W32.Downadup, also known as Conficker by some news agencies and antivirus vendors, is an extremely interesting piece of malicious code and one of the most prolific worms in recent years. It has an extremely large infection base, estimated to be upwards of 3 million computers, that has the potential to do a lot of damage. This is largely attributed to the fact that it is capable of exploiting computers that are running unpatched Windows XP SP2 and Windows 2003 SP1 systems. Other worms released over the past few years have largely targeted older system versions, which have an ever-decreasing distribution.
Infection
W32.Downadup spreads primarily by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (BID 31874), which was first discovered in late October 2008. It scans the network for vulnerable hosts, but instead of flooding the network with traffic, it selectively queries various computers in an attempt to mask its traffic. It also takes advantage of Universal Plug and Play to pass through routers and gateways.
It also attempts to spread to network shares by brute-forcing commonly used network passwords and by copying itself to removable drives.
Functionality
It has the ability to update itself or receive additional files for execution. It does this by generating a large number of new domains to connect to every day. The worm may also receive and execute files through a peer-to-peer mechanism by communicating with other compromised computers, which are seeded into the botnet by the malware author.
The worm blocks access to predetermined security-related websites so that it appears that the network request timed out. Furthermore, it deletes registry entries to disable certain security-related software, to prevent access to Safe Mode, and to disable Windows Security Alert notifications.
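The daily domain generation described above leaves a visible trace in resolver logs: one host suddenly queries many names that nobody on the network has looked up before. The following detection sketch is an added example, not Symantec's code; the log format, thresholds, sample data, and the assumption that most generated names are unregistered and return NXDOMAIN are all illustrative.

```python
from collections import defaultdict

# Constructed sample data: "<date> <client_ip> <queried_name> <rcode>"
GENERATED = ["qzkvhw", "bdrtlmx", "pwoyhc", "vnjqsa", "lkzetu", "hxgmro"]
SAMPLE_LOG = "\n".join(
    ["2009-01-12 10.0.0.5 www.example.com NOERROR",
     "2009-01-12 10.0.0.7 mail.example.org NOERROR",
     "2009-01-13 10.0.0.5 www.example.com NOERROR",
     "2009-01-13 10.0.0.5 intranet.example.net NOERROR",
     "2009-01-13 10.0.0.7 mail.example.org NOERROR"]
    # One generated name resolves (a registered rendezvous point); the rest do not.
    + [f"2009-01-13 10.0.0.7 {label}.example {'NOERROR' if i == 0 else 'NXDOMAIN'}"
       for i, label in enumerate(GENERATED)]
)


def flag_dga_hosts(log_text, min_new=5, min_nx_ratio=0.8):
    """Return (day, client, new_name_count, nxdomain_count) for each client
    that, on one day, queries at least min_new names never seen on an earlier
    day, with at least min_nx_ratio of them answered NXDOMAIN."""
    by_day = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        day, client, name, rcode = parts
        by_day[day].append((client, name.lower().rstrip("."), rcode))

    seen_before = set()  # names queried by any client on earlier days
    alerts = []
    for day in sorted(by_day):  # ISO dates sort chronologically
        new_names = defaultdict(dict)  # client -> {name: rcode}
        for client, name, rcode in by_day[day]:
            if name not in seen_before:
                new_names[client][name] = rcode
        for client, names in sorted(new_names.items()):
            nx = sum(1 for rcode in names.values() if rcode == "NXDOMAIN")
            if len(names) >= min_new and nx / len(names) >= min_nx_ratio:
                alerts.append((day, client, len(names), nx))
        # Today's names become part of the baseline for later days.
        seen_before.update(name for _, name, _ in by_day[day])
    return alerts


if __name__ == "__main__":
    for alert in flag_dga_hosts(SAMPLE_LOG):
        print(alert)
```

On real data, let the baseline accumulate for several days before alerting, since every name looks new on the first day of logs.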
GEOGRAPHICAL DISTRIBUTION
Symantec has observed the following geographic distribution of this threat.
PREVALENCE
Symantec has observed the following infection levels of this threat worldwide.
SYMANTEC PROTECTION SUMMARY
The following content is provided by Symantec to protect against this threat family.
Antivirus signatures
Antivirus (heuristic/generic)
Intrusion Prevention System