How to remove Worm Downadup Conficker

Worm:W32/Downadup.gen, W32/Conficker.worm.gen, Mal/Conficker, Worm: Win32/Conficker

Conficker, also known as Downup, Downadup and Kido, is a computer worm targeting the Microsoft Windows operating system that was first detected in November 2008. The worm uses a combination of advanced malware techniques which has made it difficult to counter, and has since spread rapidly into what is now believed to be the largest computer worm infection since the 2003 SQL Slammer.

(Wikipedia)

Bitdefender said that Win32.Worm.Downadup is a worm that relies on the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (MS08-067) in order to spread to other computers on the local network. The authors took various approaches to make this malware especially fast-spreading and hard to remove.

This malware always comes wrapped in an obfuscated layer which aims at deterring analysis. The layer comes in two flavors, either packed with UPX or not packed, but it is always obfuscated and uses various rarely used APIs to break emulators. The real malware is contained inside in an encrypted form. It is packed with a standard UPX version, but to deter unpacking it is never written to disk and it doesn't have a PE header, which makes it appear as an invalid executable. This has the side effect of being undetectable when injected into another process; it just looks like a standard allocated memory page.

This is the most annoying virus I have ever found. It infected my laptop during troubleshooting at a customer's site. I had already installed Avira with the latest patch, but Avira only gave me a popup notification window that a virus was found on my laptop; it couldn't remove it.
I tried to run the "start update" menu, but it failed. It's quite strange because I can't open almost any antivirus website.

Read the discussion about this virus here:

www.symantec.com/connect/forums/w32downadup
www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
www.bitdefender.com/site/Downloads/downloadFile/1584/FreeRemovalTool

Can't open these websites, or other antivirus websites (symantec.com, bitdefender.com, etc.)? Then your laptop/PC is probably infected too :-)

Try to open these URLs through an anonymous proxy; Zend Proxy is a good one.

Just copy and paste the URL into the Zend Proxy website, then click the 'Go' button. Does it work? Okay, let's clean up this virus.
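The rule of thumb above (security-vendor sites unreachable while ordinary sites still load) can be turned into a quick check. This is an added example, not code from the post or from any vendor tool; the vendor hosts are taken from the post's links, and the control hosts and the port-80 probe are my assumptions.

```python
"""Check the post's symptom: vendor sites blocked while other sites still work."""
import socket

# Hosts the post says an infected machine cannot open (taken from the post's links).
VENDOR_HOSTS = ["www.symantec.com", "www.bitdefender.com", "www.microsoft.com"]
# Control hosts assumed to be unaffected by the worm (an assumption, any ordinary site will do).
CONTROL_HOSTS = ["www.wikipedia.org", "en.wikipedia.org"]


def reachable(host, timeout=3.0):
    """Return True if the name resolves and a TCP connection to port 80 succeeds.

    Name resolution is done by the OS resolver; the timeout applies to the connect.
    A blocked name typically fails resolution immediately (gaierror).
    """
    try:
        with socket.create_connection((host, 80), timeout=timeout):
            return True
    except (socket.gaierror, socket.timeout, OSError):
        return False


def classify(results, vendor_hosts=VENDOR_HOSTS, control_hosts=CONTROL_HOSTS):
    """Apply the post's heuristic to a {host: reachable} map.

    Returns (verdict, blocked_vendor_hosts) where verdict is one of:
      'offline'    - a control host fails too, so the network is down; nothing to conclude
      'suspicious' - all control hosts work but at least one vendor host is blocked
      'clean'      - control and vendor hosts are all reachable
    """
    controls_ok = all(results.get(h, False) for h in control_hosts)
    blocked = [h for h in vendor_hosts if not results.get(h, False)]
    if not controls_ok:
        return "offline", []
    if blocked:
        return "suspicious", blocked
    return "clean", []


def run_check():
    """Probe every host and return the verdict plus the raw per-host results."""
    results = {h: reachable(h) for h in VENDOR_HOSTS + CONTROL_HOSTS}
    return classify(results), results


if __name__ == "__main__":
    (verdict, blocked), results = run_check()
    for host, ok in results.items():
        print(f"{host:24s} {'ok' if ok else 'BLOCKED / unresolved'}")
    print("verdict:", verdict, blocked)
```

A "suspicious" verdict only matches the symptom the post describes; confirm with the removal tools listed below rather than treating it as proof of infection.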

1. First of all, disable or turn off Windows System Restore: right-click the 'My Computer' icon > Properties > System Restore.

2. Download (through the anonymous proxy if you are infected) and run the Downadup Removal Tool from BitDefender; here are the links:

http://www.bitdefender.com/site/Downloads/downloadFile/1584/FreeRemovalTool

http://www.4shared.com/get/115879120/4d838228/dcleaner.html
http://www.softpedia.com/get/Antivirus/Win32-Worm-Downadup-Removal-Tool-SoftWin.shtml


3. Also download Kaspersky Kido Killer:

http://www.2shared.com/file/5262929/556a6d09/kido_killer.html


4. Reboot.

Other useful links about this virus:

This is a Microsoft KB article on the removal process/best practice for W32.Downadup.B:
http://support.microsoft.com/kb/962007

MS08-067 patch download:
http://www.microsoft.com/downloads/results.aspx?pocId=&freetext=ms08-067&DisplayLang=en
http://www.4shared.com/get/95979144/96691f81/WindowsXP-KB958644-x86-ENU.html

For detailed information about the Conficker virus, visit the following Microsoft Web page:
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2fConficker

Microsoft Knowledge Base article to manually remove the malware from the system:
http://support.microsoft.com/kb/962007&b=10#Manualsteps
http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.D
