What is W32.Downadup.B

W32.Downadup.B is a worm that spreads by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (BID 31874). It also attempts to spread to network shares protected by weak passwords and blocks access to security-related Web sites.

Technical details of W32.Downadup.B

Discovered: December 30, 2008
Updated: December 31, 2008 9:58:37 AM
Type: Worm
Modifies Files: Modifies the tcpip.sys file.

Characteristics of W32.Downadup.B

Once executed, W32.Downadup.B checks for the presence of the following registry entries and creates them if they are not present:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\"dl" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\"dl" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\"ds" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\"ds" = "0"

W32.Downadup.B then copies itself as the following files:

%ProgramFiles%\Internet Explorer\[RANDOM FILE NAME].dll
%ProgramFiles%\Movie Maker\[RANDOM FILE NAME].dll
%System%\[RANDOM FILE NAME].dll
%Temp%\[RANDOM FILE NAME].dll
C:\Documents and Settings\All Users\Application Data\[RANDOM FILE NAME].dll

Next, W32.Downadup.B registers itself as a service by creating the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[WORM GENERATED SERVICE NAME]\Parameters\"ServiceDll" = "[PATH TO WORM]"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[WORM GENERATED SERVICE NAME]\"ImagePath" = "%SystemRoot%\system32\svchost.exe -k netsvcs"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[WORM GENERATED SERVICE NAME]\"Type" = "4"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[WORM GENERATED SERVICE NAME]\"Start" = "4"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[WORM GENERATED SERVICE NAME]\"ErrorControl" = "4"
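The marker values, drop directories and service registration described above are all host artifacts an administrator can check for directly. The following PowerShell hunt script is an added example, not part of this write-up or any vendor tool. It assumes the Applets value names, the drop directories and the svchost/netsvcs service pattern exactly as listed above; the mapping of "%System%" and "All Users\Application Data" onto environment variables, the use of Authenticode signature status to separate legitimate netsvcs DLLs in system32 from dropped ones, and the tcpip.sys signature check are assumptions added for the example. Run it in an elevated session on the host being examined.

```powershell
# Added hunt script (not from the W32.Downadup.B write-up or any vendor tool).
# Looks for the registry markers, the netsvcs-hosted service and the
# tcpip.sys change described in the write-up. Everything that is not quoted
# from the write-up (directory mapping, signature checks) is an assumption.

$findings = @()

# 1. Marker values "dl" and "ds" under ...\CurrentVersion\Applets
#    (both hives, as the write-up lists them).
$markerKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Applets',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets'
)
foreach ($key in $markerKeys) {
    foreach ($name in 'dl', 'ds') {
        $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            $findings += "Marker value present: $key\$name = $($item.$name)"
        }
    }
}

# 2. Services whose ImagePath is svchost.exe -k netsvcs and whose ServiceDll
#    lives in one of the drop directories from the write-up.
#    Assumption: %System% = %SystemRoot%\system32 and
#    "C:\Documents and Settings\All Users\Application Data" = %ALLUSERSPROFILE%\Application Data.
$systemDir = Join-Path $env:SystemRoot 'system32'
$dropDirs = @(
    (Join-Path $env:ProgramFiles 'Internet Explorer'),
    (Join-Path $env:ProgramFiles 'Movie Maker'),
    $systemDir,
    $env:TEMP,
    (Join-Path $env:ALLUSERSPROFILE 'Application Data')
)

Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
    $svc = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
    if ($svc.ImagePath -notmatch 'svchost\.exe\s+-k\s+netsvcs') { return }

    $params = Get-ItemProperty -Path (Join-Path $_.PSPath 'Parameters') -ErrorAction SilentlyContinue
    if (-not $params -or -not $params.ServiceDll) { return }

    $dll = [Environment]::ExpandEnvironmentVariables($params.ServiceDll)
    $dir = Split-Path -Path $dll -Parent
    if ($dropDirs -notcontains $dir) { return }   # -contains is case-insensitive

    # system32 legitimately hosts many netsvcs DLLs; there, only an unsigned
    # or missing DLL is reported. The other directories never host a netsvcs
    # service on a clean system, so any hit is reported.
    $sig = Get-AuthenticodeSignature -FilePath $dll -ErrorAction SilentlyContinue
    if (($dir -ieq $systemDir) -and ($sig.Status -eq 'Valid')) { return }

    $findings += ("Suspicious netsvcs service {0}: ServiceDll={1} Type={2} Start={3} ErrorControl={4} Signature={5}" -f
        $_.PSChildName, $dll, $svc.Type, $svc.Start, $svc.ErrorControl, $sig.Status)
}

# 3. The write-up says the worm modifies tcpip.sys; a modified driver no
#    longer carries a valid Microsoft signature.
$tcpip = Join-Path $systemDir 'drivers\tcpip.sys'
$tcpipSig = Get-AuthenticodeSignature -FilePath $tcpip -ErrorAction SilentlyContinue
if ($tcpipSig.Status -ne 'Valid') {
    $findings += "tcpip.sys signature status: $($tcpipSig.Status) ($tcpip)"
}

if ($findings.Count -eq 0) { 'No W32.Downadup.B artifacts found.' } else { $findings }
```

Each finding prints the Type, Start and ErrorControl values so they can be compared with the "4" values quoted in the write-up; a netsvcs service whose DLL sits in %Temp% or in the Internet Explorer or Movie Maker folder is worth investigating regardless of those values, while a signed DLL in system32 is filtered out to keep the output to genuine anomalies.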