Downadup installs a service under:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\netsvcs
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BadServiceName
The service is, most of the time, a .dll file [we need to submit this one if it is not already detected by SEP].
The service uses the Microsoft Task Scheduler to create multiple jobs.
These jobs execute rundll32.exe random_name.random_ext <args> at random intervals.
The extension is not always .dll; it could be anything [e.g. .ifs, .jpg, .tmp, .c].
In Task Manager we will see multiple rundll32.exe processes running.
In most cases that file is detected by SEP; if not, we need to submit it.
To submit the files, go to:
https://submit.symantec.com/gold
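
As an added example (not part of the original note), this Python sketch triages process or scheduled-task command lines for the pattern described above: rundll32.exe loading a module whose extension is not .dll. The sample command lines, file names and function names are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample command lines, e.g. exported from a process listing or
# from scheduled-task actions. None of these come from a real host.
SAMPLE_CMDLINES = [
    r'rundll32.exe shell32.dll,Control_RunDLL desk.cpl',
    r'C:\Windows\System32\rundll32.exe qwkzpd.ifs,abcde',
    r'"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\xkfjq.tmp",rtyui',
    r'rundll32.exe C:\Users\Public\photo.jpg,start',
    r'notepad.exe C:\notes.txt',
]

# Shape being parsed: [path\]rundll32[.exe] <module>[,entrypoint] [args]
_RUNDLL32 = re.compile(
    r'''^\s*"?(?:[^"]*\\)?rundll32(?:\.exe)?"?\s+   # the rundll32 binary itself
        (?:"(?P<quoted>[^"]+)"|(?P<bare>[^\s,]+))     # module, quoted or bare
    ''',
    re.IGNORECASE | re.VERBOSE,
)

def rundll32_module(cmdline):
    """Return the module rundll32 is asked to load, or None if not rundll32."""
    m = _RUNDLL32.match(cmdline)
    if not m:
        return None
    return m.group('quoted') or m.group('bare')

def is_suspicious(cmdline):
    """Flag rundll32 invocations whose module has an extension other than .dll."""
    module = rundll32_module(cmdline)
    if module is None:
        return False
    # Assumption: extensionless names are skipped, since the loader treats
    # them as DLL names; only an explicit non-.dll extension is flagged.
    return PureWindowsPath(module).suffix.lower() not in ('', '.dll')

def triage(cmdlines):
    """Return (module, full command line) pairs worth a closer look."""
    return [(rundll32_module(c), c) for c in cmdlines if is_suspicious(c)]

if __name__ == '__main__':
    for module, cmdline in triage(SAMPLE_CMDLINES):
        print(f'review: {module}  <-  {cmdline}')
```

Hits are leads for review, not verdicts: each flagged file still needs to be checked against SEP and submitted if it is not detected.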