What is W32.Downadup.B
W32.Downadup.B is a worm that spreads by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (BID 31874). It also attempts to spread to network shares protected by weak passwords and blocks access to security-related Web sites.
Technical details of W32.Downadup.B
Discovered: December 30, 2008
Updated: December 31, 2008 9:58:37 AM
Modifies Files: Modifies the tcpip.sys file.
Characteristics of W32.Downadup.B
Once executed, W32.Downadup.B checks for the presence of the following registry entries and if not present will create them:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\"dl" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\"dl" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\"ds" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\"ds" = "0"
W32.Downadup.B then copies itself as the following files:
%ProgramFiles%\Internet Explorer\[RANDOM FILE NAME].dll
%ProgramFiles%\Movie Maker\[RANDOM FILE NAME].dll
%System%\[RANDOM FILE NAME].dll
%Temp%\[RANDOM FILE NAME].dll
C:\Documents and Settings\All Users\Application Data\[RANDOM FILE NAME].dll
Next, W32.Downadup.B registers as a service, by creating the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[WORM GENERATED SERVICE NAME]\Parameters\"ServiceDll" = "[PATH TO WORM]"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[WORM GENERATED SERVICE NAME]\"ImagePath" = %SystemRoot%\system32\svchost.exe -k netsvcs
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[WORM GENERATED SERVICE NAME]\"Type" = "4"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[WORM GENERATED SERVICE NAME]\"Start" = "4"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[WORM GENERATED SERVICE NAME]\"ErrorControl" = "4"
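The registry artifacts listed above give a defender something concrete to hunt for. The following is an added example, not part of the original writeup: a Python script that parses the text output of `reg query <key> /s` (run on a suspect host and saved to a file) and flags the Applets dl/ds markers plus any svchost -k netsvcs service whose ServiceDll sits in one of the drop directories named above. The sample output embedded in it is constructed; the service name and DLL name in it are invented stand-ins.

```python
import re

# Constructed sample of `reg query <key> /s` output. Service name "jxhqwe" and
# DLL "pdovmq.dll" are invented stand-ins for the worm's random names.
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets
    dl    REG_SZ    0
    ds    REG_SZ    0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\system32\svchost.exe -k netsvcs
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\system32\wuauserv.dll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\jxhqwe
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\system32\svchost.exe -k netsvcs
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\jxhqwe\Parameters
    ServiceDll    REG_EXPAND_SZ    C:\Program Files\Movie Maker\pdovmq.dll
"""
# Drop directories from the writeup. %System% is left out on purpose: genuine
# netsvcs ServiceDlls live there too, so the path alone cannot flag it.
SUSPECT_DLL_DIRS = ("\\internet explorer\\", "\\movie maker\\", "\\temp\\",
                    "\\application data\\")
SERVICE_KEY = re.compile(r"^HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\[^\\]+$", re.I)

def parse_reg_query(text):
    # Unindented lines are key paths; indented lines are "name    type    data".
    keys, current = {}, None
    for line in filter(str.strip, text.splitlines()):
        if not line.startswith(" "):
            current, keys[current] = line.strip(), {}
        elif current is not None:
            parts = re.split(r" {4}", line.strip(), maxsplit=2)
            if len(parts) == 3:
                keys[current][parts[0]] = (parts[1], parts[2])
    return keys

def find_downadup_indicators(keys):
    # Flag the Applets dl/ds markers and netsvcs services whose ServiceDll sits in a drop directory.
    lower = {k.lower(): v for k, v in keys.items()}
    findings = []
    for key, values in keys.items():
        if key.lower().endswith("\\currentversion\\applets"):
            for name in sorted({"dl", "ds"} & set(values)):
                findings.append(f"applets-marker: {key}\\{name} = {values[name][1]}")
        if SERVICE_KEY.match(key):
            image = values.get("ImagePath", ("", ""))[1].lower()
            dll = lower.get(key.lower() + "\\parameters", {}).get("ServiceDll", ("", ""))[1]
            if "svchost.exe" in image and "netsvcs" in image and \
                    any(d in dll.lower() for d in SUSPECT_DLL_DIRS):
                findings.append(f"netsvcs-servicedll: {key.split(chr(92))[-1]} -> {dll}")
    return findings
```

A hit on the dl/ds markers is specific to this worm family; a netsvcs ServiceDll outside %System% is a triage lead that still needs the DLL itself checked, since the worm also drops into %System%, which this path heuristic cannot cover.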
Removal of W32.Downadup.B
Malware such as W32.Downadup.B is best removed automatically by reputable security software such as Norton 360. We discourage removing malware such as W32.Downadup.B by following manual removal instructions: it requires considerable expertise, and there is always a chance that the malware is not removed at all.
How to get rid of W32.Downadup.B - Removal Steps:
- Disable System Restore (Windows Me/XP). This is an important step because if a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer. Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.
- Download Norton 360, if you do not have it already.
- Norton 360 protection has been tested and found to clean W32.Downadup.B infections effectively. We suggest that you update the virus definitions of your Norton 360 protection.
- If you do not have Norton 360, we recommend that you first download the Trialware version (absolutely free) and scan your system. To download the Trialware version, go to the Symantec website and click on Trialware.
- Run a full system scan. Make sure that Norton 360 is configured to scan all the files.
- In case the malware W32.Downadup.B does not allow you to scan, then restart your system in Safe Mode and run the scan again.
- Take the steps suggested by the scan. After you delete the malware W32.Downadup.B, restart the system in normal mode.
- If you get error messages on restart, click OK and proceed. Now you need to delete the registry keys created by the malware W32.Downadup.B.
- Warning: Registry editing may be risky for your Windows installation. We recommend using professional registry cleaner software such as PC Tools Registry Mechanic. For manual registry cleaning, click Start > Run, type regedit and click OK. Remember to back up your registry before proceeding.
- Navigate to the registry keys related to W32.Downadup.B malware (given above) and delete them.
- Restart the system.