Vundo uses Worm Behavior
June 25, 2009 Computer Safety Tip
Vundo is a malware family. It was one of the families added to the MSRT and remains in the top 10 detections every month.
Vundo is regularly reported as an irritation because of the continuous pop-ups it delivers to the user’s desktop, mostly advertising rogue programs, and because it slows down the user’s internet connection drastically.
Vundo is well known for being difficult for most anti-virus products to remove. One of the methods it uses is hooking the AppInit_DLLs registry value (together with LoadAppInit_DLLs on Windows Vista). This causes every process that loads user32.dll (which doesn’t?) to load the DLLs listed in this registry value into its process memory.
Another trick Vundo uses is to add itself to the PendingFileRenameOperations registry value. This marks the DLL to be renamed to another random name upon reboot, so the file name an anti-virus product found no longer exists after the restart.
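To review the two persistence locations described above on a machine, here is an added read-only PowerShell listing (example code, not from the original post). It assumes the standard Windows registry paths, including the Wow6432Node copy that holds the 32-bit AppInit_DLLs value on 64-bit systems, and only reports what it finds.

```powershell
# Added example: list the registry values Vundo is described as abusing.
# Nothing is modified; the output is for an analyst to review.
$checks = @(
    @{ Path  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
       Names = @('AppInit_DLLs', 'LoadAppInit_DLLs') },
    # 32-bit view on 64-bit Windows (absent on 32-bit installs, which is fine)
    @{ Path  = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
       Names = @('AppInit_DLLs', 'LoadAppInit_DLLs') },
    @{ Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
       Names = @('PendingFileRenameOperations') }
)

foreach ($check in $checks) {
    $item = Get-ItemProperty -Path $check.Path -ErrorAction SilentlyContinue
    if ($null -eq $item) { continue }   # key not present on this system

    foreach ($name in $check.Names) {
        $value = $item.$name
        if ($null -eq $value -or "$value".Trim() -eq '') {
            "{0}\{1}: <empty>" -f $check.Path, $name
            continue
        }
        # PendingFileRenameOperations is REG_MULTI_SZ: alternating source and
        # destination entries; an empty destination means the file is deleted.
        # AppInit_DLLs is a single string of space- or comma-separated paths.
        foreach ($entry in @($value)) {
            $flag = ''
            if ("$entry" -match '\.dll') { $flag = '   <-- DLL entry, review' }
            "{0}\{1}: {2}{3}" -f $check.Path, $name, $entry, $flag
        }
    }
}
```

On Vista and later, AppInit_DLLs entries are only loaded while LoadAppInit_DLLs is 1, so a non-empty AppInit_DLLs list next to LoadAppInit_DLLs = 1 is the combination worth investigating.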
New variants were found that employ replicating behaviour by copying itself to mapped drives on the infected machine. It will either copy itself into the mapped drive’s root directory as a random dll name, or it creates a random directory name and copies the dll in there with the same name.
This variant is named Worm:Win32/Vundo.A. Customers have been advised to clean machines infected with Vundo offline and reboot afterwards, because the process still in memory can download the file again even after the malware has been deleted from disk.
If you think you are infected with a new variant of Vundo, try disconnecting from the Internet before scanning your system.