Virus identified worm/downadup
A hidden Autorun file is created. A randomly named Windows service appears in the list of services that start automatically during system boot. The worm checks for suitable computers on the network using NetServerEnum, then attempts to log on to any computer found with one of the following login credentials:

It then creates a scheduled daily job on the remote server in order to execute the following command: A for additional details. The worm is also able to propagate by downloading a copy of itself onto other machines that are vulnerable to an exploit of the critical MS vulnerability.

Creating the HTTP server allows the malware to send specially crafted packets containing exploit code from the infected machine to other machines. If the exploit is successful, the targeted machine is forced to download a copy of the malware from the first infected machine. Downadup is also capable of downloading files onto the infected system.

First, the worm connects to one of the following domains to obtain the current system date: The obtained date is used to generate a list of domains from which the malware can download additional files.

It then verifies whether the current date is at least 1 January If so, it downloads and executes files from: The worm deletes a number of keys from the registry in order to deactivate Security Center notifications and prevent Windows Defender from starting. It also bypasses the Windows Firewall by creating the following registry entry, so that other systems can download a copy of the worm: To hide its presence on the system, the worm deletes any System Restore points created by the user, then modifies the following registry keys:

The TMP file created is registered as a service kernel driver using the following registry entry:

Please perform this step only if you know how to, or ask your system administrator for assistance.

Otherwise, read this Microsoft article first before modifying your computer's registry. Delete this registry value. Important: editing the Windows Registry incorrectly can lead to irreversible system malfunction. Restore these modified registry values.

Please do this only if you know how to, or seek your system administrator's help. You may also read this Microsoft article first before modifying your computer's registry. INF files created: Search for and delete these folders. Make sure you check the Search Hidden Files and Folders checkbox under More advanced options so that hidden folders are included in the search results.

Porras et al. This explanation is widely accepted in the cybersecurity field. In , working with the FBI, Ukrainian police arrested three Ukrainians in relation to Conficker, but there are no records of them being prosecuted or convicted.

A Swede, Mikael Sallnert, was sentenced to 48 months in prison in the U.S. Because the worm's files are locked against deletion while the system is running, manual or automatic removal has to be performed during the boot process or from an externally installed system. Deleting any existing backup copy is a crucial step. Microsoft released a removal guide for the worm and recommended using the current release of its Windows Malicious Software Removal Tool to remove it, then applying the patch to prevent re-infection.

Newer versions of Windows are immune to Conficker. Many third-party anti-virus vendors have released detection updates for their products and claim to be able to remove the worm. The malware's evolution shows some adaptation to common removal software, so it is likely that some tools will remove or at least disable some variants, while other variants remain active or, even worse, report a false positive to the removal software and become active again at the next reboot.

On 27 March , Felix Leder and Tillmann Werner from the Honeynet Project discovered that Conficker-infected hosts have a detectable signature when scanned remotely. The peer-to-peer command protocol used by variants D and E of the worm has since been partially reverse-engineered, allowing researchers to imitate the worm network's command packets and positively identify infected computers en masse.

It can also be detected passively by sniffing broadcast domains for repeating ARP requests. Prior to the release of Microsoft Knowledge Base article KB, US-CERT described Microsoft's guidelines on disabling Autorun as "not fully effective" and provided a workaround for disabling it more effectively.

US-CERT has also made a network-based tool for detecting Conficker-infected hosts available to federal and state agencies.