Home / malwarePDF  

Worm:W32/Downadup


First posted on 12 December 2008.
Source: SecurityHome

Aliases :

There are no other names known for Worm:W32/Downadup.

Explanation :

A standalone malicious program which uses computer or network resources to make complete copies of itself. May include code or other malware to damage both the system and the network.

right]Installation

Upon execution, it creates the following Mutex as part of its installation:

  • Global\%random%-%random%

It then Creates a copy of the file as %systemdir%<%random_dllname%>.dll and change timestamp as timestamp of the %systemdir%kernel32.dll.

The malware then modifies the registry, creating a number of registry keys including a "Parameters" key under the service key with the entry:

  • Servicedll = %systemroot%system32[...].dll

It also modifies the following registry key:

  • HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionSvcHost
    netsvcs = <%previous data% and %random_dllname%>

It then Disables user created System Restore Points.

It may also attach itself to "services.exe".

Propagation

It connects to the following sites to get the %external_ip_address% of the infected system.

  • http://www.getmyip.org
  • http://getmyip.co.uk
  • http://checkip.dyndns.org

It then creates a http server on the infected system on a random port:

  • http://%external_ip_address%:%random_port%

The malwares tries to exploit the system that is vulnerable to "MS08-067", the exploited system will download a copy of the malware having jpeg extension from the aforementioned http server.

It creates the following registry:

  • HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionNls
    (Default) = dword:%Number%

It downloads and executes the following files when the system date is above "December 1, 2008":

  • http://trafficconverter.biz/4vir/antispyware/loadadv.exe
As of this writing, this URL is currently unavailable. We can only speculate regarding the real motive of the malware author. The URL contains rogue antispyware-related strings. Profit on this perspective is acquired through affiliate programs that some rogue antispywares have.

It also downloads and executes the following files when the system date is above "November 25, 2008":

  • http://<%predictable_domains_ipaddress%>/search?q=<%Number%>&aq=7

where %Number% is the number of systems the malware has successfully infected, and %predictable_domains_ipaddress% is a predictable domain that will be converted to an IP address.

It may connect to the following domains to obtain current system date which will then be used to generate predictable domains:

  • baidu.com
  • google.com
  • yahoo.com
  • msn.com
  • ask.com
  • w3.org

Examples of a predictable domain:

  • aconklcn.net
  • adnherho.com
  • afshu.info
  • aftzwhcjk.info
  • agiwjyx.biz
  • ahzvceeg.biz
  • aihbjawqll.info
  • andndjmts.com
  • arrqczqj.com
  • atffhfyr.info
  • bfhfa.org
  • bjamrxy.info
  • bkidqwqd.com
  • bkzdbmwqf.org
  • bpbokixgrr.com
  • bqbgqkx.org
  • btuzcgytmg.biz
  • buxbpcuhgks.biz
  • bwssb.info
  • byqibg.net
  • ciyqydagnbi.net
  • clhosan.biz
  • cpoqvn.org
  • cubbrbh.biz
  • cupgw.biz
  • cxqlmwgp.com
  • czkiptwai.info
  • dcpaiqzc.biz
  • dczokqhd.net
  • djlwuayzv.net
  • dpdszcxxw.net
  • dsfflhy.com
  • dvlzq.info
  • dwbxwdjvg.com
  • dynppafxww.biz
  • dzoibj.info
  • ecclfke.info
  • edgvfinrbc.net
  • epefw.biz
  • esmgvh.info
  • esotw.net
  • espvtm.net
  • exrudww.com
  • fbtbsshxtqc.com
  • fcwak.net
  • fdkpw.info
  • fntkbzdcdpp.net
  • fpabgx.info
  • fsbeui.biz
  • gbqxdo.com
  • gcqnhcxkubp.com
  • gdxsk.biz
  • germtbzda.com
  • glvnmc.net
  • gqsaoheic.biz
  • gquvqirf.org
  • gtgyzcq.net
  • gxffs.net
  • gxoli.com
  • gxxromkhtx.org
  • gyvdjzkd.info
  • hatveqxgn.info
  • hbdaaqpgj.biz
  • hdbvwlhmy.info
  • hdunbnus.org
  • hfhlitaauh.com
  • hfpmgvkimks.net
  • hhdecyyznvj.info
  • hkefcack.info
  • hlflxstgcs.net
  • hohwolepnvb.net
  • hojmuh.com
  • hxbrrbnrdet.net
  • hyrvvlt.org
  • hzfdvzal.org
  • hzxqfyuy.org
  • ihkifipkob.com
  • ijiwdbfe.net
  • ilmenn.org
  • inanwchr.org
  • ivscm.net
  • iwetmh.net
  • ixdrqyfm.info
  • ixukyfoyarg.com
  • iybkspozz.biz
  • jbaporuw.biz
  • jebzcbsaljz.biz
  • jjsajvu.com
  • jlispc.org
  • jlopa.net
  • jnuiamwb.biz
  • jospdiqg.info
  • jwdqzdqsj.net
  • kaiaw.info
  • kdgypwbe.biz
  • klefutkoadt.biz
  • kmpzc.org
  • kuffkactpj.biz
  • kuyinxdwg.net
  • kuylneworqs.info
  • lgjse.info
  • lidrjmqi.org
  • lnbslx.org
  • lpqpev.info
  • lqjrdrh.org
  • lrfyqneanck.org
  • ltkdit.biz
  • lxhru.biz
  • lxlwjany.info
  • maiow.biz
  • mawsezpa.com
  • mcmyhkzlf.org
  • mcngeewe.net
  • mgroq.info
  • mkpih.net
  • mlpuconaddf.net
  • mmrqzxju.org
  • mpqqqnp.com
  • munrulnyoxr.com
  • muvlf.net
  • mxjoextn.com
  • namvkxkdxmm.info
  • nbgsq.info
  • nbykxprbx.biz
  • neacdkow.com
  • nelkzm.net
  • nelxfbw.biz
  • nguxos.net
  • nkzwdb.org
  • npxmlclpzop.net
  • nwlovpsjku.biz
  • nxdcbqyism.info
  • nxekr.com
  • obopljobg.org
  • obzueobl.org
  • oepsmq.info
  • ohnviuwnuf.biz
  • oplqgkc.com
  • orvehkxvpo.biz
  • osbeaescr.biz
  • owqwsmcc.biz
  • pdesl.com
  • pdmqxeumc.info
  • pijtber.org
  • pisaonnpht.info
  • pkxsngzrc.com
  • ppdtaqaa.net
  • pwrkfyh.org
  • qazvsxhgloa.info
  • qcdfklazpwb.com
  • qcdkcghpyhj.net
  • qfszswn.com
  • qpcbthly.com
  • qpvxbhgdc.biz
  • qrmbw.info
  • qxnwhtob.com
  • qxynx.biz
  • rmzchhf.info
  • rncviqzt.info
  • rnsnpgtql.org
  • rofuirvnkq.info
  • rpvuyeiyo.biz
  • rwiqvdes.biz
  • rxnunynbalh.com
  • ryjincwdq.com
  • saewkwhy.info
  • sanpqayp.com
  • saywd.net
  • sbekp.com
  • sbywqb.com
  • sfgvicncwcs.net
  • sijrllxplcf.org
  • sjymarcq.com
  • skuwzlpa.info
  • slnzxx.biz
  • snmlvr.com
  • spvdkjdp.net
  • sqrffrncfm.biz
  • sqyjtz.biz
  • supwcqpn.org
  • tagumbpqa.com
  • tdgoyhpua.com
  • tfwiypsv.info
  • timpsb.com
  • toxckrmg.org
  • tshttkma.info
  • tsmaeeil.info
  • ttbcb.info
  • tuesiglpy.net
  • tzjxlmwzwr.com
  • ubtyckmg.com
  • ubuwka.biz
  • ufefitds.org
  • uflir.info
  • ugtfcacq.org
  • uolctymvtl.biz
  • usimkdlizxu.org
  • uswsaki.info
  • utazsru.net
  • uwhfgofog.biz
  • uxbxjt.biz
  • uxwtykgty.info
  • uxykdjpqp.org
  • vdovf.org
  • vfpbzy.biz
  • vxfuyk.com
  • waxet.info
  • wfgpaosz.org
  • wrmfc.com
  • wydpf.org
  • xdofi.com
  • xegmskqvmxs.info
  • xewkvyi.com
  • xfclsh.net
  • xfrxclyxj.com
  • xjvppmge.net
  • xkdvxketsn.net
  • xmirfew.com
  • xxwurg.org
  • xxzynv.com
  • ybgxlz.com
  • ybjmfmlzxf.org
  • ycvazaatojy.biz
  • yefcelcnl.biz
  • yeszvf.com
  • yezzqntd.org
  • yfaooxcwa.com
  • yiaswysd.net
  • ynsprbyapcg.biz
  • yopmwpnmzvg.net
  • yrhvlci.com
  • yvvnm.net
  • yvwhkimeub.com
  • ywzpzbypmgq.net
  • yxgoqcg.biz
  • yxljmzxmbm.com
  • zbuqkgqoeg.info
  • zcatwgmi.biz
  • zcpzbmii.info
  • zdimkl.org
  • zfvepki.net
  • zgvylvrxsj.com
  • zhmpqdetg.net
  • zkfnpv.com
  • zlxkgdkj.com
  • zmvpqfym.com
  • zpodrkmqg.net
  • zthmwctg.biz
  • zuiwain.info
  • zzuluunbcl.org

Notes

More information about the MS08-067 vulnerability is available from Microsoft at http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

Last update 12 December 2008

 

TOP

Malware :

Family: