Worm:W32/Downadup.A
First posted on 28 November 2008.
Aliases:
There are no other names known for Worm:W32/Downadup.A.
Explanation:
A standalone malicious program which uses computer or network resources to make complete copies of itself. May include code or other malware to damage both the system and the network.
Installation
Downadup is delivered in a DLL file. The file is dropped in the system directory as a random service, with a random file name.
Example:
- %systemroot%\system32\[...].dll
The malware then creates the following registry entries:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[...].dll
ImagePath = %SystemRoot%\system32\svchost.exe -k netsvcs
Under this Service Key is a "Parameters" Key with the following entry:
- ServiceDll = %systemroot%\system32\[...].dll
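As an added defender-side illustration of the persistence pattern described above (example code, not part of the original description): a script that audits a .reg export of the Services key and flags every netsvcs-hosted service whose ServiceDll is not on a known-good baseline. The sample export, the service names and the baseline are constructed for the example.

```python
"""Flag netsvcs-hosted services whose ServiceDll is not on a known-good list.
Downadup persists as a randomly named service under "svchost.exe -k netsvcs"
with Parameters\ServiceDll pointing at a random DLL in system32; this audits a
.reg export of the Services key for that pattern. SAMPLE_REG is constructed."""
import re

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS]
"ImagePath"="%SystemRoot%\\system32\\svchost.exe -k netsvcs"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Parameters]
"ServiceDll"="%SystemRoot%\\system32\\qmgr.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wqzfh]
"ImagePath"="%SystemRoot%\\system32\\svchost.exe -k netsvcs"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wqzfh\Parameters]
"ServiceDll"="%SystemRoot%\\system32\\ktugrw.dll"
"""
# Illustrative baseline (assumption); build the real one from a clean reference host.
KNOWN_GOOD = {"qmgr.dll"}

KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"
                    r"([^\\\]]+)(\\Parameters)?\]$", re.I)
VAL_RE = re.compile(r'^"(\w+)"="(.*)"$')


def parse_services(reg_text):
    """Return {service_name: {"ImagePath": ..., "ServiceDll": ...}}."""
    services, current = {}, None
    for line in reg_text.splitlines():
        m = KEY_RE.match(line.strip())
        if m:  # the service key and its Parameters subkey share one record
            current = services.setdefault(m.group(1), {})
            continue
        v = VAL_RE.match(line.strip())
        if v and current is not None and v.group(1) in ("ImagePath", "ServiceDll"):
            current[v.group(1)] = v.group(2).replace("\\\\", "\\")  # un-escape .reg
    return services


def suspicious_netsvcs(services, known_good=KNOWN_GOOD):
    """Names of netsvcs-hosted services whose ServiceDll is not known-good."""
    flagged = []
    for name, vals in services.items():
        image = vals.get("ImagePath", "").lower()
        dll = vals.get("ServiceDll", "").rsplit("\\", 1)[-1].lower()
        if "svchost.exe" in image and "-k netsvcs" in image and dll not in known_good:
            flagged.append(name)
    return sorted(flagged)  # ['wqzfh'] for SAMPLE_REG
```

Export the live key with `reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg` and pass the file contents to `parse_services`; anything flagged still needs manual confirmation against a clean baseline.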
Propagation
Once installed and active, Downadup connects to the following URLs to obtain the infected machine's IP address:
- http://www.getmyip.org
- http://getmyip.co.uk
- http://checkip.dyndns.org
The infected machine acts as an HTTP server; the worm then exploits the critical MS08-067 vulnerability to instruct a vulnerable target machine to download the infectious file from it. More information about this vulnerability is available from Microsoft at http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx.
Downloading
It may also download these files as part of its malicious routine:
- http://www.maxmind.com/download/geoip/[...]/GeoIP.dat.gz
- http://trafficconverter.biz/4vir/[...]/loadadv.exe
Last update 28 November 2008