- Threat Encyclopedia
- Malware
- WORM_DOWNAD.AD
Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
Copies itself in all available physical drives, Propagates via removable drives, Propagates via software vulnerabilities, Propagates via network shares
This worm exploits a vulnerability in Server service that, when exploited, allows a remote user to execute arbitrary code on the infected system in order to propagate across networks.
To get a one-glance comprehensive view of the behavior of this Worm, refer to the Threat Diagram shown below.
It propagates by dropping copies of itself in physical and removable drives. It also propagates over the Internet by attempting to send the exploit code to random Internet addresses.
It generates a set of URLs containing 250 random sites per day based on the UTC time standard.
It blocks access to websites that contain certain strings, which are mostly related to antivirus programs.
This worm arrives via removable drives. It may be dropped by other malware.
It modifies registry entries to disable various system services. This action prevents most of the system functions to be used.
It drops copies of itself into all the removable drives connected to an affected system. It drops copies of itself into network drives. It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system. It exploits software vulnerabilities to propagate to other computers across a network.
It modifies certain registry entries to hide Hidden files. It prevents users from visiting antivirus-related websites that contain specific strings.
160,480 bytes
DLL
No
30 Dec 2008
Connects to URLs/Ips
Arrival Details
This worm arrives via removable drives.
It may arrive via network shares.
It may be dropped by other malware.
Installation
This worm drops the following copies of itself into the affected system:
(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.. %System% is the Windows system folder, which is usually C:\Windows\System32.. %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000, Server 2003, and XP (32-bit), Vista (32-bit), and 7 (32-bit), or C:\Program Files (x86) in Windows XP (64-bit), Vista (64-bit), and 7 (64-bit).. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)
It adds the following mutexes to ensure that only one of its copies runs at any one time:
Autostart Technique
This worm registers itself as a system service to ensure its automatic execution at every system startup by adding the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\SvcHost\
{random characters}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\{random characters}
ImagePath = "%System Root%\system32\svchost.exe -k"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\{random characters}\Parameters
ServiceDll = "%System%\{malware file name}"
It adds the following registry entries to enable its automatic execution at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{random characters} = "rundll32.exe {malware path and file name}, Parameter"
Other System Modifications
This worm adds the following registry entries as part of its installation routine:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Applets
dl = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Applets
ds = "0"
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Applets
dl = "0"
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Applets
ds = "0"
It modifies the following registry key(s)/entry(ies) as part of its installation routine:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters
TcpNumConnections = "00FFFFFE"
(Note: The default value data of the said registry entry is user-defined.)
It modifies registry entries to disable the following system services:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\BITS
Start = "4"
(Note: The default value data of the said registry entry is 2.)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\wuauserv
Start = "4"
(Note: The default value data of the said registry entry is 2.)
Propagation
This worm creates the following folders in all removable drives:
It drops copies of itself into all the removable drives connected to an affected system.
It drops the following copy(ies) of itself in all removable drives:
It drops copies of itself into network drives.
It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.
The said .INF file contains the following strings:
It uses the following user name and password to gain access to password-protected shares:
It exploits the following software vulnerabilities to propagate to other computers across a network:
Other Details
This worm connects to the following URL(s) to get the affected system's IP address:
It connects to the following time servers to determine the current date:
It modifies the following registry entries to hide Hidden files:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced\Folder\Hidden\
SHOWALL
CheckedValue = "0"
(Note: The default value data of the said registry entry is 1.)
It does the following:
It prevents users from visiting antivirus-related websites that contain the following strings:
8.900
7.733.00
28 Dec 2010
Step 1
Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.
Step 3
Search and delete AUTORUN.INF files created by WORM_DOWNAD.AD that contain these strings
Step 4
Scan your computer with your Trend Micro product to delete files detected as WORM_DOWNAD.AD. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
Step 5
Download and apply this security patch Refrain from using these products until the appropriate patches have been installed. Trend Micro advises users to download critical patches upon release by vendors.
NOTES:
Trend Micro OfficeScan users are also urged to use the following features to protect from WORM_DOWNAD malware:
Enabling Device Access Control
Enabling USB Autoscan
For Trend Micro OfficeScan 10.6 SP1 and later, enable this Trend Micro OfficeScan feature, please refer to the following eSupport page:
Enabling Scan Network Drive
Enabling Web Reputation Service
Enabling Firewall Feature
Trend Micro OfficeScan users may also install and configure the Intrusion Defense Firewall (IDF) plugin to further prevent WORM_DOWNAD infections.
Configuring IDF to Protect from DOWNAD infections