M December 02, 2008 Virus Alert - WORM_DOWNAD.A
WORM_DOWNAD.A
   
Virus type: Worm
Destructive:  No
Aliases: No Alias Found
Pattern file needed: 5.679.00
Scan engine needed: 8.500
Overall risk rating: Low
Reported infections: Low
Damage Potential: High
Distribution Potential: High

Description :

To get a one-glance comprehensive view of the behavior of this malware, refer to the Behavior Diagram shown below.

WORM_DOWNAD.A Behavior Diagram

Malware Overview

This .DLL worm may be downloaded from remote sites by other malware. It may be dropped by other malware. It may also arrive bundled with malware packages as a malware component.

It is a file stored in the Windows system folder and is capable of exporting functions used by other malware.

Once executed, it connects to certain Web sites to download possibly malicious files. It resolves the host name by attempting to obtain the machine's IP address by accessing certain URLs.

This worm also propagates by taking advantage of a vulnerability discovered in certain Microsoft operating systems that could allow remote code execution if an affected system received a specially crafted RPC request. More information on the said vulnerability can be found in the following link:

Solution :

TREND MICRO SOLUTION

Users of Trend Micro PC-cillin Internet Security and Network VirusWall can detect this exploit at the network layer with Network Virus Pattern (NVP) 10271, or later.

Download the latest NVW pattern file from the following site:

MANUAL REMOVAL INSTRUCTIONS

Identifying the Malware Files

  1. Scan your computer with your Trend Micro antivirus product.
  2. Note the path and file name of all files detected as WORM_DOWNAD.A.

Trend Micro customers need to download the latest virus pattern file before scanning their computer. Other users can use Housecall, the Trend Micro online threat scanner.

Important Windows XP Cleaning Instructions

Users running Windows XP must disable System Restore to allow full scanning of infected computers.

Users running other Windows versions can proceed with the succeeding solution set.

Restarting in Safe Mode

This malware has characteristics that require the computer to be restarted in safe mode. Go to this page for instructions on how to restart your computer in safe mode.

Removing the Autostart Key from the Registry

This solution deletes the registry key added by this malware. Before performing the steps below, make sure you know how to back up the registry and how to restore it if a problem occurs. Refer to this Microsoft article for more information about modifying your computer's registry.

  1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
  2. Click Edit>Find. In the Find dialog box, type the malware file name detected earlier, then click Find next.
    (Note: In the dialog box, make sure that only the Data box is selected.)
  3. Once found, in the right panel, check if the result is the following value-data pair:
    ServiceDll = "{malware path and file name}"
  4. If yes, check if the data is under the key Parameter in the left panel.
  5. If yes, locate the key where Parameter is under. Right-click on the located registry key in the left panel and press Delete.

Restoring Modified Entry from the Registry

  1. Still in Registry Entry, in the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>
    CurrentVersion>SvcHost
  2. Still in the left panel, locate the entry:
    netsvcs

  3. Right-click on the value name and choose Modify.

  4. In the Edit Multi-Sting window (shown below), locate and delete the value data that pertains to the service name of the file(s) detected earlier.

  5. Close Registry Editor.

Deleting the Malware File(s)

  1. Right-click Start then click Search... or Find..., depending on the version of Windows you are running.
  2. In the Named input box, type the name(s) of the file(s) detected earlier.
  3. In the Look In drop-down list, select My Computer, then press Enter.
  4. Once located, select the file then press SHIFT+DELETE.
*NOTE: This malware is a .DLL file that may come with a main component detected by Trend Micro as another malware. It may also be used by several variants of a certain malware family. If your Trend Micro product detects another malware on your system, refer to the manual removal instructions of that detected malware.

Applying Patch

This malware exploits a known vulnerability in Windows. Download and install the fix patch supplied by Microsoft. Refrain from using this product until the appropriate patch has been installed. Trend Micro advises users to download critical patches upon release by vendors.

Trend Micro offers best-of-breed antivirus and content-security solutions for your corporate network or home PC.


For additional information about this threat, see Technical Details.