PC Security Shield Virus Alert: W32.Downadup
| Kido, Win32/Conficker.A [Computer Associates], W32/Downadup.A [F-Secure], Conficker.A [Panda Software], Net-Worm.Win32.Kido.bt [Kaspersky], WORM_DOWNAD.AP [Trend], W32/Conficker [Norman] | |
| Worm | |
| 62,976 bytes | |
| Windows Vista, Windows XP, Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003 | |
| W32.Downadup is a worm that spreads by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (BID 31874). | |
| Medium | |
| Medium | |
| Remove W32.Downadup with Security Shield (AntiVirus). The Shield Antivirus, (Security Shield) provides total Internet Security and the best protection available from viruses, spyware, hackers, and other e-threats! |
Win32.Worm.Downadup uses new tricks to spread itself without being easily detected.
Once executed, the worm Downadup also known as Conficker, Net Worm, Kido, Worm Download, etc.; copies itself as the following file:
%System%\[RANDOM FILE NAME].dll
Next, the worm deletes any user-created System Restore points.
It creates the following service:
Name: netsvcs
ImagePath: %SystemRoot%\\system32\\svchost.exe -k netsvcs
Then the worm creates the following registry entry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netsvcs\Parameters\"ServiceDll" = "[PathToWorm]"
The worm connects to the following URLs to obtain IP address of the compromised computer:
* [http://]www.getmyip.org
* [http://]getmyip.co.uk
* [http://]checkip.dyndns.org
Next, the worm downloads and executes a file from the following URL:
[http://]/]trafficconverter.biz/4vir/antispyware/loada[REMOVED]
The worm then creates a http server on the compromised computer on a random port, for example:
http://[EXTERNAL IP ADDRESS OF INFECTED MACHINE]:[RANDOM PORT]
The worm then sends this URL as part of its payload to remote computers. Upon successful exploitation, the remote computer will then connect back to this URL and download the worm. In this way, each exploited computer can spread the worm itself, as opposed to downloading from a predetermined location.
Next, the worm connects to a UPnP router and opens the http port. It then attempts to locate the network device registered as the Internet gateway on the network and opens the previously mentioned [RANDOM PORT] in order to allow access to the compromised computer from external networks.
The worm then attempts to download a data file from the following URL:
[http://]/]www.maxmind.com/download/geoip/database/GeoIP.[REMOVED]
The worm spreads by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (BID 31874). Next, the worm attempts to contact the following sites to obtain the current date:
* http://www.w3.org
* http://www.ask.com
* http://www.msn.com
* http://www.yahoo.com
* http://www.google.com
* http://www.baidu.com
It uses the date information to generate a list of domain names. The worm then contacts these domains in an attempt to download additional files onto the compromised computer.
BitDefender Labs uncovered a new version of the worm called Win32.Worm.Downadup.B. The malware comes with a list of new features, aside from the present spreading routine, which has also shown signs of improvement.
The worm now uses USB sticks to spread. By copying itself in a random folder created inside the RECYCLER directory, used by the Recycle Bin to store deleted files, and creating an autorun.inf file in the root folder of the infected drive, the worm automatically executes if the Autorun feature is enabled.
How to repair: [Repair by using The Shield AntiVirus 2010]
