Friday, April 29, 2011

Worm:W32/Downadup.AL


Disinfection

Removal Tools

F-Downadup
Specific tool with heuristics for Downadup worm variants:


FSMRT
Non-specific detection tool, larger file size:


Note: these are command line tools, please read the text file included in the ZIP for additional details.

Updates

These are beta tools. Use the following FTP location to determine the file dates:


Scanning Options

Downadup makes use of random extension names in order to avoid detection.

During disinfection, scanning options should be set to:

• Scan all files

Microsoft Help and Support

Knowledge Base Article 962007 provides numerous details for manual disinfection of Conficker.B (alias Downadup).

Additional Details

Worm:W32/Conficker.AL is a variant of Worm:W32/Downadup.A which is able to spread copies of itself over a network using three different methods: file sharing, exploitation of a vulnerability and exploitation of Windows Autorun.

In addition to attempting to connect to remote sites, Conficker.AL uses stealth techniques to hide its actions, and makes a number of changes to the Windows Registry.

More technical information is also available in the related descriptions:




Installation


Upon execution, Downadup creates copies of itself in:

• %System%\[Random].dll
• %Program Files%\Internet Explorer\[Random].dll
• %Program Files%\Movie Maker\[Random].dll
• %All Users Application Data%\[Random].dll
• %Temp%\[Random].dll
• %System%\[Random].tmp
• %Temp%\[Random].tmp

* Note: [Random] represents a randomly generated name.

Each file's timestamp is amended to match the timestamp of the %System%\kernel32.dll file. The worm then creates autorun entries in the registry, which ensure that a copy of the worm is executed at every system startup.

The worm then attaches itself to the following processes:

• svchost.exe
• explorer.exe
• services.exe


Activity

The worm disables a number of system features, in order to facilitate its activities. It disables the following Windows services:

• Windows Automatic Update Service (wuauserv)
• Background Intelligent Transfer Service (BITS)
• Windows Security Center Service (wscsvc)
• Windows Defender Service (WinDefend)
• Windows Error Reporting Service (ERSvc)
• Windows Error Reporting Service (WerSvc)

In addition to disabling these services, it checks to see whether it is running on a Windows Vista machine; if so, it also runs the following command to disable Windows Vista TCP/IP auto-tuning:

• netsh interface tcp set global autotuning=disabled

The worm also hooks the following APIs in order to block access when the user attempts to reach a long list of domains:

• DNS_Query_A
• DNS_Query_UTF8
• DNS_Query_W
• Query_Main
• sendto
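As an added example, not part of the original description, the following read-only PowerShell triage script checks a host for the Installation and Activity indicators listed above: files in the drop directories whose last-write time equals that of kernel32.dll, the start mode of the services the worm disables, and the TCP auto-tuning setting. Mapping %All Users Application Data% to the CommonApplicationData folder and %Temp% to $env:TEMP is an assumption; run it from an elevated prompt.

```powershell
# Added triage script for the Downadup.AL indicators described above (not F-Secure's tool).
# Read-only: it reports, it does not delete or change anything.

# 1. Files timestomped to match %System%\kernel32.dll (heuristic taken from the description).
$refTime = (Get-Item "$env:SystemRoot\System32\kernel32.dll").LastWriteTime

# Drop directories from the "Installation" list; folder mappings are assumptions.
$dropDirs = @(
    "$env:SystemRoot\System32",
    "$env:ProgramFiles\Internet Explorer",
    "$env:ProgramFiles\Movie Maker",
    [Environment]::GetFolderPath('CommonApplicationData'),   # %All Users Application Data%
    $env:TEMP                                                # %Temp%
)

Write-Host "== .dll/.tmp files whose last-write time matches kernel32.dll ($refTime) =="
foreach ($dir in $dropDirs) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path "$dir\*" -Include *.dll, *.tmp -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -ne 'kernel32.dll' -and $_.LastWriteTime -eq $refTime } |
        ForEach-Object { Write-Host ("  suspect: {0}  ({1} bytes)" -f $_.FullName, $_.Length) }
}

# 2. Services the worm disables (names from the "Activity" list).
Write-Host "== Start mode of services the worm disables =="
foreach ($svc in 'wuauserv', 'BITS', 'wscsvc', 'WinDefend', 'ERSvc', 'WerSvc') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($null -eq $s) { Write-Host "  $svc : not present on this system"; continue }
    $mode = (Get-CimInstance Win32_Service -Filter "Name='$svc'").StartMode
    $flag = if ($mode -eq 'Disabled') { '  <-- DISABLED, review' } else { '' }
    Write-Host ("  {0,-10} status={1,-8} startmode={2}{3}" -f $svc, $s.Status, $mode, $flag)
}

# 3. TCP auto-tuning, which the worm turns off on Vista via netsh.
Write-Host "== Receive window auto-tuning (worm sets it to disabled) =="
netsh interface tcp show global | Select-String -Pattern 'Auto-Tuning'
```

A hit in step 1 is only a lead: legitimate files can share kernel32.dll's timestamp, so confirm with a scan of the flagged path before acting.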
