ElitED
2007-08-30, 22:19
Out of the blue yesterday, S&D on a normal reboot autoscan detected 'Virtumonde' in a dll file in my SYSTEM32 directory. I am suspicious of this as this machine is not used for any unusual activity, I have the current Norton AV w/ subscription running all the time (and it has been updated/running for years on this machine), MS WinDefender is running and current, and of course the best, S&D, running with immunization and realtime protection options all up.
I noticed there seems to be an update of some sort for Virtumonde in the latest update file for S&D which was issued around the time of yesterday's curious scan. Looking back in the logs for prior scans, I see the same dll was flagged as 'Virtumonde library' on a scan on the 23rd of the month too, but there was no prompting to fix it as that scan was likely done overnight not on a reboot. Other than some tracking cookie and reg entries, S&D had no other hits.
I allowed S&D to 'fix' the Virtumonde problem, but it required a reboot as the file could not be deleted.
Upon reboot and rescan, the dll file was still there. I tried this sequence twice. I then ran the Kaspersky online scan and it did not complain about Virtumonde - only finding the old quarantined macro-virus-infected Word files from years ago. Furthermore, I was able to go into Explorer and simply delete the 'infected' dll file without any problem.
The filename in question is:
C:\WINDOWS\SYSTEM32\susrtas.dll
Size: 31.0 KB (31,747 bytes)
Created: April 15, 2006, 10:20:17 PM
Modified: May 21, 1996, 4:28:24 PM
Accessed: August 30, 2007, 11:48:03 AM <Probably from my manual scan attempts with Kaspersky, NaV, etc.>
I googled and searched online in several places and found no reference to the filename so I have no idea when it was added and by what. I find it strange that no hits were made for the filename anywhere - usually legit DLL files get posted about somewhere on the web!
I would be happy to send a copy of the dll to help in figuring out if this is a false hit.
Thanks for your help.