1. Symantec/
  2. Security Response/
  3. Attack Signatures/
  4. System Infected: W32.Downadup Activity

System Infected: W32.Downadup Activity

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This Signature Detects W32.Downadup activity on compromised systems.

Additional Information

W32.Downadup spreads primarily by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (BID 31874), which was first discovered in late-October of 2008. It scans the network for vulnerable hosts, but instead of flooding it with traffic, it selectively queries various computers in an attempt to mask its traffic instead. It also takes advantage of Universal Plug and Play to pass through routers and gateways.

It also attempts to spread to network shares by brute-forcing commonly used network passwords and by copying itself to removable drives.

Affected

  • Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP
  • Twitter
  • Facebook
  • LinkedIn
  • Google+
  • YouTube