W32.Downadup, also known as Conficker by some news agencies and antivirus vendors, is an extremely interesting piece of malicious code and one of the most prolific worms in recent years. It has an extremely large infection base – estimated to be upwards of 3 million computers - that have the potential to do a lot of damage. This is largely attributed to the fact that it is capable of exploiting computers that are running unpatched Windows XP SP2 and Windows 2003 SP1 systems. Other worms released over the past few years have largely targeted older system versions, which have an ever decreasing distribution.
W32.Downadup spreads primarily by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability
(BID 31874), which was first discovered in late-October of 2008. It scans the network for vulnerable hosts, but instead of flooding it with traffic, it selectively queries various computers in an attempt to mask its traffic instead. It also takes advantage of Universal Plug and Play to pass through routers and gateways.
It also attempts to spread to network shares by brute-forcing commonly used network passwords and by copying itself to removable drives.
It has the ability to update itself or receive additional files for execution. It does this by generating a large number of new domains to connect to every day. The worm may also receive and execute files through a peer-to-peer mechanism by communicating with other compromised computers, which are seeded into the botnet by the malware author.
The worm blocks access to predetermined security-related websites so that it appears that the network request timed out. Furthermore, it deletes registry entries to disable certain security-related software, prevent access to Safe Mode, and to disable Windows Security Alert notifications.
Symantec has observed the following geographic distribution of this threat.
Symantec has observed the following infection levels of this threat worldwide.
SYMANTEC PROTECTION SUMMARY
The following content is provided by Symantec to protect against this threat family.
Intrusion Prevention System
Click for a more detailed description of Rapid Release and Daily Certified virus definitions.