WORM_DOWNAD.A
Windows 2000, Windows XP, Windows Server 2003

Threat Type: Worm
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
Downloaded from the Internet, Dropped by other malware, Propagates via software vulnerabilities
To get a one-glance comprehensive view of the behavior of this Worm, refer to the Threat Diagram shown below.

This worm may arrive bundled with malware packages as a malware component. It may be downloaded by other malware/grayware/spyware from remote sites. It may be dropped by other malware.
It exports functions used by other malware. It checks the operating system name of the affected computer.
TECHNICAL DETAILS
Connects to URLs/IPs, Downloads files
Arrival Details
This worm may arrive bundled with malware packages as a malware component.
It may be downloaded by other malware/grayware/spyware from remote sites.
It may be dropped by other malware.
Autostart Technique
This worm modifies the following registry entry(ies) to enable its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\{random service name}
Image Path = "%System Root%\system32\svchost.exe -k netsvcs"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\{random service name}\Parameters
ServiceDll = "{malware path and file name}"
Download Routine
This worm connects to the following website(s) to download and execute a malicious file:
- http://{BLOCKED}converter.biz/4vir/antispyware/loadadv.exe
Other Details
This worm exports functions used by other malware.
It connects to the following URL(s) to get the affected system's IP address:
- http://checkip.dyndns.org
- http://getmyip.co.uk
- http://www.getmyip.org
It checks the operating system name of the affected computer if it is any of the following:
- Windows 2000
- Windows XP
- Windows Server 2003
- Windows Server 2003 R2
NOTES:
This worm drops a copy of itself into the Windows system folder using a random file name with the .DLL extension. This technique prevents several copies of itself from being dropped on already affected systems. It also locks its dropped copy to prevent users from reading, writing, or deleting it.
It sets the creation time of the dropped file to match the creation time of the legitimate Windows file KERNEL32.DLL, which is also located in the Windows system folder. It does this to prevent itself from being noticed as a newly added file on the affected system. It also creates the mutex Global\{random}.
If the system runs any of the aforementioned operating systems, this worm continues with its routines. If the affected system runs a different operating system, this worm checks for SERVICES.EXE in the list of running processes. If it finds the said process, it loads itself into that process.
It also adds an entry in the value data list of the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\SvcHost
The added value data is the random service name this worm creates.
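The service-based autostart and the SvcHost group entry described above leave a consistent trail in the registry and on disk, so a practitioner can hunt for them without knowing the random names in advance. The script below is an added example and is not part of the original page or any vendor tool. It walks the netsvcs group under the SvcHost key, resolves each member service's ServiceDll from Services\{name}\Parameters, and flags DLLs that are unsigned, locked against reading, or carry the creation time of KERNEL32.DLL. The Test-FileLocked helper, the indicator names, and the sort order of the report are assumptions made for this example; run it in an elevated PowerShell session on the affected system.

```powershell
# Added hunting example; not from the original page or any vendor tool.
# Assumptions: an elevated session, and that the indicators listed below are the
# ones worth reporting (the helper and report layout are this example's own).

$sys32       = Join-Path $env:SystemRoot 'system32'
$kernel32    = Get-Item -LiteralPath (Join-Path $sys32 'kernel32.dll')
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$svcHostKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost'

# Members of the netsvcs group; the worm appends its random service name here.
$netsvcs = (Get-ItemProperty -Path $svcHostKey -Name 'netsvcs').netsvcs

function Test-FileLocked {
    # The worm holds its dropped copy open with no sharing. A legitimate service
    # DLL loaded by svchost.exe can still be opened for shared read access.
    param([string]$Path)
    try {
        $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
        $fs.Close()
        return $false
    } catch [System.IO.IOException] {
        return $true          # sharing violation: something holds it exclusively
    } catch {
        return $false         # access denied etc. is not a lock indicator
    }
}

$findings = foreach ($name in $netsvcs) {
    $svcKey  = Join-Path $servicesKey $name
    $svc     = Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue
    $params  = Get-ItemProperty -Path (Join-Path $svcKey 'Parameters') -ErrorAction SilentlyContinue
    $reasons = @()

    # Group entries with no service key behind them are stale; skip them.
    if (-not $svc) { continue }
    # Only services hosted exactly as the page describes: svchost.exe -k netsvcs
    if ($svc.ImagePath -notmatch 'svchost\.exe\s+-k\s+netsvcs') { continue }
    if (-not $params.ServiceDll) { $reasons += 'netsvcs service without ServiceDll' }

    $dllPath = [Environment]::ExpandEnvironmentVariables([string]$params.ServiceDll)
    $dll = if ($dllPath) { Get-Item -LiteralPath $dllPath -ErrorAction SilentlyContinue }

    if ($dll) {
        # Dropped copy lives in the system folder under a random name; the
        # signature check is what separates it from Microsoft's own service DLLs.
        $sig = Get-AuthenticodeSignature -FilePath $dll.FullName
        if ($sig.Status -ne 'Valid') { $reasons += "Authenticode: $($sig.Status)" }

        # Creation time cloned from kernel32.dll. Files laid down by Windows setup
        # may legitimately share it, so treat this as corroborating evidence only.
        if ($dll.CreationTimeUtc -eq $kernel32.CreationTimeUtc) {
            $reasons += 'creation time matches kernel32.dll'
        }

        if (Test-FileLocked -Path $dll.FullName) { $reasons += 'file locked against read' }
    } elseif ($dllPath) {
        $reasons += 'ServiceDll missing on disk'
    }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            Service    = $name
            ServiceDll = $dllPath
            Reasons    = ($reasons -join '; ')
        }
    }
}

# Services carrying several indicators deserve the first look.
$findings | Sort-Object { ($_.Reasons -split ';').Count } -Descending | Format-Table -AutoSize
```

On Windows XP and Server 2003 with PowerShell 2.0, most Microsoft service DLLs are catalog-signed and Get-AuthenticodeSignature reports them as NotSigned, so the signature status alone will be noisy there; a hit on two or more indicators, in particular a locked DLL, is the result worth acting on. Comparing the netsvcs list against a known-good system of the same build is a quick way to spot the one extra random name.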
This worm propagates in two ways, both of which exploit a vulnerability in certain Microsoft operating systems that could allow remote code execution if an affected system receives a specially crafted RPC request containing shellcode. More information on the said vulnerability can be found in the following link:
- .
MANUAL REMOVAL INSTRUCTIONS
Step 1
Download, extract, and run the said fixtool in the same folder where your latest Trend Micro pattern file is located. For more details, refer to the fixtool's incorporated text file.
Step 2
Scan your computer with your Trend Micro product to delete files detected as WORM_DOWNAD.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files.