You have been re-routed to the Trojan:Win32/Vundo.RU write up because Trojan%3aWin32%2fVundo.RU has been renamed to Trojan:Win32/Vundo.RU


Microsoft security software detects and removes this threat.

Trojan:Win32/Vundo.RU is a variant of Win32/Vundo, a multiple-component family of programs that display pop-up ads. They also download and run files and stop security programs from running.

What to do now

The following Microsoft software detects and removes this threat:

Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC.

Threat behavior


When run, Trojan:Win32/Vundo.RU copies itself into the %APPDATA% folder as exp.exe.

It changes the following registry entry to make sure its copy runs every time Windows starts:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "~backup~"
With data: "%APPDATA%\exp.exe"

Trojan:Win32/Vundo.RU injects its entire code into all processes (except for browser processes) so that it has a persistent presence in your PC.


Stops security-related processes

Trojan:Win32/Vundo.RU stops security-related programs from running if the process name is any of the following:

  • avastsvc.exe
  • avastui.exe
  • avgnsx.exe
  • avgnt.exe
  • avgrsx.exe
  • avgtray.exe
  • avguard.exe
  • avp.exe
  • avshadow.exe
  • bdagent.exe
  • ccsvchst.exe
  • cfp.exe
  • coreserviceshell.exe
  • dwengine.exe
  • dwservice.exe
  • ecls.exe
  • egui.exe
  • ekrn.exe
  • mcshield.exe
  • mctray.exe
  • msmpeng.exe
  • msseces.exe
  • uiseagnt.exe
  • vba32ldr.exe
  • vbascheduler.exe
  • vmacthlp.exe
  • vmsrvc.exe
  • vmtoolsd.exe
  • vmusrvc.exe
  • vpcmap.exe

Displays out-of-context ads

Trojan:Win32/Vundo.RU displays ads via your browser that are often out of context. It does this by checking the Internet traffic that goes through Chrome, Firefox, Internet Explorer, or Opera, if you're using any of these browsers. Once determined, it injects code into the web pages, which displays pop-up ads

Collects information about your PC

Trojan:Win32/Vundo.RU collects information about your PC and saves it into a file named cf in the Cookies folder. It collects the following information:

  • Operating system version
  • Operating system architecture (whether your PC is 32-bit or 64-bit)
  • Whether your PC is running in a virtual or a physical environment

Downloads files

Trojan:Win32/Vundo.RU can download and run files, which might be other malware.

Analysis by Zarestel Ferrer


The following could indicate that you have this threat on your PC:

  • You have this file: exp.exe
  • You see this entry in your registry:

    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Sets value: "~backup~"
    With data: "%APPDATA%\exp.exe"


Alert level: Severe
First detected by definition:
Latest detected by definition: 1.203.1578.0 and higher
First detected on: Apr 19, 2013
This entry was first published on: Oct 17, 2013
This entry was updated on: Oct 21, 2013

This threat is also detected as:
No known aliases