A standalone malicious program which uses computer or network resources to make complete copies of itself. May include code or other malware to damage both the system and the network.
Please see our Worm:W32/Downadup.gen description for disinfection information.
Upon execution, the worm creates copies of itself in the following locations:
- %Program Files%\Internet Explorer\[Random].dll
- %Program Files%\Movie Maker\[Random].dll
- %Program Files%\Windows Media Player\[Random].dll
- %Program Files%\Windows NT\[Random].dll
- %Application Data%\[Random].dll
Note: [Random] represents a algorithmically generated name..
The worm disables a number of system features in order to facilitate its activities. It disables the following Windows services:
- Windows Automatic Update Service (wuauserv)
- Background Intelligent Transfer Service (BITS)
- Windows Security Center Service (wscsvc)
- Windows Defender Service (WinDefend)
- Windows Error Reporting Service (ERSvc)
- Windows Error Reporting Service (WerSvc)
The worm also hooks the following API's in order to block access when the user attempts to access a long list of domains:
If the user attempts to access the following, primarily security-related domains, their access is blocked:
Downadup is capable of downloading files onto the infected system. First, the worm connects to one of the following domains to obtain the current system date:
The obtained system date is used to generate a list of domains where the worm then attempts to download additional files.
It then verifies whether the current date is at least April 1, 2009. If so, it downloads and execute files from:
Note: %PredictableDomainsIPAddress% are the domains generated based on the system date.
It creates the following registry entries:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[servicekeyname] DisplayName = %servicedisplayname% Type = dword:00000020 Start = dword:00000002 ErrorControl = dword:00000000 ImagePath = "%SystemRoot%\system32\svchost.exe -k netsvcs" ObjectName = "LocalSystem" Description = %description%
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[servicekeyname]\Parameters ServiceDll = %path_of_malware%
Note: %servicedisplayname% represents a two word combination taken from a list of the following words:
Note: %servicekeyname% represents a combination of two words taken from a list of the following words:.
The worm modifies the following registry entry and inserts the %servicekeyname%:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost, netsvcs = <%previous data% + %servicekeyname%>
It also create the following registry autorun entry:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run = rundll32.exe "%path_of_malware%", [random]
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run = rundll32.exe "%path_of_malware%", [random]
It deletes the following registry key to Deactivate Security Center Notifications:
It also deletes the following registry value to disable Windows Defender from startup:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, Windows Defender
It deletes the following registry to prevent from restating in safe mode:
Downadup.DY also deletes any System Restore points created by the user.
It terminates processes that contains any of the following strings:
The worm connects itself to a peer-to-peer network. A significant number of UDP connections can be observed when the worm is attempting to connect to its P2P network..