Cleaning WORM_DOWNAD using ServerProtect

  • Updated:
    • 22 Apr 2016
  • Product/Version:
    • ServerProtect for Microsoft Windows/Novell Netware 5.8
  • Platform:
    • Windows 2000 Advanced Server
    • Windows 2000 Server
    • Windows 2003 Enterprise Server
    • Windows 2003 Standard Server Edition
    • Windows 7 32-bit
    • Windows 7 64-bit
    • Windows Vista 32-bit
    • Windows XP Professional
Summary

WORM_DOWNAD, WORM_DOWNAD.AD, and WORM_DOWNAD.KK malware cause the following unauthorized behavior:

  • Connects to various time servers to determine the current date and time
  • Registers itself as a system service to ensure auto execution every startup
  • Deletes a registry key to prevent system startup in safe mode
  • Terminates security-related processes (e.g. procexp, regmon, autoruns, gmer)
  • Blocks access to security and antivirus websites
  • Generates 50,000 malicious URLs and attempts to connect to around 500 randomly generated URLs at a time
  • Disables services, such as the Windows Automatic Update Service (wuauserv)
  • Causes high traffic on the affected system's port 445 upon successful exploitation
  • Creates [random filename].dll and autorun.inf in all mapped drives
  • Creates [random filename].dll and autorun.inf in the Internet Explorer and Movie Maker folders under the Program Files directory
  • Changes Folder Options so that hidden files stay hidden
  • Attempts to connect to several URLs to download a file that indicates the location of the affected system
  • Users cannot log in with their Windows credentials because their accounts are locked out
Details

ServerProtect for Windows (SPNT) 5.x

  1. Apply Microsoft Security Patch MS12-054.
  2. Update the ServerProtect Information Server with the latest components and then deploy these to the Normal Servers:
    1. Virus pattern file (lpt$vpn.xxx).

      Select Enterprise Pattern from the list.

    2. Scan engine
  3. Use the latest Sysclean tool to clean WORM_DOWNAD.
  4. Machines infected with WORM_DOWNAD require a reboot to be completely cleaned.

For the latest information on WORM_DOWNAD, visit Trend Micro's Threat Encyclopedia.
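The following read-only triage script is an added example and is not part of this article, of ServerProtect, or of Sysclean. It checks a Windows host for the WORM_DOWNAD indicators listed in the Summary above (disabled wuauserv, missing safe-mode key, altered Folder Options, autorun.inf on mapped drives and in the Internet Explorer and Movie Maker folders, a self-registered service, port 445 traffic, blocked vendor sites) and for the state the cleanup steps in the Details section should leave behind (the MS12-054 update present, no reboot pending). The exact registry paths, the Hidden-attribute heuristic, the port 445 threshold and the `KB0000000` placeholder are assumptions; the article names none of them. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not code from the article, ServerProtect or Sysclean. Read-only checks only.
# Registry paths, the Hidden heuristic, the port-445 threshold and the KB placeholder are assumptions.

function Test-DownadIndicators {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Windows Automatic Update service (wuauserv): the worm disables it.
    $wu = Get-WmiObject -Class Win32_Service -Filter "Name='wuauserv'"
    if ($null -eq $wu) { $findings.Add('wuauserv service is missing') }
    elseif ($wu.StartMode -eq 'Disabled' -or $wu.State -ne 'Running') {
        $findings.Add(('wuauserv StartMode={0} State={1}' -f $wu.StartMode, $wu.State))
    }

    # 2. Safe-mode boot key. The article says only "a registry key"; SafeBoot is assumed here.
    foreach ($sub in 'Minimal', 'Network') {
        if (-not (Test-Path "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$sub")) {
            $findings.Add("SafeBoot\$sub key missing: safe-mode startup would fail")
        }
    }

    # 3. Folder Options "show hidden files" control (assumed location). Expected CheckedValue is 1.
    $showAll = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
    $cv = (Get-ItemProperty -Path $showAll -Name CheckedValue -ErrorAction SilentlyContinue).CheckedValue
    if ($null -ne $cv -and $cv -ne 1) { $findings.Add("SHOWALL\CheckedValue is $cv (expected 1)") }

    # 4. autorun.inf on mapped network drives (DriveType 4).
    Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType=4' | ForEach-Object {
        if (Test-Path "$($_.DeviceID)\autorun.inf") { $findings.Add("autorun.inf on mapped drive $($_.DeviceID)") }
    }

    # 5. autorun.inf or hidden DLLs in the Internet Explorer and Movie Maker folders.
    #    Flagging the Hidden attribute is a heuristic assumption, not something the article states.
    foreach ($dir in "$env:ProgramFiles\Internet Explorer", "$env:ProgramFiles\Movie Maker") {
        if (-not (Test-Path $dir)) { continue }
        if (Test-Path "$dir\autorun.inf") { $findings.Add("autorun.inf in $dir") }
        Get-ChildItem -Path $dir -Filter *.dll -Force -ErrorAction SilentlyContinue |
            Where-Object { ($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0 } |
            ForEach-Object { $findings.Add("hidden DLL $($_.FullName)") }
    }

    # 6. Services whose ServiceDll lives outside %SystemRoot% (the worm registers itself as a service).
    Get-ChildItem -Path HKLM:\SYSTEM\CurrentControlSet\Services | ForEach-Object {
        $dll = (Get-ItemProperty -Path "$($_.PSPath)\Parameters" -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
        if ($dll) {
            $dll = [Environment]::ExpandEnvironmentVariables($dll)
            if ($dll -notlike "$env:SystemRoot\*") { $findings.Add("service $($_.PSChildName) loads $dll") }
        }
    }

    # 7. Volume of TCP connections to port 445 (article: high port 445 traffic). Threshold of 20 is assumed.
    $smb = @(netstat -an | Where-Object { $_ -match '^\s*TCP\s+\S+\s+\S+:445\s+(SYN_SENT|ESTABLISHED)' })
    if ($smb.Count -gt 20) { $findings.Add("$($smb.Count) TCP connections to port 445") }

    # 8. Reachability of a security vendor site (the worm blocks access to them). Needs network access.
    try { [void][System.Net.Dns]::GetHostAddresses('www.trendmicro.com') }
    catch { $findings.Add("cannot resolve www.trendmicro.com: $($_.Exception.Message)") }

    # 9. Cleanup step 1: the MS12-054 update. KB0000000 is a placeholder; use the KB number for your OS.
    $kb = 'KB0000000'
    if (-not (Get-HotFix -Id $kb -ErrorAction SilentlyContinue)) { $findings.Add("$kb (MS12-054) not installed") }

    # 10. Cleanup step 4: a reboot is still pending if file renames are queued for the next start-up.
    $sm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    if ((Get-ItemProperty -Path $sm -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations) {
        $findings.Add('reboot pending (PendingFileRenameOperations is set)')
    }

    return $findings
}

$result = @(Test-DownadIndicators)
if ($result.Count -eq 0) { 'No WORM_DOWNAD indicators found.' }
else { $result | ForEach-Object { "FINDING: $_" } }
```

The script uses `Get-WmiObject` rather than `Get-Service` or `Get-CimInstance` so that it also works on the older PowerShell versions found on the Windows 2003 and XP hosts this article covers. A finding from checks 1 to 8 means the host should go through the Sysclean and reboot steps above; findings from checks 9 and 10 mean the cleanup is not yet complete.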
