Thread: Virtumonde.sdn

  1. #1
    Junior Member
    Join Date
    May 2008
    Posts
    8

    Default Virtumonde.sdn

    The last two weeks, after updating with the latest definitions, at the conclusion of a scan Spybot reports a Virtumonde.sdn infection, as follows:

    Virtumonde.sdn: [SBI $4F0ABAF2] Settings (Registry key, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\PFW

    I suspect that this may be a false positive, but would appreciate help from those in the know. If it's not a false positive, what steps should I follow to fix the problem?

    OS: Windows XP SP3 Professional
    Browser: IE6
    Spybot: 1.6.0.30
    Latest definitions Update: 28 April 2010
    Report appeared following a routine scan

    Regards,

    John

    Image of the Registry key involved is attached:
    Last edited by marjohnau; 2010-04-29 at 01:57.

  2. #2
    Senior Member
    Join Date
    Oct 2005
    Location
    Germany
    Posts
    5,263

    Default

    Hello,

    You seem to be using a dated version of Spybot-S&D.
    Please uninstall Spybot - Search & Destroy according to the following link.
    Then download our current version Spybot - Search & Destroy 1.6.2.
    You will find links to several download locations for this new version on our web site.

    Best regards
    Sandra
    Team Spybot

  3. #3
    Senior Member Yodama's Avatar
    Join Date
    Oct 2005
    Location
    Buchenheim
    Posts
    1,110

    Default

    hello John,

    Please look for the following file on your computer: UmxWnp.dll
    The Virtumonde.sdn detection you receive is connected to this file.

    If you find the file please send it to detections@spybot.info along with a full Spybot S&D report file for analysis.

    If you do not find the file you can safely fix the item Spybot S&D finds.


    Please also consider upgrading your Internet Explorer to the current version. Internet Explorer 6.0 is very outdated and very vulnerable; it is also not compatible with common web standards.
    born in the shadow to die in the shadow, that is the fate of the shinobi

    Spybot S&D Downloads

    Please help us improve Spybot and download our distributed testing client.
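    As an added example (not from this thread, Team Spybot, or Spybot S&D itself), the PowerShell below lists every Winlogon Notify package, the DLL its DLLName value points to, whether that file is actually on disk, its signature status and SHA-256. That is the information worth collecting before deciding whether a flagged key such as Winlogon\Notify\PFW is a false positive or should be fixed and reported. It assumes PowerShell 2.0 or later on the machine being checked.

```powershell
# Enumerate Winlogon Notify packages and resolve the DLL each one loads.
# Added example, not Spybot's code; runs on PowerShell 2.0+ (no Get-FileHash needed).
$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'

function Get-WinlogonNotifyPackage {
    param([string]$Key = $notifyKey)
    if (-not (Test-Path $Key)) { return }          # no Notify subkeys on this system
    Get-ChildItem $Key | ForEach-Object {
        $props = Get-ItemProperty $_.PSPath
        $dll   = [string]$props.DLLName
        # A bare file name is loaded from the system directory; a full path may use %vars%.
        $resolved = if ($dll -and -not [System.IO.Path]::IsPathRooted($dll)) {
            Join-Path $env:SystemRoot ('System32\' + $dll)
        } else {
            [System.Environment]::ExpandEnvironmentVariables($dll)
        }
        $exists = [bool]($resolved -and (Test-Path -LiteralPath $resolved))
        $hash = $null
        $signed = $null
        if ($exists) {
            # SHA-256 of the file, suitable for quoting in a report or an exclusion.
            $sha    = [System.Security.Cryptography.SHA256]::Create()
            $stream = [System.IO.File]::OpenRead($resolved)
            try   { $hash = [System.BitConverter]::ToString($sha.ComputeHash($stream)).Replace('-', '') }
            finally { $stream.Close() }
            $signed = (Get-AuthenticodeSignature -FilePath $resolved).Status
        }
        New-Object PSObject -Property @{
            Package  = $_.PSChildName   # e.g. the "PFW" subkey named in the report
            DLLName  = $dll
            Resolved = $resolved
            Exists   = $exists          # a key whose DLL is missing is a stale entry, not a loader
            Signed   = $signed
            SHA256   = $hash
        }
    }
}

Get-WinlogonNotifyPackage | Format-Table Package, DLLName, Exists, Signed, SHA256 -AutoSize
```

A package whose DLL is not present on disk cannot load anything at logon, which is the "if you do not find the file" case above; when the file is present, the hash and signature status are what to send with the report.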

  4. #4
    Junior Member
    Join Date
    May 2008
    Posts
    8

    Default

    Yodama,

    Thanks to both you and Sandra for your replies to my post.

    I have taken Sandra's advice and installed version 1.6.2; following that I downloaded the latest updates etc. and then did a scan.

    Once again Spybot reported a Virtumonde.sdn infection, so I searched for and found the file UmxWNP.dll; I have sent it with the log file to the address provided.

    Looking forward to receiving the results of the analysis.

    Regards,

    John

    PS. I'll also take your advice regarding upgrading IE to the latest version, but it will have to wait a *little* longer.

  5. #5
    Senior Member Yodama's Avatar
    Join Date
    Oct 2005
    Location
    Buchenheim
    Posts
    1,110

    Default

    Thanks for your feedback and for sending in the requested file.
    I can confirm that it is a false positive.
    The next detection update will correct this issue; you can also exclude this false positive from further searches as described in the email reply.

  6. #6
    Junior Member
    Join Date
    May 2008
    Posts
    8

    Default

    Yodama,

    Thanks to you, and all involved, for the prompt analysis of the file, and for the confirmation that it is a false positive.

    Appreciate your friendly and helpful service.

    Regards,

    John
