Virtumonde windshield malware

February 9, 2009

The SonicWALL UTM Research team observed a new and interesting social-engineering trick used to install malware: hackers are leaving fake parking-violation warnings on cars to trick motorists into visiting malware-infested websites.

A windshield flier was left on cars with a website address that links to a malicious file. The fliers said:

  PARKING VIOLATION
  This vehicle is in violation of standard parking regulations.
  To view pictures with information about your parking preferences, go to

The website serves the malicious file to the user:

The malware, PictureSearchToolbar.exe, is detected by SonicWALL as GAV: AgentBypass_6 (Trojan).

It is a variant of the Virtumonde / Vundo family of trojan horses, which cause pop-ups and advertise rogue antispyware programs (aka Win32/Vundo.JI [Microsoft]). PictureSearchToolbar.exe is 56,832 bytes in size; when it runs, it drops the following files on the system:

  • %Temp%\awtrQGay.bat - 63 bytes
  • %System%\yayyXRKe.dll - 38,912 bytes

It injects yayyXRKe.dll into the explorer.exe process.

It also creates the following registry entries:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Settings
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\yayyXRKe
  • HKEY_CURRENT_USER\Software\Microsoft\cs41275

It then attempts to download a further file and save it as %System%\awtrQGay.dll.

The downloaded malware, awtrQGay.dll, is detected by SonicWALL as GAV: Monder_3 (Trojan). It is another variant of the Virtumonde/Vundo trojan and attempts to install fake antivirus software from
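The dropped files and registry keys listed above are usable host indicators. The Winlogon\Notify entry in particular is a persistence mechanism: winlogon.exe loads every DLL registered under that key at logon, so a responder wants to review every Notify package on the machine, not only the one named here. The Python script below is an added example, not SonicWALL's tooling or code from the original post. It parses a `.reg` export of the Winlogon\Notify key (the text format written by `reg export`), flags the advisory's indicator keys, reports any Notify package missing from a known-good baseline, and checks a file listing against the dropped-file names and sizes. The `.reg` text, the file listing and the baseline set are constructed sample data; in practice the baseline would be taken from a clean reference image of the same Windows build.

```python
"""Offline IoC triage for the Virtumonde/Vundo sample described in the advisory.

Added example; indicators are taken from the write-up, all input data below is
constructed for demonstration.
"""
import re

# Dropped-file names and sizes from the advisory (None = size not stated).
DROPPED_FILES = {
    "picturesearchtoolbar.exe": 56832,
    "awtrqgay.bat": 63,
    "yayyxrke.dll": 38912,
    "awtrqgay.dll": None,
}
# Registry keys from the advisory that have no legitimate reason to exist.
REGISTRY_IOCS = [
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\yayyXRKe",
    r"HKEY_CURRENT_USER\Software\Microsoft\cs41275",
]
NOTIFY_PREFIX = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" + "\\"

# Constructed baseline of Notify packages seen on a clean reference image (assumption).
BASELINE_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "scardsvr", "schedule",
                   "sclgntfy", "senslogn", "termsrv", "wlballoon"}

# Constructed .reg export: one legitimate package, the advisory's package, the marker key.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\yayyXRKe]
"DllName"="yayyXRKe.dll"
"Asynchronous"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\cs41275]
@=""
'''
# Constructed file listing (path, size) as produced by walking a mounted disk image.
SAMPLE_FILES = [
    (r"C:\WINDOWS\system32\yayyXRKe.dll", 38912),
    (r"C:\DOCUME~1\user\LOCALS~1\Temp\awtrQGay.bat", 63),
    (r"C:\WINDOWS\system32\kernel32.dll", 989696),
]


def _decode_value(raw):
    """Decode the value syntaxes that matter here: "string", hex(2) (REG_EXPAND_SZ), dword."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    m = re.match(r'hex\(2\):(.*)', raw)
    if m:  # comma-separated UTF-16LE bytes, NUL-terminated
        data = bytes(int(b, 16) for b in m.group(1).split(',') if b.strip())
        return data.decode('utf-16-le').rstrip('\x00')
    m = re.match(r'dword:([0-9a-fA-F]{8})', raw)
    if m:
        return int(m.group(1), 16)
    return raw


def parse_reg_export(text):
    """Return {key path: {value name: decoded value}} from .reg export text."""
    keys, current = {}, None
    joined = re.sub(r',\\\r?\n\s*', ',', text)  # re-join wrapped hex lines
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith('Windows Registry Editor'):
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys[current] = {}
        elif '=' in line and current is not None:
            name, _, raw = line.partition('=')
            keys[current]['@' if name == '@' else name.strip('"')] = _decode_value(raw.strip())
    return keys


def triage_registry(keys, baseline_notify):
    """Flag advisory IoC keys and any Winlogon Notify package not in the baseline."""
    ioc_set = {k.lower() for k in REGISTRY_IOCS}
    findings = []
    for key, values in keys.items():
        if key.lower() in ioc_set:
            findings.append(f"IoC key present: {key}")
        if key.lower().startswith(NOTIFY_PREFIX.lower()):
            package = key[len(NOTIFY_PREFIX):]
            if package.lower() not in baseline_notify:
                findings.append(f"Unbaselined Winlogon Notify package: {package} -> {values.get('DllName', '?')}")
    return findings


def triage_files(listing):
    """Match file names against the dropped-file list; note sizes that differ from the advisory."""
    findings = []
    for path, size in listing:
        name = path.rsplit('\\', 1)[-1].lower()
        if name in DROPPED_FILES:
            expected = DROPPED_FILES[name]
            note = "" if expected in (None, size) else f" (size {size} differs from advisory's {expected}; possibly another variant)"
            findings.append(f"Dropped-file name match: {path}{note}")
    return findings


def run_triage(reg_text=SAMPLE_REG, listing=SAMPLE_FILES, baseline=BASELINE_NOTIFY):
    return triage_registry(parse_reg_export(reg_text), baseline) + triage_files(listing)


if __name__ == "__main__":
    for finding in run_triage():
        print(finding)
```

Matching on file names alone is deliberately weak (the family is known to randomise them), which is why the unbaselined-Notify check is the more durable of the two: it catches the persistence technique rather than this sample's particular names.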

SonicWALL Gateway AntiVirus provides protection against this attack via GAV: Monder_3 (Trojan) and GAV: AgentBypass_6 (Trojan) signatures.

The following figure shows the recorded hits for the GAV: Monder_3 (Trojan) signature.