PC Security Shield Virus Alert: W32.Downadup

  • Also Known As: Kido, Win32/Conficker.A [Computer Associates], W32/Downadup.A [F-Secure], Conficker.A [Panda Software], Net-Worm.Win32.Kido.bt [Kaspersky], WORM_DOWNAD.AP [Trend], W32/Conficker [Norman]
  • Type: Worm
  • Infection Length: 62,976 bytes
  • Systems Affected: Windows Vista, Windows XP, Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003
  • How it spreads: W32.Downadup is a worm that spreads by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (BID 31874).
  • Damage Level: Medium
  • Distribution Potential: Medium
  • Removal: Remove W32.Downadup with Security Shield (AntiVirus).
    The Shield Antivirus (Security Shield) provides total Internet security and the best protection available from viruses, spyware, hackers, and other e-threats!

    Technical Description

    Win32.Worm.Downadup uses new tricks to spread itself without being easily detected.

    Once executed, the worm (Downadup, also known as Conficker, Net-Worm, Kido, Worm Download, etc.) copies itself to the following file:
    %System%\[RANDOM FILE NAME].dll

    Next, the worm deletes any user-created System Restore points.

    It creates the following service:
    Name: netsvcs
    ImagePath: %SystemRoot%\system32\svchost.exe -k netsvcs

    Then the worm creates the following registry entry:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netsvcs\Parameters\"ServiceDll" = "[PathToWorm]"
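    The service and ServiceDll entries above are the persistence artefact a defender can check for. The following Python is an added example, not code from this alert or from the vendor: it parses text in the format produced by `reg query HKLM\SYSTEM\CurrentControlSet\Services /s` and flags svchost-hosted services whose key name collides with their `-k` group (as the worm's `netsvcs` service does) or whose ServiceDll is not on an analyst-supplied allow-list. The sample registry text, the random DLL name `xjfkqwe.dll` and the two-entry allow-list are constructed for the example.

```python
"""Persistence check for the Downadup service pattern described above.

Constructed example: the text mimics `reg query HKLM\\SYSTEM\\CurrentControlSet\\Services /s`
output; the DLL name xjfkqwe.dll and the allow-list are assumptions, not alert values."""
import re
from collections import defaultdict

SERVICES_PREFIX = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"
VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*?)\s*$")
SVCHOST_RE = re.compile(r"svchost\.exe\s+-k\s+(\S+)", re.IGNORECASE)

# Assumed allow-list of legitimate netsvcs ServiceDll names, for this example only.
KNOWN_NETSVCS_DLLS = {"schedsvc.dll", "qmgr.dll"}

SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\system32\svchost.exe -k netsvcs

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\system32\schedsvc.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\system32\svchost.exe -k netsvcs

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\system32\qmgr.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netsvcs
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\system32\svchost.exe -k netsvcs

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netsvcs\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\system32\xjfkqwe.dll
"""


def parse_reg_query(text):
    """Return {service_name: {value_name: data}} from `reg query /s` style text.

    Values under a service's sub-keys (e.g. Parameters\\ServiceDll) are folded
    into the service they belong to."""
    services = defaultdict(dict)
    current = None
    for line in text.splitlines():
        if line.startswith(SERVICES_PREFIX):
            current = line[len(SERVICES_PREFIX):].split("\\")[0]
            continue
        m = VALUE_RE.match(line)
        if m and current:
            name, _reg_type, data = m.groups()
            services[current][name] = data
    return dict(services)


def find_suspicious_svchost_services(text, known_dlls=KNOWN_NETSVCS_DLLS):
    """Flag svchost-hosted services matching the Downadup pattern: a service
    named after its own -k group, or a ServiceDll that is not on the allow-list."""
    findings = []
    for svc, values in parse_reg_query(text).items():
        m = SVCHOST_RE.search(values.get("ImagePath", ""))
        if not m:
            continue  # not hosted by svchost; outside this check's scope
        group = m.group(1)
        dll_name = values.get("ServiceDll", "").rsplit("\\", 1)[-1].lower()
        if svc.lower() == group.lower():
            findings.append((svc, "service name equals its svchost group name"))
        if dll_name and dll_name not in known_dlls:
            findings.append((svc, f"ServiceDll {dll_name} is not on the allow-list"))
    return findings


if __name__ == "__main__":
    for service, reason in find_suspicious_svchost_services(SAMPLE_REG_QUERY):
        print(f"{service}: {reason}")
```

    On a host under review, capture `reg query HKLM\SYSTEM\CurrentControlSet\Services /s` to a file and pass its contents to `find_suspicious_svchost_services`. The allow-list should be taken from a known-good installation of the same Windows version; the two names used here only make the example self-contained.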

    The worm connects to the following URLs to obtain the external IP address of the compromised computer:

    * [http://]www.getmyip.org
    * [http://]getmyip.co.uk
    * [http://]checkip.dyndns.org

    Next, the worm downloads and executes a file from the following URL:
    [http://]trafficconverter.biz/4vir/antispyware/loada[REMOVED]

    The worm then starts an HTTP server on the compromised computer on a random port, for example:
    http://[EXTERNAL IP ADDRESS OF INFECTED MACHINE]:[RANDOM PORT]

    The worm then sends this URL as part of its payload to remote computers. Upon successful exploitation, the remote computer will then connect back to this URL and download the worm. In this way, each exploited computer can spread the worm itself, as opposed to downloading from a predetermined location.

    Next, the worm connects to a UPnP router and opens the HTTP port: it attempts to locate the network device registered as the Internet gateway on the network and opens the previously mentioned [RANDOM PORT] on it, so that the compromised computer can be reached from external networks.

    The worm then attempts to download a data file from the following URL:
    [http://]www.maxmind.com/download/geoip/database/GeoIP.[REMOVED]

    The worm spreads by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (BID 31874). Next, the worm attempts to contact the following sites to obtain the current date:

    * http://www.w3.org
    * http://www.ask.com
    * http://www.msn.com
    * http://www.yahoo.com
    * http://www.google.com
    * http://www.baidu.com

    It uses the date information to generate a list of domain names. The worm then contacts these domains in an attempt to download additional files onto the compromised computer.
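    The alert does not describe the domain-generation algorithm itself, so the defender-side observable is the behaviour it produces: one host resolving many freshly generated names, most of which do not exist yet. The following Python is an added example, not code from this alert or from the vendor. It reads resolver log lines and flags any client that receives a threshold number of distinct NXDOMAIN answers within a sliding time window. The "timestamp client qname rcode" line format and every line in SAMPLE_DNS_LOG are constructed for the example; adapt parse_dns_log() to your resolver's format.

```python
"""Detection for date-seeded domain lookups: NXDOMAIN bursts per client.

Added example. The log format and all sample lines are constructed; the
random-looking names are made up and not indicators from the alert."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_DNS_LOG = """\
2009-01-15T10:00:01 10.0.0.5 www.google.com NOERROR
2009-01-15T10:00:02 10.0.0.7 www.msn.com NOERROR
2009-01-15T10:00:03 10.0.0.5 qxzmtkalv.biz NXDOMAIN
2009-01-15T10:00:04 10.0.0.5 rpoqwvjenf.info NXDOMAIN
2009-01-15T10:00:05 10.0.0.5 lkqpzwmvbt.org NXDOMAIN
2009-01-15T10:00:06 10.0.0.7 mail.example.com NOERROR
2009-01-15T10:00:07 10.0.0.5 ztqwplmkxa.biz NXDOMAIN
2009-01-15T10:00:08 10.0.0.5 bnvqwxlpta.net NXDOMAIN
2009-01-15T10:00:09 10.0.0.5 qxzmtkalv.biz NXDOMAIN
2009-01-15T10:00:10 10.0.0.7 typo.example.com NXDOMAIN
2009-01-15T10:05:00 10.0.0.5 www.yahoo.com NOERROR
"""


def parse_dns_log(text):
    """Parse 'timestamp client qname rcode' lines (assumed format) into tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, rcode = line.split()
        events.append((datetime.fromisoformat(ts), client, qname.lower().rstrip("."), rcode))
    return events


def detect_nxdomain_bursts(text, window_seconds=60, threshold=5):
    """Return {client: sorted distinct failing names} for each client that got
    >= threshold distinct NXDOMAIN answers within any window_seconds span.

    A repeated failing name counts once; a single typo never reaches the
    threshold, while a generated list of candidate domains does."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)                        # client -> (ts, qname) NXDOMAINs in window
    in_window = defaultdict(lambda: defaultdict(int))  # client -> qname -> count within window
    flagged = {}
    for ts, client, qname, rcode in sorted(parse_dns_log(text)):
        if rcode != "NXDOMAIN":
            continue
        q, counts = recent[client], in_window[client]
        q.append((ts, qname))
        counts[qname] += 1
        # Slide the window: expire events older than window_seconds.
        while q and ts - q[0][0] > window:
            _old_ts, old_name = q.popleft()
            counts[old_name] -= 1
            if counts[old_name] == 0:
                del counts[old_name]
        if len(counts) >= threshold:
            flagged.setdefault(client, set()).update(counts)
    return {client: sorted(names) for client, names in flagged.items()}


if __name__ == "__main__":
    for client, names in detect_nxdomain_bursts(SAMPLE_DNS_LOG).items():
        print(client, "->", ", ".join(names))
```

    The threshold and window are tuning knobs: a browser with a bad bookmark or a misconfigured search suffix produces a handful of NXDOMAINs per hour, whereas a host walking a generated candidate list produces dozens of distinct failures in well under a minute. Review the returned names rather than acting on the count alone.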


    BitDefender Labs uncovered a new version of the worm called Win32.Worm.Downadup.B. The malware comes with a list of new features, in addition to the existing spreading routine, which has also shown signs of improvement.

    The worm now also spreads via USB sticks: it copies itself into a randomly named folder inside the RECYCLER directory (which the Recycle Bin uses to store deleted files) and creates an autorun.inf file in the root folder of the infected drive, so that it executes automatically when the drive is connected, if the Autorun feature is enabled.
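    The two artefacts named here, an autorun.inf in the drive root and a copy of the worm under RECYCLER, can be checked for on any removable drive before it is trusted. The following Python is an added example, not code from this alert or from the vendor: it parses the [autorun] section of autorun.inf for keys that launch something and reports any command that points into RECYCLER, and it lists executable files stored under RECYCLER. build_sample_drive() creates a constructed drive layout in a temporary directory; the folder name xk3q9zr and the file name sample_payload.exe are made up for the example.

```python
"""Removable-drive check for the USB spreading pattern described above.

Added example, not vendor code. Scans a drive root for an autorun.inf whose
launch command points into RECYCLER, and for executables stored under RECYCLER.
build_sample_drive() builds a constructed layout; xk3q9zr and
sample_payload.exe are invented names, not indicators from the alert."""
import re
import tempfile
from pathlib import Path

# [autorun] keys that cause something to run: open, shellexecute, shell\<verb>\command.
AUTORUN_CMD_RE = re.compile(
    r"^(open|shellexecute|shell\\[^\\=]+\\command)\s*=\s*(.+?)\s*$", re.IGNORECASE
)
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".com", ".scr"}


def parse_autorun_commands(data: bytes):
    """Return [(key, command)] from the [autorun] section.

    Deliberately line-based: autorun.inf files planted by malware are not
    guaranteed to be clean INI, so lines that do not parse are skipped rather
    than aborting the scan."""
    commands = []
    in_autorun = False
    for raw in data.decode("latin-1").splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun:
            m = AUTORUN_CMD_RE.match(line)
            if m:
                commands.append((m.group(1).lower(), m.group(2)))
    return commands


def scan_drive_root(root):
    """Return a list of human-readable findings for one drive root."""
    root = Path(root)
    findings = []
    inf = root / "autorun.inf"
    if inf.is_file():
        for key, cmd in parse_autorun_commands(inf.read_bytes()):
            if "recycler" in cmd.lower():
                findings.append(f"autorun.inf '{key}' launches content from RECYCLER: {cmd}")
    recycler = root / "RECYCLER"
    if recycler.is_dir():
        for path in recycler.rglob("*"):
            if path.is_file() and path.suffix.lower() in EXECUTABLE_SUFFIXES:
                findings.append(f"executable stored in Recycle Bin storage: {path.relative_to(root)}")
    return findings


def build_sample_drive(infected=True):
    """Create a constructed drive layout in a temp directory and return its root."""
    root = Path(tempfile.mkdtemp(prefix="usbroot_"))
    if infected:
        payload_dir = root / "RECYCLER" / "xk3q9zr"  # random folder name, constructed
        payload_dir.mkdir(parents=True)
        (payload_dir / "sample_payload.exe").write_bytes(b"MZ constructed placeholder")
        (root / "autorun.inf").write_bytes(
            b"[autorun]\r\n"
            b"\x00\xff junk bytes that a strict INI parser would reject\r\n"
            b"icon=%SystemRoot%\\system32\\shell32.dll,4\r\n"
            b"open=RECYCLER\\xk3q9zr\\sample_payload.exe\r\n"
        )
    else:
        (root / "autorun.inf").write_bytes(b"[autorun]\r\nopen=setup.exe\r\nicon=setup.exe\r\n")
        (root / "setup.exe").write_bytes(b"MZ constructed placeholder")
    return root


if __name__ == "__main__":
    for finding in scan_drive_root(build_sample_drive()):
        print(finding)
```

    Point scan_drive_root() at the mount point of a real removable drive to use it outside the constructed sample. The RECYCLER check is a heuristic: the Recycle Bin stores deleted documents there too, so an executable under it is a reason to inspect the drive, not proof of infection on its own.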


    How to repair: Repair by using The Shield AntiVirus.


