Downadup Worm Affects More Than 10 million PCs Worldwide, Biggest Botnet Ever?
My suggestion:
I would urgently advise you to download Microsoft’s new Malicious Software Removal Tool (available here) to check whether there is any malware on your computer. Also, here is the removal tool developed by BitDefender, and it is free 🙂
1. Disable System Restore
2. Download and install the MS08-067 vulnerability patch from here
3. Download the removal tool by Microsoft from here
About Win32.Worm.Downadup:
Win32.Worm.Downadup, a worm which spreads by
exploiting a vulnerability in the Windows RPC Server Service, has been
detected by BitDefender. The Downadup (also called Conficker or
Kido) worm itself is nothing new. It made its first appearance in late
November 2008, exploiting the MS08-067 vulnerability to spread
unhindered in local area networks. Its purpose was to install rogue
security software on infected computers.
In late December, BitDefender Labs uncovered a new version of the worm
called Win32.Worm.Downadup.B. The malware comes with a list of new
features, aside from the present spreading routine, which has shown
signs of improvement.
The worm now uses USB sticks to spread. By copying itself in a random
folder created inside the RECYCLER directory, used by the Recycle Bin
to store deleted files, and creating an autorun.inf file in the root
folder of the drive, the worm automatically executes if the Autorun
feature is enabled.
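The USB spreading routine described above leaves two things a defender can check on a removable drive: an autorun.inf in the root folder and a launch command that points into RECYCLER. The following Python check is an added example, not code from BitDefender or the original post; the function names and the sample drive contents are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Standard autorun.inf keys that launch a program when the drive is opened.
LAUNCH_KEY = re.compile(
    r"^\s*(open|shellexecute|shell\\[^=]+\\command)\s*=\s*(.+?)\s*$", re.I)
# A command whose path goes through a RECYCLER directory.
RECYCLER_REF = re.compile(r"(^|[\\/\s\"'])RECYCLER[\\/]", re.I)


def find_autorun(drive_root):
    """Locate autorun.inf in the drive root, ignoring filename case."""
    for entry in Path(drive_root).iterdir():
        if entry.is_file() and entry.name.lower() == "autorun.inf":
            return entry
    return None


def recycler_launch_entries(drive_root):
    """Return (key, command) pairs whose command runs something from RECYCLER."""
    autorun = find_autorun(drive_root)
    if autorun is None:
        return []
    # Decode as latin-1 so non-text bytes never raise; drop control characters.
    text = autorun.read_bytes().decode("latin-1")
    hits = []
    for raw in text.splitlines():
        line = "".join(ch for ch in raw if ch.isprintable())
        match = LAUNCH_KEY.match(line)
        if match and RECYCLER_REF.search(match.group(2)):
            hits.append((match.group(1).lower(), match.group(2)))
    return hits


def make_sample_drive(root, autorun_body):
    """Build a constructed drive layout for the demo (no real sample data)."""
    folder = Path(root) / "RECYCLER" / "constructed-folder"
    folder.mkdir(parents=True)
    (folder / "payload.bin").write_bytes(b"placeholder")
    (Path(root) / "AUTORUN.INF").write_bytes(autorun_body)


if __name__ == "__main__":
    body = (b"[autorun]\r\n\x00\x01junk\r\n"
            b"open=RECYCLER\\constructed-folder\\payload.bin\r\n")
    with tempfile.TemporaryDirectory() as drive:
        make_sample_drive(drive, body)
        for key, command in recycler_launch_entries(drive):
            print(f"suspicious {key}: {command}")
```

Pass the mounted drive's root path to `recycler_launch_entries`; an empty list means no launch key in autorun.inf references RECYCLER.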
The worm also patches certain TCP functions to block access to
security-related websites by filtering every address that contains
certain strings. This makes it harder to remove since information about
it is nearly impossible to gather from an infected computer.
Additionally, it removes all access rights of the user, except execute
and directory usage, to protect its files.
The worm is also built to avoid antivirus detection by working with
rarely used APIs in order to avoid virtualization technologies. It
disables Windows updates and certain network traffic, optimizing
Vista features to ease its spreading.
Win32.Worm.Downadup.B comes with a domain name generation algorithm
similar to the one found in botnets like Rustock. It composes 250
domains every day and checks for updates or other files to download and
install.