The following is a list of our top five most commonly viewed encyclopedia pages last month:

  1. TrojanSpy:Win32/Bancos.gen!A
  2. Win32/Vundo
  3. Trojan:Win32/Vundo.gen!H
  4. Trojan:Win32/Vundo.gen!P
  5. Win32/Alcan

It looks like our readers are really interested in Win32/Vundo, also known as Win32/Virtumonde. Of the 5 most popular malware encyclopedia entries last month, 3 are Win32/Vundo-related (2, 3, and 4). We have lots of details about it in our encyclopedia, but perhaps we should review some of the key points about this annoying multiple-component family of programs, which ultimately displays ads for potentially unwanted security software.

The reason we have so many different names and detections for this threat is that it contains several optional components. One such component is a “trojan dropper” or “trojan downloader”. This is the component responsible for initially acquiring, installing and executing the main application code that manages displaying pop-ups to the user. These components typically arrive either via an exploit delivered over the web and propagated through spam e-mails, or bundled with other "potentially unwanted software" that end users may have been tricked into installing.

Once running, it typically calls home to acquire advertising material and software updates. As part of this communication, we have observed that it sends information including e-mail account details, internet account details, OS version details (including the name of the person who registered the computer), network adapter information (including the MAC address), keyboard layout, crash logs, and a variety of other details about the user of the machine on which it has installed itself.

It also has the ability to auto-update itself, which is another way of saying the people behind it are able to push out any bits they like and have them silently installed on all machines that have Win32/Vundo installed. Further still, it may terminate other legitimate security software in order to protect itself from detection or removal.

As my colleague Marian alluded to in a previous post, the end result is that more ads will cause users to pay real money for fake software. The ads that Win32/Vundo displays are often manipulative and misleading: for example, falsely warning users that viruses were found on their systems and then instructing them to pay in order to remove the threats. Pretty nasty stuff.

For more information, take a look at our Win32/Vundo family analysis.

In case you're wondering about our #1 most commonly viewed encyclopedia write-up, Win32/Bancos: it employs a far simpler scheme to steal your money. It is a password stealer that collects your banking passwords and e-mails them back to its controller. This threat is so prevalent that we included detection and removal for it in our widely deployed MSRT tool as early as September of 2006!

Be careful out there…
Tareq Saade