the bug creates a ton of random files in System32 that wreak havoc. We're running SAV, and of course it is utter garbage, but I've been hearing that even the more robust AV clients are getting their asses kicked. Spybot at least detects it (SAV does too now, with updates), but nothing is doing a good job of removing it. It requires all manual work, and a ton of it, to get rid of it. And even then it seems like a crapshoot since it hides all over.

Anyone else battling this pile of crap? Any suggestions?
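The manual work the post describes (find the dropped files in System32, find the registry entry that loads them, figure out which process has them locked) can be scripted as a first triage pass. The script below is an added example for this thread, not something posted by the original author and not a Virtumonde-specific cleaner: it lists DLL/EXE/SYS files created in System32 within a cutoff window (7 days is an assumed default), dumps the standard Windows autostart locations (Run keys, Winlogon Notify, Browser Helper Objects), and, for a given file name, reports which running processes have it loaded. Everything it prints is whatever is on the machine, not a known-bad indicator; a technician still has to judge each entry.

```powershell
# Added triage example (not from the original thread, not a Virtumonde-specific
# tool). Run as Administrator in PowerShell on the suspect machine.
param(
    [int]$Days = 7      # assumed window; widen it if the infection is older
)

$cutoff = (Get-Date).AddDays(-$Days)
$sys32  = Join-Path $env:SystemRoot 'System32'

# 1. Recently created binaries in System32. Droppers commonly land here with
#    random names; sort by creation time so the newest cluster is on top.
function Get-RecentSystem32Binaries {
    Get-ChildItem -Path $sys32 -ErrorAction SilentlyContinue |
        Where-Object {
            -not $_.PSIsContainer -and
            $_.CreationTime -gt $cutoff -and
            $_.Extension -match '^\.(dll|exe|sys)$'
        } |
        Sort-Object CreationTime -Descending |
        Select-Object CreationTime, Length, Name
}

# 2. Standard autostart locations (real Windows keys, not malware-specific).
#    An entry pointing at one of the files from step 1 is what has to go.
$autostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Show-AutostartEntries {
    foreach ($key in $autostartKeys) {
        Write-Host "`n== $key =="
        if (-not (Test-Path $key)) { Write-Host '(absent)'; continue }
        switch -Wildcard ($key) {
            '*\Run' {
                # Each value name is the entry, each value data is the command line.
                Get-ItemProperty -Path $key |
                    Select-Object * -ExcludeProperty PS* |
                    Format-List
            }
            '*\Winlogon\Notify' {
                # Each subkey names a DLL that Winlogon loads at logon.
                Get-ChildItem -Path $key | ForEach-Object {
                    $dll = (Get-ItemProperty -Path $_.PSPath).DLLName
                    "{0,-24} -> {1}" -f $_.PSChildName, $dll
                }
            }
            '*Browser Helper Objects' {
                # Subkeys are CLSIDs; resolve each to its InprocServer32 DLL path.
                Get-ChildItem -Path $key | ForEach-Object {
                    $clsid = $_.PSChildName
                    $srv   = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
                    $path  = (Get-ItemProperty -Path $srv -ErrorAction SilentlyContinue).'(default)'
                    "{0} -> {1}" -f $clsid, $path
                }
            }
        }
    }
}

# 3. Which processes have a given DLL loaded. This is why deletion fails from
#    a running session and why the post ends up in the recovery console.
function Find-LoadedModule {
    param([Parameter(Mandatory = $true)][string]$FileName)
    Get-Process -ErrorAction SilentlyContinue | ForEach-Object {
        $p = $_
        try {
            if ($p.Modules | Where-Object { $_.ModuleName -ieq $FileName }) {
                "{0} (PID {1})" -f $p.ProcessName, $p.Id
            }
        } catch { }   # access denied on some processes is normal, skip them
    }
}

Write-Host "== Binaries in $sys32 created after $cutoff =="
$recent = Get-RecentSystem32Binaries
$recent | Format-Table -AutoSize

Show-AutostartEntries

Write-Host "`n== Processes holding the recent files =="
foreach ($f in $recent) {
    $holders = Find-LoadedModule -FileName $f.Name
    if ($holders) { "{0}: {1}" -f $f.Name, ($holders -join ', ') }
}
```

Cross-reference the three outputs rather than trusting any one of them: a DLL that is both newly created and referenced from a Winlogon Notify or BHO entry, and is loaded into winlogon.exe or every explorer/iexplore instance, is the file to delete from the recovery console, after exporting and removing the registry entry that loads it. Files created inside the window that belong to a legitimate Windows Update are the expected false positives; check signatures before removing anything.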

10-24-07, 02:49 AM
I cleaned a few versions of this off some guy's laptop a couple of months ago. Took multiple passes of multiple cleaning utilities to get rid of it, and I had to do that while the damn thing was constantly opening IE windows, to the point where the system would be overloaded with 100% CPU usage, making all other tasks slow to a crawl. On top of that, the laptop is ancient and barely working, so it overheats and shuts down often.

'Twas not fun.