The worm may be downloaded or delivered silently through Web exploits and then executed.
Once executed, the worm copies itself as the following file and then deletes the file:
%Temp%\[RANDOM FILE NAME].exe
It then drops the following file and runs it as a randomly named service driver:
%System%\0[RANDOM FILE NAME].tmp
The driver patches the following file to remove the limit on concurrent half-open outbound TCP connections, the throttle that would otherwise slow the worm's scanning for new targets:
%System%\drivers\tcpip.sys
It also sets the following registry value (0xFFFFFE is the maximum that Windows accepts, so the connection cap is effectively removed):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\"TcpNumConnections" = "00FFFFFE"
The worm then removes the driver service from the compromised computer.
The worm creates the following registry entries:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CurrentVersion\Applets\"ds" = [ENCRYPTED DLL]
- HKEY_CURRENT_USER\Software\Microsoft\CurrentVersion\Applets\"ds" = [ENCRYPTED DLL]
The worm then loads the encrypted DLLs from the registry into memory and drops a copy of W32.Downadup.C as the following file:
%System%\000[RANDOM FILE NAME].tmp
It also checks for the existence of the following registry entries:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CurrentVersion\Applets\"xl"
- HKEY_CURRENT_USER\Software\Microsoft\CurrentVersion\Applets\"xl"
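The registry and file artifacts listed so far are enough for a first-pass host triage. The following script is an added example (not Symantec's tooling and not part of the original writeup): it parses a constructed `reg export`-style dump and a constructed %System% directory listing so that it runs offline, and on a live host the same checks would be fed from `reg query` and `dir` output. The file-name patterns are a heuristic, since the writeup only says the names are random: the script matches the fixed `0` and `000` prefixes with the `.tmp` extension.

```python
"""Host-side triage for the W32.Downadup.E artifacts described in the writeup."""
import re
from typing import Dict, List, Tuple

# Registry locations named in the writeup.
APPLETS_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CurrentVersion\Applets",
    r"HKEY_CURRENT_USER\Software\Microsoft\CurrentVersion\Applets",
)
TCPIP_PARAMS = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
TCPNUMCONN_IOC = 0x00FFFFFE  # value the worm writes to TcpNumConnections

# Heuristic file patterns: %System%\0[RANDOM].tmp (driver) and %System%\000[RANDOM].tmp (Downadup.C).
DRIVER_DROP = re.compile(r"^0[^\\/]*\.tmp$", re.IGNORECASE)
DOWNADUP_C_DROP = re.compile(r"^000[^\\/]*\.tmp$", re.IGNORECASE)

# Constructed sample data for the example; the hex bytes are placeholders, not malware.
SAMPLE_REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"TcpNumConnections"=dword:00fffffe
"EnableICMPRedirect"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CurrentVersion\Applets]
"ds"=hex:4d,5a,90,00

[HKEY_CURRENT_USER\Software\Microsoft\CurrentVersion\Applets]
"xl"=hex:01,02,03,04
"""

SAMPLE_SYSTEM32_LISTING = """
kernel32.dll
0a7f3k2.tmp
000z9q1x.tmp
ntoskrnl.exe
tcpip.sys
"""


def parse_reg_export(text: str) -> Dict[Tuple[str, str], str]:
    """Parse a .reg export into {(key, value_name): raw_data}; key and name are lower-cased."""
    values: Dict[Tuple[str, str], str] = {}
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key and line.startswith('"'):
            name, _, data = line[1:].partition('"=')
            values[(key, name.lower())] = data.strip()
    return values


def reg_dword(raw: str) -> int:
    """Convert a .reg 'dword:00fffffe' value to an int (the export stores DWORDs as hex)."""
    if not raw.lower().startswith("dword:"):
        raise ValueError(f"not a DWORD: {raw!r}")
    return int(raw.split(":", 1)[1], 16)


def triage(reg_export: str, system32_listing: str) -> List[str]:
    """Return one finding string per Downadup.E indicator present in the inputs."""
    findings: List[str] = []
    values = parse_reg_export(reg_export)

    # Encrypted-DLL payload ("ds") and the "xl" marker under either hive.
    for key in APPLETS_KEYS:
        for name in ("ds", "xl"):
            if (key.lower(), name) in values:
                findings.append(f"registry: {key}\\{name} present")

    # Half-open connection limit raised to the maximum.
    raw = values.get((TCPIP_PARAMS.lower(), "tcpnumconnections"))
    if raw is not None and reg_dword(raw) == TCPNUMCONN_IOC:
        findings.append("registry: TcpNumConnections raised to 0xFFFFFE")

    # Dropped files in %System%; the 000 prefix is checked first because it also matches 0*.tmp.
    for fname in system32_listing.split():
        if DOWNADUP_C_DROP.match(fname):
            findings.append(f"file: %System%\\{fname} matches 000*.tmp (Downadup.C drop)")
        elif DRIVER_DROP.match(fname):
            findings.append(f"file: %System%\\{fname} matches 0*.tmp (driver drop)")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_REG_EXPORT, SAMPLE_SYSTEM32_LISTING):
        print(finding)
```

A hit on the file patterns alone deserves a look at the file's timestamps and signature before acting, since the prefix match is deliberately loose; the registry values are far more specific. Because the driver patches tcpip.sys, a host that shows any of these indicators should also have that file compared against the signed copy from the installation media or the dllcache.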
The worm also connects to one of the following URLs to learn its public IP address:
- http://checkip.dyndns.com
- http://checkip.dyndns.org
- http://www.findmyip.com
- http://www.findmyipaddress.com
- http://www.ipaddressworld.com
- http://www.ipdragon.com
- http://www.myipaddress.com
- http://www.whatsmyipaddress.com
The worm then starts an HTTP server on the compromised computer on a random TCP port and builds a URL from its public IP address and that port. It sends this URL to the remote computers it attacks; if the exploit succeeds, the remote computer connects back to the URL and downloads the worm from the computer that infected it. Each exploited computer therefore becomes a distribution point, instead of every victim fetching the worm from a predetermined location.
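Seen from the network, this gives a distinctive sequence: the infected host looks up its public IP, attacks a peer over SMB (tcp/445, the transport for the Server Service vulnerability it exploits), and the peer then connects back to the attacker on a random high port to fetch the worm. The detector below is an added example, not from the Symantec writeup; its proxy and firewall log formats, addresses, ports and timestamps are all constructed for the example, and the `INTERNAL_NETS` and `WELL_KNOWN_PORTS` sets are assumptions to be adjusted per environment.

```python
"""Network-side detection of the Downadup.E propagation pattern in constructed logs."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import Dict, Iterator, List, Tuple
from urllib.parse import urlsplit

# The public-IP lookup services listed in the writeup.
IP_LOOKUP_HOSTS = {
    "checkip.dyndns.com", "checkip.dyndns.org", "www.findmyip.com",
    "www.findmyipaddress.com", "www.ipaddressworld.com", "www.ipdragon.com",
    "www.myipaddress.com", "www.whatsmyipaddress.com",
}
# Assumptions for the example: internal address space and ports that are not "random".
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
WELL_KNOWN_PORTS = {21, 22, 25, 53, 80, 135, 139, 443, 445, 3389}
SMB_PORT = 445

# Constructed sample logs. Proxy: "ts src method url". Firewall: "ts proto src dst dport".
PROXY_LOG = """\
2009-04-09T10:01:12 10.0.0.15 GET http://checkip.dyndns.org/
2009-04-09T10:02:00 10.0.0.22 GET http://www.example.com/index.html
2009-04-09T10:03:41 10.0.0.15 GET http://msn.com/
"""
FW_LOG = """\
2009-04-09T10:04:50 TCP 10.0.0.15 10.0.0.31 445
2009-04-09T10:05:02 TCP 10.0.0.31 10.0.0.15 41763
2009-04-09T10:05:05 TCP 10.0.0.15 10.0.0.44 445
2009-04-09T10:05:09 TCP 10.0.0.44 10.0.0.15 41763
2009-04-09T10:06:00 TCP 10.0.0.22 10.0.0.9 445
2009-04-09T10:07:13 TCP 10.0.0.9 10.0.0.22 3389
"""


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_proxy(text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (timestamp, source, hostname) from the constructed proxy format."""
    for line in text.splitlines():
        if line.strip():
            ts, src, _method, url = line.split()
            yield ts, src, (urlsplit(url).hostname or "").lower()


def parse_fw(text: str) -> Iterator[Tuple[str, str, str, int]]:
    """Yield (timestamp, source, destination, dport) for TCP flows in the constructed format."""
    for line in text.splitlines():
        if line.strip():
            ts, proto, src, dst, dport = line.split()
            if proto.upper() == "TCP":
                yield ts, src, dst, int(dport)


def detect(proxy_log: str, fw_log: str) -> Dict[str, List[str]]:
    """Return {host: [reasons]} for hosts that match parts of the propagation pattern."""
    reasons: Dict[str, List[str]] = defaultdict(list)

    # 1. Public-IP lookups: weak alone, but the worm needs one to build the URL it advertises.
    for ts, src, host in parse_proxy(proxy_log):
        if host in IP_LOOKUP_HOSTS:
            reasons[src].append(f"{ts} external IP lookup via {host}")

    # 2. Exploit-then-fetch pairs: A -> B:445 followed (in log order) by B -> A:<random port>.
    smb_pairs = set()  # (attacker, target) pairs seen so far
    for ts, src, dst, dport in parse_fw(fw_log):
        if not (is_internal(src) and is_internal(dst)):
            continue
        if dport == SMB_PORT:
            smb_pairs.add((src, dst))
        elif dport not in WELL_KNOWN_PORTS and (dst, src) in smb_pairs:
            reasons[dst].append(f"{ts} {src} fetched from tcp/{dport} after being hit on tcp/445")
            reasons[src].append(f"{ts} connected back to {dst}:{dport} after tcp/445 from it")
    return dict(reasons)


def verdict(reasons: Dict[str, List[str]]) -> Dict[str, str]:
    """Collapse the reasons per host into a triage label."""
    labels: Dict[str, str] = {}
    for host, why in reasons.items():
        served = any("fetched from" in r for r in why)
        looked_up = any("IP lookup" in r for r in why)
        if served and looked_up:
            labels[host] = "likely infector"
        elif served:
            labels[host] = "serving payload, review"
        elif any("connected back" in r for r in why):
            labels[host] = "likely victim"
        else:
            labels[host] = "IP lookup only, review"
    return labels


if __name__ == "__main__":
    for host, label in sorted(verdict(detect(PROXY_LOG, FW_LOG)).items()):
        print(host, label)
```

In the sample, 10.0.0.15 is labelled the infector and 10.0.0.31 and 10.0.0.44 its victims, while 10.0.0.22's SMB session to 10.0.0.9 produces nothing because the only return connection is on tcp/3389, a well-known port. The speed-check requests to msn.com and similar sites are deliberately not scored: they are indistinguishable from normal browsing.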
Next, the worm uses UPnP to locate the device registered as the Internet gateway on the network and asks it to forward the random TCP port of its HTTP server, so that the compromised computer can be reached from external networks.
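A gateway's UPnP port-mapping table is therefore worth auditing. The script below is an added example, not from the writeup: it parses the `GetGenericPortMappingEntry` responses of a WANIPConnection:1 service and flags mappings that are not on an approved list. The SOAP bodies, addresses and the approved list are constructed for the example; on a live network the responses would come from POSTing that action to the gateway's control URL for index 0, 1, 2, ... until the gateway answers with UPnP error 713 (SpecifiedArrayIndexInvalid), which the parser treats as end of list.

```python
"""Audit of UPnP IGD port mappings against an approved list."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Set, Tuple

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"

# Constructed responses: an approved reverse proxy, a mapping like the worm's, then the
# error the gateway returns once the index runs past the last entry.
SAMPLE_RESPONSES = [
    """<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>
<u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewRemoteHost></NewRemoteHost><NewExternalPort>443</NewExternalPort><NewProtocol>TCP</NewProtocol>
<NewInternalPort>443</NewInternalPort><NewInternalClient>10.0.0.5</NewInternalClient>
<NewEnabled>1</NewEnabled><NewPortMappingDescription>rproxy</NewPortMappingDescription>
<NewLeaseDuration>0</NewLeaseDuration></u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>""",
    """<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>
<u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewRemoteHost></NewRemoteHost><NewExternalPort>41763</NewExternalPort><NewProtocol>TCP</NewProtocol>
<NewInternalPort>41763</NewInternalPort><NewInternalClient>10.0.0.15</NewInternalClient>
<NewEnabled>1</NewEnabled><NewPortMappingDescription></NewPortMappingDescription>
<NewLeaseDuration>0</NewLeaseDuration></u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>""",
    """<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><s:Fault>
<faultcode>s:Client</faultcode><faultstring>UPnPError</faultstring><detail>
<UPnPError xmlns="urn:schemas-upnp-org:control-1-0"><errorCode>713</errorCode>
<errorDescription>SpecifiedArrayIndexInvalid</errorDescription></UPnPError>
</detail></s:Fault></s:Body></s:Envelope>""",
]

# Assumed allow-list of (internal client, internal port, protocol) for the example.
APPROVED: Set[Tuple[str, int, str]] = {("10.0.0.5", 443, "TCP")}


def parse_mapping(soap_xml: str) -> Optional[Dict[str, str]]:
    """Return the New* fields of one mapping entry, or None if the response is a SOAP fault."""
    root = ET.fromstring(soap_xml)
    if root.find(f".//{{{SOAP_NS}}}Fault") is not None:
        return None
    fields: Dict[str, str] = {}
    for elem in root.iter():
        tag = elem.tag.rsplit("}", 1)[-1]  # strip any namespace
        if tag.startswith("New"):
            fields[tag[3:]] = (elem.text or "").strip()
    return fields


def audit(responses: List[str], approved: Set[Tuple[str, int, str]]) -> List[Dict[str, object]]:
    """Walk the mapping responses in index order and report enabled mappings not on the allow-list."""
    findings: List[Dict[str, object]] = []
    for soap_xml in responses:
        m = parse_mapping(soap_xml)
        if m is None:  # error 713: past the last entry
            break
        if m.get("Enabled") != "1":
            continue
        triple = (m["InternalClient"], int(m["InternalPort"]), m["Protocol"].upper())
        if triple in approved:
            continue
        reasons = ["not in approved list"]
        if not m.get("PortMappingDescription"):
            reasons.append("empty description")
        if m.get("LeaseDuration") == "0":
            reasons.append("permanent lease")
        if not m.get("RemoteHost"):
            reasons.append("open to any remote host")
        findings.append({"external_port": int(m["ExternalPort"]), "client": triple[0],
                         "internal_port": triple[1], "protocol": triple[2], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_RESPONSES, APPROVED):
        print(f)
```

The extra reasons (empty description, permanent lease, wildcard remote host) are informational: plenty of legitimate mappings have them too, which is why the allow-list rather than any single attribute decides what gets reported.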
The worm spreads by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (BID 31874, addressed by Microsoft in MS08-067).
Next, the worm periodically contacts the following sites to check the speed of the current Internet connection:
- http://myspace.com
- http://msn.com
- http://ebay.com
- http://cnn.com
- http://aol.com
On May 3, 2009, the worm sets itself to be removed when the computer restarts. This does not remove the dropped copy of W32.Downadup.C.
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":