W32.Downadup is a worm that spreads by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (BID 31874).

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP
CVE References: CVE-2008-4250

Once executed, the worm copies itself as the following file:
%System%\[RANDOM FILE NAME].dll

Next, the worm deletes any user-created System Restore points.

It creates the following service:
Name: netsvcs
ImagePath: %SystemRoot%\\system32\\svchost.exe -k netsvcs

Then the worm creates the following registry entry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netsvcs\Parameters\”ServiceDll” = “[PathToWorm]”

The worm connects to the following URLs to obtain IP address of the compromised computer:

Next, the worm downloads a file from the following URL and executes it:
[http://]trafficconverter.biz/4vir/antispyware/loada[REMOVED]

The worm then creates a http server on the compromised computer on a random port, for example:
http://%5BEXTERNAL IP ADDRESS OF INFECTED MACHINE]:[RANDOM PORT]

The worm then sends this URL as part of its payload to remote computers.

Upon successful exploitation, the remote computer will then connect back to this URL and download the worm.

In this way, each exploited computer can spread the worm itself, as opposed to downloading from a predetermined location.

Next, the worm connects to a UPnP router and opens the http port.

It then attempts to locate the network device registered as the Internet gateway on the network and opens the previously mentioned [RANDOM PORT] in order to allow access to the compromised computer from external networks.

The worm then attempts to download a data file from the following URL:
[http://]www.maxmind.com/download/geoip/database/GeoIP.[REMOVED]

The worm spreads by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (BID 31874).

Next, the worm attempts to contact the following sites to obtain the current date:

It uses the date information to generate a list of domain names.

The worm then contacts these domains in an attempt to download additional files onto the compromised computer.

Remove W32.Downadup:

Visit the Microsoft Website to fix the problem:
http://support.microsoft.com/kb/958644/en-us

You can also use antivirus software with latest updates to remove the worm quickly

Removal using the W32.Downadup Removal Tool
Symantec Security Response has developed a removal tool to clean the infections of W32.Downadup. Use this removal tool first, as it is the easiest way to remove this threat.

Manual Removal
The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

  1. Disable System Restore (Windows Me/XP).
  2. Update the virus definitions.
  3. Run a full system scan.
  4. Delete any values added to the registry.
Advertisements