Skip to main content
Microsoft Security Intelligence
Published Feb 26, 2008 | Updated Sep 15, 2017


Detected by Microsoft Defender Antivirus

Aliases: Backdoor/Win32.Cidox (AhnLab) TR/Kazy.117219.78 (Avira) Trojan.Vundo.GZS (BitDefender) W32/Downldr2.IZLI (Command) Trojan.Mayachok.18579 (Dr.Web) Win32/Citirevo.AE (ESET) W32/Cidox.ACIO!tr (Fortinet) Virus.Win32.Vundo (Ikarus) Trojan.Win32.Cidox.acio (Kaspersky) Vundo (McAfee) RDN/Downloader.a!bm (McAfee) Vundo.gen18 (Norman) Troj/Mdrop-ETG (Sophos) Trojan.Vundo (Symantec) TROJ_CIDOX.DH (Trend Micro)


Windows Defender Antivirus detects and removes this threat.
Win32/Vundo is a multiple-component family of malware that delivers "out of context" pop-up advertisements. Variants of the family may also download and run other files, including malware and adware.

Vundo is often installed as a browser helper object (BHO) without your consent, by other malware.

This family uses advanced defensive and stealth techniques to escape detection and to hinder removal. 

 The following Microsoft software detects and removes this threat:

Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC.


This threat tries to steal your sensitive and confidential information. You should change your passwords after you've removed this threat:



Recovering from recurring infections on a network

You might need to take the following steps to completely remove this threat from an infected network, and to stop infections from recurring from this and other similar types of network-spreading malware:

  1. Ensure that an antivirus product is installed on ALL computers connected to the network that can access or host shares
  2. Ensure that all available network shares are scanned with an up-to-date antivirus product
  3. Restrict permissions as appropriate for network shares on your network. See Use Access Control to restrict who can use files for more information.
  4. Remove any unnecessary network shares or mapped drives

Note: You might also need to temporarily change the permission on network shares to read-only until the disinfection process is complete.

Disable Autorun functionality

This threat tries to use the Windows Autorun function to spread via removable drives, such as USB flash drives. This is a common malware behavior. You can find out how to turn off this feature in the article How to disable the Autorun functionality in Windows.

Update vulnerable applications

This threat may be distributed through exploits. After removing this threat, make sure that you install all available updates for your PC.

Additional remediation instructions for Win32/Vundo

This threat can make lasting changes to your PC's configuration that are not restored by detecting and removing this threat. There is more information about returning an infected PC to its pre-infected state in the following articles:

Follow us