Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


I Captured & Submitted An Evil Bho Dll

  • Please log in to reply
1 reply to this topic

#1 J. Merrill

J. Merrill

  • Members
  • 2 posts
  • Local time:11:38 AM

Posted 16 January 2007 - 06:26 PM

I posted (to the "submit malware" page) a .zip file containing a .DLL that I feel certain is not a good boy. It and another similar BHO were both in a co-worker's system32 directory; at the point that we made copies of them and were able to remove them, Norton Anti-Virus didn't recognize either as bad. They both loaded even when in "safe mode" as they were under WinLogon\Notify in the registry, and were properly installed COM objects. They both had the fun behavior that if you removed them from the registry, they added themselves back.

When I went to copy them to a USB stick a few hours later, NAV popped up -- the latest signature updates recognized one of the two and deleted it summarily (without asking or quarantining it). So I don't have one of the two DLLs. However, I do have the output of Process Explorer's "strings in memory" analysis of both DLLs.

My attempts to send this to Symantec so far have been thwarted by the fact that all they tell me is how to submit a file that's been identified as bad by NAV. It doesn't have any kind of upload-file mechanism.

If you folks find anything out about this bad guy, I'd appreciate knowing about it.

BC AdBot (Login to Remove)


#2 Papakid


    Guru at being a Newbie

  • Malware Response Team
  • 6,663 posts
  • Gender:Male
  • Local time:10:38 AM

Posted 16 January 2007 - 09:17 PM

Hi J.

I'm assuming you submitted vtzip.zip. That file is related to the Vundo family of Trojans and is actually quite common. I know it may be new to you but this post has been moved from the Breaking Virus & Security News forum as that is mostly for news events of a wider scope such as new outbreaks and trends.

The behavior you describe has also been happening for almost three years now--hooking into Windows by the Winlogon notify key and other related infections use that technique. Most antivirus and other malware scanners/cleaners aren't designed to deal with it. Manual removal is rather involved, so some special removal tools have been developed to make removal easier. More info can be found here: How To Remove Winfixer / Virtumonde / Msevents / Trojan.vundo.b

I've Googled this file name and got several hits, mostly from the latter part of 2005. So it's not even a new version or variant. We thank you for the submission, but I hope that you understand that it is mostly for new and unknown infections that may need new removal methods. Submittals are usually requested in conjunction with malware removal sessions using HijackThis as a starting point for analyses, both here and in other forums. As you might imagine, if we rook submittals for every suspicious file, we would soon be inundated, so it helps us a lot if some research is done on them first.

Also, from your introduction post, you appear to have searched for a place to submit the file when Norton wouldn't take it. Some of our analysts do submit to vendors but in general we don't work for them. I'm a bit surprised that Syamantec makes it so hard for end users to submit a file, with others it is very easy, so you may want to consider switching to something else. For example, I reported a false positive to Kaspersky thru their interface and got a notice that it was removed from the definitions in short order.

You can also kill two birds with one stone by submitting files to Jotti's and Virustotal

They will usually tell you if the file is bad or not, and the file is submitted to the AV vendors listed so they can update their database. I submitted the file you submitted at jotti's and got these results:

Scan taken on 17 Jan 2007 00:43:52 (GMT)

Found HEUR/Malware

Found Adware.Look2me.Jb

Found nothing

AVG Antivirus
Found Lop.AS

Found nothing

Found nothing

Found Trojan.Virtumod

F-Prot Antivirus
Found nothing

F-Secure Anti-Virus
Found not-a-virus:AdWare.Win32.Virtumonde.fp (4, 1, 400)

Found nothing

Kaspersky Anti-Virus
Found not-a-virus:AdWare.Win32.Virtumonde.fp

Found nothing

Norman Virus Control
Found nothing

Found Adware.Vundo.Gen!Pac2

Found Adware.Vundo.B

Now this file may still have changed, altho the name is old so we will look into it. So thanks again and I hope this answered your question. I would still strongly recommend that your co-worker submit a HijackThis log, even if the removal tool(s) are used. To do so follow the instructions in this thread and post the log in the HJT forum, not here, as that will ensure you get advice only from those trained in the malware removal area.

We always did feel the same

We just started from a different point of view

Tangled up in blue--Bob Dylan

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users