Introduction
W32.Downadup.B (the Symantec Endpoint Protection name), also known as Win32/Conficker.B (McAfee) or Net-Worm.Win32.Kido.ih (Kaspersky), is a worm that spreads by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (BID 31874). It predominantly spreads by exploiting the MS08-067 Windows vulnerability, but it also attempts to spread to network shares by brute-forcing commonly used network passwords and by copying itself to removable drives.
Also Known As:
- Worm:W32/Downadup.AL [F-Secure]
- Win32/Conficker.B [Computer Associates]
- W32/Confick-D [Sophos]
- WORM_DOWNAD.AD [Trend]
- Net-Worm.Win32.Kido.ih [Kaspersky]
- Conficker.D [Panda Software]
Systems Affected
- Windows 95, Windows 98, Windows Me, Windows NT
- Microsoft Windows 2000 Service Pack 4
- Windows XP Service Pack 2 and Windows XP Service Pack 3
- Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2
- Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2
- Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2
- Windows Server 2003 with SP1 (Itanium-based Systems) and Windows Server 2003 with SP2 (Itanium-based Systems)
- Windows Vista and Windows Vista Service Pack 1
- Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1
- Windows Server 2008 32-bit Systems (Windows Server 2008 Server Core installation affected)
- Windows Server 2008 x64-based Systems (Windows Server 2008 Server Core installation affected)
- Windows Server 2008 (Itanium-based Systems)
- Windows 7 Pre-Beta
Symptoms
Once the infection is running, it performs the following actions, in no particular order:
- Stops and restarts System Restore in order to delete all existing System Restore points, so that you cannot roll back to a date when the computer was working properly.
- Anti-malware software reports an infection under one of the names listed under Also Known As above.
- The worm stops the following two Windows services:
– Background Intelligent Transfer Service (BITS)
– Windows Automatic Update Service (wuauserv): Automatic Updates no longer work.
- It then creates a scheduled job on the remote server that runs daily and consists of the following command:
“rundll32.exe [random file name].dll, [random parameter string]”
- Anti-virus software is no longer able to update itself.
- A variety of security sites, such as anti-virus vendor websites, cannot be accessed.
- Random svchost.exe errors.
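One way to check a single host for the symptoms listed above from an elevated PowerShell prompt, as an added example that is not from the original article or from any vendor tool: it checks the two services, looks for scheduled tasks that run rundll32.exe with a DLL, tests name resolution for a few security vendor sites, and counts System Restore points. The vendor host names are a constructed sample list, and the function name Test-DownadupIndicators is an assumption of this example.

```powershell
# Added example: host triage for the W32.Downadup.B symptoms described above.
# Not part of the original article; run from an elevated PowerShell prompt.
function Test-DownadupIndicators {
    [CmdletBinding()]
    param(
        # Constructed sample of vendor/update sites the worm is said to block
        [string[]]$SecuritySites = @('www.symantec.com', 'www.mcafee.com', 'update.microsoft.com')
    )
    $findings = @()

    # 1. BITS and Automatic Updates are stopped by the worm
    foreach ($name in @('BITS', 'wuauserv')) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $svc) {
            $findings += "Service $name is not present"
        } elseif ($svc.Status -ne 'Running') {
            $findings += "Service $name is $($svc.Status)"
        }
    }

    # 2. A scheduled job of the form 'rundll32.exe <name>.dll, <parameter>'.
    #    schtasks.exe is available from XP/2003 onward; its verbose CSV output
    #    has a 'Task To Run' column holding the command line.
    $tasks = schtasks.exe /query /fo CSV /v 2>$null | ConvertFrom-Csv
    foreach ($task in $tasks) {
        $cmd = [string]$task.'Task To Run'
        if ($cmd -match 'rundll32(\.exe)?\s+\S+\.dll\s*,') {
            $findings += "Scheduled task '$($task.TaskName)' runs: $cmd"
        }
    }

    # 3. Security sites unreachable: the worm blocks name resolution for them
    foreach ($site in $SecuritySites) {
        try {
            [void][System.Net.Dns]::GetHostAddresses($site)
        } catch {
            $findings += "Cannot resolve $site ($($_.Exception.Message))"
        }
    }

    # 4. Restore points wiped. The SystemRestore WMI class lives in root\default
    #    on client SKUs; server SKUs do not have it, so a missing class is ignored.
    $restore = @(Get-WmiObject -Namespace 'root\default' -Class SystemRestore -ErrorAction SilentlyContinue)
    if ($restore.Count -eq 0) {
        $findings += 'No System Restore points found (or System Restore unavailable on this SKU)'
    }

    # Empty array means none of the listed symptoms were observed
    return $findings
}

# Usage (wrap in @() so an empty result still has a Count):
# $hits = @(Test-DownadupIndicators)
# if ($hits.Count -eq 0) { 'No indicators found' } else { $hits }
```

Every finding is a lead to investigate rather than proof of infection: legitimate scheduled tasks also use rundll32.exe, and a server SKU will always report the restore-point line. If the list comes back empty but the other symptoms persist, run the vendor removal tools described in the next sections.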
W32.Downadup.B Removal Tools
- McAfee Conficker Detection Tool (as of December 15, 2017 it is no longer found at https://www.mcafee.com/us/downloads/free-tools/index.aspx; use McAfee Stinger instead)
- Symantec W32.Downadup Removal Tool
- Norton Power Eraser (NPE)
- Windows Malicious Software Removal Tool
How to Remove W32.Downadup.B
1. Scan the network with the McAfee Conficker Detection Tool to find systems infected with W32/Conficker.worm: scan a range of IP addresses to locate the infected computers, then clean them up as follows.
2. If possible, restart the infected Windows system in Safe Mode (F8) and scan for the worm with the Symantec W32.Downadup Removal Tool (D.exe) and Norton Power Eraser *. Because NPE uses aggressive methods to detect threats, there is a risk that it selects legitimate programs for removal, so use this tool very carefully. If in doubt, remove only the [random file name].dll and any unknown Windows service names.
3. Run the latest version of the Windows Malicious Software Removal Tool, which scans for prevalent malicious software (including Blaster, Sasser, and Mydoom) and helps remove the infection if it is found.
4. Both the W32.Downadup Removal Tool and Norton Power Eraser require a Windows restart.
5. Apply the MS08-067 security patch and restart the computer.
6. Run the removal tools from step 2 again to ensure that the system is clean.
7. Run LiveUpdate to make sure that you are using the most current virus definitions.
8. Repeat steps 2 to 7 for every infected computer found in step 1.
9. Scan the network as in step 1 again to ensure that no infected systems remain. When the tool has finished running, it displays a message indicating whether the threat has infected the computer.
The tool displays results similar to the following
* On some computers (Windows Server 2003, 2003 SP1) NPE cannot run; skip it and use the other removal tools.
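To support the network scan in step 1, the patch in step 5 and the re-check in step 9 with patch status rather than a vendor scanner, here is an added example that is not from the article or from McAfee/Symantec: it sweeps a list of computers and reports whether the MS08-067 hotfix is installed. It assumes you hold local administrator rights on each host and that WMI/RPC is reachable from the scanning machine; the hotfix ID KB958644 is the one Microsoft assigned to MS08-067 (the article itself does not state it), and the function name Get-Ms08067Status is an assumption of this example.

```powershell
# Added example: MS08-067 patch sweep across a list of hosts, to complement
# the network scan in step 1 and the re-check in step 9. Not from the article.
# Assumptions: local admin rights on each host and WMI/RPC reachable.
function Get-Ms08067Status {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$ComputerName,
        # KB958644 is the hotfix Microsoft shipped for MS08-067 (not stated in the article)
        [string]$HotfixId = 'KB958644'
    )
    foreach ($target in $ComputerName) {
        $result = New-Object PSObject -Property @{
            ComputerName    = $target
            OperatingSystem = $null
            Patched         = $false
            Error           = $null
        }
        try {
            # Record OS and service pack: only the SKUs listed above have a patch at all
            $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $target -ErrorAction Stop
            $result.OperatingSystem = ("$($os.Caption) $($os.CSDVersion)").Trim()

            # Enumerate all installed hotfixes and look for the MS08-067 one;
            # filtering client-side avoids the 'hotfix not found' error that
            # Get-HotFix -Id raises on an unpatched host
            $fixes = @(Get-HotFix -ComputerName $target -ErrorAction Stop)
            $result.Patched = [bool]($fixes | Where-Object { $_.HotFixID -eq $HotfixId })
        } catch {
            # Unreachable host, access denied, or WMI failure: report it, never assume patched
            $result.Error = $_.Exception.Message
        }
        $result
    }
}

# Usage:
# Get-Ms08067Status -ComputerName 'host01', 'host02' | Format-Table -AutoSize
```

Hosts reported with Patched = False, and hosts that come back with an Error instead of a verdict, stay on the step 2 to 7 worklist until step 5 has been applied and this sweep confirms it; a host that answers WMI but has no hotfix entry is still exposed to the spreading mechanism described in the Introduction even after the removal tools report it clean.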
Resources
- http://www.symantec.com/security_response/writeup.jsp?docid=2008-123015-3826-99&tabid=2 – Symptoms (more details)
- How to remove W32.Downadup.B (Symantec)