Home / malware Worm:Win32/Vundo.A
First posted on 24 April 2009.
Source: SecurityHomeAliases :
Worm:Win32/Vundo.A is also known as Also Known As:Vundo.gen.ab (McAfee), Trojan.Win32.Monder.bzea (Kaspersky).
Explanation :
Worm:Win32/Vundo.A is a worm that spreads by copying itself to mapped drives in the computer. Vundo is also a family known to display pop-ups that are usually related to fake antivirus software. It may prevents security processes and features from functioning properly.
Symptoms
System ChangesThe following system changes may indicate the presence of this malware:The absence of the following Microsoft file from your computer:
mrt.exeAlert notifications from installed antivirus software may be the only symptom(s).
Worm:Win32/Vundo.A is a worm that spreads by copying itself to mapped drives in the computer. Vundo is also a family known to display pop-ups that are usually related to fake antivirus software. It may prevents security processes and features from functioning properly.
Installation
Worm:Win32/Vundo.A copies itself as a DLL file with a random file name in the Windows system folder. It then creates a randomly-named mutex to ensure that only onle instance of itself is running at any one time.Spreads Via...Logical DrivesWorm:Win32/Vundo.A spreads by copying itself to mapped drives as either of the following:<drive>:<random><random>.dll <drive>:<random>.dll where <drive> is the drive letter (for example, Z:) and <random> is a random string. Worm:Win32/Vundo.A then writes an autorun configuration file named 'autorun.inf' pointing to one of the files listed above. When the removable or networked drive is accessed from another machine supporting the Autorun feature, the malware is launched automatically.
Payload
Prevents Security Processes from RunningAs part of its malware routine, Worm:Win32/Vundo.A prevents security processes from running. It terminates and deletes the process for the Microsoft Malicious Software Removal Tool (mrt.exe), disables notifications from the Microsoft Security Center, and stops Windows Updates, thus preventing the computer from acquiring Windows security updates. It also disables the phishing filter security feature in Internet Explorer 7. Connects to Remote ServersWorm:Win32/Vundo.A connects to the following servers and IP address to download malware updates or pop-ups:85.12.43.102 pancolp.com exficale.com Disables Phishing Filter in Internet Explorer 7Worm:Win32/Vundo.A disables the phishing filter in IE 7 by modifying the registry. Modifies value: "Enabled"With data: "0"In subkey: HKCUSoftwareMicrosoftInternet ExplorerPhishingFilter
Analysis by Jaime WongLast update 24 April 2009