Vundo Employs Worm Behavior


is a malware family that doesn't need any introduction. It was one of the families added into the MSRT and remains in the top 10 detections every month.

It is commonly reported as a nuisance due to the incessant popups that it delivers to the user desktop--mostly related to rogue programs; slowing down the user's internet connection considerably.

Vundo is well known for its resistance to removal by most anti-virus products. One of the methods it uses is hooking the Appinit_Dlls, or LoadAppInit_DLLs for Windows Vista operating systems. This will cause every process using user32.dll (which doesn't?) to load the dlls listed in this registry key into the process memory. Another trick it uses is to add itself to PendingFileRenameOperations registry key. This basically marks the dll to be renamed to another random name upon reboot. So if the file was marked to be deleted by an AV product for example, upon reboot it would have been renamed and would not be deleted. You'll be happy to know that our products are able to mitigate all these tricks.

Recently, we found new variants that employ replicating behavior by copying itself to mapped drives on the infected machine. It either copies itself into the mapped drive's root directory as a random dll name, or it creates a random directory name and copies the dll in there with the same name. This variant is named Worm:Win32/Vundo.A. We often advise customers to clean machines infected with Vundo offline and reboot afterwards because the process in memory can download the file again even if the malware was deleted sucessfully. Given this new behavior, if you think that you're infected with a new variant of Vundo, try disconnecting from the network before scanning your system.

--Jaime Wong

Comments (0)

Skip to main content