Discovered: November 21, 2008
Updated: June 07, 2019 3:54:06 PM
Also Known As: Win32/Conficker.A [Computer Associates], W32/Downadup.A [F-Secure], Conficker.A [Panda Software], [Kaspersky], WORM_DOWNAD.AP [Trend], W32/Conficker [Norman]
Type: Worm
Infection Length: Varies
Systems Affected: Windows
CVE References: CVE-2008-4250

W32.Downadup, also known as Conficker by some news agencies and antivirus vendors, is an extremely interesting piece of malicious code and one of the most prolific worms in recent years. It has an extremely large infection base, estimated at upwards of 3 million computers, with the potential to do a lot of damage. This is largely because it is capable of exploiting computers running unpatched Windows XP SP2 and Windows 2003 SP1 systems, whereas other worms released over the past few years have largely targeted older system versions, which have an ever-decreasing distribution.

W32.Downadup spreads primarily by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (BID 31874), which was first discovered in late October 2008. It scans the network for vulnerable hosts, but instead of flooding the network with traffic, it selectively queries individual computers in an attempt to mask its activity. It also takes advantage of Universal Plug and Play to pass through routers and gateways.

It also attempts to spread to network shares by brute-forcing commonly used network passwords and by copying itself to removable drives.

It has the ability to update itself or receive additional files for execution. It does this by generating a large number of new domains to connect to every day. The worm may also receive and execute files through a peer-to-peer mechanism by communicating with other compromised computers, which are seeded into the botnet by the malware author.

The worm blocks access to predetermined security-related websites so that the network request appears to have timed out. Furthermore, it deletes registry entries to disable certain security-related software, prevent access to Safe Mode, and disable Windows Security Alert notifications.

Symantec has observed the following geographic distribution of this threat.


Symantec has observed the following infection levels of this threat worldwide.

The following content is provided by Symantec to protect against this threat family.

Antivirus signatures

Antivirus (heuristic/generic)

Intrusion Prevention System

Antivirus Protection Dates

  • Initial Rapid Release version November 21, 2008 revision 052
  • Latest Rapid Release version September 09, 2019 revision 021
  • Initial Daily Certified version November 22, 2008 revision 003
  • Latest Daily Certified version August 12, 2019 revision 001
  • Initial Weekly Certified release date November 26, 2008

Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.

Technical Description

1. Prevention and avoidance
1.1 User behavior and precautions
1.2 Patch operating system and software
1.3 Network shares
2. Infection method
2.1 Remotely exploitable vulnerability
2.2 Removable drives
2.3 Network shares
2.4 Universal Plug and Play
2.5 Peer-to-peer payload distribution
3. Functionality
3.1 Installation
3.2 System modifications
3.3 Network activity
3.4 Additional Functionality
4. Additional information

The following actions can be taken to avoid or minimize the risk from this threat.

1.1 User behavior and precautions
Downadup uses AutoRun to spread. AutoRun is the name given to a feature of Windows that allows an executable to run automatically when a drive is accessed. The worm copies itself and an accompanying configuration file called autorun.inf to removable drives. Autorun.inf is simply a text file containing information that specifies how the file should be displayed, along with options for its execution. This means that the worm is able to spread when the drives are inserted into a computer.

This feature should be disabled so that removable devices do not execute content when they are inserted into a computer. Note that AutoRun is disabled by default for non-optical removable drives in recent versions of Windows and on systems with certain updates applied.

Removable drives should also be disconnected when not required, and if write access is not required, read-only mode should be enabled if the drive offers that option.

1.2 Patch operating system and software
Users are advised to ensure that their operating systems and any installed software are fully patched, and that antivirus and firewall software are up to date and operational. Users are recommended to turn on automatic updates if available so that their computers receive the latest patches and updates as soon as they are made available.

This threat is known to be spread by exploiting certain vulnerabilities. Installation of the following patch will reduce the risk to your computer.

Microsoft Security Bulletin MS08-067

1.3 Network shares
This threat is also known to spread inside large networks by using shares. The following steps can help protect your computer against this threat.

  • Users are advised to ensure that all network shares are only opened when they are necessary for use.
  • Use a strong password to guard any shared folders or accounts. A strong password is of sufficient length, 8 or more characters, and uses a combination of numeric, capital and lowercase characters and symbols. Commonly used words from everyday language should not be used, as they may easily be defeated by a dictionary attack.

W32.Downadup is the most prolific worm in recent times; when the first variant appeared it spread rapidly, possibly to more than 500,000 computers.

2.1 Remotely exploitable vulnerability
It uses a remote procedure call (RPC) exploit as its main propagation vector. The exploit is only effective against computers that have not applied the patch for the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (BID 31874), and it targets TCP port 445. If it successfully exploits the issue, the worm creates an HTTP server on the compromised computer on a random port, for example:

The worm then sends this URL as part of its payload to remote computers. Upon successful exploitation, the remote computer will then connect back to this URL and download the worm.

In addition, the ability to exploit the vulnerability requires knowledge of both the operating system (OS) version (e.g. Windows XP vs. Windows 2003) and the language of the targeted computer.

The threat determines the version of Windows the remote host is running by fingerprinting it with an SMB Session Setup Request. It then determines the language using IP geolocation: by looking up the remote machine's IP address in the geolocation data, Downadup matches the address to a country and maps that country to a particular language. Downadup's geolocation data appears more effective for certain countries, such as China and Argentina.

People using illegal copies of Windows are more likely to have disabled automatic updates from Microsoft, and it is highly unlikely that many of these users manually install critical updates such as MS08-067, the update for the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability. This increases the number of computers that can be infected.

However, one factor limiting its success was that its propagation routine depended on a publicly available GeoIP data file used to determine IP location. When the GeoIP service provider removed the file from the location requested by the worm, its absence made it difficult for the worm to spread as rapidly, reducing its propagation capacity to local networks that were already infected.

To circumvent this minor setback, the Downadup authors then created a new variant, W32.Downadup.B, that contained the missing GeoIP capability. They also added the ability to copy itself to removable drives and to network shares protected by weak passwords, and to take advantage of Universal Plug and Play to pass through routers and gateways.

2.2 Removable drives
Downadup copies itself to removable drives under a random file name and also copies an autorun.inf file to the drive so that it runs every time the drive is inserted into a computer. It also uses a social engineering technique to trick the user into running the file: the malware author makes the executable worm file look like an innocent folder. Unsuspecting users then double-click on the folder icon thinking that it is indeed a folder, rather than the executable file that it is.

Most users just double-click on the pop-up box that appears when they insert a removable drive without reading it carefully. But even savvy computer users who read the pop-up box carefully may still be misled into thinking that they are opening a folder instead of running a file.

2.3 Network shares
Downadup attempts to copy itself to other machines using the administrative network share (ADMIN$) that exists by default on Microsoft Windows machines. It enumerates all of the servers in the network by making a NetServerEnum request, which returns all of the visible Windows machines on the network. Downadup then attempts to infect each of these machines.

To become authenticated, the credentials of the locally logged-on user are tried first. However, if that does not work, Downadup begins trying different user name and password pairs.

The remote server is queried for all of the available user names. Fortunately, most Windows XP and later systems will not provide this information by default, and in those cases all of the user names on the local machine are used instead. The worm then tries to connect to the remote server with each user name and a variety of passwords that include the user name, the user name concatenated with itself (e.g. joesmithjoesmith), the user name reversed (e.g. htimseoj), and the following common passwords:
  • 000
  • 0000
  • 00000
  • 0000000
  • 00000000
  • 0987654321
  • 111
  • 1111
  • 11111
  • 111111
  • 1111111
  • 11111111
  • 123
  • 123123
  • 12321
  • 123321
  • 1234
  • 12345
  • 123456
  • 1234567
  • 12345678
  • 123456789
  • 1234567890
  • 1234abcd
  • 1234qwer
  • 123abc
  • 123asd
  • 123qwe
  • 1q2w3e
  • 222
  • 2222
  • 22222
  • 222222
  • 2222222
  • 22222222
  • 321
  • 333
  • 3333
  • 33333
  • 333333
  • 3333333
  • 33333333
  • 4321
  • 444
  • 4444
  • 44444
  • 444444
  • 4444444
  • 44444444
  • 54321
  • 555
  • 5555
  • 55555
  • 555555
  • 5555555
  • 55555555
  • 654321
  • 666
  • 6666
  • 66666
  • 666666
  • 6666666
  • 66666666
  • 7654321
  • 777
  • 7777
  • 77777
  • 777777
  • 7777777
  • 77777777
  • 87654321
  • 888
  • 8888
  • 88888
  • 888888
  • 8888888
  • 88888888
  • 987654321
  • 999
  • 9999
  • 99999
  • 999999
  • 9999999
  • 99999999
  • a1b2c3
  • aaa
  • aaaa
  • aaaaa
  • abc123
  • academia
  • access
  • account
  • Admin
  • admin
  • admin1
  • admin12
  • admin123
  • adminadmin
  • administrator
  • anything
  • asddsa
  • asdfgh
  • asdsa
  • asdzxc
  • backup
  • boss123
  • business
  • campus
  • changeme
  • cluster
  • codename
  • codeword
  • coffee
  • computer
  • controller
  • cookie
  • customer
  • database
  • default
  • desktop
  • domain
  • example
  • exchange
  • explorer
  • file
  • files
  • foo
  • foobar
  • foofoo
  • forever
  • freedom
  • fuck
  • games
  • home
  • home123
  • ihavenopass
  • Internet
  • internet
  • intranet
  • job
  • killer
  • letitbe
  • letmein
  • login
  • Login
  • lotus
  • love123
  • manager
  • market
  • money
  • monitor
  • mypass
  • mypassword
  • mypc123
  • nimda
  • nobody
  • nopass
  • nopassword
  • nothing
  • office
  • oracle
  • owner
  • pass
  • pass1
  • pass12
  • pass123
  • passwd
  • password
  • Password
  • password1
  • password12
  • password123
  • private
  • public
  • pw123
  • q1w2e3
  • qazwsx
  • qazwsxedc
  • qqq
  • qqqq
  • qqqqq
  • qwe123
  • qweasd
  • qweasdzxc
  • qweewq
  • qwerty
  • qwewq
  • root
  • root123
  • rootroot
  • sample
  • secret
  • secure
  • security
  • server
  • shadow
  • share
  • sql
  • student
  • super
  • superuser
  • supervisor
  • system
  • temp
  • temp123
  • temporary
  • temptemp
  • test
  • test123
  • testtest
  • unknown
  • web
  • windows
  • work
  • work123
  • xxx
  • xxxx
  • xxxxx
  • zxccxz
  • zxcvb
  • zxcvbn
  • zxcxz
  • zzz
  • zzzz
  • zzzzz

Depending on the account lockout settings, multiple failed authentication attempts by the worm may result in those accounts becoming locked out. This symptom was commonly reported in networks with computers infected by Downadup.
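The guessing routine above (user name, user name doubled, user name reversed, then a fixed word list) can be turned around into a password-acceptance check, so that no account on a share can be opened by exactly this dictionary. The following is an added example, not code from the Symantec write-up; COMMON_PASSWORDS is a constructed short subset of the page's full list, and the length/complexity rule follows section 1.3.

```python
# Added example, not from the Symantec write-up. It turns the guessing routine
# described above into a password-acceptance check: a candidate is rejected if
# the worm's routine would try it. COMMON_PASSWORDS is a constructed short subset
# of the page's full list.
COMMON_PASSWORDS = frozenset({
    "000", "00000000", "123456", "12345678", "1q2w3e", "abc123", "Admin", "admin",
    "admin123", "backup", "changeme", "ihavenopass", "letmein", "nopass",
    "password", "Password", "password123", "qazwsx", "qwerty", "secret",
    "test123", "temp", "work", "zzzzz",
})


def worm_candidates(username: str) -> set:
    """Every password the routine would try for one account name."""
    return {username, username + username, username[::-1]} | set(COMMON_PASSWORDS)


def is_guessable(username: str, password: str) -> bool:
    """True if the routine described in section 2.3 would find this password."""
    return password in worm_candidates(username)


def meets_policy(password: str) -> bool:
    """Policy from section 1.3: 8+ characters mixing digits, upper, lower and symbols."""
    return (
        len(password) >= 8
        and any(c.isdigit() for c in password)
        and any(c.isupper() for c in password)
        and any(c.islower() for c in password)
        and any(not c.isalnum() for c in password)
    )


def audit_accounts(accounts) -> list:
    """accounts: iterable of (username, password). Returns (username, reason) for weak ones."""
    findings = []
    for user, pw in accounts:
        if pw == user:
            reason = "equals user name"
        elif pw == user + user:
            reason = "user name doubled"
        elif pw == user[::-1]:
            reason = "user name reversed"
        elif pw in COMMON_PASSWORDS:
            reason = "in common password list"
        elif not meets_policy(pw):
            reason = "does not meet length/complexity policy"
        else:
            continue
        findings.append((user, reason))
    return findings


if __name__ == "__main__":
    # constructed sample accounts
    sample = [("joesmith", "htimseoj"), ("svc_backup", "backup"), ("alice", "Tq7!vR2#pLm9")]
    for user, reason in audit_accounts(sample):
        print(f"{user}: {reason}")
```

The check is case-sensitive on purpose: the page's list contains both "Admin" and "admin", so the worm tries them as distinct strings. In practice this logic belongs at password-set time (a password filter or onboarding script), since it needs the plaintext candidate; it cannot be run against stored hashes.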

If successful, the worm copies itself to the share as the following file:

2.4 Universal Plug and Play
As detailed above, Downadup infects other machines through a remote procedure call (RPC) exploit against the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability, connecting directly to a vulnerable computer. However, many home users today use routers or other firewalls and Internet gateway devices that, by default, prevent external machines from connecting to their home machines, which blocks infection by Downadup.

To bypass this issue, Downadup uses the Universal Plug-and-Play (UPnP) protocol. The UPnP protocol is supported by default in many common gateway devices that are in use in home user environments. Downadup utilizes UPnP's discovery protocol, which is based on the Simple Service Discovery Protocol (SSDP). The discovery protocol allows machines on the network to find gateway devices that are also on the network.

As part of SSDP, Downadup sends an M-SEARCH request to the multicast address on UDP port 1900 and then listens for responses.

Here is an example of the contents of an M-SEARCH request packet:

M-SEARCH * HTTP/1.1
HOST: urn:schemas-upnp-org:device:InternetGatewayDevice:1
MAN: "ssdp:discover"
MX: 3

If a matching device exists on the network, the device will respond with a message that contains an additional URL that provides information about the device and the services the device supports. After verifying the device is suitable, Downadup sends a request to ensure the device is currently connected on the external wide area network (WAN) interface.

Next, it sends a command to the device to obtain the external IP address. Finally, Downadup creates a new port forwarding entry; it attempts to use port 80 as the external port, while the internal port is randomly generated. If the configuration change fails, two more attempts are made with a randomly generated external port number between 1024 and 10000. Once this bridge has been established, it facilitates the delivery of the worm payload.
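The discovery step above is visible on the local network as an SSDP M-SEARCH for an InternetGatewayDevice, and ordinary workstations rarely need to issue one. The following added example, not code from the Symantec write-up, parses SSDP datagrams and reports which source addresses searched for a gateway device; the sample datagrams are constructed, the allow list is assumed to be maintained by the operator, and the parser checks both the standard ST header and the HOST header layout as printed in the write-up's sample.

```python
# Added example, not from the Symantec write-up. It parses SSDP datagrams and
# flags hosts that search for an InternetGatewayDevice, the discovery step the
# write-up describes. Sample datagrams below are constructed, not captured.
SSDP_MULTICAST = ("239.255.255.250", 1900)   # well-known SSDP group; UDP 1900 as in the write-up
IGD_DEVICE = "InternetGatewayDevice"


def parse_ssdp(datagram: bytes) -> dict:
    """Split an SSDP (HTTPU) datagram into its start line and a header dict."""
    text = datagram.decode("ascii", errors="replace")
    lines = text.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if line == "":
            break                      # blank line ends the header block
        if ":" not in line:
            continue                   # tolerate junk lines
        key, value = line.split(":", 1)
        headers[key.strip().upper()] = value.strip()
    return {"start_line": lines[0], "headers": headers}


def is_igd_search(msg: dict) -> bool:
    """True for an M-SEARCH whose search target is an Internet Gateway Device."""
    if not msg["start_line"].startswith("M-SEARCH"):
        return False
    h = msg["headers"]
    if h.get("MAN", "").strip('"') != "ssdp:discover":
        return False
    # Standard SSDP carries the target in ST; the write-up's sample prints it in
    # HOST, so both headers are checked.
    return any(IGD_DEVICE in h.get(k, "") for k in ("ST", "HOST"))


def igd_searchers(packets, allowed=frozenset()) -> list:
    """packets: iterable of (source_ip, datagram). Returns sources not on the
    allow list that searched for an IGD."""
    return sorted({src for src, data in packets
                   if src not in allowed and is_igd_search(parse_ssdp(data))})


# Constructed sample datagrams (not captured traffic)
SAMPLE_PACKETS = [
    ("192.168.1.23", b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
                     b"MAN: \"ssdp:discover\"\r\nMX: 3\r\n"
                     b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n\r\n"),
    ("192.168.1.23", b"M-SEARCH * HTTP/1.1\r\n"
                     b"HOST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
                     b"MAN: \"ssdp:discover\"\r\nMX: 3\r\n\r\n"),   # layout as printed in the write-up
    ("192.168.1.40", b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
                     b"MAN: \"ssdp:discover\"\r\nMX: 1\r\n"
                     b"ST: urn:schemas-upnp-org:device:MediaRenderer:1\r\n\r\n"),
    ("192.168.1.1", b"NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
                    b"NT: upnp:rootdevice\r\nNTS: ssdp:alive\r\n\r\n"),
]

if __name__ == "__main__":
    print("IGD searches from:", igd_searchers(SAMPLE_PACKETS))
```

A media player's search (the MediaRenderer datagram) and the gateway's own NOTIFY announcement are ignored; only the host asking for an InternetGatewayDevice is reported. Feeding the function from a multicast listener bound to SSDP_MULTICAST is left to the operator; the simpler mitigation the section implies is to turn off UPnP on the gateway so the port-forwarding step cannot succeed at all.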

2.5 Peer-to-peer payload distribution
The worm uses a (potentially inefficient) peer-to-peer (P2P) mechanism that allows it to share files between infections. During the process shown below, Downadup not only patches the RPC vulnerability in memory but also uses this patch to recognize incoming exploit attempts from other Downadup-infected machines. The worm analyzes the incoming shellcode and checks whether it matches its own exploit shellcode. If it matches, information is extracted from the shellcode that allows the worm to connect back to the other infected machine over HTTP, on a randomly selected port. The other infected machine then responds with a packet of data consisting of the payload files.

Downadup can transfer multiple payload files using this mechanism. Each is possibly encrypted (or at least digitally signed) and contains a header with a file identifier and a date timestamp. The file identifier allows the worm to check whether it already knows about the file and whether it needs to be updated. The date timestamp is used as an expiration date; if the file is past its expiration date, it is discarded. The payload files are continually reviewed and those that have expired are culled. The payload files are saved in the registry, both so that they can be provided when other peers request them and so that they survive a restart of the compromised computer. They can then either be saved to disk and executed or loaded directly into memory, so additional payload files can end up being executed without any file touching the disk.


Note: Side effects created by associated threats are not included in this report.

3.1 Installation
When Downadup is executed, it creates any one of the following files depending on the variant:
  • %Temp%\[RANDOM FILE NAME].exe
  • %ProgramFiles%\Internet Explorer\[RANDOM FILE NAME].dll
  • %ProgramFiles%\Movie Maker\[RANDOM FILE NAME].dll
  • %System%\[RANDOM FILE NAME].dll
  • %Temp%\[RANDOM FILE NAME].dll
  • C:\Documents and Settings\All Users\Application Data\[RANDOM FILE NAME].dll
  • %System%\[RANDOM FILE NAME].dll
  • %System%\000[RANDOM FILE NAME].tmp
  • %Temp%\[CLSID 3]\[NUMBER].tmp

  • [CLSID 3] is generated from the serial number of the compromised computer and hence will vary.
  • [NUMBER] is a decimal number between 0 and 63 inclusive.

The worm also creates the following registry entry so that it runs every time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[RANDOM CHARACTERS]" = "rundll32.exe [RANDOM DLL FILE NAME], [RANDOM PARAMETER STRING]"

It then drops the following file and runs it as a randomly named service driver:
%System%\0[RANDOM FILE NAME].tmp

The driver modifies the following file in order to increase the number of concurrent network connections available on the compromised computer:

The worm also modifies the following registry entry so that the worm spreads more rapidly across a network:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\"TcpNumConnections" = "00FFFFFE"

3.2 System modifications
The following side effects may be observed on computers compromised by members of this threat family.

Files/folders created
One or more of the following files:
  • %Temp%\[RANDOM FILE NAME].exe
  • %ProgramFiles%\Internet Explorer\[RANDOM FILE NAME].dll
  • %ProgramFiles%\Movie Maker\[RANDOM FILE NAME].dll
  • %System%\[RANDOM FILE NAME].dll
  • %Temp%\[RANDOM FILE NAME].dll
  • C:\Documents and Settings\All Users\Application Data\[RANDOM FILE NAME].dll
  • %System%\[RANDOM FILE NAME].dll
  • %System%\000[RANDOM FILE NAME].tmp
  • %Temp%\[CLSID 3]\[NUMBER].tmp

  • [CLSID 3] is generated from the serial number of the compromised computer and hence will vary.
  • [NUMBER] is a decimal number between 0 and 63 inclusive.

Files/folders deleted


Files/folders modified

Registry subkeys/entries created
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[RANDOM CHARACTERS]" = "rundll32.exe "[RANDOM DLL FILE NAME]", [RANDOM PARAMETER STRING]"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[RANDOM CHARACTERS]\"ImagePath" = "%System%\svchost.exe -k netsvcs"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[RANDOM CHARACTERS]\Parameters\"ServiceDll" = "[PATH TO THE THREAT]"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CurrentVersion\Applets\"ds" = [ENCRYPTED DLL]
  • HKEY_CURRENT_USER\Software\Microsoft\CurrentVersion\Applets\"ds" = [ENCRYPTED DLL]
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netsvcs\Parameters\"ServiceDll" = "[PATH TO WORM]"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\"dl" = "0"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\"dl" = "0"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\"ds" = "0"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\"ds" = "0"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[WORM GENERATED SERVICE NAME]\Parameters\"ServiceDll" = "[PATH TO WORM]"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[WORM GENERATED SERVICE NAME]\"ImagePath" = %SystemRoot%\system32\svchost.exe -k netsvcs
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\[CLSID 1]
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\[CLSID 1]
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\[CLSID 2]\"[WORD 1][WORD 2]" = "[BINARY DATA]"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\[CLSID 2]\"[WORD 1][WORD 2]" = "[BINARY DATA]"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\[CLSID 2]\"[WORD 1][WORD 2]" = "[BINARY DATA]"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\[CLSID 2]\"[WORD 1][WORD 2]" = "[BINARY DATA]"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\[CLSID 2]\"[WORD 1][WORD 2]" = "[BINARY DATA]"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\[CLSID 2]\"[WORD 1][WORD 2]" = "[BINARY DATA]"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[WORM GENERATED SERVICE NAME]\"ErrorControl" = "4"

  • [CLSID 1] is generated from the serial number of the compromised computer and hence will vary.
  • [CLSID 2] is generated from the serial number of the compromised computer and hence will vary.
  • See W32.Downadup.C for the list that [WORD 1] and [WORD 2] are randomly selected from.
  • [WORM GENERATED SERVICE NAME] represents a two word combination taken from a list of the following words:
    • Boot
    • Center
    • Config
    • Driver
    • Helper
    • Image
    • Installer
    • Manager
    • Microsoft
    • Monitor
    • Network
    • Security
    • Server
    • Shell
    • Support
    • System
    • Task
    • Time
    • Universal
    • Update
    • Windows

Registry subkeys/entries deleted

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjects\{FD6905CE-952F-41F1-9A6F-135D9C6622CC}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Windows Defender"

Registry subkeys/entries modified (final values given)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL\"CheckedValue" = "0"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\"TcpNumConnections" = "00FFFFFE"

3.3 Network Activity
The threat may perform the following network activities.

The worm generates a list of domain names in the following format:

  • [GENERATED DOMAIN NAME] represents the domain names created by the worm, which changes on a daily basis. See W32.Downadup.B for an example.
  • [TOP LEVEL DOMAIN] represents the following top level domains:
    • .biz
    • .info
    • .org
    • .net
    • .com
    • .ws
    • .cn
    • .cc

The worm then contacts the following remote location based on the domain names generated:

It will then download an updated copy of itself from the above remote location.

Initial variants of Downadup generated up to 250 domains each day to contact for commands and updates. When it became clear that this number was not enough to prevent the IT security industry from taking steps to block access and monitor their activities, the creators of Downadup decided to up their game.

Later variants of the threat (W32.Downadup.C and later) used a 50,000-a-day domain generation algorithm, which uses one of a possible 116 domain suffixes. The pseudo random number generation (PRNG) algorithm used relies on a seed value that will be the same across all infected systems every day. The seed is generated using a set of 64-bit mathematical operations using both static values and the numeric values of the current year, month, and day. These values are three numbers used respectively as multiplier (M), divisor (D), and additive (A) constant. The PRNG routine is a 200-byte piece of code that performs different floating-point operations and uses a second internal multiplier value (M2), which is also hardcoded.

While the possible domains that may be contacted by the worm were well known, it became more difficult to defend against it due to the increased number of possible domains used. It is impractical to actively monitor or block such a large number of domains on a daily basis.
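The defensive consequence of a date-seeded generator is the one the paragraph above states: the domains are predictable, so the only question is scale. The following added example, which is not code from the Symantec write-up and is not Conficker's real algorithm, shows the mechanics with a deliberately simple generator: a seed derived from the year, month and day through multiplier, divisor and additive constants (the M, D, A and M2 values here are hypothetical placeholders, not the worm's), the top-level domain list given in section 3.3, and an assumed label length of 5 to 11 letters. It then pre-computes one day's list and matches it against constructed DNS log lines, which is how a sinkhole or blocklist operator would use such a list.

```python
import string
from datetime import date

# Added example, not from the Symantec write-up and not Conficker's real algorithm.
# The constants below are hypothetical placeholders, not the worm's values.
M = 0x5DEECE66D        # placeholder multiplier
D = 0xFFFFFFFFFFFF     # placeholder divisor
A = 11                 # placeholder additive constant
M2 = 1103515245        # placeholder internal multiplier used by the PRNG step
MASK64 = (1 << 64) - 1

# Top-level domains listed in section 3.3 of the write-up
TLDS = [".biz", ".info", ".org", ".net", ".com", ".ws", ".cn", ".cc"]


def daily_seed(year: int, month: int, day: int) -> int:
    """Seed that is identical on every machine on the same calendar day."""
    day_number = year * 372 + month * 31 + day
    return (day_number * M + A) % D


class Prng:
    """Minimal 64-bit linear congruential generator (placeholder for the worm's PRNG)."""

    def __init__(self, seed: int) -> None:
        self.state = seed & MASK64

    def below(self, n: int) -> int:
        self.state = (self.state * M2 + A) & MASK64
        return (self.state >> 16) % n


def domains_for(year: int, month: int, day: int, count: int) -> list:
    """Deterministically generate `count` candidate domains for one day."""
    rng = Prng(daily_seed(year, month, day))
    domains = []
    for _ in range(count):
        length = 5 + rng.below(7)   # 5..11 letters (assumed label length)
        label = "".join(string.ascii_lowercase[rng.below(26)] for _ in range(length))
        domains.append(label + TLDS[rng.below(len(TLDS))])
    return domains


def todays_domains(count: int) -> list:
    """Convenience wrapper: the list a defender would pre-compute each morning."""
    today = date.today()
    return domains_for(today.year, today.month, today.day, count)


def match_dns_log(lines, blocklist) -> list:
    """Return (client, qname) pairs whose query name is on the pre-computed list.

    Constructed log format assumed here: "<timestamp> <client-ip> query <qname>".
    """
    wanted = set(blocklist)
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[2] != "query":
            continue
        qname = parts[3].rstrip(".").lower()
        if qname in wanted:
            hits.append((parts[1], qname))
    return hits


if __name__ == "__main__":
    day_list = domains_for(2009, 4, 1, 250)
    # constructed sample log lines
    sample_log = [
        "2009-04-01T10:00:01 10.0.0.5 query " + day_list[3] + ".",
        "2009-04-01T10:00:02 10.0.0.6 query www.example.org.",
    ]
    for client, qname in match_dns_log(sample_log, day_list):
        print(f"{client} asked for DGA domain {qname}")
```

Because both sides run the same routine from the same date, the defender's list for a day is exactly the worm's list for that day; the matching step is a set lookup, so the operational cost the paragraph describes lies in registering or sinkholing 50,000 names per day, not in recognising them in logs.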


Other network activity
The worm periodically contacts the following sites to check the speed of the current Internet connection:

The worm also connects to the following URL to get the IP address of the compromised computer:

It also connects to the following Web sites to obtain the current date and time:

3.4 Additional Functionality

DNS Blocking
The worm prevents the compromised computer from accessing a variety of domains, most of which are well-known security websites. It does this by monitoring DNS requests for domains containing any of the following strings and blocking access to those domains so that the DNS request appears to have timed out:
  • activescan
  • adware
  • agnitum
  • ahnlab
  • anti-
  • antivir
  • arcabit
  • avast
  • avg.
  • avgate
  • avira
  • avp.
  • av-sc
  • bdtools
  • bit9.
  • bothunter
  • ca.
  • castlecops
  • ccollomb
  • centralcommand
  • cert.
  • clamav
  • comodo
  • computerassociates
  • confick
  • coresecur
  • cpsecure
  • cyber-ta
  • defender
  • downad
  • doxpara
  • drweb
  • dslreports
  • emsisoft
  • enigma
  • esafe
  • eset
  • etrust
  • ewido
  • fortinet
  • f-prot
  • freeav
  • free-av
  • fsecure
  • f-secure
  • gdata
  • gmer.
  • grisoft
  • hackerwatch
  • hacksoft
  • hauri
  • honey
  • ikarus
  • insecure.
  • iv.cs.uni
  • jotti
  • k7computing
  • kaspersky
  • kav.
  • kido
  • llnw.
  • llnwd.
  • malware
  • mcafee
  • microsoft
  • mirage
  • mitre.
  • msdn.
  • msft.
  • msftncsi
  • ms-mvp
  • msmvps
  • mtc.sri
  • nai.
  • ncircle
  • networkassociates
  • nmap.
  • nod32
  • norman
  • norton
  • onecare
  • panda
  • pctools
  • precisesecurity
  • prevx
  • ptsecurity
  • qualys
  • quickheal
  • removal
  • rising
  • rootkit
  • sans.
  • secunia
  • securecomputing
  • secureworks
  • snort
  • sophos
  • spamhaus
  • spyware
  • staysafe
  • sunbelt
  • symantec
  • technet
  • tenablese
  • threat
  • threatexpert
  • trendmicro
  • trojan
  • vet.
  • virscan
  • virus
  • wilderssecurity
  • windowsupdate
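The filter above produces a distinctive symptom that can be checked from the suspect host itself: name lookups for security vendors fail while unrelated names resolve. The following added example, which is not code from the Symantec write-up, applies that observation as a host-side canary check. BLOCK_STRINGS is a constructed short subset of the page's list, SAMPLE_RESULTS is a constructed result set, and the probe() helper (which needs network access and is not exercised by the offline classifier) is an assumption about how the results would be gathered.

```python
import socket

# Added example, not part of the Symantec write-up. It applies the write-up's
# observation (lookups for security-related names fail while others succeed)
# as a host-side check. BLOCK_STRINGS is a short subset of the page's list.
BLOCK_STRINGS = [
    "symantec", "microsoft", "mcafee", "kaspersky", "sophos", "trendmicro",
    "windowsupdate", "f-secure", "avg.", "ca.", "sans.", "nmap.",
    "virus", "malware", "rootkit", "defender",
]


def matches_block_list(name: str) -> bool:
    """True if the worm's substring filter would act on this query name."""
    lowered = name.lower()
    return any(s in lowered for s in BLOCK_STRINGS)


def assess_host(results: dict) -> dict:
    """Classify a host from a mapping of query name -> resolved (True/False).

    Canary names are those the filter would match; control names are the rest.
    """
    canaries = {n: ok for n, ok in results.items() if matches_block_list(n)}
    controls = {n: ok for n, ok in results.items() if not matches_block_list(n)}
    failed_canaries = sorted(n for n, ok in canaries.items() if not ok)
    if not any(controls.values()):
        verdict = "no-connectivity"   # nothing resolves; cannot conclude anything
    elif canaries and len(failed_canaries) == len(canaries):
        verdict = "suspicious"        # only security names fail: matches the write-up
    elif failed_canaries:
        verdict = "partial"           # some security names fail; investigate
    else:
        verdict = "clean"
    return {"verdict": verdict, "failed_canaries": failed_canaries}


def probe(names, timeout: float = 3.0) -> dict:
    """Resolve each name from the host under suspicion (needs network; not used offline)."""
    socket.setdefaulttimeout(timeout)
    results = {}
    for name in names:
        try:
            socket.gethostbyname(name)
            results[name] = True
        except OSError:
            results[name] = False
    return results


# Constructed sample result set, as it might look on an infected host
SAMPLE_RESULTS = {
    "www.symantec.com": False,
    "www.microsoft.com": False,
    "www.example.org": True,
    "www.iana.org": True,
}

if __name__ == "__main__":
    print(assess_host(SAMPLE_RESULTS))
```

The probe has to run on the suspect host because the filter sits in the client's resolver path, so a network resolver never sees the blocked queries. Note also how crude the substring filter is: "ca." matches any name that merely contains those three characters, such as america.example, so a host may lose access to unrelated sites as collateral.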

Disabling of security settings
The threat disables the following services:
  • BITS (a service that downloads and delivers Windows updates in the background)
  • ERSvc (the service that creates the error report sent to Microsoft)
  • WerSvc (the Windows Error Reporting Service)
  • WinDefend (a service for Windows Defender)
  • wscsvc (Windows Security Center Service that runs the Windows Security Center)
  • wuauserv (the on-demand Windows Update service)

It then lowers security settings by deleting the following registry entry to prevent automatic startup of certain software:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Windows Defender"

Next, it disables Windows Security Alert notifications by deleting the following registry subkey:

Distribution of fake antivirus software

The first Downadup variant had a payload delivery date of December 1, 2008 after its initial release. It attempted to download its payload file from While W32.Downadup was not able to download its payload because the payload site was shut down, the owner of the site was heavily involved in pushing misleading applications (also known as rogue antivirus products) onto compromised computers.

As the purpose of (which is the same as, and later, was to recruit affiliates to help install misleading applications, it's clear that one of Downadup's purposes is to divert compromised computers to sites hosting misleading applications, from which Downadup's authors receive monetary rewards.

Distribution of other malware
Utilizing its peer-to-peer botnet, Downadup also distributes W32.Waledac onto compromised computers. As Waledac performs various malicious actions, there may be numerous motivations for distributing it but evidence suggests that Downadup may well be a botnet for hire.

W32.Downadup.E removes itself from the system on or after May 3, 2009. It appears this variant’s only purpose is to distribute W32.Downadup.C and hence it deletes itself once it has accomplished this mission.

For more information relating to this threat family, please see the following resources:


Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

  • Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
  • Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
  • Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
  • Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack; if they are removed, threats have fewer avenues of attack.
  • If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
  • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
  • If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
  • For further information on the terms used in this document, please refer to the Security Response glossary.


You may have arrived at this page either because you have been alerted by your Symantec product about this risk, or you are concerned that your computer has been affected by this risk.

Before proceeding further we recommend that you run a full system scan. If that does not resolve the problem you can try one of the options available below.

If you are a Norton product user, we recommend you try the following resources to remove this risk.

Removal Tool
Use our tools to remove aggressive risks from your computer.

Infected Windows system files may need to be repaired using the Windows installation CD.

How to reduce the risk of infection
Check out our extensive collections of helpful advice and tips on how to stay safe online.

If you are a Symantec business product user, we recommend you try the following resources to remove this risk.

Identifying and submitting suspect files
Submitting suspicious files to Symantec allows us to ensure that our protection capabilities keep up with the ever-changing threat landscape. Submitted files are analyzed by Symantec Security Response and, where necessary, updated definitions are immediately distributed through LiveUpdate™ to all Symantec end points. This ensures that other computers nearby are protected from attack. The following resources may help in identifying suspicious files for submission to Symantec.

Removal Tool

If you have an infected Windows system file, you may need to replace it using the Windows installation CD.

The following instructions pertain to all current Symantec antivirus products.

1. Performing a full system scan
For information on how to run a full system scan using your Symantec product, follow the guidance given in the product's Help section.

2. Restoring settings in the registry
Many risks make modifications to the registry, which could impact the functionality or performance of the compromised computer. While many of these modifications can be restored through various Windows components, it may be necessary to edit the registry. See in the Technical Details of this writeup for information about which registry keys were created or modified. Delete registry subkeys and entries created by the risk and return all modified registry entries to their previous values.

Writeup By: Jarrad Shearer