W32.Downadup.B

W32.Downadup.B spreads through the use of Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability. This threat also prevents the user from visiting security related websites.

Discovered: January 30, 2009
Filesize: 159,854 BYTES
MD5 Hash: 08F3CE046FF7EFD50FD60BB3C6457A32
Aliases: Worm:W32/Downadup.AL (F-Secure), Win32/Conficker.B (Computer Associates), W32/Confick-D (Sophos), WORM_DOWNAD.AD (Trend), Net-Worm.Win32.Kido.ih (Kaspersky), Conficker.D (Panda Software), W32.Downadup (Symantec)

The worm creates the following files.

  • %ProgramFiles%\Internet Explorer\[RANDOM FILE NAME].dll
  • %ProgramFiles%\Movie Maker\[RANDOM FILE NAME].dll
  • %System%\[RANDOM FILE NAME].dll
  • %Temp%\[RANDOM FILE NAME].dll
  • C:\Documents and Settings\All Users\Application Data \[RANDOM FILE NAME].dll

The following file will be modified.

  • %System%\drivers\tcpip.sys

The worm creates the following registry keys if not present already.

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\"dl" = "0"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\"dl" = "0"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\"ds" = "0"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\"ds" = "0"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[WORM GENERATED SERVICE NAME]\Parameters\"ServiceDll" = "[PATH TO WORM]"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[WORM GENERATED SERVICE NAME]\"ImagePath" = %SystemRoot%\system32\svchost.exe -k netsvcs
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[WORM GENERATED SERVICE NAME]\"Type" = "4"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[WORM GENERATED SERVICE NAME]\"Start" = "4"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[WORM GENERATED SERVICE NAME]\"ErrorControl" = "4"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[RANDOM NAME]" = "rundll32.exe "[RANDOM FILE NAME].dll", ydmmgvos"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL\"CheckedValue" = "0"

The worm will attempt to speed up network access to spread faster.

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\"TcpNumConnections" = "00FFFFFE"

The worm also deletes all system restore points.


Add this page to your favorite Social Bookmarking websites
Reddit! Del.icio.us! Mixx! Free and Open Source Software News Google! Live! Facebook! StumbleUpon! TwitThis Joomla Free PHP
< Prev   Next >