Worm:Win32/Vundo.A


Worm:Win32/Vundo.A is a worm that spreads by copying itself to mapped drives on the computer. Vundo is a malware family also known for displaying pop-ups, usually advertising rogue (fake) antivirus software. It may prevent security processes and features from functioning properly.


What to do now

Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as the Microsoft Safety Scanner (http://go.microsoft.com/fwlink/?LinkId=212742). For more information, see http://www.microsoft.com/protect/computer/viruses/vista.mspx.

Threat behavior

Installation
Worm:Win32/Vundo.A copies itself as a DLL file with a random file name into the Windows system folder. It then creates a randomly named mutex to ensure that only one instance of itself runs at any time.
Spreads Via...
Logical Drives
Worm:Win32/Vundo.A spreads by copying itself to mapped drives as either of the following:
  • <drive>:\<random>\<random>.dll
  • <drive>:\<random>.dll
 
where <drive> is the drive letter (for example, Z:) and <random> is a random string.
 
Worm:Win32/Vundo.A then writes an autorun configuration file named 'autorun.inf' that points to one of the files listed above. When the mapped or removable drive is accessed from another computer on which the Autorun feature is enabled, the malware is launched automatically. On systems where Autorun has been disabled for non-optical drives (as later Windows updates do), the DLL is not launched automatically, but the copied files and autorun.inf still mark the drive as infected and should be removed.
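As an added example (not part of Microsoft's write-up), the following Python script parses the body of an autorun.inf file and flags launch directives that reference a DLL, which is how a dropped <random>.dll on a mapped drive would be started. The directive names (open=, shellexecute=, shell\...\command=) are the standard autorun.inf keys, the use of rundll32.exe to launch a DLL is an assumption about the worm's launch method, and the two sample files are constructed for illustration.

```python
"""Triage autorun.inf files of the kind Worm:Win32/Vundo.A drops on mapped drives.

Added example, not Microsoft's analysis code. Assumptions not stated in the
write-up: launch directives are the standard autorun.inf keys (open=,
shellexecute=, shell\\<verb>\\command=), and a DLL payload is assumed to be
started through rundll32.exe.
"""
import re
from pathlib import Path

# Directives that cause code execution when the drive is opened (case-insensitive).
LAUNCH_KEYS = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)\s*=\s*(.+)$", re.I)
# Any reference to a .dll file in the directive value, e.g. <random>\<random>.dll.
DLL_REF = re.compile(r"([\w.\\-]+\.dll)", re.I)


def parse_autorun(text):
    """Return (key, value) pairs for launch directives in the [autorun] section.

    Blank lines and ';' comments are skipped; keys are returned lower-cased.
    """
    directives = []
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line.lower() == "[autorun]"
            continue
        if not in_autorun:
            continue
        m = LAUNCH_KEYS.match(line)
        if m:
            directives.append((m.group(1).lower(), m.group(2).strip()))
    return directives


def vundo_like_findings(text):
    """Describe launch directives that would start a DLL (or rundll32) from the drive."""
    findings = []
    for key, value in parse_autorun(text):
        dll = DLL_REF.search(value)
        if dll:
            findings.append(f"{key} launches DLL {dll.group(1)}")
        elif "rundll32" in value.lower():
            findings.append(f"{key} invokes rundll32: {value}")
    return findings


def scan_drive_roots(roots):
    """Check autorun.inf at each drive root (e.g. ['Z:\\\\']) and map path -> findings.

    Autorun only honours autorun.inf at the root of a drive, so that is where
    a dropped file is looked for.
    """
    report = {}
    for root in roots:
        inf = Path(root) / "autorun.inf"
        if inf.is_file():
            report[str(inf)] = vundo_like_findings(inf.read_text(errors="replace"))
    return report


# Constructed samples: a harmless vendor autorun.inf and a Vundo-style one.
SAMPLE_BENIGN = "[autorun]\nicon=setup.exe,0\nlabel=Vendor Tools\n"
SAMPLE_WORM = (
    "[autorun]\n"
    "open=rundll32.exe kdjfhw\\qwpoe.dll,Start\n"
    "shellexecute=qwpoe.dll\n"
    "shell\\open\\command=rundll32.exe qwpoe.dll\n"
)

if __name__ == "__main__":
    for name, sample in (("benign", SAMPLE_BENIGN), ("worm", SAMPLE_WORM)):
        print(name, vundo_like_findings(sample) or "no launch directives")
```

Run the script as-is to see the verdict on the two constructed samples; pass real drive roots to scan_drive_roots() (on the infected machine or from a clean analysis host with the drives mapped read-only) to check the drives themselves. Any autorun.inf whose launch directive names a DLL in a randomly named path is worth treating as the dropper described above, regardless of whether Autorun is still enabled.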
Payload
Prevents Security Processes from Running
Worm:Win32/Vundo.A prevents security processes from running. It terminates the Microsoft Malicious Software Removal Tool process (mrt.exe) and deletes its file, disables notifications from the Microsoft Security Center, and stops Windows Update, thus preventing the computer from acquiring Windows security updates. It also disables the phishing filter security feature in Internet Explorer 7.
 
Connects to Remote Servers
Worm:Win32/Vundo.A connects to the following hosts (two domain names and one IP address) to download malware updates or pop-up content:
  • 85.12.43.102
  • pancolp.com
  • exficale.com
 
Disables Phishing Filter in Internet Explorer 7
Worm:Win32/Vundo.A disables the phishing filter in Internet Explorer 7 by modifying the registry as follows:
 
Modifies value: "Enabled"
With data: "0"
In subkey: HKCU\Software\Microsoft\Internet Explorer\PhishingFilter
 
Analysis by Jaime Wong

Symptoms

System Changes
The following system changes may indicate the presence of this malware:
  • The absence of the following Microsoft file from your computer:
    mrt.exe
  • Alert notifications from installed antivirus software may be the only symptom(s).

Prevention


Alert level: Severe
First detected by definition: 1.55.1923.0
Latest detected by definition: 1.173.2181.0 and higher
First detected on: Apr 18, 2009
This entry was first published on: Apr 23, 2009
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • Vundo.gen.ab (McAfee)
  • Trojan.Win32.Monder.bzea (Kaspersky)