Several of the PC's on our network have been infected by what seems to be a strain of vundo. The infected machines were not pulling down updates from the WUS and vundo was punch through the security holes. After clearing the machines and comparing the combofix logs, I noticed some similarities. All of the machines hsowed similar files connected to vundo, however, some that DID have all the security updates had these files shown as infected:
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
It also shows this:
----- BITS: Possible infected sites -----
Seems to be too much of a coincidence. Any thoughts? Could the WSUS server be infected as well?