Worm:W32/Downadup.DY

Infection

Upon execution, the worm creates copies of itself in the following locations:

• %System%\[Random].dll
• %Program Files%\Internet Explorer\[Random].dll
• %Program Files%\Movie Maker\[Random].dll
• %Program Files%\Windows Media Player\[Random].dll
• %Program Files%\Windows NT\[Random].dll
• %Application Data%\[Random].dll
• %Temp%\[Random].dll

Note: [Random] represents a algorithmically generated name..

The worm disables a number of system features in order to facilitate its activities. It disables the following Windows services:

• Windows Automatic Update Service (wuauserv)
• Background Intelligent Transfer Service (BITS)
• Windows Security Center Service (wscsvc)
• Windows Defender Service (WinDefend)
• Windows Error Reporting Service (ERSvc)
• Windows Error Reporting Service (WerSvc)

The worm also hooks the following API's in order to block access when the user attempts to access a long list of domains:

• DNS_Query_UTF8
• DNS_Query_W
• Query_Main
• sendto

If the user attempts to access the following, primarily security-related domains, their access is blocked:

• agnitum
• ahnlab
• anti-
• antivir
• arcabit
• avast
• avgate
• avira
• bothunter
• castlecops
• ccollomb
• centralcommand
• clamav
• comodo
• computerassociates
• conficker
• cpsecure
• cyber-ta
• defender
• downad
• drweb
• dslreports
• emsisoft
• esafe
• eset
• etrust
• ewido
• f-prot
• f-secure
• fortinet
• free-av
• freeav
• gdata
• grisoft
• hackerwatch
• hacksoft
• hauri
• ikarus
• jotti
• k7computing
• kaspersky
• kido
• malware
• mcafee
• microsoft
• mirage
• msftncsi
• msmvps
• mtc.sri
• networkassociates
• nod32
• norman
• norton
• onecare
• panda
• pctools
• prevx
• ptsecurity
• quickheal
• removal
• rising
• rootkit
• safety.live
• securecomputing
• secureworks
• sophos
• spamhaus
• spyware
• sunbelt
• symantec
• technet
• threat
• threatexpert
• trendmicro
• trojan
• virscan
• virus
• wilderssecurity
• windowsupdate
• avg
• avp
• bit9
• ca
• cert
• gmer
• kav
• llnw
• llnwd
• msdn
• msft
• nai
• sans

Downloads

Downadup is capable of downloading files onto the infected system. First, the worm connects to one of the following domains to obtain the current system date:

• baidu.com
• google.com
• yahoo.com
• ask.com
• w3.org
• facebook.com
• imageshack.us
• rapidshare.com

The obtained system date is used to generate a list of domains where the worm then attempts to download additional files.

It then verifies whether the current date is at least April 1, 2009. If so, it downloads and execute files from:

• http://%predictable_domains_ipaddress%

Note: %PredictableDomainsIPAddress% are the domains generated based on the system date.

Registry

It creates the following registry entries:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[servicekeyname] DisplayName = %servicedisplayname% Type = dword:00000020 Start = dword:00000002 ErrorControl = dword:00000000 ImagePath = "%SystemRoot%\system32\svchost.exe -k netsvcs" ObjectName = "LocalSystem" Description = %description%
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[servicekeyname]\Parameters ServiceDll = %path_of_malware%

Note: %servicedisplayname% represents a two word combination taken from a list of the following words:

• Audit
• Backup
• Boot
• Browser
• Center
• Component
• Config
• Control
• Discovery
• Driver
• Event
• Framework
• Hardware
• Helper
• Image
• Installer
• Logon
• Machine
• Management
• Manager
• Microsoft
• Monitor
• Network
• Notify
• Power
• Security
• Server
• Shell
• Storage
• Support
• System
• Task
• Time
• Trusted
• Universal
• Update
• Windows

Note: %servicekeyname% represents a combination of two words taken from a list of the following words:.

1st Word

• App
• Audio
• DM
• ER
• Event
• help
• Ias
• Ir
• Lanman
• Net
• Ntms
• Ras
• Remote
• Sec
• SR
• Tapi
• Trk
• W32
• win
• Wmdm
• Wmi
• wsc
• wuau
• xml

2nd Word

• access
• agent
• auto
• logon
• man
• mgmt
• mon
• prov
• serv
• Server
• Service
• Srv
• srv
• Svc
• svc
• System
• Time

The worm modifies the following registry entry and inserts the %servicekeyname%:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost, netsvcs = <%previous data% + %servicekeyname%>

It also create the following registry autorun entry:

• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run = rundll32.exe "%path_of_malware%", [random]
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run = rundll32.exe "%path_of_malware%", [random]

It deletes the following registry key to Deactivate Security Center Notifications:

• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjects\{FD6905CE-952F-41F1-9A6F-135D9C6622CC}

It also deletes the following registry value to disable Windows Defender from startup:

• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, Windows Defender

It deletes the following registry to prevent from restating in safe mode:

• HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot

Downadup.DY also deletes any System Restore points created by the user.

Process Termination

It terminates processes that contains any of the following strings:

• autoruns
• avenger
• confick
• downad
• filemon
• gmer
• hotfix
• kb890
• kb958
• kido
• klwk
• mbsa.
• mrt.
• mrtstub
• ms08-06
• procexp
• procmon
• regmon
• scct_
• sysclean
• tcpview
• unlocker
• wireshark

P2P Network

The worm connects itself to a peer-to-peer network. A significant number of UDP connections can be observed when the worm is attempting to connect to its P2P network..