The Downadup (also known as Kido or Conficker) worm creates copies of itself in:
• %System%\[Random].dll
• %Program Files%\Internet Explorer\[Random].dll
• %Program Files%\Movie Maker\[Random].dll
• %All Users Application Data%\[Random].dll
• %Temp%\[Random].dll
• %System%\[Random].tmp
• %Temp%\[Random].tmp
Note: [Random] represents a random file name.
It modifies the timestamp of each dropped file so that the copies do not stand out among the system files around them.
It creates an autorun.inf file on every partition with the following content:
Open=RUNDLL32.EXE .\RECYCLER\jwgvsq.vmx
The worm may create the following files on removable and mapped drives:
%DriveLetter%\RECYCLER\S-%d-%d-%d-%d%d%d-%d%d%d-%d%d%d-%d\[...].[3 random characters]
%DriveLetter%\autorun.inf
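As an added example (not code from the original post or from any vendor tool), the following Python triage helper parses an autorun.inf tolerantly and flags launch commands of the kind shown above: rundll32 loading a file from RECYCLER under a non-DLL extension. It also matches file paths against the SID-like RECYCLER pattern quoted above, but reports that separately as a weak indicator, because a genuine Windows XP Recycle Bin uses the same RECYCLER\<SID>\ layout. Apart from the Open= line quoted above, the sample autorun.inf content and the file names are constructed for this example.

```python
import re
from typing import Dict, List, Tuple

# [autorun] keys that cause code execution when the drive is inserted or opened.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command", "shell\\explore\\command")
DLL_EXTS = {".dll", ".cpl", ".ocx"}  # what rundll32 legitimately loads; .vmx etc. is not

# Shape of the dropped-file path quoted above:
#   %DriveLetter%\RECYCLER\S-%d-%d-%d-%d%d%d-%d%d%d-%d%d%d-%d\[...].[3 random characters]
# A real XP Recycle Bin also lives under RECYCLER\<SID>\, so this is only a weak indicator.
RECYCLER_SID_RE = re.compile(r"^[a-z]:\\recycler\\s-\d+(?:-\d+){6}\\[^\\]+\.[a-z0-9]{3}$",
                             re.IGNORECASE)

def parse_autorun(text: str) -> Dict[str, str]:
    """Lower-cased key -> value pairs from [autorun]; junk/padding lines are skipped."""
    entries: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries

def split_command(cmd: str) -> Tuple[str, str]:
    """'launcher target[,export] ...' -> (launcher basename, target path); no quoting support."""
    tokens = cmd.strip().split()
    launcher = tokens[0].rsplit("\\", 1)[-1].lower() if tokens else ""
    target = tokens[1].split(",", 1)[0] if len(tokens) > 1 else ""
    return launcher, target

def classify_command(cmd: str) -> List[str]:
    """Reasons a launch command looks malicious (empty list if none)."""
    reasons: List[str] = []
    launcher, target = split_command(cmd)
    if re.search(r"(?:^|\\)recycler\\", target, re.IGNORECASE):
        reasons.append("launches a file stored under RECYCLER")
    if launcher in ("rundll32.exe", "rundll32"):
        basename = target.rsplit("\\", 1)[-1]
        ext = basename[basename.rfind("."):].lower() if "." in basename else ""
        if ext not in DLL_EXTS:
            reasons.append(f"rundll32 loading a non-DLL extension {ext or '(none)'!r}")
    return reasons

def resolve_on_drive(target: str, drive_letter: str) -> str:
    """'.\\RECYCLER\\x.vmx' on drive E -> 'e:\\recycler\\x.vmx' (absolute paths kept)."""
    if re.match(r"^[a-z]:\\", target, re.IGNORECASE):
        return target.lower()
    rel = target[2:] if target.startswith(".\\") else target.lstrip("\\")
    return f"{drive_letter}:\\{rel}".lower()

def triage(autorun_text: str, drive_letter: str, files: List[str]) -> Dict[str, List[str]]:
    """Cross-reference autorun.inf launch commands with a file listing of the drive."""
    entries = parse_autorun(autorun_text)
    reasons: List[str] = []
    referenced = set()
    for key in LAUNCH_KEYS:
        cmd = entries.get(key)
        if not cmd:
            continue
        reasons.extend(f"{key}: {r}" for r in classify_command(cmd))
        _, target = split_command(cmd)
        if target:
            referenced.add(resolve_on_drive(target, drive_letter))
    return {
        "autorun": reasons,
        "launch_targets_present": sorted(f for f in files if f.lower() in referenced),
        "recycler_sid_files": sorted(f for f in files if RECYCLER_SID_RE.match(f)),
    }

# Constructed sample: the Open= line is the one quoted above; the Action=/Icon= lines,
# the padding line and the file names are made up here, not taken from a real drive.
SAMPLE_AUTORUN = (
    "[autorun]\r\n"
    "Action=Open folder to view files\r\n"
    "Icon=%systemroot%\\system32\\shell32.dll,4\r\n"
    "\x01\x02 padding bytes that are not a key\r\n"
    "Open=RUNDLL32.EXE .\\RECYCLER\\jwgvsq.vmx\r\n"
    "shell\\open\\Command=RUNDLL32.EXE .\\RECYCLER\\jwgvsq.vmx\r\n"
)
SAMPLE_FILES = [
    "E:\\autorun.inf",
    "E:\\RECYCLER\\jwgvsq.vmx",
    "E:\\RECYCLER\\S-5-3-42-2819952290-8240758988-879315005-3665\\xkjdfg.vmx",
    "E:\\holiday_photos\\IMG_0001.jpg",
]

if __name__ == "__main__":
    print(triage(SAMPLE_AUTORUN, "E", SAMPLE_FILES))
```

Against a real drive you would feed triage() the bytes of autorun.inf (decoded with errors="ignore") and a recursive listing of the drive; a launch target that actually exists on the drive is the strong finding, while the SID-like RECYCLER paths only tell you where to look next.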
Once executed, the worm copies itself to the following file:
%System%\[RANDOM FILE NAME].dll
Next, the worm deletes any user-created System Restore points.
It creates the following service:
Name: netsvcs
ImagePath: %SystemRoot%\system32\svchost.exe -k netsvcs
Then the worm creates the following registry entry, so that the shared svchost.exe process for the netsvcs group loads the worm DLL and the worm runs inside a legitimate Windows process:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netsvcs\Parameters\"ServiceDll" = "[PathToWorm]"
The worm connects to the following URLs to learn the public IP address of the compromised computer:
- [http://]www.getmyip.org
- [http://]getmyip.co.uk
- [http://]checkip.dyndns.org
The worm blocks access to most antivirus and security-related domains by filtering DNS lookups whose names contain security-vendor strings, so an infected machine cannot reach vendor update sites.
For a more detailed description, visit http://www.f-secure.com/v-descs/worm_w32_downadup_al.shtml.
Removal tools:
McAfee Stinger: get Stinger from this link
Symantec: get the removal tool from this link; also visit this link for removal instructions
F-Secure: ftp://ftp.f-secure.com/anti-virus/tools/beta/f-downadup.zip
F-Secure: ftp://ftp.f-secure.com/anti-virus/tools/beta/fsmrt.zip (generic tool, not specific to Downadup)
BitDefender: http://www.bdtools.net/
Trend Micro: http://www.trendmicro.com/ftp/products/pattern/spyware/fixtool/SysClean-WORM_DOWNAD.zip
Microsoft: http://www.microsoft.com/downloads/details.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en