Adware goes old school viral

Written by Editor
Sunday, 09 December 2007 13:09
It seems that one of the adware authors has been taking some lessons from the old school virus writers on how to make it extra hard to get rid of their crap and to ensure that their adware always gets run on system startup.
How, you may ask? Well, it seems the Virtumonde (a.k.a. Vundo) adware has been retrofitted by its authors with a new mechanism for infecting a victim. Virtumonde is a notoriously tricky piece of adware that can be very difficult to remove from an infected system. This new infection method is just going to make it a little harder to clean. Luckily the 'new method' is really an old one, just something that hasn't really been used by adware authors before.
Basically the new Virtumonde has code that lets it infect files in much the same way as a classic prepending virus. It searches the system for files that are loaded at system startup and then infects them by prepending the dropper code to the file. Thus when the infected file is run, it drops the original file into the %TEMP% directory and the Virtumonde code into the system directory, and executes both.
Virtumonde uses an infection marker to try to prevent reinfection; however, it has been noted that this isn't 100% effective. We have had several instances of reinfected files pass through the Virus.Org Malware Scanner over the last couple of days.
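To show how a cleaner deals with a prepending infector of the kind described above, including the case where the infection marker failed and a startup file was wrapped more than once, here is an added example; it is not Virtumonde's code nor Virus.Org's scanner, and the stub bytes, marker bytes and file layout are constructed stand-ins, not the real adware's values.

```python
import struct

# Constructed demo values: a hypothetical prepender stub and infection marker.
# They are NOT Virtumonde's real bytes; a real scanner would use vendor signatures.
STUB = b"DEMO-PREPENDER-STUB\x00"
MARKER = b"DEMO-INFECTION-MARKER\x00"
PE_MAGIC = b"MZ"  # every Windows executable starts with this DOS header magic

# Hypothetical infected layout: STUB | MARKER | u32 little-endian original length | original file


def is_infected(data: bytes) -> bool:
    """True if the file carries the prepender stub followed by its infection marker."""
    return data.startswith(STUB + MARKER)


def strip_one_layer(data: bytes) -> bytes:
    """Remove exactly one prepended stub and return the file that was wrapped inside it."""
    header_len = len(STUB) + len(MARKER)
    if not is_infected(data) or len(data) < header_len + 4:
        raise ValueError("not an infected file in the expected layout")
    (orig_len,) = struct.unpack_from("<I", data, header_len)
    body = data[header_len + 4:]
    if orig_len > len(body):
        raise ValueError("declared original length exceeds file size; refusing to truncate")
    return body[:orig_len]


def disinfect(data: bytes) -> tuple[bytes, int]:
    """Peel stubs until a clean file remains. Returns (clean_bytes, layers_removed).

    Loops because the infection marker does not reliably prevent reinfection,
    so a startup file may have been wrapped more than once.
    """
    layers = 0
    while is_infected(data):
        data = strip_one_layer(data)
        layers += 1
    if layers and not data.startswith(PE_MAGIC):
        raise ValueError("recovered payload is not a PE image; do not write it back")
    return data, layers


# Constructed samples: a stand-in "original" startup executable, then the same file
# infected once and, because the marker check was missed, a second time.
ORIGINAL = PE_MAGIC + b"\x90" * 14 + b"demo-startup-program"
INFECTED_ONCE = STUB + MARKER + struct.pack("<I", len(ORIGINAL)) + ORIGINAL
INFECTED_TWICE = STUB + MARKER + struct.pack("<I", len(INFECTED_ONCE)) + INFECTED_ONCE

if __name__ == "__main__":
    for name, sample in (("clean", ORIGINAL), ("once", INFECTED_ONCE), ("twice", INFECTED_TWICE)):
        clean, layers = disinfect(sample)
        print(f"{name}: infected={is_infected(sample)} layers={layers} recovered_ok={clean == ORIGINAL}")
```

The length sanity check and the PE magic check are what make the cleanup "safe": a cleaner that blindly strips a fixed-size stub would corrupt a file whose layout differs from what the signature promised.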
All in all, nothing really new: just an old, tried and tested technique that is now being employed by adware authors. Luckily the AV companies understand this infection vector extremely well, so their products are very adept at safely removing the malware code from infected files.