Jan 17, 2009

Downadup worm (updated w/ antidote)

This new worm is now actively spreading itself. According to news reports, millions of computers worldwide have already been affected by it. The worm is codenamed "DOWNADUP" but also goes by other names such as "Kido" and "Conficker". Some of the effects of this worm are the following:

It disables some system services:

-Windows Automatic Update
-Windows Security Center
-Windows Defender
-Windows Error Reporting

It also:

-attacks Windows servers to prevent updates
-attempts to guess or 'brute force' Administrator passwords used on local networks and spreads through network shares
-infects removable devices and network shares with an autorun file that executes as soon as a USB drive or other infected device is connected to a victim PC

The worm then connects to a malicious server, from which it downloads additional malware to install on the infected computer. This virus can affect today's laptops running a licensed Windows OS (I guess), which need updates every now and then.

F-Secure describes some of the dangers of this worm:

Upon execution, the Downadup (Kido, Conflicker) worm creates copies of itself in:

  • %System%\[Random].dll
  • %Program Files%\Internet Explorer\[Random].dll
  • %Program Files%\Movie Maker\[Random].dll
  • %All Users Application Data%\[Random].dll
  • %Temp%\[Random].dll
  • %System%\[Random].tmp
  • %Temp%\[Random].tmp

* Note: [Random] represents a randomly generated name.

Each file's timestamp is amended to match the timestamp of the %System%\kernel32.dll file. The worm then creates autorun entries in the registry, which ensure that a copy of the worm is executed at every system startup.

The worm may create the following files on removable and mapped drives:

  • %DriveLetter%\RECYCLER\S-%d-%d-%d-%d%d%d-%d%d%d-%d%d%d-%d\[...].[3 random characters]
  • %DriveLetter%\autorun.inf

and attaches itself to the following processes:

  • svchost.exe
  • explorer.exe
  • services.exe
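
As an added example (not part of the original post and not F-Secure's tool), the following Python script triages a removable or mapped drive for the two artifacts listed above: an autorun.inf at the drive root and a payload under a RECYCLER\S-... folder. The seven-group folder-name shape is taken from the list above; the sample autorun.inf text, the placeholder file name payload.xyz and the throw-away directory the demo builds are constructed for illustration and are not real indicators.

```python
"""Triage a removable or mapped drive for the artifacts the page lists:
autorun.inf at the drive root and a payload under RECYCLER\\S-<seven numeric groups>\\.
Added example, not F-Secure's tool; the sample autorun.inf and the temp "drive" are constructed."""
import os
import re
import tempfile
from typing import Dict, List

# Folder-name shape from the page: S-%d-%d-%d-%d%d%d-%d%d%d-%d%d%d-%d, i.e. seven numeric groups.
SID_DIR = re.compile(r"^S(?:-\d+){7}$", re.IGNORECASE)
# [autorun] keys that make Windows run something when the drive is opened.
EXEC_KEYS = ("open", "shellexecute", "shell\\open\\command", "shell\\explore\\command")
# Extensions a legitimate autorun.inf normally launches; the page says the worm's
# payload carries three random characters instead.
USUAL_EXT = {".exe", ".com", ".bat", ".cmd"}

# Constructed sample in the shape the page describes; path and file name are placeholders, not IoCs.
SAMPLE_AUTORUN = (
    "[autorun]\r\n"
    "\x01\x8f\x02\xff junk bytes that a lenient parser must skip\r\n"
    "open=RUNDLL32.EXE .\\RECYCLER\\S-1-2-3-456-789-012-3\\payload.xyz,start\r\n"
    "shellexecute=.\\RECYCLER\\S-1-2-3-456-789-012-3\\payload.xyz\r\n"
)


def parse_autorun(text: str) -> Dict[str, str]:
    """Collect key=value pairs from the [autorun] section, skipping non-printable
    lines and lower-casing keys (Windows treats them case-insensitively)."""
    entries: Dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or not line.isprintable():
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[autorun]"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def assess_autorun(entries: Dict[str, str]) -> List[str]:
    """Return reasons the autorun.inf matches the pattern on the page; empty means none."""
    reasons: List[str] = []
    for key in EXEC_KEYS:
        target = entries.get(key)
        if not target:
            continue
        if "recycler" in target.lower():
            reasons.append(f"{key}= launches something under RECYCLER: {target}")
        # Inspect every path-like token (program and arguments), not only the first one.
        for token in target.replace(",", " ").split():
            ext = os.path.splitext(token.strip('"'))[1].lower()
            if ext and ext not in USUAL_EXT:
                reasons.append(f"{key}= references a file with unusual extension {ext}: {token}")
    return reasons


def find_sid_payloads(drive_root: str) -> List[str]:
    """List files under <drive>\\RECYCLER\\S-...\\ (seven numeric groups). Removable flash
    media normally has no recycle bin at all, so such a folder on a USB stick is itself odd."""
    recycler = os.path.join(drive_root, "RECYCLER")
    found: List[str] = []
    if not os.path.isdir(recycler):
        return found
    for name in os.listdir(recycler):
        sub = os.path.join(recycler, name)
        if os.path.isdir(sub) and SID_DIR.match(name):
            for root, _dirs, files in os.walk(sub):
                found.extend(os.path.join(root, f) for f in files)
    return found


def triage_drive(drive_root: str) -> Dict[str, List[str]]:
    """Run both checks against one drive root (e.g. 'E:\\\\' on Windows)."""
    findings: Dict[str, List[str]] = {"autorun": [], "payloads": []}
    inf = os.path.join(drive_root, "autorun.inf")
    if os.path.isfile(inf):
        with open(inf, "r", encoding="latin-1") as fh:  # never fails on arbitrary bytes
            findings["autorun"] = assess_autorun(parse_autorun(fh.read()))
    findings["payloads"] = find_sid_payloads(drive_root)
    return findings


def demo_on_constructed_drive() -> Dict[str, List[str]]:
    """Build a throw-away directory laid out like an infected drive and triage it."""
    root = tempfile.mkdtemp(prefix="fake_drive_")
    sid_dir = os.path.join(root, "RECYCLER", "S-1-2-3-456-789-012-3")
    os.makedirs(sid_dir)
    with open(os.path.join(sid_dir, "payload.xyz"), "wb") as fh:
        fh.write(b"not a real payload")  # constructed stand-in for the dropped file
    with open(os.path.join(root, "autorun.inf"), "w", encoding="latin-1") as fh:
        fh.write(SAMPLE_AUTORUN)
    return triage_drive(root)


if __name__ == "__main__":
    for category, items in demo_on_constructed_drive().items():
        print(category, "->", items)
```

Against a real stick, call `triage_drive("E:\\")` from a clean machine with AutoPlay switched off. An autorun.inf whose open= or shellexecute= points into RECYCLER, or any files under a SID-named RECYCLER folder on removable media, are reasons to image the drive for analysis rather than open it in Explorer.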

The worm disables a number of system features, in order to facilitate its activities. It disables the following Windows services:

  • Windows Automatic Update Service (wuauserv)
  • Background Intelligent Transfer Service (BITS)
  • Windows Security Center Service (wscsvc)
  • Windows Defender Service (WinDefend)
  • Windows Error Reporting Service (ERSvc)
  • Windows Error Reporting Service (WerSvc)

In addition to disabling these services, it checks to see whether it is running on a Windows Vista machine; if so, it also runs the following command to disable Windows Vista TCP/IP auto-tuning:

  • netsh interface tcp set global autotuning=disabled

If the user attempts to access the following, primarily security-related domains, their access is blocked:

  • virus
  • spyware
  • malware
  • rootkit
  • defender
  • microsoft
  • symantec
  • norton
  • mcafee
  • trendmicro
  • sophos
  • panda
  • etrust
  • networkassociates
  • computerassociates
  • f-secure
  • kaspersky
  • jotti
  • f-prot
  • nod32
  • eset
  • grisoft
  • drweb
  • centralcommand
  • ahnlab
  • esafe
  • avast
  • avira
  • quickheal
  • comodo
  • clamav
  • ewido
  • fortinet
  • gdata
  • hacksoft
  • hauri
  • ikarus
  • k7computing
  • norman
  • pctools
  • prevx
  • rising
  • securecomputing
  • sunbelt
  • emsisoft
  • arcabit
  • cpsecure
  • spamhaus
  • castlecops
  • threatexpert
  • wilderssecurity
  • windowsupdate
  • nai
  • ca
  • avp
  • avg
  • vet
  • bit9
  • sans
  • cert
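
The two symptoms described above, the disabled services and the blocked vendor domains, can be checked from a script. The following Python is an added example, not F-Secure's tool and not part of the original post: it reads each listed service's start type from `sc qc` output and tries to resolve a few vendor hostnames whose names contain fragments from the block list, so that failures confined to those names stand out from a generally broken DNS setup. The service names come from the F-Secure text; the canary hostnames, the sample `sc qc` output and the fake resolver used for the offline demo are my assumptions.

```python
"""Check a Windows host for two symptoms the page describes: the listed services
switched off, and name lookups for security-vendor sites failing. Added example,
not F-Secure's tool. Service names are from the page; the canary hostnames and
the sample `sc qc` output are constructed assumptions."""
import re
import socket
import subprocess
from typing import Callable, Dict, List, Optional, Tuple

# Service short names from the page (ERSvc is the XP name, WerSvc the Vista name).
WATCHED_SERVICES = ["wuauserv", "BITS", "wscsvc", "WinDefend", "ERSvc", "WerSvc"]

# A subset of the name fragments the page says the worm blocks.
BLOCKED_FRAGMENTS = ["virus", "malware", "microsoft", "symantec", "mcafee", "f-secure",
                     "kaspersky", "windowsupdate", "sans", "cert"]

# Hostnames to probe: three that contain blocked fragments and one control that does not (assumed).
CANARIES = ["www.microsoft.com", "www.f-secure.com", "www.sans.org", "example.com"]

# Constructed sample of `sc qc` output, in the layout the real command prints.
SAMPLE_SC_QC = """[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: wuauserv
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 4   DISABLED
        ERROR_CONTROL      : 1   NORMAL
"""


def parse_start_type(sc_qc_output: str) -> Optional[str]:
    """Pull the START_TYPE keyword (AUTO_START, DEMAND_START, DISABLED, ...) out of `sc qc` output."""
    m = re.search(r"START_TYPE\s*:\s*\d+\s+(\w+)", sc_qc_output)
    return m.group(1) if m else None


def query_service(name: str) -> str:
    """Run `sc qc <name>` (Windows only) and return what it printed."""
    return subprocess.run(["sc", "qc", name], capture_output=True, text=True).stdout


def audit_services(query: Callable[[str], str] = query_service,
                   watched: List[str] = WATCHED_SERVICES) -> Dict[str, Optional[str]]:
    """Return watched services that are DISABLED or could not be queried (None).
    Only one of ERSvc/WerSvc exists on a given Windows version, so one None there is normal."""
    findings: Dict[str, Optional[str]] = {}
    for svc in watched:
        start = parse_start_type(query(svc))
        if start is None or start == "DISABLED":
            findings[svc] = start
    return findings


def name_matches_block_list(hostname: str) -> bool:
    """True if the hostname contains one of the fragments from the page's list."""
    return any(frag in hostname.lower() for frag in BLOCKED_FRAGMENTS)


def probe_canaries(hostnames: List[str],
                   resolve: Callable[[str], str] = socket.gethostbyname) -> Tuple[List[str], List[str]]:
    """Resolve each name; return (failed names on the block list, other failed names).
    Failures confined to the first list are the pattern the page describes, since the
    worm filters by name fragment rather than breaking name resolution altogether."""
    blocked: List[str] = []
    other: List[str] = []
    for host in hostnames:
        try:
            resolve(host)
        except OSError:  # socket.gaierror is a subclass
            (blocked if name_matches_block_list(host) else other).append(host)
    return blocked, other


def fake_resolver(failing_names: List[str]) -> Callable[[str], str]:
    """Stand-in for socket.gethostbyname for offline demos: fails only for the given names."""
    def resolve(host: str) -> str:
        if host in failing_names:
            raise socket.gaierror(-2, "Name or service not known (simulated)")
        return "203.0.113.10"  # documentation address, not a real answer
    return resolve


if __name__ == "__main__":
    print("disabled or missing services:", audit_services())
    blocked, other = probe_canaries(CANARIES)
    print("blocked vendor names:", blocked, "| other lookup failures:", other)
```

Run it as an administrator on the suspect host. A result where only the vendor names fail while the control resolves matches the behaviour the F-Secure text describes; where exactly the filter takes effect depends on how the worm hooks name resolution on that host, so a clean script result does not clear the machine, and a browser test of the same sites is a useful cross-check.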

-People running licensed versions of Windows are advised to download the latest Windows Defender updates.
-Also, please update your antivirus to protect your PC.

F-Secure has provided a disinfection tool for Downadup:
Note: these are command-line tools; please read the text file included in the ZIP for additional details.


Rammyboi said...

Whoa! That's scary, huh... for the original XP users. Hahaha, but really, your admin password gets spread through the network if the PC is on a LAN. Thanks for this info. :D

trashman said...

Yeah... so much damage already... almost 9 million PCs... tsk tsk.

The Siraniks said...

Wow... could this be a hoax? But thanks... I got hit by a "huelar"... hehe... repair to the max.

trashman said...

Whoa... hahahaha... kill the process first, then use NOD32 to delete folder.exe, then noob killer...

This isn't a hoax, Nash, it's actually very alarming already...

Dexter | said...

My office computer got hit by this... this is a messy virus.

trashman said...

On PSVX there are tips and hints for removing Downadup, aka Conficker...