Endpoint Protection


Trojan.Vundo.H

  • 1.  Trojan.Vundo.H

    Posted Mar 12, 2009 11:01 AM

    I have had 3 computers in the last week that have been infected with Vundo.H.  SEP 11 MR4 finds it but cannot clean it automatically.  It comes back after each reboot.  It does not appear to be a new virus and Symantec has a cleaning tool available, but I don't understand why I should have to go through a manual process to clean this.

    I am getting pressure from my management as to why Symantec isn't cleaning this automatically.  We have paid a lot for SEP, so why isn't it automatically cleaning this up?  We are discussing running a third party anti-malware product in addition to SEP, but this should not be necessary if SEP was working as advertised.

     



  • 2.  RE: Trojan.Vundo.H

    Posted Mar 12, 2009 12:29 PM

    Wow, it's almost as if I wrote that post.  I have also had 3 computers infected with the Trojan.Vundo (by way of a "Hallmark" card).  In each case, SEP threw up a notice that it detected the trojan, but failed to actually do anything about it.  Scans do catch the bugger, but they ultimately reappear on reboot.  I know about Malwarebytes; it's a tremendous tool.  I've been using it and have pretty much gotten rid of the Vundo trojans, but I'm equally as curious as JSienk.  Why did this get past our virus protection in the first place?  I know there are different strains of it and detection is imperfect, but in this case, it detected it immediately.



  • 3.  RE: Trojan.Vundo.H

    Posted Mar 12, 2009 12:53 PM

    I had to use 4?5? products to get rid of that thing at home, and I still think it permanently messed up some part of my internet connection in the registry (some products still refuse to update). Symantec (AV) did not detect it at all.

    I think I ended up using Clamwin, Avira Antivirus, Superantispyware, and Malwarebytes' Anti-Malware. This was about 4 or 5 months ago, so perhaps SEP has improved on its vundo-busting capability since then... but I wouldn't count on it.

    Really nasty.



  • 4.  RE: Trojan.Vundo.H

    Posted Mar 12, 2009 01:04 PM

    More praise from me for MalwareBytes anti-malware. It's a wicked tool. On my home machine I run that plus AVG free, but AVG seems to be just a pretty icon. lol. Saying that, I don't tend to get any viruses/trojans at home. Any dodgy software (untested opensource/freeware etc) generally gets run/tested in a VM box (VirtualBox) so I can revert the snapshot straight away.

    Anyway I was trying to get at the fact that the FREE malware bytes software does more good than so many paid-for tools, plus it's pretty damn good on the resources and space it demands. Plus the reporting is bloody handy.

    Biggest problem I keep seeing on pupil/staff laptops where I work is MyWebSearch. That thing is a pain in the back-end. But then how can you educate people that don't want to know not to click "I accept" or "Yes I Want To Install That Toolbar" to everything.



  • 5.  RE: Trojan.Vundo.H

    Posted Mar 12, 2009 01:56 PM

    MalwareBytes is how we have been cleaning this up too, and in one case we had to re-image the machine.

    Again, my question is why can't SEP clean this up without us having to do manual virus fighting.  Perhaps Symantec should buy MalwareBytes Corp.



  • 6.  RE: Trojan.Vundo.H

    Posted Mar 12, 2009 02:10 PM

    If you haven't stumbled across this thread already, https://www-secure.symantec.com/connect/forums/xp-antivirus-2008, you might find it interesting.  Among the respondents is Malwarebytes' Anti-Malware Lead Researcher Bruce Harrison (handle: nosirrah).  They discuss some of the reasons why neither of these programs can handle the wide spectrum of threats on their own.  Unfortunately, I'm not really convinced that SEP fundamentally can't be expected to clean up things like XP Antivirus 2008 and Vundo.  If 3(!) developers can write and maintain MBAM, I just don't see a reason that Symantec can't come up with something similar.



  • 7.  RE: Trojan.Vundo.H

    Posted Mar 12, 2009 03:32 PM

    During my test rollout of SEP we had a user come to us infected with AV360, or Vundo.  It was a true test to see if Endpoint would clean it, as I was hoping that it would and that we wouldn't have to purchase even more software to clean infections.  I was disappointed to find the SEP did not clean it.  It got some of the files, but the main thing was it didn't stop the process from running.  I finished the cleanup with Malwarebytes. 



  • 8.  RE: Trojan.Vundo.H

    Posted Mar 13, 2009 05:16 AM

    Thanks Simc-pk. I haven't read that before. Was quite interesting. The author got a bit of a bashing for pointing out the facts though eh?!



  • 9.  RE: Trojan.Vundo.H

    Posted Mar 14, 2009 05:20 AM

    I also picked this one up on my computer and had to remove it with Malwarebytes. I use NOD32 and actually found this forum while looking for an alternative since NOD32 failed to even detect the trojan. I guess Symantec has a similar problem.

    It's funny that we all seem to rely on Malwarebytes to take care of it. 



  • 10.  RE: Trojan.Vundo.H

    Posted Mar 16, 2009 06:12 AM

    Has anyone tried Symantec's Trojan.Vundo removal tool?

    http://www.symantec.com/security_response/writeup.jsp?docid=2004-112210-3747-99

    I think this thread is a little bit unfair to Symantec. Malwarebytes is a tool for removal of already infected machines. It is not an antivirus security software.

    There is no Antivirus software today (that I know of) that has removal tools included by default.

    Perhaps I am wrong?



  • 11.  RE: Trojan.Vundo.H

    Posted Mar 16, 2009 08:44 AM

    Max... you are correct. If you look at the technical aspects of that bug, there are reasons you can't simply clean it in normal mode Windoze. It's more to do with Windoze than anything else.

    Even with malwarebytes software, I had to MANUALLY go into safe mode and do some cleaning ON MY OWN. Malwarebytes told me what was what and where, and did a "decent job" but it was up to me to remove hidden folders and files. Safe mode is the only way to kill it properly. I spent a FULL weekend on a notebook and then recently got a rootkit cleaned off a desktop. Similar things - it took safe mode and my expertise (been at this since the late 80's) to clean it.

    I do wish the Symantec products at least EXPLAINED the reason why you can't always simply remove these critters in normal mode while the user twiddles his/her thumbs. Blame Microsoft if you want to blame anyone.

    Several posters here hit the nail - many of these products are CLEAN UP AFTER THE DAMAGE IS DONE products, they won't keep the critter out to begin with.

    AvG free - good stuff, but they come right out and tell you it's not a solve-all tool either. They are honest about it.

    The BEST solution - KEEP OUT OF THOSE PLACES where these bugs reside! Don't open email attachments! Computer users are their own worst foe, plain and simple.  Want to solve the issue of those bugs? Practice safe computing, stay away from FREE STUFF (for you CHEAPSKATES out there that want something for nothing or feel "owed") stay away from "adult" sites (come on folks!) and don't open email you were not expecting, especially ATTACHMENTS. Too afraid of missing out on something? OR missing something that may be FREE?

    The sources for these infections - the way they get in is HIGHLY PUBLICISED... draw your own conclusions as to what I mean by that.

    NOW, there are many innocent that get these infections anyway - that's a fact! Hacked web sites, shoot, we even had to threaten a local TV station with blocking their web site from access by state agencies due to their web site contractor adding some nifty ads on their own, ads that placed spyware on state computers. I told the station general manager - clean up your site or I'll make sure no state computer can access it from now on. Humble apologies and assurances, and the issue was that the agency they hired from out east to build and maintain their site was a bit heavy-handed in the advertising. Within hours their site was changed!



  • 12.  RE: Trojan.Vundo.H

    Posted Mar 16, 2009 09:31 AM

    The thing is, if SEP can detect the trojan it should be able to prevent it from installing!

    We can understand that some trojans require restarts to remove completely, but we're paying for protection, and while unknowns will never be protected against completely, using the Pro-Active Threat Protection & BloodHound Heuristics as well as SEP's AV and AntiSpyware components, threats that SEP knows about and detects AFTER they've installed themselves shouldn't be allowed to install in the first place.

    /rant



  • 13.  RE: Trojan.Vundo.H

    Posted Mar 16, 2009 09:41 AM

    I have bloodhound set to the max here and antivirus2009 still ended up installed on a user computer. So I know where that's coming from, BUT, it was a new, brand new, variant. It was 2 hours after I submitted the files that the next defs actually detected it. Too late, I'd already manually removed it. Now why didn't bloodhound detect it? Possibly because it was an app that installed and was more adware and pop-ups and did little file-manipulation as far as destroying Windoze files and didn't "infect" in the methods most folks think of. But Symantec is very familiar with these "new methods" so should still block or at least WARN - do you REALLY want to let this thing install??

    MS's boot-up protection and checks do just that.

    These users are no ordinary computer users, they are non-computer users and have the "if it's there, I should thus click on it!" attitude. And the "it's in my inbox, thus it's for me and important that I open it" attitude. Doesn't matter what we say or do.

    (in other words, they invite stuff in and are happy to do so lest they miss out on something)



  • 14.  RE: Trojan.Vundo.H

    Posted Mar 16, 2009 10:35 AM

    It seems that these kinds of trojans are able to hide themselves from SEP until they already caused some damage.

    Trojans do not self replicate themselves like viruses they depend on user interaction to spread themselves. Either through e-mail or web browsing urging the user to download or click ok on popup messages to infect the pc.

    I am curious why SEP is not blocking this by default. I mean in what way does the trojan work to "fool" SEP.

    I am sure that with a correct setting/configuration of SEP it should be possible to block also trojan.vundo.

    For instance with Intrusion Prevention Policy enabled it looks like trojan.vundo is blocked by default. Anyone who got infected that had this policy enabled?

    [screenshot of the Intrusion Prevention policy not preserved]



  • 15.  RE: Trojan.Vundo.H

    Posted Mar 17, 2009 06:21 AM

    Hi,

    We had some clients that were infected with a variant of Trojan.Vundo, and SAV 10 and SEP 11 detected this as Packed.Generic.217. We saw that the SAV 10 clients actually stopped the Trojan, but SEP 11 detected the Trojan and couldn't stop the infection. The Trojan then disabled SEP 11 (tamper protection is off). Since we thought it was a Trojan we reinstalled the infected clients. But we also noticed the infected clients had the capability to send out emails. After updating Symantec with this information they changed the detection from Trojan.Vundo to W32.Ackantta.B@mm. The technical details about Ackantta are not what we saw, but the payload is the same.
    Still the question is how could SAV 10 stop the infection while SEP 11 was affected and disabled by the worm? No other technology detected this, such as PTP or the IPS part.

    This happened to more than 10 computers.
    /Stickan


  • 16.  RE: Trojan.Vundo.H

    Posted May 26, 2009 12:03 AM
    My husband's comp WAS set to have it blocked, and somehow picked it up anyway; apparently from an unwanted and source-unknown copy of that PITA "mywebsearch" thing.  Would love to know why the program I paid for didn't block it, OR take it off.  Used MalwareBytes for that, and maybe (hoping) it's gone now.


  • 17.  RE: Trojan.Vundo.H

    Posted May 28, 2009 01:03 PM
    Most of the time I've seen Vundo was in the form of a "Pop Up" window with FAKE frames, buttons and scroll bars:

    [screenshot of the fake pop-up window not preserved]

    It automatically downloads the exe when you click or sometimes even hover. If you set your browser settings up using these recommendations the web version of Vundo won't be an issue.

    Lockdown IE7 or 8: enable or disable the following
    1. Enable - Empty Temporary Internet Files folder when browser is closed
    2. Disable - Allow installation of desktop items
    3. Disable - Open windows without address or status bars
    4. Disable - Launching applications and files in an IFRAME
    5. Disable - Allow active scripting
    6. Disable - Allow file downloads
    7. Restrict file size limits for Internet zone to 32 KB
    8. Restrict File Download for Internet Explorer Processes

    And of course don't run iexplore.exe as your own account.
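    The following PowerShell script is an added example for this thread, not something the poster or Symantec supplied. It audits the current user's Internet-zone (zone 3) settings against items 1 through 6 of the list above and can apply them, with `-WhatIf` support so the change can be previewed first. The registry value IDs used (1800, 2104, 1804, 1400, 1803) and the `Cache\Persistent` value are my own assumptions about how IE stores these URL actions; check them against the IE version in use before relying on the script. Items 7 and 8 are Internet Explorer feature controls stored outside the zone key and are not covered here.

```powershell
# Added example (not from the thread): audit and optionally apply the per-user
# IE Internet-zone restrictions from the post above.
# Assumed URL-action IDs under the zone key: 0 = enabled, 1 = prompt, 3 = disabled.

$ZoneKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$CacheKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache'

# Desired hardened state for the Internet zone, keyed by (assumed) URL-action ID.
$Desired = [ordered]@{
    '1800' = @{ Name = 'Installation of desktop items';                            Value = 3 }
    '2104' = @{ Name = 'Open windows without address or status bar';              Value = 3 }
    '1804' = @{ Name = 'Launching programs and files in an IFRAME';               Value = 3 }
    '1400' = @{ Name = 'Active scripting';                                        Value = 3 }
    '1803' = @{ Name = 'File download';                                           Value = 3 }
}

function Get-IeZoneAudit {
    # Emits one object per setting showing the current value and whether it
    # already matches the hardened value. A missing value means IE's default.
    foreach ($id in $Desired.Keys) {
        $current = (Get-ItemProperty -Path $ZoneKey -Name $id -ErrorAction SilentlyContinue).$id
        $shown = 'not set (IE default)'
        if ($null -ne $current) { $shown = $current }
        [pscustomobject]@{
            Id        = $id
            Setting   = $Desired[$id].Name
            Current   = $shown
            Desired   = $Desired[$id].Value
            Compliant = ($current -eq $Desired[$id].Value)
        }
    }
}

function Set-IeZoneLockdown {
    # Applies the hardened values. Run with -WhatIf to see what would change.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($id in $Desired.Keys) {
        if ($PSCmdlet.ShouldProcess("$ZoneKey\$id", "set to $($Desired[$id].Value)")) {
            Set-ItemProperty -Path $ZoneKey -Name $id -Value $Desired[$id].Value -Type DWord
        }
    }
    # Item 1: empty Temporary Internet Files when the browser closes
    # (assumed to map to Cache\Persistent = 0).
    if ($PSCmdlet.ShouldProcess("$CacheKey\Persistent", 'set to 0')) {
        Set-ItemProperty -Path $CacheKey -Name 'Persistent' -Value 0 -Type DWord
    }
}

# Audit first, preview the change, then drop -WhatIf to commit.
Get-IeZoneAudit | Format-Table -AutoSize
Set-IeZoneLockdown -WhatIf
```

    Run the audit against a few representative machines before committing the lockdown, since the reply that follows notes that disabling file downloads and active scripting breaks some business web applications; the audit output makes it easy to see which settings you later had to back off.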


  • 18.  RE: Trojan.Vundo.H

    Posted May 29, 2009 07:43 AM
    Those are good in some cases, but we've found that it so restricts the browser as to be almost unusable in business environment - there are web-based apps that just won't work if you disallow file downloads (reports don't work in our own in-house apps because they are created and downloaded and printed on the fly, for example) and the file size restriction means that some web sites won't appear properly.
    We've also found disallowing active scripting screws up some updating and other processes that are needed.
    All I can advise is try that list, but you MAY have to back off some of those settings if you then find that things you require suddenly don't work.
    We had to...


  • 19.  RE: Trojan.Vundo.H

    Posted May 29, 2009 07:18 PM
    That's why you have two Internet Explorer shortcuts, one for business and one for personal use. The personal shortcut is RUNAS a restricted user with limited capabilities. The business one is less secure but allows people to get their *work* done, basically a default install of IE7.


  • 20.  RE: Trojan.Vundo.H

    Posted Dec 21, 2009 07:10 AM
    Wow, I'm actually removing Vundo.H from my computer now with Malwarebytes'! I'm on my laptop, hoping that it will work...oh please let it work...all those redirects...


  • 21.  RE: Trojan.Vundo.H

    Posted Feb 05, 2010 07:39 PM
    I totally agree with everyone who has completely bashed SEP for not even detecting it. I started getting hidden ads...no popups. There were just voices talking and I was getting hidden iexplore.exe processes. I did a full scan and it found some nasties but I still was getting the hidden ads. So I then realized that I had malwarebytes installed because we use it quite extensively where I work (school system) to remove a lot of things that our current AV (Kaspersky) can't stop. I ran it and within 10 seconds it had already detected vundo.h. I had Kaspersky installed on my home pc as well and it didn't catch it either, so Symantec isn't alone in the aspect that it can't stop everything. I also understand the inability to block everything that gets varianated or comes out, and I applaud Symantec for coming out with umpteen thousand new entries a week...I just wish those definitions were some that really mattered and have been out there for some time like Vundo..