Worm:Win32/Vundo.A is a worm that spreads by copying itself to mapped drives on the computer. Vundo is also a family known for displaying pop-ups, usually related to fake antivirus software. It may prevent security processes and features from functioning properly.
Worm:Win32/Vundo.A copies itself as a DLL file with a random file name in the Windows system folder. It then creates a randomly named mutex to ensure that only one instance of itself is running at any time.
Worm:Win32/Vundo.A spreads by copying itself to mapped drives as either of the following:
where <drive> is the drive letter (for example, Z:) and <random> is a random string.
Worm:Win32/Vundo.A then writes an autorun configuration file named 'autorun.inf' pointing to one of the files listed above. When the removable or networked drive is accessed from another machine supporting the Autorun feature, the malware is launched automatically.
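The 'autorun.inf' mechanism described above is easy to triage from a defender's side: an autorun.inf on a mapped or removable drive that launches an executable or DLL from the drive itself is a strong indicator worth reviewing. The following added example (written for this page, not Microsoft's analysis code) parses the INI-style autorun.inf format, collects every entry that causes a launch (open, shellexecute and any shell\verb\command), and reports which code files they reference. The sample autorun.inf and its file names are constructed stand-ins; the page does not list the worm's actual file names.

```python
import re

# autorun.inf keys that make Explorer/Autoplay launch a command when the drive
# is opened. Key names are case-insensitive in the file, so we lower-case them.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")
# Tokens that look like a code file referenced from a launch entry.
EXEC_REF = re.compile(r"[^\s,\"]+\.(?:exe|dll|scr|cpl|com|bat|cmd|pif|vbs|js)\b",
                      re.IGNORECASE)


def parse_autorun(text):
    """Minimal INI parser for autorun.inf: returns {section: {key: value}}.
    Sections and keys are lower-cased; lines starting with ';' are comments.
    Written by hand (rather than configparser) so '%' and '\\' in values
    are taken literally, as Windows does."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def launch_entries(sections):
    """Entries in [autorun] that run something: open, shellexecute, and any
    shell\\<verb>\\command (covers custom verbs, not just 'open')."""
    autorun = sections.get("autorun", {})
    return [(k, v) for k, v in autorun.items()
            if k in LAUNCH_KEYS or (k.startswith("shell\\") and k.endswith("\\command"))]


def assess_autorun(text):
    """One finding per launch entry that references a code file.
    'icon=' and 'label=' entries are ignored because they do not execute."""
    findings = []
    for key, command in launch_entries(parse_autorun(text)):
        refs = EXEC_REF.findall(command)
        if refs:
            findings.append({
                "key": key,
                "command": command,
                "files": [r.rsplit("\\", 1)[-1] for r in refs],
                # The worm drops itself as a DLL; a launch through rundll32
                # is the usual way such a DLL gets executed from autorun.
                "via_rundll32": command.lower().startswith("rundll32"),
            })
    return findings


# Constructed sample autorun.inf (not from the page); the file names are
# made-up placeholders for the random names the worm would use.
SAMPLE_AUTORUN = """\
[autorun]
; constructed sample
icon=%SystemRoot%\\system32\\shell32.dll,4
open=qvxmtk.exe
shell\\open\\command=qvxmtk.exe
shellexecute=rundll32.exe pklswr.dll,Install
"""

if __name__ == "__main__":
    for f in assess_autorun(SAMPLE_AUTORUN):
        print(f"{f['key']}: {f['command']!r} -> {f['files']} rundll32={f['via_rundll32']}")
```

Run against the autorun.inf in the root of each mapped drive (read the file with the drive's path as input to `assess_autorun`); any finding that names a file living in the drive root rather than a known installer deserves a look. Disabling Autorun for all drive types on the accessing machines removes the launch vector entirely, which is why the page's note that the malware runs "automatically" only holds where Autorun is still enabled.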
Prevents Security Processes from Running
Worm:Win32/Vundo.A prevents security processes from running. It terminates and deletes the process for the Microsoft Malicious Software Removal Tool (mrt.exe), disables notifications from the Microsoft Security Center, and stops Windows Update, thus preventing the computer from receiving Windows security updates. It also disables the phishing filter security feature in Internet Explorer 7.
Connects to Remote Servers
Worm:Win32/Vundo.A connects to the following servers and IP address to download malware updates or pop-ups:
Disables Phishing Filter in Internet Explorer 7
Worm:Win32/Vundo.A disables the phishing filter in IE 7 by modifying the registry.
Modifies value: "Enabled"
With data: "0"
In subkey: HKCU\Software\Microsoft\Internet Explorer\PhishingFilter
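The registry change above is a simple thing to check for across a fleet: export the PhishingFilter subkey with `reg export` and look at the "Enabled" value. The following added example (not from the page or from Microsoft) parses the text of a .reg export and reports whether the filter has been switched off. It accepts the value both as a REG_DWORD 0 and as the string "0", since the page gives the data only as "0"; the sample exports are constructed and contain only the "Enabled" value named on the page.

```python
import re

# Key path from the page (HKCU expanded to the full hive name reg.exe writes).
PHISHING_FILTER_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter"

_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.+)$')


def parse_reg_export(text):
    """Parse the text of a `reg export` (.reg) file into {key_path: {name: data}}.
    Key paths are lower-cased (the registry is case-insensitive). REG_DWORD
    data is decoded to int and quoted REG_SZ data to str; other types are
    left as their raw text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            data = m.group("data")
            if data.lower().startswith("dword:"):
                data = int(data[6:], 16)
            elif data.startswith('"') and data.endswith('"'):
                data = data[1:-1]
            keys[current][m.group("name")] = data
    return keys


def phishing_filter_state(text):
    """True  -> filter disabled ("Enabled" is 0, the state the worm sets)
    False -> "Enabled" present and non-zero
    None  -> value absent, so IE's own default applies"""
    values = parse_reg_export(text).get(PHISHING_FILTER_KEY.lower(), {})
    if "Enabled" not in values:
        return None
    return str(values["Enabled"]).strip() == "0"


def load_reg_file(path):
    """reg.exe writes .reg exports as UTF-16 LE with a BOM."""
    with open(path, encoding="utf-16") as fh:
        return fh.read()


# Constructed sample exports (not captured from a real machine).
DISABLED_EXPORT = """\
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\PhishingFilter]
"Enabled"=dword:00000000
"""

ENABLED_EXPORT = """\
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\PhishingFilter]
"Enabled"=dword:00000001
"""

if __name__ == "__main__":
    print("disabled sample:", phishing_filter_state(DISABLED_EXPORT))
    print("enabled sample: ", phishing_filter_state(ENABLED_EXPORT))
```

To use it on a live machine, run `reg export "HKCU\Software\Microsoft\Internet Explorer\PhishingFilter" pf.reg` as the affected user, then pass `load_reg_file("pf.reg")` to `phishing_filter_state`. A result of True on a machine where nobody deliberately turned the filter off lines up with the other indicators on this page, and after cleanup the same check confirms the value is no longer 0.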
Analysis by Jaime Wong
The following system changes may indicate the presence of this malware: