Please see our Worm:W32/Downadup.gen description for disinfection information.
A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:
Check for the latest database updates
First check if your F-Secure security program is using the latest detection database updates, then try scanning the file again.
Submit a sample
After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.
NOTE If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
Exclude a file from further scanning
If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.
Note You need administrative rights to change the settings.
Upon execution, the worm creates copies of itself in the following locations:
Note: [Random] represents a algorithmically generated name..
The worm disables a number of system features in order to facilitate its activities. It disables the following Windows services:
The worm also hooks the following API's in order to block access when the user attempts to access a long list of domains:
If the user attempts to access the following, primarily security-related domains, their access is blocked:
Downadup is capable of downloading files onto the infected system. First, the worm connects to one of the following domains to obtain the current system date:
The obtained system date is used to generate a list of domains where the worm then attempts to download additional files.
It then verifies whether the current date is at least April 1, 2009. If so, it downloads and execute files from:
Note: %PredictableDomainsIPAddress% are the domains generated based on the system date.
It creates the following registry entries:
Note: %servicedisplayname% represents a two word combination taken from a list of the following words:
Note: %servicekeyname% represents a combination of two words taken from a list of the following words:.
The worm modifies the following registry entry and inserts the %servicekeyname%:
It also create the following registry autorun entry:
It deletes the following registry key to Deactivate Security Center Notifications:
It also deletes the following registry value to disable Windows Defender from startup:
It deletes the following registry to prevent from restating in safe mode:
Downadup.DY also deletes any System Restore points created by the user.
It terminates processes that contains any of the following strings:
The worm connects itself to a peer-to-peer network. A significant number of UDP connections can be observed when the worm is attempting to connect to its P2P network..