How did Downadup infect my PC?
Downadup is a worm that takes advantage of several infection vectors. Worse, since it can hide on thumb drives or attack through Windows networks, reinfection is a real risk.
How Downadup spreads
It spreads in four ways:
- By exploiting an unpatched Windows PC connected to a network.
- By a brute-force dictionary attack against the administrator password, cracking weak passwords.
- By an infected mapped or removable drive (such as a USB "thumb drive").
- By using Windows scheduled tasks and Autorun to reinfect cleaned PCs.
Once it finds a victim, it:
- Copies itself into the Windows system folder (e.g. C:\Windows\System32).
- Modifies the Windows registry.
- Changes access rights and registry keys so users can't change or delete them.
- Sets itself to restart when Windows starts.
- Connects to a public IP address site (for example http://www.getmyip.org/) to find the IP address of your computer.
- Downloads modified versions of itself from a long list of web sites that is chosen based on the time and date and is difficult to predict.
- Starts a web server on a random port of your PC to host a copy of the modified worm.
Downadup learns to thumb
One of these new versions taught the virus a new trick. It operates by copying itself in a random folder created inside the Recycle Bin system folder. It then creates an autorun.inf file in the root folder, which executes automatically if the Autorun feature is enabled.
Once infected, you may find that access to antivirus software update sites, Microsoft updates, and other web locations is blocked. Because the worm may make multiple login attempts trying to guess network passwords, you may also find yourself locked out of your own local network.
Downadup in action
This is a typical autorun.inf file created by Conficker. The social engineering trick comes from the first two keywords (Action and Icon). When you put this in a Vista machine with default settings, an Autoplay window will pop up asking you what to do, as shown below:
So, as you can see, the first part, "Install or run program" is there because Vista detected an autorun.inf file containing the shellexecute keyword. However, the text comes from the Action keyword and the icon is extracted from shell32.dll (the 4th icon in the file) - and it's the standard folder icon!
Graphic and text by SANS, available under a Creative Commons Attribution-Noncommercial 3.0 License.
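As an added illustration (not part of the original article or the SANS material), the following Python triages an autorun.inf the way a defender might when one turns up on a removable drive: it parses the [autorun] section and flags the combination described above, a launch key (shellexecute or open) paired with an Action string and a shell32.dll folder icon that imitate an ordinary folder. The sample file, its Recycle Bin path and its file names are constructed placeholders, not real Conficker artefacts.

```python
import re

# Constructed sample modelled on the pattern the article describes: the
# Action text and Icon make the AutoPlay entry look like "open folder",
# while shellexecute launches a file hidden under the Recycle Bin folder.
# Paths and file names are placeholders, not real Conficker artefacts.
SAMPLE_AUTORUN_INF = """[autorun]
this line is junk padding and is ignored by the INI parser
Action=Open folder to view files
Icon=%systemroot%\\system32\\shell32.dll,4
shellexecute=RECYCLER\\S-1-5-21-PLACEHOLDER\\payload_placeholder.dat,argument
"""

# Keys that make Windows launch something when the volume is inserted or clicked
LAUNCH_KEYS = {"open", "shellexecute", "shell\\open\\command", "shell\\explore\\command"}

def parse_autorun(text):
    """Return the [autorun] section as a dict. Keys are lower-cased because INI
    keys are case-insensitive on Windows; lines that are not key=value are skipped."""
    keys = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "autorun"
            continue
        if in_section and "=" in line:
            k, v = line.split("=", 1)
            keys[k.strip().lower()] = v.strip()
    return keys

def assess_autorun(text):
    """Return human-readable findings; an empty list means nothing suspicious."""
    keys = parse_autorun(text)
    findings = []
    launch = {k: v for k, v in keys.items() if k in LAUNCH_KEYS}
    if launch:
        findings.append("launches a program on insert/click: "
                        + "; ".join(f"{k}={v}" for k, v in sorted(launch.items())))
    # shell32.dll icon index 4 is the standard folder icon the article points out
    if launch and re.search(r"shell32\.dll\s*,\s*4$", keys.get("icon", "").lower()):
        findings.append("Icon borrows the standard folder icon from shell32.dll")
    if launch and "folder" in keys.get("action", "").lower():
        findings.append(f"Action text imitates Explorer: '{keys['action']}'")
    # Conficker hid its copy in a folder under the Recycle Bin
    target = " ".join(launch.values()).lower()
    if "recycler" in target or "$recycle.bin" in target:
        findings.append("launch target lives under the Recycle Bin folder")
    return findings
```

Run `assess_autorun(SAMPLE_AUTORUN_INF)` to see all four indicators reported for the constructed file; a benign autorun.inf that only sets a label and icon yields an empty list.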
AutoPlay in Action on Windows XP
Microsoft Windows includes an AutoRun feature, which can automatically run code when removable devices are connected to the computer. AutoRun (and the closely related AutoPlay) can unexpectedly cause arbitrary code execution in the following situations:
- A removable device is connected to a computer. This includes, but is not limited to, inserting a CD or DVD, connecting a USB or FireWire device, or mapping a network drive. This connection can result in code execution without any additional user interaction.
- A user clicks the drive icon for a removable device in Windows Explorer. Rather than exploring the drive's contents, this action can cause code execution.
- The user selects an option from the AutoPlay dialog that is displayed when a removable device is connected.
Some related terms
- Computer Virus: A program which can be transmitted between computers via networks (especially the Internet) or removable storage such as CDs, USB drives, floppy disks, etc., generally without the knowledge or consent of the recipient. Results may range from nothing noticeable to deliberate damage to systems and data. The traditional view is that the program must be able to replicate itself to qualify.
- Worm: A self-replicating program that propagates widely through a network.
- Malware: Software developed for the purpose of causing harm to a computer system. A blend of 'malicious' and 'software'.
- Trojan: Software that appears to perform or actually performs a desired task for a user while performing a harmful task without the user's knowledge or consent. From the phrase "trojan horse".