
Worm:W32/Downaduprun.A


First posted on 21 January 2009.
Source: SecurityHome

Aliases :

There are no other names known for Worm:W32/Downaduprun.A.

Explanation :

Worm:W32/Downaduprun.A detects the malicious autorun.inf file used by the Downadup network worm.

Worm:W32/Downaduprun.A is a generic detection of Downadup worm autorun files. Recent versions of F-Secure software such as Internet Security 2009 and Client Security 8 are able to make this detection.

Downadup is a network worm. See the Worm:W32/Downadup.gen description for further details.

Downadup is able to spread itself using Windows Autorun functionality. The autorun.inf file used by Downadup is detected as Worm:W32/Downaduprun.A.

Typical Autorun.inf files are very small in size.

The Downadup worm inflates the size of its autorun.inf in an attempt to avoid detection by antivirus signature scanners. Binary characters are used to inflate the file size. These binary characters are ignored by the Windows operating system.

Windows will find the following command:

  • Open=RUNDLL32.EXE .\RECYCLER\jwgvsq.vmx

This command executes a DLL called jwgvsq.vmx from a hidden folder on the removable drive containing the malicious autorun.inf.
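The following triage check is an added example, not F-Secure's detection logic or code from the original page. It discards the binary padding the way the description says Windows does, then reports any launch command that remains. The size threshold, function names, and sample data (including the placeholder DLL path) are assumptions constructed for illustration.

```python
import re

# Autorun keys that launch a program (INI keys are case-insensitive).
EXEC_KEYS = re.compile(
    rb"^\s*(open|shellexecute|shell\\[^=]*\\command)\s*=\s*(.+?)\s*$", re.I)
TYPICAL_MAX_BYTES = 1024  # assumption: cutoff for "very small"; tune locally


def launch_commands(data: bytes) -> list[str]:
    """Return the launch commands left once padding bytes are discarded."""
    found = []
    for line in re.split(rb"[\r\n]+", data):
        # Approximation of the parser's behaviour: keep printable ASCII only.
        clean = bytes(b for b in line if 0x20 <= b < 0x7F)
        match = EXEC_KEYS.match(clean)
        if match:
            found.append(match.group(2).decode("ascii"))
    return found


def assess(data: bytes) -> dict:
    """Summarise the traits described above: inflated size, padding, rundll32."""
    junk = sum(1 for b in data if not (0x20 <= b < 0x7F or b in b"\r\n\t"))
    commands = launch_commands(data)
    rundll = [c for c in commands if c.lower().startswith("rundll32")]
    oversized = len(data) > TYPICAL_MAX_BYTES
    junk_ratio = junk / max(len(data), 1)
    return {
        "size": len(data),
        "oversized": oversized,
        "junk_ratio": junk_ratio,
        "commands": commands,
        # Flag only when a rundll32 launch hides inside a padded file.
        "suspicious": bool(rundll) and (oversized or junk_ratio > 0.1),
    }


# Constructed samples: high-byte padding lines around a launch command.
JUNK = bytes(range(0x80, 0x100)) * 4 + b"\r\n"
PADDED = (JUNK * 20 + b"[AutoRun]\r\n" + JUNK * 20 +
          b"Open=RUNDLL32.EXE .\\PLACEHOLDER\\sample.dll\r\n" + JUNK * 20)
BENIGN = b"[autorun]\r\nicon=setup.ico\r\nlabel=Installer\r\n"

if __name__ == "__main__":
    print(assess(PADDED))
    print(assess(BENIGN))
```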

Last update 21 January 2009

 
