Downadup: A Lock with No Key 

Jan 21, 2009 03:18 PM

Editor’s Note: This is another installment of a multi-part series on specific and interesting aspects of W32.Downadup. 

We know that W32.Downadup.B is aggressive when it comes to infecting computers. So, let’s talk about some of the tricks it uses to stay on a computer once an infection is successful. One of our test computers was infected with W32.Downadup.B. I scanned it with an old original shipping version of Norton Antivirus (2006) and the following error message appeared:

[Screenshot: Norton AntiVirus scan error message]

A process on the computer has “locked” the file, which prevents anybody else from accessing it. Now, antivirus software has many ways of getting around this sort of lock. Why isn't it working here?
 
When W32.Downadup.B infected this computer, we saw it drop the file C:\WINDOWS\system32\rkabg.dll and then watched it install itself as a service (in this case as “bmumwkvn”) in the netsvcs service group. So, I should be able to unlock the file by stopping this service:
[Screenshot: the W32.Downadup.B service (“bmumwkvn”) in the Services list]

However, the service was already stopped. A closer look at the running services and processes on my computer reveals nothing suspicious, but something must be maintaining that lock. Process Explorer from Sysinternals (now a part of Microsoft) has a useful feature to find which process is accessing a file:

[Screenshot: Process Explorer “Find Handle” results for rkabg.dll]

Svchost.exe—the process that hosts the service created by W32.Downadup.B—is holding the lock and is still running, even though the W32.Downadup.B-specific service itself is stopped. Some further analysis reveals that the W32.Downadup.B service runs when the computer boots. It then injects code into the service host before unloading itself, which leaves svchost.exe holding the file open with no running service to account for it. This trick works against a surprisingly wide range of antivirus software.
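As an added example (not part of the original post or of Symantec's tooling), here is the correlation a responder could run over a host snapshot to spot this pattern: a netsvcs service that is stopped while an svchost.exe process still holds its ServiceDll open. The data is constructed to mirror the post's observations; collecting it from the registry and the handle table is assumed to happen separately.

```python
# Constructed snapshot standing in for two data sources a responder would
# collect on the host: netsvcs service registrations (name, ServiceDll, state)
# and the files each svchost.exe PID holds open (Process Explorer's handle view).
# Service and DLL names come from the post; PIDs and the other services are made up.
SERVICES = {
    "bmumwkvn": {"dll": r"C:\WINDOWS\system32\rkabg.dll", "state": "Stopped"},
    "wuauserv": {"dll": r"C:\WINDOWS\system32\wuauserv.dll", "state": "Running"},
    "BITS": {"dll": r"C:\WINDOWS\system32\qmgr.dll", "state": "Running"},
}

HANDLES = {
    1032: [r"C:\WINDOWS\system32\rkabg.dll", r"C:\WINDOWS\system32\wuauserv.dll"],
    1180: [r"C:\WINDOWS\system32\qmgr.dll"],
}


def lock_holders(path, handles):
    """PIDs holding `path` open, the same question Process Explorer's
    'Find Handle' answers. Windows paths are case-insensitive."""
    wanted = path.lower()
    return sorted(pid for pid, files in handles.items()
                  if any(f.lower() == wanted for f in files))


def stopped_but_loaded(services, handles):
    """Flag services that are not running while an svchost.exe still holds
    their ServiceDll open. A cleanly stopped service has its DLL unloaded, so
    a lingering handle is the footprint of the inject-then-unload trick:
    the DLL keeps living inside svchost after the service itself is gone."""
    findings = []
    for name, info in services.items():
        holders = lock_holders(info["dll"], handles)
        if info["state"] != "Running" and holders:
            findings.append({"service": name, "dll": info["dll"], "pids": holders})
    return findings


if __name__ == "__main__":
    for hit in stopped_but_loaded(SERVICES, HANDLES):
        print(f"{hit['service']}: {hit['dll']} still open in svchost PID(s) {hit['pids']}")
```

The flagged PID is the one whose handle has to be closed (as the post does in Process Explorer) before a scanner can read the file.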
 
After closing the file handle in Process Explorer, the scan works as expected:
[Screenshot: the scan completing after the handle was closed]

So, while this may have been an issue in 2006, up-to-date versions of Symantec’s products no longer have this problem. Unfortunately for this and other threats, users running unpatched older products are alerted anyway, even without a signature that detects the threat, simply because the file is locked.

Don’t forget—if you believe your computer may be infected with Downadup and are having trouble detecting and removing it, you can always download our free fixtool.
 
This blog series on W32.Downadup will be continued. Keep up-to-date with the analysis by subscribing to the Symantec Security Response Blog RSS feed (http://www.symantec.com/xml/rss/srblogs.jsp).
