Worm:W32/Downadup.DY

Classification

Category :

Malware

Type :

Worm

Aliases :

Worm:W32/Downadup.DY, Net-Worm.Win32.Kido.iw, Win32.Worm.Downadup, Worm:Win32/Conficker.D (Microsoft), W32.Downadup.C (Symantec), W32/Conficker.worm (McAfee)

Summary

Worm:W32/Downadup.DY is a variant of Worm:W32/Downadup family of worms.

Removal

Please see our Worm:W32/Downadup.gen description for disinfection information.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Infection

Upon execution, the worm creates copies of itself in the following locations:

  • %System%\[Random].dll
  • %Program Files%\Internet Explorer\[Random].dll
  • %Program Files%\Movie Maker\[Random].dll
  • %Program Files%\Windows Media Player\[Random].dll
  • %Program Files%\Windows NT\[Random].dll
  • %Application Data%\[Random].dll
  • %Temp%\[Random].dll

Note: [Random] represents a algorithmically generated name..

The worm disables a number of system features in order to facilitate its activities. It disables the following Windows services:

  • Windows Automatic Update Service (wuauserv)
  • Background Intelligent Transfer Service (BITS)
  • Windows Security Center Service (wscsvc)
  • Windows Defender Service (WinDefend)
  • Windows Error Reporting Service (ERSvc)
  • Windows Error Reporting Service (WerSvc)

The worm also hooks the following API's in order to block access when the user attempts to access a long list of domains:

  • DNS_Query_UTF8
  • DNS_Query_W
  • Query_Main
  • sendto

If the user attempts to access the following, primarily security-related domains, their access is blocked:

  • agnitum
  • ahnlab
  • anti-
  • antivir
  • arcabit
  • avast
  • avgate
  • avira
  • bothunter
  • castlecops
  • ccollomb
  • centralcommand
  • clamav
  • comodo
  • computerassociates
  • conficker
  • cpsecure
  • cyber-ta
  • defender
  • downad
  • drweb
  • dslreports
  • emsisoft
  • esafe
  • eset
  • etrust
  • ewido
  • f-prot
  • f-secure
  • fortinet
  • free-av
  • freeav
  • gdata
  • grisoft
  • hackerwatch
  • hacksoft
  • hauri
  • ikarus
  • jotti
  • k7computing
  • kaspersky
  • kido
  • malware
  • mcafee
  • microsoft
  • mirage
  • msftncsi
  • msmvps
  • mtc.sri
  • networkassociates
  • nod32
  • norman
  • norton
  • onecare
  • panda
  • pctools
  • prevx
  • ptsecurity
  • quickheal
  • removal
  • rising
  • rootkit
  • safety.live
  • securecomputing
  • secureworks
  • sophos
  • spamhaus
  • spyware
  • sunbelt
  • symantec
  • technet
  • threat
  • threatexpert
  • trendmicro
  • trojan
  • virscan
  • virus
  • wilderssecurity
  • windowsupdate
  • avg
  • avp
  • bit9
  • ca
  • cert
  • gmer
  • kav
  • llnw
  • llnwd
  • msdn
  • msft
  • nai
  • sans

Downloads

Downadup is capable of downloading files onto the infected system. First, the worm connects to one of the following domains to obtain the current system date:

  • baidu.com
  • google.com
  • yahoo.com
  • ask.com
  • w3.org
  • facebook.com
  • imageshack.us
  • rapidshare.com

The obtained system date is used to generate a list of domains where the worm then attempts to download additional files.

It then verifies whether the current date is at least April 1, 2009. If so, it downloads and execute files from:

  • http://%predictable_domains_ipaddress%

Note: %PredictableDomainsIPAddress% are the domains generated based on the system date.

Registry

It creates the following registry entries:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[servicekeyname] DisplayName = %servicedisplayname% Type = dword:00000020 Start = dword:00000002 ErrorControl = dword:00000000 ImagePath = "%SystemRoot%\system32\svchost.exe -k netsvcs" ObjectName = "LocalSystem" Description = %description%
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[servicekeyname]\Parameters ServiceDll = %path_of_malware%

Note: %servicedisplayname% represents a two word combination taken from a list of the following words:

  • Audit
  • Backup
  • Boot
  • Browser
  • Center
  • Component
  • Config
  • Control
  • Discovery
  • Driver
  • Event
  • Framework
  • Hardware
  • Helper
  • Image
  • Installer
  • Logon
  • Machine
  • Management
  • Manager
  • Microsoft
  • Monitor
  • Network
  • Notify
  • Power
  • Security
  • Server
  • Shell
  • Storage
  • Support
  • System
  • Task
  • Time
  • Trusted
  • Universal
  • Update
  • Windows

Note: %servicekeyname% represents a combination of two words taken from a list of the following words:.

1st Word

  • App
  • Audio
  • DM
  • ER
  • Event
  • help
  • Ias
  • Ir
  • Lanman
  • Net
  • Ntms
  • Ras
  • Remote
  • Sec
  • SR
  • Tapi
  • Trk
  • W32
  • win
  • Wmdm
  • Wmi
  • wsc
  • wuau
  • xml

2nd Word

  • access
  • agent
  • auto
  • logon
  • man
  • mgmt
  • mon
  • prov
  • serv
  • Server
  • Service
  • Srv
  • srv
  • Svc
  • svc
  • System
  • Time

The worm modifies the following registry entry and inserts the %servicekeyname%:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost, netsvcs = <%previous data% + %servicekeyname%>

It also create the following registry autorun entry:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run = rundll32.exe "%path_of_malware%", [random]
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run = rundll32.exe "%path_of_malware%", [random]

It deletes the following registry key to Deactivate Security Center Notifications:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjects\{FD6905CE-952F-41F1-9A6F-135D9C6622CC}

It also deletes the following registry value to disable Windows Defender from startup:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, Windows Defender

It deletes the following registry to prevent from restating in safe mode:

  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot

Downadup.DY also deletes any System Restore points created by the user.

Process Termination

It terminates processes that contains any of the following strings:

  • autoruns
  • avenger
  • confick
  • downad
  • filemon
  • gmer
  • hotfix
  • kb890
  • kb958
  • kido
  • klwk
  • mbsa.
  • mrt.
  • mrtstub
  • ms08-06
  • procexp
  • procmon
  • regmon
  • scct_
  • sysclean
  • tcpview
  • unlocker
  • wireshark

P2P Network

The worm connects itself to a peer-to-peer network. A significant number of UDP connections can be observed when the worm is attempting to connect to its P2P network..