The massive number of WORM_DOWNAD.AD infections makes it one of the more memorable outbreak worms, and clearly a destructive one, in an age when malware is mostly geared toward profit. Poor patch management, weak passwords, and the worm's own propagation routines are the main factors in its continuing upsurge.
Figure 1. WORM_DOWNAD.AD infections are a global concern.
The North American region has the largest number of infected PCs, with users in the United States hit hardest. Japan, China, and Taiwan are also major DOWNAD-affected countries. In Europe, Italy and Spain have the most infections.
Users observe the following symptoms when they are infected with WORM_DOWNAD.AD:
- Blocked access to antivirus-related sites
- Disabled services such as Windows Automatic Update Service
- High traffic on the affected system's port 445
- Hidden files even after changes in Folder Options
- Inability to log in with Windows credentials because the accounts are locked out
A .DLL file with a random file name and an autorun.inf file also appear on all mapped drives, and in the Internet Explorer and Movie Maker folders under the Program Files directory.
The worm locks its dropped copy to prevent users from reading, writing, and deleting the malicious file.
It also makes several registry changes to allow simultaneous network connections. By re-infecting machines, this worm keeps its malicious activities going. One of the prominent reasons for its success in global diffusion (described in detail in our previous blog entry, Security Policy for Dummies) is its multiple propagation routines: it spreads by exploiting a Microsoft OS vulnerability, via network shares, and via removable and network drives.
Figure 2. WORM_DOWNAD.AD infection diagram.
An earlier DOWNAD worm variant also wreaked havoc among online users. Exploiting the same operating system vulnerability, WORM_DOWNAD.A infected more than 500,000 unique hosts around the globe. This threat closely followed the shutdown of spam giant McColo, with evidence that cybercriminals are using the worm to develop a new botnet.
Both variants of this worm family also exhibit the following routines:
- Connecting to certain legitimate sites to retrieve the current date
- Generating URLs once certain date criteria are met, which the worms compute from certain strings in the said legitimate URLs
- Appending .biz, .info, .org, .net, or .com to the generated URLs
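Two of the behaviours described above (the burst of port 445 traffic in the symptom list, and the date-driven generation of throwaway names under those five TLDs) are what a network defender can watch for. The script below is an added example, not code from the original post or from Trend Micro: it reads a constructed, simplified log of DNS replies and outbound connections and flags clients that either fail many lookups of names under the listed TLDs or reach port 445 on many distinct hosts; the log format, thresholds and addresses are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the original post), one event per line:
#   "<client-ip> DNS <name> <rcode>"  or  "<client-ip> CONN <dst-ip>:<dst-port>"
SAMPLE_LOGS = """\
10.0.0.5 DNS www.example.com NOERROR
10.0.0.5 DNS qxkzv.biz NXDOMAIN
10.0.0.5 DNS mpfae.info NXDOMAIN
10.0.0.5 DNS rtyuaa.org NXDOMAIN
10.0.0.5 DNS lkjhgf.net NXDOMAIN
10.0.0.5 DNS zzqwe.com NXDOMAIN
10.0.0.5 CONN 10.0.0.21:445
10.0.0.5 CONN 10.0.0.22:445
10.0.0.5 CONN 10.0.0.23:445
10.0.0.9 DNS www.example.org NOERROR
10.0.0.9 CONN 10.0.0.21:445
"""

# Top-level domains the post says the worm appends to its generated names.
DGA_TLDS = (".biz", ".info", ".org", ".net", ".com")
LINE_RE = re.compile(r"^(\S+) (DNS|CONN) (\S+)(?: (\S+))?$")

def summarize(log_text):
    """Per client: failed lookups of DGA-style names and distinct SMB (445) peers."""
    nx_names = defaultdict(set)
    smb_peers = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of failing on them
        client, kind, detail, rcode = m.groups()
        if kind == "DNS" and rcode == "NXDOMAIN" and detail.endswith(DGA_TLDS):
            nx_names[client].add(detail)
        elif kind == "CONN" and detail.endswith(":445"):
            smb_peers[client].add(detail.rsplit(":", 1)[0])
    return nx_names, smb_peers

def suspicious_hosts(log_text, nx_threshold=5, smb_peer_threshold=3):
    """Return {client: [reasons]} for clients showing either symptom (assumed thresholds)."""
    nx_names, smb_peers = summarize(log_text)
    findings = {}
    for client in sorted(set(nx_names) | set(smb_peers)):
        reasons = []
        if len(nx_names[client]) >= nx_threshold:
            reasons.append(f"{len(nx_names[client])} NXDOMAIN lookups of DGA-style names")
        if len(smb_peers[client]) >= smb_peer_threshold:
            reasons.append(f"port 445 connections to {len(smb_peers[client])} distinct hosts")
        if reasons:
            findings[client] = reasons
    return findings
```

A single failed lookup or one SMB connection is normal; it is the volume from one client, against names that never resolve, that separates the worm's behaviour from ordinary traffic.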
Patching systems and programs as soon as fixes are available and disabling autorun are two of the most important actions to reduce the risk of infection, propagation, or reinfection by updated variants.
Cleanup instructions and technical details can be followed in Trend Micro’s Virus Encyclopedia.