Adware.VirtuMonde

Updated: June 15, 2006
Systems Affected: Windows

Behavior

Adware.VirtuMonde is an adware program that downloads and displays popup advertisements.

Antivirus Protection Dates

  • Initial Rapid Release version October 02, 2014 revision 022
  • Latest Rapid Release version June 30, 2017 revision 020
  • Initial Daily Certified version December 10, 2003 revision 007
  • Latest Daily Certified version July 01, 2017 revision 002
  • Initial Weekly Certified release date December 10, 2003

When the program runs, it adds one of the following registry entries so that the adware runs whenever Windows starts:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"WindowsUpd" = "[ADWARE FILENAME]"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"SysUpd" = "[ADWARE FILENAME]"

The program creates one of the following registry subkeys to store the configuration information:
HKEY_CURRENT_USER\Software\Microsoft\WindowsUpd
HKEY_CURRENT_USER\Software\Microsoft\SysUpd

The program also creates the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CA21E6FA-41D9-4F05-9650-8B3FBE72124D}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEpl.IEpl
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEpl.IEPl.1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CA21E6FA-41D9-4F05-9650-8B3FBE72124D}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDA4DFFB-2C3D-4730-8D7E-28523C7F2F67}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tdev
HKEY_USERS\S-1-5-21-1887652994-1477516851-2064603551-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CA21E6FA-41D9-4F05-9650-8B3FBE72124D}
HKEY_LOCAL_MACHINE\SOFTWARE\TargetSoft
HKEY_CLASSES_ROOT\CLSID\{FDA4DFFB-2C3D-4730-8D7E-28523C7F2F67}
HKEY_CLASSES_ROOT\DosSpecFolder.DosSpecFolder
HKEY_CLASSES_ROOT\DosSpecFolder.DosSpecFolder.1
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{FDA4DFFB-2C3D-4730-8D7E-28523C7F2F67}

The program also creates the following files:
%System%\cidrules.dll
%System%\wincore.dll
%System%\winhost32.exe
%System%\winupd.dll
%UserProfile%\Local Settings\Temp\cidrules.dll
%UserProfile%\Local Settings\Temp\wincore.dll

The program periodically makes an HTTP connection to virtumonde.com, on port 80 or 8081, to download commands and popup advertisements.
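The following read-only host check, added here as an example and not part of the original write-up, looks for the registry keys, Run values and files listed above. It assumes Windows PowerShell 5.1 or later run from an elevated prompt so HKLM is readable, treats the machine-specific HKEY_USERS\S-1-5-21-... path as the current user's Ext\Stats key, and maps %UserProfile%\Local Settings\Temp to $env:LOCALAPPDATA\Temp, its location on current Windows versions.

```powershell
# Added example: check a host for the Adware.VirtuMonde indicators listed in this write-up.
# Reports only; it changes nothing. Assumes an elevated Windows PowerShell session.

$runKey    = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$runValues = @('WindowsUpd', 'SysUpd')          # value names the adware uses for autostart

$keys = @(
    'HKCU:\Software\Microsoft\WindowsUpd',       # configuration store (one of two names)
    'HKCU:\Software\Microsoft\SysUpd',
    'HKLM:\SOFTWARE\Classes\CLSID\{CA21E6FA-41D9-4F05-9650-8B3FBE72124D}',
    'HKLM:\SOFTWARE\Classes\IEpl.IEpl',
    'HKLM:\SOFTWARE\Classes\IEpl.IEPl.1',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CA21E6FA-41D9-4F05-9650-8B3FBE72124D}',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDA4DFFB-2C3D-4730-8D7E-28523C7F2F67}',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tdev',   # logon notification package
    'HKLM:\SOFTWARE\TargetSoft',
    'Registry::HKEY_CLASSES_ROOT\CLSID\{FDA4DFFB-2C3D-4730-8D7E-28523C7F2F67}',
    'Registry::HKEY_CLASSES_ROOT\DosSpecFolder.DosSpecFolder',
    'Registry::HKEY_CLASSES_ROOT\DosSpecFolder.DosSpecFolder.1',
    # Assumption: the per-SID HKEY_USERS entry in the write-up is checked for the current user.
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{CA21E6FA-41D9-4F05-9650-8B3FBE72124D}',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{FDA4DFFB-2C3D-4730-8D7E-28523C7F2F67}'
)

$sys   = "$env:SystemRoot\System32"               # %System% on a 32-bit install or native 64-bit shell
$temp  = "$env:LOCALAPPDATA\Temp"                 # assumption: modern location of Local Settings\Temp
$files = @("$sys\cidrules.dll", "$sys\wincore.dll", "$sys\winhost32.exe", "$sys\winupd.dll",
           "$temp\cidrules.dll", "$temp\wincore.dll")

$findings = New-Object System.Collections.Generic.List[string]

foreach ($v in $runValues) {
    $p = Get-ItemProperty -LiteralPath $runKey -Name $v -ErrorAction SilentlyContinue
    if ($p) { $findings.Add("Autostart value present: $runKey\$v = $($p.$v)") }
}
foreach ($k in $keys) {
    if (Test-Path -LiteralPath $k) { $findings.Add("Registry key present: $k") }
}
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $findings.Add("File present: $f") }
}
# Optional: a cached lookup of the command-and-control host (cmdlet exists on Windows 8 / Server 2012 and later).
$dns = Get-DnsClientCache -Name 'virtumonde.com' -ErrorAction SilentlyContinue
if ($dns) { $findings.Add("DNS cache contains virtumonde.com -> $($dns.Data -join ', ')") }

if ($findings.Count -gt 0) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'No Adware.VirtuMonde indicators from this write-up were found.' }
```

On a 64-bit host where a 32-bit copy of the adware was installed, also check the SysWOW64 directory and the WOW6432Node registry views, which the write-up (dated 2006) does not cover.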