
Be careful of the Downadup virus January 22, 2009

Posted by Mike in End User Computing.

Yes, there’s another virus out there. 

January 21, 2009 (Computerworld) The computer worm responsible for the biggest attack in years has infected at least one out of every 16 PCs worldwide, a security company said today, and it may have managed to compromise as many as nearly one in three.

According to Panda Security, almost 6% of the Windows systems scanned with its antivirus technology were found to be infected with “Downadup,” a worm that began aggressive attacks just over a week ago.


Some quick facts about the virus:

A computer can be infected by three possible means:
1) if it is not patched with the latest security updates (in this case, if the MS08-067 vulnerability is not patched), it can be infected by an already infected computer on the local network
2) if the administrator account of the computer has a weak password (a brute-force dictionary attack against the administrator password is used)
3) if the computer has the Autoplay feature enabled and an infected mapped drive, removable drive or USB stick is attached.

Once it has gained execution, this worm performs the following actions:
* hooks NtQueryInformationProcess from ntdll.dll inside the running process
* creates a named Mutex based on the computer name
* injects itself into one of the following processes:
  * explorer.exe
  * svchost.exe
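The three infection vectors above map to three settings an administrator can check on a Windows PC. The script below is an added example, not code from the original post or from any vendor tool; it assumes an elevated PowerShell prompt, and it assumes KB958644 is the hotfix id that shipped the MS08-067 fix (the post itself names only the bulletin).

```powershell
# Added example: report exposure to the three Downadup infection vectors.
# Assumptions: run elevated; KB958644 = MS08-067 hotfix id (not stated in the post).
$findings = @()

# 1) Missing MS08-067 patch. Get-HotFix lists installed updates. On newer Windows
#    the fix may be rolled into later cumulative updates, so "not listed" means
#    "verify manually", not "proven vulnerable".
$fix = Get-HotFix -Id 'KB958644' -ErrorAction SilentlyContinue
if (-not $fix) {
    $findings += 'KB958644 (MS08-067) is not listed among installed hotfixes'
}

# 2) Weak administrator password. The password itself cannot be tested here, but
#    a lockout threshold of "Never" lets a dictionary attack run unthrottled.
$accounts = net accounts
$lockout  = $accounts | Where-Object { $_ -match 'Lockout threshold' }
if ($lockout -match 'Never') {
    $findings += 'Account lockout threshold is Never (brute force is unthrottled)'
}

# 3) Autoplay enabled. NoDriveTypeAutoRun = 0xFF disables AutoRun on every drive type.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$val = (Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun `
        -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
if ($val -ne 0xFF) {
    $findings += "NoDriveTypeAutoRun is '$val' (0xFF disables AutoRun on all drives)"
}

if ($findings.Count -eq 0) {
    'No exposure found for the three infection vectors.'
} else {
    $findings | ForEach-Object { "EXPOSED: $_" }
}
```

A clean result here does not prove a machine is uninfected; it only shows the three doors the post describes are closed, so a scan with an up-to-date antivirus product is still needed.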

Here’s the full story from http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9126482&intsrc=hm_list



1. Mike - January 28, 2009

Along the lines of viruses, there’s a trojan floating around in unauthorized copies of Apple’s iWork 09 productivity suite (will affect OS X only, not Windows). It requires the user to give it the root password to work, however it’s done under the cover of seemingly installing the application.

Once you download the program from a bit torrent type website, you would normally run a crack application to make the software work without an authorized SN. Instead, this crack application installs a back door with a randomized name in the /var/tmp directory. It then asks for the root password to operate the backdoor. Once it has root & an internet connection, the computer can be operated remotely without the user knowing.

2. Phil Barnhart - February 1, 2009

Not only can this virus disrupt your PC, since it can disable your ability to connect to software update sites it leaves you vulnerable to even more malware. You need to do more than simply disable Autorun if you already have this virus! Tools and links to help fix are available at http://www.downadup.com

3. Mike - February 2, 2009

Thank you Mr. Barnhart for the additional information about this “Windows Sniffle” going around.

As with any website, it’s always important to make sure you’re going to a place that will solve your problem. At this time I can’t vouch for the validity of http://www.downadup.com however Mr. Barnhart is welcome to contact me to do so.

My suggestion to my readers is to stick to the well known, commercial virus removal company websites. Feel free to contact me or your local personal computer specialist for more information.

4. Take virus warnings serious! « All aspects of end user computing - February 8, 2009

[…] 8, 2009 Posted by Mike in End User Computing. trackback Back on January 22nd I blogged about the downadup virus. I came across another article from http://www.telegraph.co.uk that really caught my attention and made me […]
