Worm:W32/Downadup.gen, W32/Conficker.worm.gen, Mal/Conficker, Worm: Win32/Conficker
Conficker, also known as Downup, Downadup and Kido, is a computer worm targeting the Microsoft Windows operating system that was first detected in November 2008. The worm uses a combination of advanced malware techniques which has made it difficult to counter, and has since spread rapidly into what is now believed to be the largest computer worm infection since the 2003 SQL Slammer.
Bitdefender said that Win32.Worm.Downadup is a worm that relies on the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (MS08-067) in order to spread to other computers in the local network. The authors took various approaches to make this malware especially fast-spreading and hard to remove.
This malware always comes wrapped in an obfuscated layer which aims at deterring analysis. The layer can be in two flavors, either packed with UPX or not packed, but it is always obfuscated and uses various rarely used APIs to break emulators. The real malware is contained inside in an encrypted form. It is packed with a standard UPX version, but to deter unpacking it is never written to disk and it doesn't have the PE header, which makes it appear as an invalid executable. This has the side effect of being undetectable when injected into another process; it just looks like a standard allocated memory page. Read more here..
This is the most annoying virus I have ever found. It infected my laptop during troubleshooting at a customer's site. I had already installed Avira with the latest patch, but Avira only gave me a popup notification window that a virus was found on my laptop; it can't remove it.
I tried to run the "start update" menu, but it failed. It's quite strange, because I can't open almost all antivirus websites.
Read the discussion about this virus here:
www.symantec.com/connect/forums/w32downadup
www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
www.bitdefender.com/site/Downloads/downloadFile/1584/FreeRemovalTool
Can't open these websites?? And also other antivirus websites (symantec.com, bitdefender.com, etc.)? Probably your laptop/PC is infected too 🙂
Try to open these URLs using an anonymous proxy. Zend Proxy is a good one.
Just copy and paste the URL on the Zend Proxy website, then click the 'Go' button. Does it work?? Okay, let's clean up this virus.
1. First of all, disable or turn off Windows System Restore. Right-click on the 'My Computer' icon > Properties > System Restore.
2. Download (using an anonymous proxy if you are infected) and run the Downadup Removal Tool from BitDefender; here are the links:
http://www.bitdefender.com/site/Downloads/downloadFile/1584/FreeRemovalTool
http://www.4shared.com/get/115879120/4d838228/dcleaner.html
http://www.softpedia.com/get/Antivirus/Win32-Worm-Downadup-Removal-Tool-SoftWin.shtml
3. Also download the Kaspersky Kido Killer:
http://www.2shared.com/file/5262929/556a6d09/kido_killer.html
4. Reboot.
Other useful links about this virus:
This is a Microsoft KB article on the removal process/best practice for W32.Downadup.B:
http://support.microsoft.com/kb/962007
MS08-067 patch download:
http://www.microsoft.com/downloads/results.aspx?pocId=&freetext=ms08-067&DisplayLang=en
http://www.4shared.com/get/95979144/96691f81/WindowsXP-KB958644-x86-ENU.html
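Two checks a practitioner would want to run after the cleanup steps above: whether the MS08-067 hotfix is actually installed before the machine goes back on the customer's network, and whether the "can't open antivirus websites, but everything else works" symptom described earlier is still present. This is an added example, not code from the original post or from any of the vendors linked; it assumes KB958644 is the MS08-067 hotfix id for Windows XP x86 (taken from the file name linked above), that `wmic qfe get HotFixID` is available on the Windows host, and that `example.com` and `www.softpedia.com` are reasonable non-security-vendor control hosts. The hotfix parser and the reachability classifier take their input as plain values, so they can be exercised offline with constructed data.

```python
"""Post-cleanup triage helpers for the Conficker symptoms described in the post.

Added example (not from the original post). Assumptions are marked inline.
"""
import re
import socket
import subprocess
from typing import Callable, Dict, List

# Assumption: KB958644 is the MS08-067 hotfix for Windows XP x86, as in the
# linked file name WindowsXP-KB958644-x86-ENU. Other Windows versions ship
# the fix under other KB numbers, so pass the right id for the host.
MS08_067_HOTFIX = "KB958644"

# Security-vendor hosts named in the post; Conficker-infected machines in the
# post could not open them.
VENDOR_HOSTS = ["www.symantec.com", "www.bitdefender.com",
                "www.microsoft.com", "support.microsoft.com"]
# Assumption: ordinary hosts used as a control group for the reachability check.
CONTROL_HOSTS = ["example.com", "www.softpedia.com"]

# Constructed sample of `wmic qfe get HotFixID` output for the offline test.
SAMPLE_QFE_OUTPUT = """HotFixID

KB951376
KB958644

"""


def parse_hotfix_ids(qfe_output: str) -> List[str]:
    """Extract the distinct KB ids from `wmic qfe get HotFixID` text output."""
    return sorted(set(re.findall(r"\bKB\d+\b", qfe_output)))


def is_ms08_067_patched(qfe_output: str, hotfix: str = MS08_067_HOTFIX) -> bool:
    """True if the MS08-067 hotfix id appears in the installed-hotfix listing."""
    return hotfix in parse_hotfix_ids(qfe_output)


def installed_hotfixes_live() -> str:
    """Run wmic on the local Windows host and return its raw text output."""
    proc = subprocess.run(["wmic", "qfe", "get", "HotFixID"],
                          capture_output=True, text=True, check=True)
    return proc.stdout


def dns_resolves(host: str) -> bool:
    """Live resolver: does the host name resolve at all on this machine?"""
    try:
        socket.gethostbyname(host)
        return True
    except socket.gaierror:
        return False


def vendor_block_status(vendor_hosts: List[str], control_hosts: List[str],
                        resolver: Callable[[str], bool] = dns_resolves) -> str:
    """Classify the symptom from the post.

    'offline'        : nothing resolves, so the network itself is the problem
    'vendor-blocked' : control hosts resolve but no vendor host does
    'partial'        : control hosts resolve, some vendor hosts do not
    'ok'             : everything resolves
    """
    vendor_ok: Dict[str, bool] = {h: resolver(h) for h in vendor_hosts}
    control_ok: Dict[str, bool] = {h: resolver(h) for h in control_hosts}
    if not any(control_ok.values()) and not any(vendor_ok.values()):
        return "offline"
    if any(control_ok.values()) and not any(vendor_ok.values()):
        return "vendor-blocked"
    if any(control_ok.values()) and not all(vendor_ok.values()):
        return "partial"
    return "ok"


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; the live functions
    # (installed_hotfixes_live, dns_resolves) need a Windows host and network.
    print("hotfixes:", parse_hotfix_ids(SAMPLE_QFE_OUTPUT))
    print("MS08-067 patched:", is_ms08_067_patched(SAMPLE_QFE_OUTPUT))
    blocked = lambda h: h not in VENDOR_HOSTS  # simulates the infected state
    print("reachability:", vendor_block_status(VENDOR_HOSTS, CONTROL_HOSTS, blocked))
```

On a real host, feed `installed_hotfixes_live()` into `is_ms08_067_patched` and call `vendor_block_status` with the default resolver; a `vendor-blocked` result after the removal tools have run means the cleanup is not finished, and a missing KB958644 means the machine will be reinfected as soon as it sees another infected host on the LAN.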
For detailed information about the Conficker virus, visit the following Microsoft Web page:
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2fConficker
Microsoft Knowledge Base article to manually remove the malware from the system:
http://support.microsoft.com/kb/962007&b=10#Manualsteps
http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.D
I managed to remove it by using MalwareFox too.