W32.Downadup


Risk Level 2: Low

November 21, 2008
May 20, 2013 4:52:53 PM
Also Known As:
Win32/Conficker.A [Computer Associates], W32/Downadup.A [F-Secure], Conficker.A [Panda Software], Net-Worm.Win32.Kido.bt [Kaspersky], WORM_DOWNAD.AP [Trend], W32/Conficker [Norman]
Systems Affected:
Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP
W32.Downadup, also known as Conficker by some news agencies and antivirus vendors, is an extremely interesting piece of malicious code and one of the most prolific worms in recent years. It has an extremely large infection base (estimated to be upwards of 3 million computers) with the potential to do a lot of damage. This is largely attributed to the fact that it is capable of exploiting computers running unpatched Windows XP SP2 and Windows 2003 SP1, whereas other worms released over the past few years have largely targeted older system versions, whose distribution is ever decreasing.

W32.Downadup spreads primarily by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (BID 31874), which was first discovered in late October 2008. It scans the network for vulnerable hosts, but rather than flooding the network with traffic, it selectively queries various computers in an attempt to mask its activity. It also takes advantage of Universal Plug and Play to pass through routers and gateways.

It also attempts to spread to network shares by brute-forcing commonly used network passwords and by copying itself to removable drives.

It has the ability to update itself or receive additional files for execution. It does this by generating a large number of new domains to connect to every day. The worm may also receive and execute files through a peer-to-peer mechanism by communicating with other compromised computers, which are seeded into the botnet by the malware author.
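The daily domain generation described above gives defenders a network-side signal: an infected host bursts out lookups for many never-seen, random-looking names, most of which do not resolve. As an added example (not Symantec's or this writeup's own code), the Python below runs that heuristic over a constructed resolver log; the log format, the per-day failed-lookup count and the entropy threshold are assumptions to tune against your own baseline, not properties of the worm taken from this page.

```python
import math
from collections import Counter, defaultdict

# Constructed sample resolver log: "<date> <client_ip> <queried_name> <rcode>".
SAMPLE_LOG = """\
2009-01-14 10.0.0.5 www.example.com NOERROR
2009-01-14 10.0.0.5 wwww.example.com NXDOMAIN
2009-01-14 10.0.0.9 qwmxkztp.info NXDOMAIN
2009-01-14 10.0.0.9 lzhdwupqr.biz NXDOMAIN
2009-01-14 10.0.0.9 vbnfgjyk.org NXDOMAIN
2009-01-14 10.0.0.9 rtyhqwxz.net NXDOMAIN
2009-01-14 10.0.0.9 pkzmndfgs.com NXDOMAIN
2009-01-14 10.0.0.9 xjclvbrwq.info NXDOMAIN
2009-01-14 10.0.0.9 www.example.com NOERROR
"""

def parse_log(text):
    """Split each line into (day, client, name, rcode) with the name normalised."""
    records = []
    for line in text.strip().splitlines():
        day, client, name, rcode = line.split()
        records.append((day, client, name.lower().rstrip("."), rcode))
    return records

def registrable_domain(name):
    """Last two labels of a name; a simplification that ignores suffixes like co.uk."""
    parts = name.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else name

def label_entropy(label):
    """Shannon entropy in bits per character; pseudo-random labels score high."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def flag_dga_hosts(records, min_failed=5, min_entropy=2.8):
    """Return {(day, client): sorted domains} for clients that failed to resolve at
    least min_failed distinct, high-entropy domains in one day (thresholds assumed)."""
    failed = defaultdict(set)  # (day, client) -> distinct domains that returned NXDOMAIN
    for day, client, name, rcode in records:
        if rcode == "NXDOMAIN":
            failed[(day, client)].add(registrable_domain(name))
    flagged = {}
    for key, domains in failed.items():
        if len(domains) < min_failed:
            continue
        mean_entropy = sum(label_entropy(d.split(".")[0]) for d in domains) / len(domains)
        if mean_entropy >= min_entropy:
            flagged[key] = sorted(domains)
    return flagged
```

A single typo (the `wwww.example.com` lookup from 10.0.0.5) stays below the count threshold, while the six distinct random-looking failures from 10.0.0.9 on one day are flagged.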

The worm blocks access to predetermined security-related websites so that it appears that the network request timed out. Furthermore, it deletes registry entries to disable certain security-related software, to prevent access to Safe Mode, and to disable Windows Security Alert notifications.

Symantec has observed the following geographic distribution of this threat.


Symantec has observed the following infection levels of this threat worldwide.

The following content is provided by Symantec to protect against this threat family.

Antivirus signatures

Antivirus (heuristic/generic)

Intrusion Prevention System

Antivirus Protection Dates

  • Initial Rapid Release version November 21, 2008 revision 052
  • Latest Rapid Release version February 19, 2013 revision 016
  • Initial Daily Certified version November 22, 2008 revision 003
  • Latest Daily Certified version February 19, 2013 revision 024
  • Initial Weekly Certified release date November 26, 2008
Writeup By: Jarrad Shearer
