January 20, 2011


This is the latest variant of Worm_Downad. It exploits software vulnerabilities to propagate to other computers across a network. This worm may be downloaded by other malware/grayware/spyware from remote sites. It may be dropped by other malware. It may be unknowingly downloaded by a user while visiting malicious websites.

1) It creates a file with a random filename and a .DLL extension in the system folder.

2) It is injected into the following processes running in memory:
  • services.exe
  • svchost.exe -k NetworkService

3) It adds the following mutex to ensure that only one of its copies runs at any one time:
  • Global\{random number}-{random number}

4) This worm registers as a system service to ensure its automatic execution at every system startup by adding the following registry entries:
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{service name}
    ImagePath = "%System%\svchost.exe -k netsvcs"

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{service name}\Parameters
    ServiceDll = "{malware path and file name}"

5) It deletes the Windows Defender registry key and all the related entries of security applications.

6) Like its parent version, it mainly exploits the Server Service vulnerability, which could allow remote code execution.

7) It downloads routines from different malicious websites.

8) It monitors the browser's address bar and blocks access to certain websites.
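The service persistence in item 4 and the mutex naming in item 3 are the indicators an analyst can check for on a suspect host without running the sample. The script below is an added example written for this post, not code from the original analysis: it parses a .reg export of the Services hive, reports svchost.exe -k netsvcs services whose ServiceDll is not on a known-good baseline, and matches the Global\{number}-{number} mutex shape. The sample export, the hypothetical service name yqkztwpa, and the small NETSVCS_BASELINE set are constructed for the example; the export is simplified to plain quoted strings (a real export writes REG_EXPAND_SZ values as hex(2)), and a real baseline would come from a known-clean build of the same Windows version.

```python
"""Triage a .reg export of HKLM\\SYSTEM\\CurrentControlSet\\Services for
svchost-hosted (netsvcs) service DLLs that are not on a known-good baseline,
plus a check for mutex names of the form Global\\<number>-<number>."""
import re

# Constructed sample export. Simplified: values are plain quoted strings rather
# than the hex(2) encoding a real export uses for REG_EXPAND_SZ. The service
# "yqkztwpa" and its DLL are made-up names standing in for the random names
# the worm generates.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser]
"ImagePath"="%SystemRoot%\\System32\\svchost.exe -k netsvcs"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Parameters]
"ServiceDll"="%SystemRoot%\\System32\\browser.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache]
"ImagePath"="%SystemRoot%\\System32\\svchost.exe -k NetworkService"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters]
"ServiceDll"="%SystemRoot%\\System32\\dnsrslvr.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\yqkztwpa]
"ImagePath"="%SystemRoot%\\System32\\svchost.exe -k netsvcs"
"Type"=dword:00000020

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\yqkztwpa\Parameters]
"ServiceDll"="%SystemRoot%\\System32\\ztqwkpyr.dll"
'''

SERVICES_ROOT = r'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services'

# Example baseline of services legitimately hosted in the netsvcs group.
# Replace with a list taken from a known-clean machine of the same build.
NETSVCS_BASELINE = {'browser', 'schedule', 'wuauserv', 'winmgmt'}

SECTION_RE = re.compile(r'^\[(.+)\]$')
STRING_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')
MUTEX_RE = re.compile(r'Global\\\d+-\d+')


def parse_reg(text):
    """Return {key path: {value name: string value}} for quoted-string values.
    Other value types (dword, hex) are ignored for this triage."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = STRING_VALUE_RE.match(line)
        if m and current is not None:
            # .reg files escape backslashes as "\\"; undo that.
            keys[current][m.group(1)] = m.group(2).replace('\\\\', '\\')
    return keys


def find_suspicious_netsvcs(keys, baseline=NETSVCS_BASELINE):
    """Flag services run as 'svchost.exe -k netsvcs' whose name is not in the
    baseline, reporting the ServiceDll that svchost would load for them."""
    findings = []
    prefix = SERVICES_ROOT.lower() + '\\'
    for key, values in keys.items():
        if not key.lower().startswith(prefix):
            continue
        service = key[len(SERVICES_ROOT) + 1:]
        if '\\' in service:
            continue  # a subkey such as ...\Parameters; read via its parent
        image = values.get('ImagePath', '')
        if 'svchost.exe -k netsvcs' not in image.lower():
            continue
        if service.lower() in baseline:
            continue
        dll = keys.get(key + '\\Parameters', {}).get('ServiceDll', '')
        findings.append({'service': service, 'image_path': image,
                         'service_dll': dll,
                         'reason': 'netsvcs-hosted service not in baseline'})
    return findings


def is_downad_style_mutex(name):
    """True for mutex names shaped like Global\\<digits>-<digits>."""
    return MUTEX_RE.fullmatch(name) is not None


if __name__ == '__main__':
    for f in find_suspicious_netsvcs(parse_reg(SAMPLE_REG)):
        print(f"{f['service']}: {f['service_dll']} ({f['reason']})")
```

Run it against `reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg` output after converting the hex(2) values, or adapt `parse_reg` to decode them; any hit should be confirmed by checking the DLL's signature and creation time rather than treated as proof of infection on its own.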

