
Be careful of the Downadup virus
January 22, 2009

Posted by Mike in End User Computing.

Yes, there’s another virus out there. 

January 21, 2009 (Computerworld) The computer worm responsible for the biggest attack in years has infected at least one out of every 16 PCs worldwide, a security company said today, and it may have managed to compromise as many as nearly one in three.

According to Panda Security, almost 6% of the Windows systems scanned with its antivirus technology were found to be infected with “Downadup,” a worm that began aggressive attacks just over a week ago.

Some quick facts about the virus:

A computer can be infected by three possible means:
1) if it is not patched with the latest security updates (in this case, if the MS08-067 vulnerability is not patched), it can be infected by an already infected computer on the local network
2) if the Administrator account of the computer has a weak password (a brute-force dictionary attack against the Administrator password is used)
3) if the computer has the Autoplay feature enabled and an infected removable drive or mapped drive is attached.
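The three infection vectors above map to three things a defender can check on a host. The script below is an added example, not code from the original post or from any vendor; it assumes Windows PowerShell 2.0 or later, that KB958644 is the hotfix id of the MS08-067 update, and that the built-in account is still named Administrator.

```powershell
# Added example (not from the original post): host check for the Downadup entry points.
# Assumptions: Windows PowerShell 2.0+, KB958644 = MS08-067 update, account named "Administrator".
$results = @()

# 1) Is the MS08-067 update installed? Get-HotFix reads the installed-updates list via WMI.
$hotfix = Get-HotFix -Id 'KB958644' -ErrorAction SilentlyContinue
$results += New-Object PSObject -Property @{
    Check  = 'MS08-067 update (KB958644) installed'
    Status = $(if ($hotfix) { 'OK' } else { 'MISSING - patch this host' })
}

# 2) Is AutoRun disabled for every drive type? NoDriveTypeAutoRun = 0xFF covers removable
#    and network (mapped) drives; any other value leaves the Autoplay vector open.
$polPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$autorun = (Get-ItemProperty -Path $polPath -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
$results += New-Object PSObject -Property @{
    Check  = 'AutoRun disabled on all drive types (NoDriveTypeAutoRun = 0xFF)'
    Status = $(if ($autorun -eq 0xFF) { 'OK' } else { "WEAK - current value: $autorun" })
}

# 3) Is the built-in Administrator account live? Password strength cannot be read back,
#    so this only reports whether the account the worm brute-forces is enabled at all.
#    UserFlags bit 0x2 is ADS_UF_ACCOUNTDISABLE.
try {
    $admin    = [ADSI]"WinNT://$env:COMPUTERNAME/Administrator,user"
    $disabled = ($admin.UserFlags.Value -band 2) -ne 0
    $status   = if ($disabled) { 'OK (disabled)' } else { 'ENABLED - enforce a strong password or disable' }
} catch {
    $status = 'UNKNOWN - account not found under that name'
}
$results += New-Object PSObject -Property @{
    Check  = 'Built-in Administrator account'
    Status = $status
}

$results | Format-Table Check, Status -AutoSize
```

Run it in an elevated prompt on each machine; any line that is not OK corresponds to one of the three infection paths listed above.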

Once it gains execution, the worm does the following:
* hooks NtQueryInformationProcess from ntdll.dll inside the running process
* creates a named Mutex based on the computer name
* injects itself into one of the following processes:
    * explorer.exe
    * svchost.exe

Here’s the full story from http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9126482&intsrc=hm_list