Worried about the Conficker worm? A few simple steps can protect you.
Target: All users of Windows XP and Windows Vista.
The Conficker worm, sometimes called Downadup or Kido, has managed to infect a large number of computers. Specifics are hard to come by, but some researchers estimate that millions of computers have been infected with this threat since January. Systems with Symantec Endpoint Protection or Symantec AntiVirus are protected, since these products will detect and remove this worm. Users who lack protection are invited to download a trial version of Symantec Endpoint Protection. Symantec recommends using Network Threat Protection along with antivirus scanning in Symantec Endpoint Protection to proactively prevent the threat from being downloaded to a system.
New variant, Downadup.E, found in the wild
This new variant was found in the wild on April 8th, 2009. Detection was added in Rapid Release definitions with a sequence number of 93981 (April 8, 2009 rev. 25) as W32.Downadup. Security Response gave this variant its own detection starting in Rapid Release sequence 94023 (April 9, 2009 rev. 9). Our initial analysis showed this variant functions similarly to the original W32.Downadup variant. As noted in our blog, this new variant appears to be dropping W32.Waledac. Detection for this W32.Waledac sample was added in Rapid Release definitions with a sequence number of 93978 (April 8, 2009 rev. 22) For more information on this threat's functionality, see the Security Response write-up on W32.Downadup.E.
Downadup.C and April 1st
This new variant of the threat is specifically used to enhance the capabilities of previously infected machines. Computers which remain infected with a previous variant of the W32.Downadup family will download a copy of W32.Downadup.C to enhance the capability of the existing threat. Further details on the operation of earlier versions of the Downadup family are provided below in this document.
Some of the notable features of Downadup.C:
The previous versions of Downadup can spread in 3 different ways:
Attack Vector #1: Attack of a Windows Vulnerability
Downadup can infect a computer by attacking a particular vulnerability in Windows. This vulnerability was announced by Microsoft in October 2008, and MS issued a patch for the vulnerability at that time. However, many Windows users have still not installed this patch from Microsoft. All such unpatched users are vulnerable to attack from Downadup. An unpatched computer can become infected with Downadup simply by connecting to a network that has at least one infected machine. Any machine which has applied the Microsoft patch is not susceptible to this particular method of attack.
Attack Vector #2: Drive sharing
In corporations, many people share files with their colleagues by turning on the Windows "drive sharing" feature. This feature allows a user to connect directly to another user's hard drive to copy or edit files. Downadup exploits Windows drive shares. Once it has infected a computer inside a corporation, Downadup automatically copies itself to all visible open drive shares on other computers inside the corporate network.
Attack Vector #3: USB drives
Downadup can also spread from one computer to the next through USB drives (e.g., thumb drives). If a user's computer becomes infected with Downadup, and then the user puts a USB key into the computer, Downadup automatically copies itself to the USB drive. When the infected USB drive is inserted into another machine, Downadup automatically runs from the USB drive and infects the new computer.
Protection Details (Am I protected?)
Yes, if you are running either a Symantec Corporate antivirus product (Symantec AntiVirus or Symantec Endpoint Protection) or a Norton AntiVirus product (Norton Internet Security, Norton AntiVirus, or Norton 360) with definitions dated March 6th 2009 revision 36 or later. The following Symantec writeups describe the signatures that provide immediate protection against the current known variants:
Symantec Intrusion Protection System protects customers from this threat using the following signatures:
Additional recommended measures
Detailed Symantec Protection Notes
Symantec client security products have two basic levels of protection for Downadup:
Remediation: If you have infected computers
Run Symantec Endpoint Protection, Symantec Multi-tier Protection, or Symantec Multi-Tier Protection Small Business Edition to protect your endpoints from this threat.
You can also exchange ideas and developments on Downadup in the SymConnect Forums.
Detailed blogs on Downadup and other malicious programs can be found on Symantec's Malware Blog. Additional details can be found in the Security Response white paper, The Downadup Codex.
Subscribing will provide email updates when this Article is updated. Login is required.
Thanks for your feedback. Let us know if you have additional comments below. (requires login)
This will clear the history and restart the chat.