This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.
This signature detects W32.Downadup activity on compromised systems.
W32.Downadup spreads primarily by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (BID 31874), which was first discovered in late October 2008. It scans the network for vulnerable hosts, but rather than flooding the network with traffic, it selectively queries various computers in an attempt to mask its traffic. It also takes advantage of Universal Plug and Play to pass through routers and gateways.
It also attempts to spread to network shares by brute-forcing commonly used network passwords and by copying itself to removable drives.
- Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP