Summary
| Affected operating systems | Windows |
|---|---|
| Protection available since | 19 October 2007 20:12:09 (GMT) |
| Last updated | 3 November 2009 00:35:14 (GMT) |
| Detected by | All Sophos products |
Action
Issue
How to remove Troj/Virtum-Gen (also known as Virtumundo) from your computers.
Sophos product and version
Sophos Anti-Virus for Windows 2000+
Operating system
Windows 2000, Windows XP, Windows 2003
What to do
IMPORTANT: Do not attempt to use SAV32CLI to remove Troj/Virtum-Gen (Virtumundo).
If a Sophos on-access or on-demand scan detects Troj/Virtum-Gen, the 'Clean Up' and 'Delete' options become unavailable. You must run a full system scan to remove it. You can run the scan either from Enterprise Console or locally on the infected computer.
- Run a full system scan:
  - From Enterprise Console:
    - In the console, right-click the infected computer.
    - From the menu, select 'Full system scan'.
  - On the infected computer(s):
    - Right-click the Sophos shield and select 'Open Sophos Anti-Virus'.
    - Click 'Set up a new scan'.
    - Select all drives.
    - Click 'Configure this scan'.
    - In the dialog box, ensure that 'Scan all files' is selected, then click OK.
    - Click 'Save and start'.
- Once the scan completes, the 'Clean Up' option should be available. Select that option.
- When prompted, reboot the computer(s).
- Run a second scan to verify that Troj/Virtum-Gen has been removed.
If this procedure fails to remove Troj/Virtum-Gen, contact Sophos Technical Support.
If you need more information or guidance, then please contact technical support.
These instructions are also available in the knowledge base article: Troj/Virtum-Gen (Virtumundo) clean up procedure.
More Information
Troj/Virtum-Gen, also known as Virtumundo, is a family of malware which is used as a distribution network for other malicious software. Troj/Virtum-Gen is most commonly encountered as a DLL file which is injected into web browsers. The Trojan then modifies search results, displays popups and downloads other malware.
Troj/Virtum-Gen is a large family, with new versions of the Trojan released frequently, sometimes more than once per day. It also uses server-side polymorphism in an attempt to conceal new versions from anti-virus scanners.
Troj/Virtum-Gen is usually installed into the system folder as a DLL with a randomly generated name, usually 8 characters long, such as qonfxmme.dll or pwygsrbl.dll.
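The naming pattern above (an 8-letter, lowercase, randomly generated DLL name in the system folder) is something a responder can triage across a directory listing before a full scan finishes. The following is an added example, not Sophos code: it flags names that match the pattern and look machine-generated (long consonant clusters or almost no vowels), skipping an allowlist. The thresholds, the sample listing and the `virtum_candidates` helper are assumptions constructed for this example.

```python
import re
from typing import Iterable, List

# Pattern the advisory gives for Troj/Virtum-Gen: a DLL in the system
# folder with a randomly generated, usually 8-letter, lowercase name.
VIRTUM_NAME_RE = re.compile(r"^[a-z]{8}\.dll$")
VOWELS = frozenset("aeiouy")


def longest_consonant_run(stem: str) -> int:
    """Length of the longest run of consecutive non-vowel letters."""
    longest = run = 0
    for ch in stem:
        run = 0 if ch in VOWELS else run + 1
        longest = max(longest, run)
    return longest


def looks_random(stem: str) -> bool:
    """Heuristic (assumed thresholds): pronounceable Windows names such as
    setupapi or wintrust keep vowels spread out; generated names tend to
    have long consonant clusters or hardly any vowels."""
    vowels = sum(1 for ch in stem if ch in VOWELS)
    return vowels <= 1 or longest_consonant_run(stem) >= 4


def virtum_candidates(filenames: Iterable[str],
                      allowlist: Iterable[str] = ()) -> List[str]:
    """Names matching the Virtumundo pattern that also look random,
    minus anything on the caller's allowlist. Sorted for stable output."""
    allow = {n.lower() for n in allowlist}
    hits = []
    for name in filenames:
        lowered = name.lower()
        if lowered in allow or not VIRTUM_NAME_RE.match(lowered):
            continue
        if looks_random(lowered[:-4]):      # strip ".dll" before scoring
            hits.append(name)
    return sorted(hits)


# Constructed directory listing (not real system data): the two names the
# advisory cites, plus legitimate-looking Windows DLL names for contrast.
SAMPLE_LISTING = [
    "kernel32.dll", "setupapi.dll", "wintrust.dll", "schannel.dll",
    "winspool.drv", "qonfxmme.dll", "pwygsrbl.dll", "iertutil.dll",
]

if __name__ == "__main__":
    for hit in virtum_candidates(SAMPLE_LISTING):
        print("candidate for analysis:", hit)
```

A hit is only a lead for further analysis; the removal steps in the Action section still apply, and a name heuristic will not catch every variant of a family that changes this often.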
Several examples of the behavior of Troj/Virtum-Gen are described in the SophosLabs blog:
- Virtumundo - a malware distribution service
- A Virtual World of Mal-Intent
- Send malware the easy way...