F-Secure
Tools
Worm:W32/Downaduprun.A
| Name : | Worm:W32/Downaduprun.A |
| Detection Names : |
Worm:W32/Downaduprun.A |
| Category: | Malware |
| Type: | Worm |
| Platform: | W32 |
Summary
Worm:W32/Downaduprun.A detects the malicious autorun.inf file used by the Downadup network worm.
Additional Details
Worm:W32/Downaduprun.A is generic detection of Downadup worm autorun files. Recent versions of F-Secure software such as Internet Security 2009 and Client Security 8 are able to make this detection.
Downadup is a network worm. See the Worm:W32/Downadup.gen description for further details.
Downadup is able to spread itself using Windows Autorun functionality. The autorun.inf file used by Downadup is detected as Worm:W32/Downaduprun.A.
Typical Autorun.inf files are very small in size.
The Downadup worm inflates the size of its autorun.inf in an attempt to avoid detection by antivirus signature scanners. Binary characters are used to inflate the file size. These binary characters are ignored by the Windows operating system.
Windows will find the following command:
This command executes a DLL called jwgvsq.vmx from a hidden folder on the removable drive containing the malicious autorun.inf.
Downadup is a network worm. See the Worm:W32/Downadup.gen description for further details.
Downadup is able to spread itself using Windows Autorun functionality. The autorun.inf file used by Downadup is detected as Worm:W32/Downaduprun.A.
Typical Autorun.inf files are very small in size.
The Downadup worm inflates the size of its autorun.inf in an attempt to avoid detection by antivirus signature scanners. Binary characters are used to inflate the file size. These binary characters are ignored by the Windows operating system.
Windows will find the following command:
• Open=RUNDLL32.EXE .\RECYCLER\jwgvsq.vmx
This command executes a DLL called jwgvsq.vmx from a hidden folder on the removable drive containing the malicious autorun.inf.