W32.Downadup.B

Risk Level 2: Low

Download Removal Tool | Printer Friendly Page

Discovered: December 30, 2008

Updated: March 24, 2009 12:05:35 PM

Also Known As: Worm:W32/Downadup.AL [F-Secure], Win32/Conficker.B [Computer Associates], W32/Confick-D [Sophos], WORM_DOWNAD.AD [Trend], Net-Worm.Win32.Kido.ih [Kaspersky], Conficker.D [Panda Software]

Type: Worm

Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000

CVE References: CVE-2008-4250

W32.Downadup.B is a worm that spreads by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (BID 31874). It also attempts to spread to network shares protected by weak passwords and block access to security-related Web sites.

Note: After reviewing W32.Downadup.B, Symantec recommends reviewing details of W32.Downadup and W32.Downadup!autorun as well.

For more information, please read the following:

Protection

Initial Rapid Release version December 30, 2008 revision 021
Latest Rapid Release version February 5, 2010 revision 007
Initial Daily Certified version December 30, 2008 revision 024
Latest Daily Certified version February 5, 2010 revision 032
Initial Weekly Certified release date December 31, 2008

Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.

Threat Assessment

Wild

Wild Level: Medium
Number of Infections: 1000+
Number of Sites: 10+
Geographical Distribution: Medium
Threat Containment: Moderate
Removal: Moderate

Damage

Damage Level: Medium
Modifies Files: Modifies the tcpip.sys file.

Distribution

Distribution Level: Medium
Shared Drives: Attempts to spread to network shares protected by weak passwords.
Target of Infection: Spreads by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (BID 31874)

Writeup By: Sean Kiernan

Technical Details

Search Threats

Search by name

_{Example: W32.Beagle.AG@mm}