Discovered: December 30, 2008
Updated: March 24, 2009 12:05:35 PM
Also Known As: Worm:W32/Downadup.AL [F-Secure], Win32/Conficker.B [Computer Associates], W32/Confick-D [Sophos], WORM_DOWNAD.AD [Trend], Net-Worm.Win32.Kido.ih [Kaspersky], Conficker.D [Panda Software]
Type: Worm
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP
W32.Downadup.B is a worm that spreads by exploiting the
Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (BID 31874). It also attempts to spread to network shares protected by weak passwords and block access to security-related Web sites.
Note: After reviewing W32.Downadup.B, Symantec recommends reviewing details of
W32.Downadup and
W32.Downadup!autorun as well.
For more information, please read the following: Protection
-
Initial Rapid Release version December 30, 2008 revision 021
-
Latest Rapid Release version June 4, 2009 revision 050
-
Initial Daily Certified version December 30, 2008 revision 024
-
Latest Daily Certified version June 5, 2009 revision 022
-
Initial Weekly Certified release date December 31, 2008
Click for a more detailed description of Rapid Release and Daily Certified virus definitions.
Threat Assessment
Wild
-
Wild Level: Medium
-
Number of Infections: 1000+
-
Number of Sites: 10+
-
Geographical Distribution: Medium
-
Threat Containment: Moderate
-
Removal: Moderate
Damage
-
Damage Level: Medium
-
Modifies Files: Modifies the tcpip.sys file.
Distribution
-
Distribution Level: Medium
-
Shared Drives: Attempts to spread to network shares protected by weak passwords.
-
Target of Infection: Spreads by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (BID 31874)
Writeup By: Sean Kiernan
Technorati
Digg
Delicious
Reddit
StumbleUpon
Yahoo Buzz
Twitter
Facebook
Newsvine
