Worm:W32/Downadup.A

Name: Worm:W32/Downadup.A
Detection Names: Worm:W32/Downadup.A, Net-Worm.Win32.Kido
Category: Malware
Type: Worm
Platform: W32

Summary

A standalone malicious program which uses computer or network resources to make complete copies of itself. It may include code or other malware to damage both the system and the network.

Disinfection

Details


Process Changes
Creates these mutexes:

  • Global\%random%-%random%

Registry Modifications
Creates these keys:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%DLL_Name%
    DisplayName = "[...]"
    Type = dword:00000020
    Start = dword:00000002
    ErrorControl = dword:00000000
    ImagePath = "%SystemRoot%\system32\svchost.exe -k netsvcs"
    ObjectName = "LocalSystem"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Nls
    (Default) = dword:%Number%


Additional Details

Installation

Upon execution, it creates the following mutex as part of its installation:

  • Global\%Random%-%Random%

It then creates a copy of the file as %SystemDir%\%DLL_Name%.dll and changes the timestamp to match the timestamp on the file %SystemDir%\kernel32.dll.

The malware then modifies the registry and creates a number of registry keys, including a "Parameters" key under the service key with the entry:

  • Servicedll = %SystemRoot%\system32\[...].dll

It also modifies the following registry key:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
netsvcs = %previous data% and %random_dllname%

It then disables user-created System Restore Points.

It may also attach itself to "services.exe".
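The service registration just described (a random DLL appended to the svchost "netsvcs" group, a DLL timestamp copied from kernel32.dll, and an infection counter in the Nls key's default value) can be checked on a suspect host. The script below is an added example, not part of the F-Secure description; it assumes it is run from an elevated PowerShell on the host being examined, and the registry paths are the ones the description names.

```powershell
# Added example: triage the netsvcs service group for the indicators described above.
$svcHostKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost'
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$nlsKey      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Nls'
$kernel32    = Get-Item (Join-Path $env:SystemRoot 'system32\kernel32.dll')

# netsvcs is a REG_MULTI_SZ list of service names; the worm appends its own name to it.
$netsvcs = (Get-ItemProperty -Path $svcHostKey -Name netsvcs).netsvcs

foreach ($name in $netsvcs) {
    $params = Join-Path $servicesKey "$name\Parameters"
    if (-not (Test-Path $params)) { continue }
    $dll = (Get-ItemProperty -Path $params -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    if (-not $dll) { continue }
    $dll  = [Environment]::ExpandEnvironmentVariables($dll)
    $file = Get-Item -LiteralPath $dll -ErrorAction SilentlyContinue
    $flags = @()
    if (-not $file) {
        $flags += 'dll-missing'
    } else {
        # The worm copies kernel32.dll's timestamp onto its own DLL.
        if ($file.LastWriteTimeUtc -eq $kernel32.LastWriteTimeUtc) { $flags += 'timestamp-matches-kernel32' }
        # Catalog-signed system DLLs can report NotSigned on older PowerShell; treat this as a lead, not proof.
        $sig = Get-AuthenticodeSignature -FilePath $dll
        if ($sig.Status -ne 'Valid') { $flags += "signature-$($sig.Status)" }
    }
    [pscustomobject]@{ Service = $name; ServiceDll = $dll; Flags = ($flags -join ',') }
}

# The worm stores its infection count as a DWORD in the default value of the Nls key,
# which normally has no default value set at all.
try {
    $kind = (Get-Item -Path $nlsKey).GetValueKind('')
    "Nls default value is present with type $kind"
} catch {
    'Nls default value not set'
}
```

Review any row whose Flags column is non-empty against a known-good inventory of netsvcs members before acting on it.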

Propagation

It connects to the following sites to get the %External_IP_address% of the infected system:

  • http://checkip.dyndns.org
  • http://getmyip.co.uk
  • http://www.getmyip.org

It then creates an HTTP server on the infected system on a random port:

  • http://%External_IP_address%:%Random_Port%

The malware tries to exploit systems susceptible to the critical MS08-067 vulnerability (see note); if the exploit is successful, the targeted system will download a copy of the malware (with a .jpeg extension) from the aforementioned HTTP server.

It creates the following registry key:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Nls
(Default) = dword:%Number%

It also downloads and executes the following file when the system date is later than "December 1, 2008":

  • http://trafficconverter.biz/4vir/antispyware/loadadv.exe

Fortunately, as of this writing, this URL is unavailable. We can only speculate about the real motive of the malware author. One point of interest is that the URL contains rogue-antispyware-related strings; profit in this sort of scheme is generated through affiliate programs used to promote these dubious antispyware products.

Downadup also downloads and executes a file from the following URL when the system date is later than "November 25, 2008":

  • http://%predictable_domains_ipaddress%/search?q=%Number%&aq=7

Here %Number% is the number of systems the malware has successfully infected, and %predictable_domains_ipaddress% is a predictable domain that is resolved to an IP address.

It may connect to the following domains to obtain the current system date, which will then be used to generate predictable domains:

  • baidu.com
  • google.com
  • yahoo.com
  • msn.com
  • ask.com
  • w3.org

Examples of a predictable domain:

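Two of the network signals described above can be picked out of DNS query logs: lookups of the three external-IP check sites, and lookups of random-looking domains of the shape the predictable domains take. The script below is an added example, not part of the F-Secure description; the log lines are constructed samples, and the label length (5 to 11 letters) and TLD set (.com, .net, .org, .info, .biz) are assumptions drawn from the sample domains.

```powershell
# Added example: flag external-IP-check lookups and generated-looking domains in DNS logs.
$sampleLog = @'
2008-12-02 10:01:13 10.0.0.15 query A www.google.com
2008-12-02 10:01:14 10.0.0.15 query A checkip.dyndns.org
2008-12-02 10:01:20 10.0.0.15 query A aconklcn.net
2008-12-02 10:01:21 10.0.0.15 query A bkzdbmwqf.org
2008-12-02 10:01:30 10.0.0.22 query A mail.example.com
'@ -split "`n"

# The three sites the worm uses to learn the infected host's external address.
$ipCheckHosts = @('checkip.dyndns.org', 'getmyip.co.uk', 'www.getmyip.org')
# Assumed shape of the generated names: one label of 5-11 lowercase letters on five TLDs.
$dgaShape = '^[a-z]{5,11}\.(com|net|org|info|biz)$'

function Test-LooksGenerated {
    param([string]$Domain)
    if ($Domain -notmatch $dgaShape) { return $false }
    $label = $Domain.Split('.')[0]
    # Dictionary words rarely have this few vowels; "bkzdbmwqf" has none at all.
    $vowels = ([regex]::Matches($label, '[aeiou]')).Count
    return ($vowels / $label.Length) -lt 0.3
}

foreach ($line in $sampleLog) {
    # Constructed format: date time client query type domain
    $fields = $line.Trim() -split '\s+'
    if ($fields.Count -lt 6) { continue }
    $client = $fields[2]
    $domain = $fields[5].ToLower()
    if ($ipCheckHosts -contains $domain) {
        "$client looked up external-IP service $domain"
    } elseif (Test-LooksGenerated $domain) {
        "$client looked up generated-looking domain $domain"
    }
}
```

The vowel-ratio test is a triage heuristic: it misses generated names that happen to contain several vowels, so a host that trips the external-IP check alone still deserves a look.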

Note

Further information on the MS08-067 vulnerability is available from: