GO TO: Summary | Removal | Technical Details
Worm:W32/Downadup, Net-Worm.Win32.Kido, Conficker
A standalone malicious program which uses computer or network resources to make complete copies of itself.
Note: The first two programs are command line tools, please read the text file included in the ZIP for additional details.
Downadup makes use of random extension names in order to avoid detection. During disinfection, scanning options should be set to:
A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:
Check for the latest database updates
First check if your F-Secure security program is using the latest detection database updates, then try scanning the file again.
Submit a sample
After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.
NOTE If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
Exclude a file from further scanning
If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.
Note You need administrative rights to change the settings.
Find the latest advice in our Community Knowledge Base.
See the user guide for your product on the Help Center.
Chat with or call an expert for help.
Submit a file or URL for further analysis.
Upon execution, it creates the following mutex as part of its installation:
It then creates a copy of the file as %systemdir%\[%random_dllname%].dll and changes timestamp to match the timestamp on the file %systemdir%\kernel32.dll.
The malware then modifies the registry and creates a number of registry keys, including a "Parameters" key under the service key with the entry:
It also modifies the following registry key:
It then disables user created System Restore Points.
It may also attach itself to "services.exe".
It connects to the following sites to get the %external_ip_address% of the infected system:
It then creates a http server on the infected system on a random port:
The malware tries to exploit systems susceptible to the critical MS08-067 vulnerability (see note); if the exploit is successful, the targeted system will download a copy of the malware (with a .jpeg extension) from the aforementioned http server.
It creates the following registry:
It also downloads and executes the following files when the system date is above "December 1, 2008":
Fortunately, as of this writing, this URL is currently unavailable. We can only speculate regarding the real motive of the malware author. One point of interest is that the URL contains rogue antispyware-related strings. Profit on this sort of scheme is generated through affiliate programs used to promote these dubious antispyware products.
Downadup also downloads and executes the following files when the system date is above "November 25, 2008":
where %Number% is the number of systems the malware has successfully infected, and %predictable_domains_ipaddress% is a predictable domain that will be converted to an IP address.
It may connect to the following domains to obtain the current system date, which will then be used to generate predictable domains:
Examples of a predictable domain:
Creates these mutexes:
Creates these keys:
Further information on the MS08 -67 vulnerability is available from Microsoft at: