Sunday, March 7, 2010

WIN32 DOWNLOADER TROJAN

Win32.Worm.DownadupJob.A is a generic detection for the .job files created by the Downadup worm. One of the methods this worm uses to load its library file every day is creating many Scheduled Tasks in %WINDOWS%\Tasks. The application each task executes is rundll32.exe, and the parameter has the following format: ., - this is the worm's .dll file.
Win32.Worm.Downadup is a worm that exploits the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (MS08-067) in order to spread to other computers on the local network. Its authors took various approaches to make this malware especially fast-spreading and hard to remove.

EFFECTS OF WIN32 DOWNADUP
  •  Connections time out while trying to access various antivirus-related websites.
  •  Windows Update has been disabled.
  •  autorun.inf files are present in the root of mapped drives, pointing to a .dll file inside the RECYCLER folder of the drive.

Once it gains execution, the worm performs the following actions:
  •  Hooks NtQueryInformationProcess from ntdll.dll inside the running process
  •  Creates a named mutex based on the computer name
  •  Injects itself into one of the following processes:
      •  explorer.exe
      •  svchost.exe
  •  Sets the following registry value so that files with the hidden attribute are not displayed:
      •  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL\"CheckedValue" = "0"
  •  Executes the following command, which disables the TCP auto-tuning option under Windows Vista:
      •  netsh interface tcp set global autotuninglevel=disabled
  •  Copies itself into one or more of the following locations:
      •  %Program Files%\Internet Explorer\[Random Name].dll
      •  %Program Files%\Movie Maker\[Random Name].dll
      •  %Documents and Settings%\All Users\Application Data\[Random Name].dll
      •  %Temp%\[Random Name].dll
      •  %System32%\[Random Name].dll
  •  If residing in services.exe (Windows 2000), it hooks the following APIs:
      •  NetpwPathCanonicalize from netapi32.dll - this API is hooked to avoid reinfection of the local machine from other infected computers
      •  sendto from ws2_32.dll
  •  If residing in svchost.exe, it hooks the following APIs:
      •  NetpwPathCanonicalize from netapi32.dll - this API is hooked to avoid reinfection of the local machine from other infected computers
      •  DnsQuery_A, DnsQuery_W, DnsQuery_UTF8 and Query_Main from dnsapi.dll - these APIs are hooked to restrict access to various sites related to antivirus companies
  •  Sets the maximum number of simultaneous connections allowed by doing one of the following:
      •  patching the tcpip.sys driver, using a driver it drops itself (carried in unencrypted form)
      •  setting HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\"TcpNumConnections" to "00FFFFFE"
  •  Injects itself into services.exe (Windows 2000)
  •  Sets the following registry values (if they are not set already), probably as an infection marker:
      •  HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\"dl" = "0"
      •  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\"dl" = "0"
      •  HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\"ds" = "0"
      •  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\"ds" = "0"
  •  Disables the following Windows services:
      •  Background Intelligent Transfer Service (BITS)
      •  Windows Automatic Update Service (wuauserv)
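As an added triage example (not part of the original post), the Python script below checks artifacts collected from a suspect host for the indicators this write-up lists: Scheduled Tasks that run rundll32.exe on a DLL in one of the drop directories, an autorun.inf on a mapped drive whose target sits under RECYCLER, and the registry values described above (the dl/ds markers, SHOWALL\CheckedValue, TcpNumConnections, and the Start values of BITS and wuauserv). Every input is a constructed sample; the task regex, the minimal .reg parser and the finding labels are my own, and the autorun check generalizes the page's ".dll inside RECYCLER" to any autorun target under RECYCLER, since a legitimate autorun.inf has no reason to launch anything from the Recycle Bin.

```python
"""Offline triage for the Downadup/Conficker host indicators listed above.
All inputs are constructed samples (task command lines, an autorun.inf body,
a .reg export) standing in for data collected from a suspect host."""
import re

# DLL drop locations named in the write-up, plus RECYCLER on mapped drives.
DROP_DIR_FRAGMENTS = ("\\internet explorer\\", "\\movie maker\\",
                      "\\all users\\application data\\", "\\temp\\",
                      "\\system32\\", "\\recycler\\")

# (key path suffix, value name, expected DWORD) -> label. Hives are ignored
# since the markers exist under both HKLM and HKCU; Start=4 is SERVICE_DISABLED.
REG_INDICATORS = {
    ("windows\\currentversion\\applets", "dl", 0): "infection marker dl=0",
    ("windows\\currentversion\\applets", "ds", 0): "infection marker ds=0",
    ("folder\\hidden\\showall", "checkedvalue", 0): "hidden files suppressed",
    ("tcpip\\parameters", "tcpnumconnections", 0x00FFFFFE): "TcpNumConnections raised",
    ("services\\bits", "start", 4): "BITS disabled",
    ("services\\wuauserv", "start", 4): "wuauserv disabled",
}

# rundll32[.exe] then a DLL path (quoted or bare); a trailing ",export" after
# the DLL is not captured.
TASK_RE = re.compile(r'^\s*"?[^"\s]*?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+\.dll)"?', re.I)

def suspicious_task(cmdline):
    """Drop-directory fragment a rundll32 task loads its DLL from, or None."""
    m = TASK_RE.match(cmdline)
    if not m:
        return None
    dll = m.group("dll").lower()
    return next((frag for frag in DROP_DIR_FRAGMENTS if frag in dll), None)

def suspicious_autorun(text):
    """True if the autorun.inf open=/shellexecute= target lives under RECYCLER."""
    for raw in text.splitlines():
        key, _, value = raw.strip().partition("=")
        if key.strip().lower() in ("open", "shellexecute"):
            return "recycler" in value.lower()
    return False

def parse_reg_export(text):
    """Minimal .reg parser -> {(key path without hive, value name): data}."""
    values, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].partition("\\")[2].lower()   # drop the hive name
        elif key is not None and line.startswith('"'):
            name, _, data = line.partition("=")
            is_dword = data.lower().startswith("dword:")
            values[(key, name.strip('"').lower())] = int(data[6:], 16) if is_dword else data.strip('"')
    return values

def registry_findings(text):
    """Labels of every indicator whose key suffix, value name and data all match."""
    hits = []
    for (key, name), data in parse_reg_export(text).items():
        for (suffix, ind_name, expected), label in REG_INDICATORS.items():
            if name == ind_name and key.endswith(suffix) and data == expected:
                hits.append(label)
    return hits

# Constructed samples, not data from any real host.
SAMPLE_TASKS = [
    r"rundll32.exe C:\WINDOWS\Temp\qhvuxtw.dll,wqjgoa",             # worm-like
    r'rundll32.exe "C:\Program Files\Movie Maker\pzkmr.dll",yhxto',  # worm-like
    r"C:\WINDOWS\system32\defrag.exe C: -b",                         # benign
]
SAMPLE_AUTORUN = "[autorun]\nshellexecute=rundll32.exe .\\RECYCLER\\S-1-5-21-0-0-0-1000\\abcdefg.dll,xyz\n"
SAMPLE_REG = r"""[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets]
"dl"=dword:00000000
"ds"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"TcpNumConnections"=dword:00fffffe
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Start"=dword:00000004
"""

def run_triage(tasks=SAMPLE_TASKS, autorun=SAMPLE_AUTORUN, reg=SAMPLE_REG):
    """Combine the three checks into one findings dict."""
    flagged = [(t, suspicious_task(t)) for t in tasks if suspicious_task(t)]
    return {"tasks": flagged, "autorun_recycler": suspicious_autorun(autorun),
            "registry": registry_findings(reg)}

if __name__ == "__main__":
    for section, result in run_triage().items():
        print(f"{section}: {result}")
```

Run it as-is to see the report on the samples, or pass `run_triage()` the scheduled-task command lines exported from the host, the autorun.inf body and a registry export of the listed keys. Two caveats: a hit in %System32% still needs vetting against a known-good DLL list, because legitimate rundll32 tasks load from there too, and the autorun parser expects a plain key=value file, so a deliberately mangled autorun.inf should be inspected by hand.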
HOW TO REMOVE Win32.Worm.DownadupJob.A
It is recommended to download BitDefender or any strong antivirus to protect against this virus.
