WORM_DOWNAD
Overview

Malware type: Worm

Aliases: No Alias Found

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 2000, XP, Server 2003, Vista

Encrypted: No

Overall risk rating:


Reported infections:

Damage potential:

High

Distribution potential:

High

Description: 

Trend Micro has flagged this malware as noteworthy because of its increased potential for damage, propagation, or both; it has likewise received attention from independent media sources and/or other security firms.

For a one-glance general view of the behavior of this malware, refer to the diagram shown below.

{WORM_DOWNAD general behavior}

What's the goal of this worm?

It appears that the goal of this worm is to create a large botnet of infected PCs so that its creators may at some point send spam, steal personal information (user IDs, passwords, credit card info, etc.) and direct users to malicious websites used for phishing or downloading additional malware.

Trend Micro has published information on this threat which can be found on the following pages:

Malware Behavior

Variants of this worm may be downloaded from remote sites by other malware. They may also be dropped by other malware, or downloaded unknowingly by a user visiting malicious Web sites.

They may be dropped by the following malware:

They may also arrive via removable drives, network shares, or through a vulnerability.

Variants of this worm exhibit the following routines:

  • Blocks access to antivirus-related sites/URLs
  • Disables services, such as the Windows Automatic Update Service (wuauserv)
  • High traffic on the affected system's port 445 upon successful exploitation
  • Existence of {Random file name}.dll and AUTORUN.INF on all mapped drives
  • Existence of {Random file name}.dll and AUTORUN.INF in the Internet Explorer and Movie Maker folders under the Program Files directory
  • Hides hidden files by changing the Folder Options settings
  • Attempts to connect to several URLs to download a file that indicates the location of the affected system
  • Users cannot log in using their Windows credentials because the accounts are locked out
  • Deletes a registry key to prevent system startup, even in Safe Mode

Some variants are capable of generating domain names, producing anywhere from 250 to 50,000 URLs. While the worm only attempts to connect to around 500 randomly selected domains at a time, this modification is seen as an effort to add survivability to the DOWNAD botnet.

Propagation Routines

Propagation via Vulnerability

Variants of this worm propagate in two ways, both of which take advantage of a vulnerability discovered in certain Microsoft operating systems that could allow remote code execution if an affected system receives a specially crafted RPC request containing shellcode. More information on the said vulnerability can be found in the following link:

Variants of this worm are also capable of propagating over the Internet by attempting to send the exploit code to a random Internet address. They first broadcast the opened random port that serves as an HTTP server so that it is accessible over the Internet.

They also attempt to connect to remote URLs to determine the IP address of the affected computer. After obtaining the IP address of the system, variants of this worm check that the said IP address is valid and is not a local IP address. They also check whether the external IP address is the same as the IP address configured on the system.

Propagation via Network Shares

Some variants work through a built-in list of user names and passwords in an attempt to connect to a network share. Upon successful propagation via a network share, the worm drops a copy of itself and creates a scheduled task. The scheduled task is intended to automatically execute the dropped malware copy.

Hence, a target machine with a weak password can be repeatedly attacked by a system infected with WORM_DOWNAD. This can be indicated by detections in the Windows system folder.

Propagation via Removable Drives and Network Drives

Upon successful enumeration of drives, DOWNAD variants may drop a copy of itself along with the file AUTORUN.INF. The AUTORUN.INF is intended to automatically execute the dropped malware copy on the enumerated drive.
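The following is an added defender-side check, not Trend Micro's tooling, for the removable-drive and mapped-drive indicator described above and in the routine list (AUTORUN.INF sitting beside a {Random file name}.dll in a drive root). It parses the standard autorun.inf launch keys and flags entries that hand off to a DLL; the sample AUTORUN.INF content and the file name RANDOMNAME.dll are constructed placeholders.

```python
import re
import tempfile
from pathlib import Path

# Standard autorun.inf keys whose value is launched when the drive mounts.
# "command" also catches "shell\<verb>\command=" entries.
LAUNCH_KEYS = ("open", "shellexecute", "command")


def parse_autorun_targets(text: str) -> list[str]:
    """Return the launch-key values found in an autorun.inf body."""
    targets = []
    for raw in text.splitlines():
        line = raw.strip()
        if "=" not in line or line.startswith(";"):
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower().rsplit("\\", 1)[-1]  # shell\open\command -> command
        if key in LAUNCH_KEYS and value.strip():
            targets.append(value.strip())
    return targets


def scan_drive_root(root: Path) -> list[str]:
    """Flag the AUTORUN.INF-plus-DLL pattern in one drive root; returns findings."""
    findings = []
    autorun = next((p for p in root.iterdir() if p.name.lower() == "autorun.inf"), None)
    if autorun is None:
        return findings
    dlls = sorted(p.name for p in root.iterdir() if p.suffix.lower() == ".dll")
    if dlls:
        findings.append(f"DLL(s) beside AUTORUN.INF in drive root: {dlls}")
    for target in parse_autorun_targets(autorun.read_text(errors="replace")):
        if re.search(r"\.dll\b", target, re.IGNORECASE):
            findings.append(f"AUTORUN.INF launch entry hands off to a DLL: {target}")
    return findings


def demo() -> tuple[list[str], list[str]]:
    """Scan a constructed infected-looking root and a clean root (both in a temp dir)."""
    with tempfile.TemporaryDirectory() as tmp:
        bad = Path(tmp, "bad")
        bad.mkdir()
        # Constructed sample; RANDOMNAME.dll stands in for the worm's random file name.
        (bad / "AUTORUN.INF").write_text(
            "[autorun]\n;constructed sample\nshellexecute=rundll32.exe RANDOMNAME.dll,x\n")
        (bad / "RANDOMNAME.dll").write_bytes(b"MZ")
        clean = Path(tmp, "clean")
        clean.mkdir()
        (clean / "AUTORUN.INF").write_text("[autorun]\nicon=disk.ico\n")
        return scan_drive_root(bad), scan_drive_root(clean)


if __name__ == "__main__":
    print(demo())
```

On a live system, call scan_drive_root on each mapped drive root instead of the constructed directories; a clean drive with a cosmetic AUTORUN.INF (icon only) produces no findings.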

For additional information about this threat, see:
Solution
Technical Details

Description created: Mar. 31, 2009 2:38:43 AM GMT -0800
