Threat Description

Worm:​W32/Downadup.A

Details

Aliases: Worm:​W32/Downadup.A, Win32.Worm.Conficker.A, Worm:​32/Downadup.A, Net-Worm.Win32.Kido
Category: Malware
Type: Worm
Platform: W32

Summary



Worm:W32/Downadup exploits a vulnerability in the Windows Server service to spread copies of itself across a network. The worm also attempts to download files from a remote server.



Removal



See Worm:W32/Downadup.gen for disinfection instructions and tools.



Technical Details



Worm:W32/Downadup (also known as Conficker and Kido) spreads by exploiting the critical MS08-067 vulnerability in order to infect vulnerable computers accessible over a network.

The worm also attempts to download files from a remote site; at the time of writing, the site was unavailable. The motive for this behavior is unknown. One point of interest is that the URL contains rogue antispyware-related strings. Profit on rogueware-related schemes is generated through affiliate programs used to promote these dubious products.

For more information about the vulnerability, see SA32326: Microsoft Windows Server Service Vulnerability .

This worm sparked media interest both online and offline in 2009, when it was found to have infected millions of computers worldwide. Downadup is discussed in a number of our Labs Weblog postings, including:

Technical details for the worm are available below. Further details are also available in the following related descriptions:

Installation

Upon execution, it creates the following mutex as part of its installation:

  • Global\%Random%-%Random%

It then creates a copy of the file as %SystemDir%\%DLL_Name%.dll and changes the timestamp to match the timestamp on the file %SystemDir%\kernel32.dll.

The malware then modifies the registry and creates a number of registry keys

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%DLL_Name% DisplayName = "[...]"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%DLL_Name% Type = dword:00000020
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%DLL_Name% Start = dword:00000002
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%DLL_Name% ErrorControl dword:00000000
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%DLL_Name% ImagePath = "%SystemRoot%\system32\svchost.exe -k netsvcs"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%DLL_Name% ObjectName = "LocalSystem"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Nls (Default) = dword:%Number%

Including a "Parameters" key under the service key with the entry:

  • Servicedll = %SystemRoot%\system32\[...].dll

It also modifies the following registry key:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost netsvcs = %previous data% and %random_dllname%

It then disables user created System Restore Points.

It may also attach itself to "services.exe".

Propagation

It connects to the following sites to get the %External_IP_address% of the infected system:

  • http://checkip.dyndns.org
  • http://getmyip.co.uk
  • http://www.getmyip.org

It then creates a HTTP server on the infected system on a random port:

  • http://%External_IP_address%:%Random_Port%

The malware tries to exploit systems susceptible to the critical MS08-067 vulnerability; if the exploit is successful, the targeted system will download a copy of the malware (with a .jpeg extension) from the aforementioned HTTP server.

It creates the following registry:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Nls (Default) = dword:%Number%

Download

Downadup downloads and executes the following files when the system date is above "December 1, 2008":

  • http://trafficconverter.biz/4vir/antispyware/loadadv.exe

Fortunately, as of this writing, this URL is currently unavailable.

Downadup also downloads and executes the following files when the system date is above "November 25, 2008":

  • http://%predictable_domains_ipaddress%/search?q=%Number%&aq=7

Where %Number% is the number of systems the malware has successfully infected, and %predictable_domains_ipaddress% is a predictable domain that will be converted to an IP address.

It may connect to the following domains to obtain the current system date, which will then be used to generate predictable domains:

  • baidu.com
  • google.com
  • yahoo.com
  • msn.com
  • ask.com
  • w3.org

Examples of a predictable domain:

  • aconklcn.net
  • adnherho.com
  • afshu.info
  • aftzwhcjk.info
  • agiwjyx.biz
  • ahzvceeg.biz
  • aihbjawqll.info
  • andndjmts.com
  • arrqczqj.com
  • atffhfyr.info
  • bfhfa.org
  • bjamrxy.info
  • bkidqwqd.com
  • bkzdbmwqf.org
  • bpbokixgrr.com
  • bqbgqkx.org
  • btuzcgytmg.biz
  • buxbpcuhgks.biz
  • bwssb.info
  • byqibg.net
  • ciyqydagnbi.net
  • clhosan.biz
  • cpoqvn.org
  • cubbrbh.biz
  • cupgw.biz
  • cxqlmwgp.com
  • czkiptwai.info
  • dcpaiqzc.biz
  • dczokqhd.net
  • djlwuayzv.net
  • dpdszcxxw.net
  • dsfflhy.com
  • dvlzq.info
  • dwbxwdjvg.com
  • dynppafxww.biz
  • dzoibj.info
  • ecclfke.info
  • edgvfinrbc.net
  • epefw.biz
  • esmgvh.info
  • esotw.net
  • espvtm.net
  • exrudww.com
  • fbtbsshxtqc.com
  • fcwak.net
  • fdkpw.info
  • fntkbzdcdpp.net
  • fpabgx.info
  • fsbeui.biz
  • gbqxdo.com
  • gcqnhcxkubp.com
  • gdxsk.biz
  • germtbzda.com
  • glvnmc.net
  • gqsaoheic.biz
  • gquvqirf.org
  • gtgyzcq.net
  • gxffs.net
  • gxoli.com
  • gxxromkhtx.org
  • gyvdjzkd.info
  • hatveqxgn.info
  • hbdaaqpgj.biz
  • hdbvwlhmy.info
  • hdunbnus.org
  • hfhlitaauh.com
  • hfpmgvkimks.net
  • hhdecyyznvj.info
  • hkefcack.info
  • hlflxstgcs.net
  • hohwolepnvb.net
  • hojmuh.com
  • hxbrrbnrdet.net
  • hyrvvlt.org
  • hzfdvzal.org
  • hzxqfyuy.org
  • ihkifipkob.com
  • ijiwdbfe.net
  • ilmenn.org
  • inanwchr.org
  • ivscm.net
  • iwetmh.net
  • ixdrqyfm.info
  • ixukyfoyarg.com
  • iybkspozz.biz
  • jbaporuw.biz
  • jebzcbsaljz.biz
  • jjsajvu.com
  • jlispc.org
  • jlopa.net
  • jnuiamwb.biz
  • jospdiqg.info
  • jwdqzdqsj.net
  • kaiaw.info
  • kdgypwbe.biz
  • klefutkoadt.biz
  • kmpzc.org
  • kuffkactpj.biz
  • kuyinxdwg.net
  • kuylneworqs.info
  • lgjse.info
  • lidrjmqi.org
  • lnbslx.org
  • lpqpev.info
  • lqjrdrh.org
  • lrfyqneanck.org
  • ltkdit.biz
  • lxhru.biz
  • lxlwjany.info
  • maiow.biz
  • mawsezpa.com
  • mcmyhkzlf.org
  • mcngeewe.net
  • mgroq.info
  • mkpih.net
  • mlpuconaddf.net
  • mmrqzxju.org
  • mpqqqnp.com
  • munrulnyoxr.com
  • muvlf.net
  • mxjoextn.com
  • namvkxkdxmm.info
  • nbgsq.info
  • nbykxprbx.biz
  • neacdkow.com
  • nelkzm.net
  • nelxfbw.biz
  • nguxos.net
  • nkzwdb.org
  • npxmlclpzop.net
  • nwlovpsjku.biz
  • nxdcbqyism.info
  • nxekr.com
  • obopljobg.org
  • obzueobl.org
  • oepsmq.info
  • ohnviuwnuf.biz
  • oplqgkc.com
  • orvehkxvpo.biz
  • osbeaescr.biz
  • owqwsmcc.biz
  • pdesl.com
  • pdmqxeumc.info
  • pijtber.org
  • pisaonnpht.info
  • pkxsngzrc.com
  • ppdtaqaa.net
  • pwrkfyh.org
  • qazvsxhgloa.info
  • qcdfklazpwb.com
  • qcdkcghpyhj.net
  • qfszswn.com
  • qpcbthly.com
  • qpvxbhgdc.biz
  • qrmbw.info
  • qxnwhtob.com
  • qxynx.biz
  • rmzchhf.info
  • rncviqzt.info
  • rnsnpgtql.org
  • rofuirvnkq.info
  • rpvuyeiyo.biz
  • rwiqvdes.biz
  • rxnunynbalh.com
  • ryjincwdq.com
  • saewkwhy.info
  • sanpqayp.com
  • saywd.net
  • sbekp.com
  • sbywqb.com
  • sfgvicncwcs.net
  • sijrllxplcf.org
  • sjymarcq.com
  • skuwzlpa.info
  • slnzxx.biz
  • snmlvr.com
  • spvdkjdp.net
  • sqrffrncfm.biz
  • sqyjtz.biz
  • supwcqpn.org
  • tagumbpqa.com
  • tdgoyhpua.com
  • tfwiypsv.info
  • timpsb.com
  • toxckrmg.org
  • tshttkma.info
  • tsmaeeil.info
  • ttbcb.info
  • tuesiglpy.net
  • tzjxlmwzwr.com
  • ubtyckmg.com
  • ubuwka.biz
  • ufefitds.org
  • uflir.info
  • ugtfcacq.org
  • uolctymvtl.biz
  • usimkdlizxu.org
  • uswsaki.info
  • utazsru.net
  • uwhfgofog.biz
  • uxbxjt.biz
  • uxwtykgty.info
  • uxykdjpqp.org
  • vdovf.org
  • vfpbzy.biz
  • vxfuyk.com
  • waxet.info
  • wfgpaosz.org
  • wrmfc.com
  • wydpf.org
  • xdofi.com
  • xegmskqvmxs.info
  • xewkvyi.com
  • xfclsh.net
  • xfrxclyxj.com
  • xjvppmge.net
  • xkdvxketsn.net
  • xmirfew.com
  • xxwurg.org
  • xxzynv.com
  • ybgxlz.com
  • ybjmfmlzxf.org
  • ycvazaatojy.biz
  • yefcelcnl.biz
  • yeszvf.com
  • yezzqntd.org
  • yfaooxcwa.com
  • yiaswysd.net
  • ynsprbyapcg.biz
  • yopmwpnmzvg.net
  • yrhvlci.com
  • yvvnm.net
  • yvwhkimeub.com
  • ywzpzbypmgq.net
  • yxgoqcg.biz
  • yxljmzxmbm.com
  • zbuqkgqoeg.info
  • zcatwgmi.biz
  • zcpzbmii.info
  • zdimkl.org
  • zfvepki.net
  • zgvylvrxsj.com
  • zhmpqdetg.net
  • zkfnpv.com
  • zlxkgdkj.com
  • zmvpqfym.com
  • zpodrkmqg.net
  • zthmwctg.biz
  • zuiwain.info
  • zzuluunbcl.org





SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More