Author Topic: Removal of latest vundo-fake av scanner very difficult....  (Read 3755 times)

0 Members and 1 Guest are viewing this topic.

Offline polonus

  • Avast √úberevangelist
  • Probably Bot
  • *****
  • Posts: 32770
  • malware fighter
Removal of latest vundo-fake av scanner very difficult....
« on: April 24, 2009, 04:22:18 PM »
The Vundo fake-avscanner belongs to one of the most active malware families of recent years and now uses another trick to block removal. The removal of standard variants is difficult, because they may hijack various DLL-files to load these into memory afterwards. Another trick is to add itself to a registry-key that makes the DLL-file is renamed at every reboot. When the av-scanner wants to delete the file at reboot, it has already been renamed  to escape that action in order to remain on the OS.
The newest variant that MS found recently spreads itself to coupled disks. Either it places itself in the rootdirectory of that disk, or creates a random directory name and places its DLL-file there. So it is advised to go off the Internet before scanning. The Vundo process in memory can download the file anew, even if the malware has been cleansed succesfully prior to that.

Vundo downloads a number of files from various sites. To block these sites through a FW is a good option:

The IP-addresses and/or domains to be blocked are:

85.12.43.102
pancolp.com
exficale.com

More info on the malware mentioned here:

http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fVundo.A

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!