Windows Trojan That Infected Over 3.6 Million PCs Evolves with Worm Behavior

The Vundo family

By Marius Oiaga, Technology News Editor

23rd of April 2009, 09:22 GMT

One of the top families of malicious code targeting the Windows platform has evolved with the addition of worm behavior, Microsoft warns. According to data made public via the Microsoft Security Intelligence Report, the Win32/Vundo Trojan infected over 3.6 million computers in the second half of 2008, and occupies the third position in a malware ranking behind Renos and Zlob. Vundo is a family of malware with various components that are designed to serve victims 'out of context' pop-up advertisements following infection. Microsoft warns that the Vundo family of malicious software can also be used to download and execute arbitrary files.

“Recently, we found new variants that employ replicating behavior by copying itself to mapped drives on the infected machine. It either copies itself into the mapped drive's root directory as a random dll name, or it creates a random directory name and copies the dll in there with the same name. This variant is named Worm:Win32/Vundo.A. We often advise customers to clean machines infected with Vundo offline and reboot afterwards because the process in memory can download the file again even if the malware was deleted successfully. Given this new behavior, if you think that you're infected with a new variant of Vundo, try disconnecting from the Internet before scanning your system,” recommends Jaime Wong, Microsoft spyware analyst.

In a common Vundo infection scenario, users see a high volume of incessant pop-ups displayed directly on the desktop. The advertisements push rogue security software, and they handicap Internet connectivity considerably. The Redmond company warns that Vundo uses a variety of tricks to avoid detection and removal.

“One of the methods it uses is hooking the AppInit_DLLs, or LoadAppInit_DLLs for Windows Vista operating systems. This will cause every process using user32.dll (which doesn't?) to load the dlls listed in this registry key into the process memory. Another trick it uses is to add itself to the PendingFileRenameOperations registry key. This basically marks the dll to be renamed to another random name upon reboot,” Wong added.
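To show how a defender would check the three locations Wong describes (the AppInit_DLLs list and its LoadAppInit_DLLs switch, the PendingFileRenameOperations value, and the roots of mapped drives that the worm variant copies itself to), here is an added PowerShell audit script. It is not from the article or from Microsoft. The registry paths are the standard Windows locations of those values; the seven-day look-back, the assumption that a dropped DLL sits at most one directory level below a mapped drive's root, and the choice to flag any DLL without a valid Authenticode signature are my own and are marked as such in the comments.

```powershell
# Added example, not from the article or from Microsoft: a read-only audit of the
# three locations the article describes. Run from an elevated PowerShell 5+
# prompt on the machine being checked; it prints findings and changes nothing.

function Get-DllSignatureStatus {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return 'MISSING' }
    # Authenticode status: Valid, NotSigned, HashMismatch, ... An unsigned DLL in
    # any of these locations is an indicator worth a closer look (assumption).
    return (Get-AuthenticodeSignature -FilePath $Path).Status.ToString()
}

function Get-AppInitDllFindings {
    # Every DLL listed here is loaded into every process that loads user32.dll.
    # On Vista and later the list is only honoured when LoadAppInit_DLLs is 1.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
    $props = Get-ItemProperty -Path $key
    $loadFlag = if ($null -eq $props.LoadAppInit_DLLs) { 'n/a (pre-Vista)' } else { $props.LoadAppInit_DLLs }
    Write-Host "LoadAppInit_DLLs = $loadFlag"
    ([string]$props.AppInit_DLLs) -split '[ ,]+' | Where-Object { $_ } | ForEach-Object {
        # A bare file name is resolved from System32; a rooted path is taken as-is.
        $path = if ([System.IO.Path]::IsPathRooted($_)) { $_ } else { Join-Path $env:SystemRoot "System32\$_" }
        [pscustomobject]@{ Source = 'AppInit_DLLs'; Path = $path; Signature = Get-DllSignatureStatus $path }
    }
}

function Get-PendingRenameFindings {
    # REG_MULTI_SZ of source/destination pairs that the session manager processes
    # at the next boot; an empty destination means "delete". The trick in the
    # article is a rename of the dropped DLL to a fresh random name.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $pending = (Get-ItemProperty -Path $key).PendingFileRenameOperations
    if (-not $pending) { return }
    for ($i = 0; $i -lt $pending.Count; $i += 2) {
        # Entries carry the NT-style '\??\' prefix; strip it for display and lookup.
        $src = $pending[$i] -replace '^\\\?\?\\', ''
        $dst = if ($i + 1 -lt $pending.Count) { $pending[$i + 1] -replace '^\\\?\?\\', '' } else { '' }
        if ($src -match '\.dll$' -or $dst -match '\.dll$') {
            $label = if ($dst) { "$src -> $dst" } else { "$src -> (delete)" }
            [pscustomobject]@{ Source = 'PendingFileRename'; Path = $label; Signature = Get-DllSignatureStatus $src }
        }
    }
}

function Get-MappedDriveDllFindings {
    param([int]$DaysBack = 7)   # assumption: a one-week look-back window
    # The worm variant drops a randomly named DLL in a mapped drive's root, or in
    # a randomly named directory directly under it, so scan only those two levels.
    $cutoff = (Get-Date).AddDays(-$DaysBack)
    Get-PSDrive -PSProvider FileSystem | Where-Object { $_.DisplayRoot -like '\\*' } | ForEach-Object {
        Get-ChildItem -Path $_.Root -Filter '*.dll' -File -Force -Depth 1 -ErrorAction SilentlyContinue |
            Where-Object { $_.CreationTime -gt $cutoff } | ForEach-Object {
                [pscustomobject]@{ Source = 'MappedDrive'; Path = $_.FullName; Signature = Get-DllSignatureStatus $_.FullName }
            }
    }
}

$findings = @(Get-AppInitDllFindings) + @(Get-PendingRenameFindings) + @(Get-MappedDriveDllFindings)
if ($findings.Count -eq 0) {
    Write-Host 'No DLL entries found in AppInit_DLLs, PendingFileRenameOperations or mapped-drive roots.'
} else {
    $findings | Sort-Object Signature | Format-Table -AutoSize
}
```

The output is a table of DLL paths with their signature status, sorted so that MISSING and NotSigned entries come first. A populated AppInit_DLLs value with LoadAppInit_DLLs set to 1, a pending rename of a DLL to another random-looking name, or a freshly created unsigned DLL in a mapped drive's root are each consistent with the behaviour Wong describes, but none of them is proof on its own; the script only surfaces what to inspect, and, per Microsoft's advice above, cleaning should be done offline because the in-memory process can re-download the file.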

© Copyright 2001-2009 Softpedia