Malware type: Worm

Aliases: Net-Worm.Win32.Kido.dam.y (Kaspersky), W32/Conficker.worm (McAfee), W32.Downadup (Symantec), Worm/Conficker.AC (Avira), W32/Downldr2.EXAE (exact) (F-Prot), Worm:Win32/Conficker.A (Microsoft)

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 2000, XP, Server 2003, Vista

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential:


Distribution potential:


Infection Channel 1 : Propagates via software vulnerabilities


To get a one-glance comprehensive view of the behavior of this malware, refer to the Behavior Diagram shown below.

WORM_DOWNAD.A Behavior Diagram

Malware Overview

This .DLL worm may be downloaded from remote sites by other malware. It may be dropped by other malware. It may also arrive bundled with malware packages as a malware component.

It is a file stored in the Windows system folder and is capable of exporting functions used by other malware.

Once executed, it connects to certain Web sites to download possibly malicious files. It resolves the host name by attempting to obtain the machine's IP address by accessing certain URLs.

This worm also propagates by taking advantage of a vulnerability discovered in certain Microsoft operating systems that could allow remote code execution if an affected system received a specially crafted RPC request. More information on the said vulnerability can be found in the following link:

For additional information about this threat, see:

Description created: Nov. 24, 2008 2:59:58 PM GMT -0800


File type: PE

Size of malware: 62,976 Bytes

Ports used: Random TCP ports, TCP port 445 (Microsoft-DS)

Initial samples received on: Nov 21, 2008

Compression type: ACProtect, PECompact, UPX

Vulnerability used:  (MS08-067) Vulnerability in Server Service Could Allow Remote Code Execution (958644)

Payload 1: Downloads files



This .DLL worm may be downloaded from remote sites by other malware. It may be dropped by other malware. It may also arrive bundled with malware packages as a malware component.


This worm drops a copy of itself Windows system folder using a random file name with the .DLL extension. This technique prevents dropping of several copies of itself on already affected systems. It also locks its dropped copy to prevent users from reading, writing, and deleting it.

It is capable of exporting functions used by other malware.

It sets the creation time of the file similar to that of the creation time indicated in the legitimate Windows file KERNEL32.DLL, which is also located in the Windows system folder. It does this prevent itself from getting noticed as a newly added file on the affected system. It also creates the mutex Global\{random}.

It then checks if the operating system version of the affected system is any of the following:

  • Windows 2000
  • Windows XP
  • Windows Server 2003
  • Windows Server 2003 R2

If the system has any of the aforementioned operating systems, this worm continues with its routines. If the affected system has a different operating system, this worm checks forSERVICES.EXE in the list of running processes. If it finds the said process, it loads itself into the said process.

Autostart Technique

This worm registers itself as a system service to ensure its automatic execution at every system startup. It does this by creating the following registry keys and entries:

Services\{random service name}
Image Path = "%System Root%\system32\svchost.exe -k netsvcs"

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

Services\{random service name}\Parameters
ServiceDll = "{malware path and file name}"

It also adds an entry in the value data list of the following registry key:

Windows NT\CurrentVersion\SvcHost

The added value data is the random service name this worm creates.

Propagation Routines

This worm propagates in two ways from which they are achieved by taking advantage of a vulnerability discovered in certain Microsoft operating systems that could allow remote code execution if an affected system received a specially crafted RPC request, which also contains a shellcode. More information on the said vulnerability can be found in the following link:

Once this specially crafted RPC request reaches its target vulnerable system, the shellcode is decrypted, and then retrieves certain APIs capable of downloading a copy of the worm from the affected system, which is already converted into an HTTP server. The affected system then opens a random TCP port, allowing the vulnerable machine to connect to itself using the following URL:

  • http://{IP address of the affected machine}:{random port}/{malware file name composed of random characters}

During this exploit, a high traffic on TCP port 445 is seen since this is the port that this worm uses.

When the copy of the worm is being downloaded from the affected system to the vulnerable system, the worm modifies its packet header to make itself appear as a harmless JPEG file, when in fact, it is actually an executable file. It does this to avoid detection by the network firewall or system security applications. If an unpatched system continues to receive malicious packets, the said system may eventually crash.

The downloaded copy of the worm is saved as X in the Windows system folder.

This worm is also capable of propagating over the Internet by attempting to send the exploit code to a random Internet address. It first broadcasts the opened random port that serves as an HTTP server so that it is accessible over the internet.

It then gets the external IP address of the system to check if it has direct connection to the Internet. This worm does the routine to launch the expoit code over the Internet if the affected system has a direct connection to the Internet by checking the external IP address and the configured IP address in the ethernet or modem driver.

It also attempts to connect any of the following URLs to know the IP address of the affected computer:

  • http://checkip.dyndns.org
  • http://getmyip.co.uk
  • http://www.getmyip.org

After getting the IP address of the system, this worm checks if the said IP address is valid and is not a local IP address. It also checks if the external IP address is the same with the configured IP address on the system.

Note that this worm makes the random port it uses available online by broadcasting the port over the Internet via an Simple Service Discovery Protocol (SSDP) request.

Download Routine

This worm connects to the following Web sites to download possibly malicious files:

  • http://{BLOCKED}converter.biz/4vir/antispyware/loadadv.exe

It also attempts to connect to http://www.{BLOCKED}d.com/download/geoip/database/GeoIP.dat.gz to download a file that indicates the location of the affected system. As of this writing, however, the said URL is inaccessible.

This worm also connects to created URLs where it can download and execute a file that is saved in the Windows system folder. It creates URLs by retrieving dates from the following Web sites:

  • ask.com
  • baidu.com
  • google.com
  • msn.com
  • www.w3.org
  • yahoo.com

Based on the dates, it then computes for strings to generate URLs. After computing, it then appends of any of the following strings to the computed URLs:

  • .biz
  • .info
  • .org
  • .net
  • .com

For example, if the computed sting is abcdef, the worm then appends either .biz, ,info, .org, .net, or .com to the string so the resulting URL may either be abcdef.biz, abcdef.info. abcdef.org, abcdef.net, or abcdef.com.

Note that this worm can only perform its payload if either of the following criteria has been met:

  • System year is after 2008 of any month and any day
  • System year is 2008 and before of any month and the day is not the second day of the month.

For example, this worm does not download a copy of itself if the system date is set to November 2, 2008; December 2, 2008; or March 2, 2007.

Affected Platforms

This worm runs on Windows 2000, XP, and Server 2003.

Analysis By: Jocelyn D. Racoma

Revision History:

First pattern file version: 5.670.01
First pattern file release date: Nov 21, 2008
Nov 23, 2008 - detected as TROJ_DISKEN.Z in OPR 5.671.00
Nov 24, 2008 - detected as TROJ_AGENT.AKX in OPR 5.673.00
Nov 26, 2008 - Renamed from TROJ_AGENT.AKX and TROJ_DISKEN.Z, which are detected in OPR 5.677.00
Nov 26, 2008 - added DCT OPR 992 in solution
Nov 28, 2008 - Modified Malware Report
Dec 1, 2008 - Modified Malware Report
Dec 9, 2008 - Complete Malware Report


Minimum scan engine version needed: 8.500

Pattern file needed: 6.159.00

Pattern release date: May 31, 2009

Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.



Users of Trend Micro PC-cillin Internet Security and Network VirusWall can detect this exploit at the network layer with Network Virus Pattern (NVP) 10271, or later.

Download the latest NVW pattern file from the following site:


Running Trend Micro Fixtool

Users may also opt to remove the malware from the system using this special Trend Micro fixtool. Download, extract, and run the said fixtool in the same folder where your latest Trend Micro pattern file is located. Users without Trend Micro products may also use this fixtool by following the detailed instructions inside the readme.txt file.

Applying Patch

This malware exploits a known vulnerability in Windows. Download and install the fix patch supplied by Microsoft. Refrain from using this product until the appropriate patch has been installed. Trend Micro advises users to download critical patches upon release by vendors.

Trend Micro offers best-of-breed antivirus and content-security solutions for your corporate network, small and medium business, mobile device or home PC.