Sophos

Download Windows 7 security - A great leap forward or business as usual?

Virtumundo Goes Auto

The behaviour of most autorun worms is generally predictable. They copy themselves to the system folder, create an autorun file, spread to any available removable storage devices or network shares, and change registry entries to enable themselves to run automatically. There are sometimes minor variations but the theme is usually the same.

Even so, I have to admit that I am rather fascinated by this form of malware and am always happy to open up a can of worms for analysis.

So imagine my excitement this lunchtime when I came across an autorun worm with an added extra wriggle in the form of a Virtumundo file. Yes folks, Virtumundo has learnt the tricks of autorun and is now trying to inch its way round your removable storage devices and network shares.

Unhappily for the malware author, the behaviour of this little worm was noticed and halted by the eagle-eyed HIPS (Host Intrusion Protection System).

In addition, the Virtumundo sting in the worm’s tail is already detected as Troj/Virtum-Gen, and the autorun file is detected as Mal/Autoinf-B.

Exciting as it was to observe the arrival of a new form of Virtumundo, it really didn’t stand a chance.
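A defender-side check for the autorun file that such worms create, added here as an example and not taken from the original post or from any Sophos code: it parses the body of an `autorun.inf` and reports the `[autorun]` keys that would launch a program. The sample file contents and file names below are constructed placeholders, and the extension shortlist is an assumption.

```python
import re

# Keys in the [autorun] section that cause a program to be launched.
LAUNCH_KEYS = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)
# Extensions Windows will execute or load directly (assumed shortlist, not exhaustive).
EXEC_EXT = re.compile(r"\.(exe|com|scr|pif|bat|cmd|vbs|js|dll)\b", re.I)


def audit_autorun(text):
    """Return a list of (key, command, reason) findings for one autorun.inf body."""
    findings = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()  # section names are case-insensitive
            continue
        if section != "autorun" or "=" not in line:
            continue  # other sections and junk padding lines are ignored
        key, value = (part.strip() for part in line.split("=", 1))
        if not LAUNCH_KEYS.match(key):
            continue  # label=, icon= and similar keys launch nothing
        reason = "launches executable" if EXEC_EXT.search(value) else "launches command"
        findings.append((key.lower(), value, reason))
    return findings


# Constructed sample: the kind of file a worm might drop on a removable drive.
SUSPECT = """\
; constructed sample
[AutoRun]
random padding line without a key
open=setup_placeholder.exe
shell\\open\\Command=setup_placeholder.exe
shell\\explore\\command=rundll32.exe placeholder.dll,Entry
label=Removable Disk
"""

# Constructed sample: a benign file that only sets a label and an icon.
BENIGN = "[autorun]\nlabel=Backup\nicon=drive.ico\n"

if __name__ == "__main__":
    for key, cmd, reason in audit_autorun(SUSPECT):
        print(f"{key:24} {cmd:42} {reason}")
```

Any finding on a removable drive or network share is worth a second look, since ordinary data volumes rarely need a launch key in `autorun.inf`.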

