The WORM_DOWNAD, WORM_DOWNAD.AD, and WORM_DOWNAD.KK malware variants cause the following unauthorized behavior:
- Connects to various time servers to determine the current date and time
- Registers itself as a system service to ensure auto execution every startup
- Deletes a registry key to prevent system startup in safe mode
- Terminates security-related processes (e.g. procexp, regmon, autoruns, gmer)
- Blocks access to security and antivirus websites
- Generates 50,000 malicious URLs and attempts to connect to around 500 randomly generated URLs at a time
- Disables services, such as Windows Automatic Update Service (wuauserv)
- Causes high traffic on the affected system's port 445 upon successful exploitation
- Creates [random filename].dll and autorun.inf in all mapped drives
- Creates [random filename].dll and autorun.inf in the Internet Explorer and Movie Maker folders under the Program Files directory
- Changes the Folder Options setting so that hidden files are not shown
- Attempts to connect to several URLs to download a file that indicates the location of the affected system
- Users cannot log in with their Windows credentials because the account is locked out
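The following read-only triage script is an added example, not part of the Trend Micro advisory; it checks a host for the persistence and configuration changes listed above. The SafeBoot key and the Explorer "Hidden" value are standard Windows registry paths assumed here, since the advisory does not name the key it refers to.

```powershell
# Added triage script (not from the advisory). Reports indicators only; it changes nothing.
$findings = @()

# 1. Safe-mode startup key removed. Assumed key: Windows' standard SafeBoot location.
$safeBoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'
if (-not (Test-Path $safeBoot)) {
    $findings += "SafeBoot registry key is missing: $safeBoot"
}

# 2. Windows Automatic Update service (wuauserv) disabled or stopped.
$wu = Get-CimInstance -ClassName Win32_Service -Filter "Name='wuauserv'"
if ($null -eq $wu) {
    $findings += 'wuauserv service not found'
} elseif ($wu.StartMode -eq 'Disabled' -or $wu.State -ne 'Running') {
    $findings += "wuauserv is $($wu.State) (StartMode=$($wu.StartMode))"
}

# 3. Folder Options changed so hidden files are not shown (Hidden = 2 means "do not show").
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$hidden = (Get-ItemProperty -Path $adv -Name Hidden -ErrorAction SilentlyContinue).Hidden
if ($hidden -eq 2) {
    $findings += 'Folder Options set to hide hidden files (Explorer\Advanced\Hidden = 2)'
}

# 4. autorun.inf dropped on mapped network drives and in the Internet Explorer /
#    Movie Maker folders under Program Files. Test-Path also sees hidden files.
$roots = @()
$roots += Get-PSDrive -PSProvider FileSystem |
    Where-Object { $_.DisplayRoot } |          # DisplayRoot is set only for mapped drives
    ForEach-Object { $_.Root }
$roots += Join-Path $env:ProgramFiles 'Internet Explorer'
$roots += Join-Path $env:ProgramFiles 'Movie Maker'
foreach ($root in $roots) {
    $inf = Join-Path $root 'autorun.inf'
    if (Test-Path -LiteralPath $inf) {
        $item = Get-Item -LiteralPath $inf -Force
        $findings += "autorun.inf present: $inf (modified $($item.LastWriteTime))"
    }
}

# Summarise. A clean host prints the first line only.
if ($findings.Count -eq 0) {
    Write-Output 'No WORM_DOWNAD indicators from the advisory were found.'
} else {
    Write-Output 'Possible WORM_DOWNAD indicators:'
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

Any finding still needs the cleanup steps below (Sysclean followed by a reboot); the script only tells you which of the listed changes are present.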
ServerProtect for Windows (SPNT) 5.x
- Apply Microsoft Security Patch MS12-054.
- Update the ServerProtect Information Server with the latest components and then deploy these to the Normal Servers.
- Use the latest Sysclean tool to clean WORM_DOWNAD.
- Machines that are infected with WORM_DOWNAD require a reboot to be completely cleaned.
For the latest information on Worm_Downad, visit Trend Micro's Threat Encyclopedia.