Win32/Vundo.gen!D detected in Skype process

  • Question

  • Has anybody experienced Skype's process (not its files) being detected as Win32/Vundo.gen!D? I ran into this issue today when Windows Live OneCare closed Skype while I was in a call. I believe this may be a false detection, but it is recurring since it was detected once again by the Windows Live Safety Scanner.

     

    This is Vista x64, usually running under a standard user account.

     

    Is there any real threat here?

    Sunday, April 20, 2008 10:33 AM

Answers

All replies

  • I just had it around time of your post. I use Vista x32.

    Interestingly, Skype just got closed with the message "quarantined", but the Skype program is not placed in quarantine.

    What should we do now?

    Call support? They are probably all asleep.

     

    Sunday, April 20, 2008 11:14 AM
  • I suspect that calling support will be the suggested course of action, but I'm in no hurry since Skype is running as a limited user so even if it is trying to install a malicious browser helper object, the Windows Vista mechanisms will keep it from getting installed even if it bypasses Windows Live OneCare somehow. I'll wait and see if someone already has an answer.

     

    For reference, my Skype version is Skype 3.6.0.248 and Windows Live OneCare 2.0.2500.22 with Virus and spyware definition 1.31.9062.0.
    Sunday, April 20, 2008 11:29 AM
  • I just had the same incident... I was testing the new(?) web-based OneCare (beta) scan and it found this Trojan in my process of Skype. I have the Chinese version "Tom-Skype 3.6.4.136" .. Could it be a false alarm?
    Sunday, April 20, 2008 2:42 PM
  • Same versions as Brant and same problem.  I stepped away from the computer for about an hour and when I came back I saw the warning message.  Very odd...

     

    Also I'm running Windows XP 32bit, and Skype runs under a limited user account, so I'm not so worried, but still....

    Sunday, April 20, 2008 2:47 PM
  • I also got a message this morning from Live OneCare that it had quarantined the Trojan: Win32/Vundo.gen!D
    It did not say that it was in Skype, in fact I could not find any more details about it from OneCare, but I do remember that the system had stopped Skype yesterday - something that it had never done before. All a bit odd.

    Running Vista Ultimate x32

    Martin.
    Sunday, April 20, 2008 5:59 PM
  • The same message (which is unrelated to Skype) from OneCare this morning. Skype has been stopped. WindowsXP MCE SP2 32 bit with all updates.

    Sunday, April 20, 2008 9:20 PM
  • The same message from OneCare yesterday and this morning. Skype icon in quick launch disappears. Skype has been stopped. System Windows XP MCE SP2 32 bit updated. Trojan not to be found under parameters/virus&spyware/quarantine, thus it cannot be deleted! What can we do about this?

    Monday, April 21, 2008 9:01 AM
  • This must be something to do with the heuristic scanning used by Microsoft's AV products as I started getting the same issue with the Forefront client on Vista x64. It seems to be an issue with Skype v3.6.0.248 only as I ran a Forefront scan with the same pattern files etc on a computer with an earlier version of Skype and it did not detect it.
    Monday, April 21, 2008 9:42 AM
  • I started a thread on the Skype forums here:

     

    http://forum.skype.com/index.php?showtopic=122041

     

    Sarouk:

     

    I'm not too worried on this one yet.  You won't find anything in the quarantine since it's finding the problem in the process, but not the actual executable file.  Skype is trying to do something, or is behaving in a way, that's making WLOC a bit nervous, methinks.  Maybe an oversight in the latest definitions update?

    Monday, April 21, 2008 9:43 AM


  • Hi

    I also have just started to encounter this problem and have experienced pretty much the
    same symptoms as other posters.

    Running Vista X32 Ultimate
    Skype 3.6.0.248

    Monday, April 21, 2008 10:54 AM
  • I also have the problem. I have even tried a previous version. Still the same: the process ### has Win32/Vundo.gen!D

    I have uninstalled Skype completely and did a full scan. The full scan reported no problems. I need to know if it's OneCare crying wolf.

     

    Yours

     

    ParTay

     

    Monday, April 21, 2008 11:51 AM
  • Have the virus quarantined by Live OneCare and you get it back at the next start.

    Remove Skype and the virus is gone and doesn't turn up again.

    Reinstall Skype and the virus is back on your system.

    Monday, April 21, 2008 12:43 PM
  • Hi everyone, I am getting this:

    Microsoft Forefront Client Security Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. Microsoft Forefront Client Security can't undo changes that you allow.
    For more information please see the following:
    http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Vundo.gen!D&threatid=2147602644
    Scan ID: {069EEB56-4541-4EB5-80F5-44F6F0D73AFE}
    Agent: On Access
    User: \
    Name: Trojan:Win32/Vundo.gen!D
    ID: 2147602644
    Severity: Severe
    Category: Trojan
    Path Found: file:C:\Program Files\Skype\Phone\Skype.exe
    Alert Type:
    Process Name:
    Detection Type: Concrete
    Status: Allow

     

    Even when you allow Skype, it then shows the process as being the error:

     

    Microsoft Forefront Client Security scan has detected spyware or other potentially unwanted software.
    For more information please see the following:
    http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Vundo.gen!D&threatid=2147602644
    Scan ID: {717D73AC-8D0E-4BCB-AE5B-708F3A160F23}
    Scan Type: AntiMalware
    Scan Parameters: Quick Scan
    User: NT AUTHORITY\NETWORK SERVICE
    Name: Trojan:Win32/Vundo.gen!D
    ID: 2147602644
    Severity: Severe
    Category: Trojan
    Path Found: process: pid:3340
    Detection Type: Generic

     

    so it is linked to a process

     

    any ideas?

     

    Monday, April 21, 2008 2:07 PM
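The two Forefront alerts above show the distinction several posters are puzzled by: the first names a file (`Path Found: file:C:\Program Files\Skype\Phone\Skype.exe`), the second names only a process (`Path Found: process: pid:3340`), which is why nothing turns up in quarantine. The script below is an added example, not code from this thread or from Microsoft or Skype, of the check a practitioner would run on such a report: take the running process, list its on-disk image and every module it has mapped, and record each one's Authenticode status and SHA-256. The process name `Skype`, the function name `Get-ProcessImageReport` and the output layout are assumptions of this example; `Get-Process`, `Get-AuthenticodeSignature` and the `.Modules` property are standard PowerShell/.NET.

```powershell
# Added example, not code from the thread: for every running process with the
# given name, list the on-disk image and each loaded module with its Authenticode
# status and SHA-256, so a "detected in the process, nothing in quarantine" alert
# can be compared against what the process actually has mapped.
param(
    [string]$ProcessName = 'Skype'   # assumption: the client runs as Skype.exe
)

function Get-ProcessImageReport {
    param([string]$Name)

    $results = @()
    foreach ($proc in (Get-Process -Name $Name -ErrorAction SilentlyContinue)) {
        $modules = @()
        try {
            $modules = @($proc.Modules)
        } catch {
            # Enumerating the modules of a 64-bit process from a 32-bit shell, or of
            # a higher-integrity process, fails; record that rather than skip silently.
            $results += New-Object PSObject -Property @{
                ProcessId = $proc.Id; Module = '<modules not accessible>'
                Status = 'Unknown'; Signer = ''; SHA256 = ''
            }
            continue
        }
        foreach ($m in $modules) {
            $path = $m.FileName
            $sig  = Get-AuthenticodeSignature -FilePath $path
            $signer = ''
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

            # Hash the on-disk image independently of the signature check so the
            # value can be compared with the vendor's download or submitted to AV.
            $sha256 = '<unreadable>'
            try {
                $stream = [System.IO.File]::OpenRead($path)
                try {
                    $hasher = [System.Security.Cryptography.SHA256]::Create()
                    $sha256 = [System.BitConverter]::ToString($hasher.ComputeHash($stream)).Replace('-', '')
                } finally {
                    $stream.Close()
                }
            } catch { }

            $results += New-Object PSObject -Property @{
                ProcessId = $proc.Id
                Module    = $path
                Status    = $sig.Status.ToString()   # Valid, NotSigned, HashMismatch, ...
                Signer    = $signer
                SHA256    = $sha256
            }
        }
    }
    return $results
}

$report = Get-ProcessImageReport -Name $ProcessName
if (-not $report) {
    Write-Host "No running process named $ProcessName"
    return
}

# The main image first: a valid signature and a known hash on disk mean the file
# is what the vendor shipped, which matches the "process detected, nothing
# quarantined" pattern in this thread.
$report | Where-Object { $_.Module -like "*\$ProcessName.exe" } |
    Format-List ProcessId, Module, Status, Signer, SHA256

# Then everything mapped into the process that does not verify. An unsigned or
# hash-mismatched DLL here is what a genuine in-memory infection usually looks
# like, and it is the artefact to submit to the vendor rather than the signed EXE.
$report | Where-Object { $_.Status -ne 'Valid' } | Sort-Object Module -Unique |
    Format-Table ProcessId, Status, Module -AutoSize
```

Run it from an elevated shell of the same bitness as the target process, otherwise the module list is unavailable. The caveat is that this inspects files on disk, not memory: a clean, signed image rules out a tampered executable but not code injected or patched after load, which is exactly what a process-only scanner hit could in principle be reporting. If every mapped module verifies and the engine names no file, the remaining explanation is the signature itself, which is what the later posts in this thread conclude.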
  • I am getting this now on XP x64 (3790.srv03_sp2_gdr.070321-2337) with Skype Beta 3.8.0.96 and Forefront:

    Client Version: 1.5.1941.0
    Engine Version: 1.1.3408.0
    Antivirus definition: 1.31.9091.0
    Antispyware definition: 1.31.9091.0

    To be honest, as irritating as it is that MS is falsely detecting the trojan in this process, I am just as curious as to what Skype has begun doing in recent versions that makes Forefront think it is a trojan.
    Monday, April 21, 2008 2:37 PM
  • Client Version: 1.5.1941.0

    Engine Version: 1.1.3408.0

    Antivirus definition: 1.31.9091.0

    Antispyware definition: 1.31.9091.0

     

    it seems to be tied in to the most recent update of FCS

    Monday, April 21, 2008 2:44 PM
  • I've reported this to the OneCare team and I'm sure it will make its way to the antimalware team responsible for the signatures used by OneCare, Forefront, Defender and the OneCare free Safety scanner.
    If you still wish to report this - see this post for how to report both infections and possible false positives to Microsoft - http://forums.microsoft.com/WindowsOneCare/ShowPost.aspx?PostID=662566&SiteID=2



    -steve

    Monday, April 21, 2008 4:29 PM
    Moderator
  • Thanks Steve. I looked into filing my own report, but the instructions don't really cover a process-based infection as opposed to a file-based infection.
    Monday, April 21, 2008 4:54 PM
  • Same thing happened to me yesterday 4/20/2008 and again today when my once-a-day early morning scan ran, and I did notice that Skype was shut down.   The name of the virus is "Trojan:Win32\Vundo.gen!D". Yesterday, I ran several online virus scanners (ewido, Panda, & McAfee) and all of them detected nothing except for a few minor cookies that track information.  Today I ran the Microsoft Online Safety Scanner (Beta for Vista) at http://onecare.live.com/site/en-us/default.htm without Skype running first and it detected nothing, then with Skype running first.  Shortly after starting Safety Scan with Skype active, my installed OneCare came up and detected a different virus, "TrojanDownloader:HTML/Agent.K", which it removed in two places.
     
    1) ...\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0GBXKCD9\index[1].htm
     
    2) ...\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0GBXKCD9\index[1].htm->(SCRIPT0001)->(EmbeddedCode)
     
    Then a few seconds later OneCare popped up and said it had detected the first virus again, "Trojan:Win32\Vundo.gen!D".  It did not say anything about removing or quarantining it.  It only said "detected".  Meanwhile the Online Safety scan is continuing to scan through my system.
     
    The Online Safety Scanner says it has found four issues:
     
    1) TrojanDownloader:Java/Agent.B
    2) Exploit:Java/ByteVerify.E
    3) Java/ByteVerify.D
    4) Win32/Vundo.gen!D
     
    Online Safety Scanner does not provide removal capability, only detection. But I believe all of these are false positives, because everyone started having similar problems beginning yesterday and because I have no system degradation.  My system is running at full speed.
    Monday, April 21, 2008 5:24 PM
  • Why does the Microsoft Live Virus Encyclopedia rate "Win32/Vundo.gen!D" as threat "Low" and Microsoft One Care rates it as Threat "Severe"?
    Monday, April 21, 2008 7:00 PM
  • So today the problem seems to have vanished, possibly with updated definitions.  How do we know if this was a false alarm, or if we are all infected with some new Skype-borne trojan that has simply morphed to avoid detection?
    Tuesday, April 22, 2008 4:23 PM
  • I received no reply from the OneCare team when I reported it yesterday. However, if you no longer have the issue, either the signature update resolved it or Skype changed their code. I'm guessing it would be the former.

    -steve

     

    Tuesday, April 22, 2008 4:26 PM
    Moderator
  • Maybe it all happened because of the way the Skype add-on for IE7 is written.

    Even though I disabled the add-on in Internet Options and also changed the zone to medium-high, I get the information bar with the orange shield when visiting certain eBay auctions. Before the change I was getting a yellow prompt asking for Skype to run.

    A long time ago on an XP machine I always ran Skype from the dropmyrights.exe program and did not have any prompts in IE.
    Tuesday, April 22, 2008 8:38 PM
  • I did not have the IE add-on installed. So that was not a contributing factor.

    Tuesday, April 22, 2008 8:50 PM
  • Yes, you had. The add-on is in the Skype.exe file.

     

    Tuesday, April 22, 2008 9:00 PM
  • If it is contained in the main executable, then yes, it was present. However, it was not installed. I specifically chose not to install it since I'm using the IE8 Beta, where it causes problems.
    Tuesday, April 22, 2008 9:05 PM
  • You may (or may not) be pleased to know that Microsoft has now acknowledged this as a false positive and that later versions of the signature definition files (1.31.9121.0 and later) no longer report this problem.

     

    Wednesday, April 23, 2008 6:38 PM