Worm infects over three million PCs since New Year

The Downadup worm has spread to more than three million PCs.

F-Secure previously issued a warning about the worm, which is also known as Conficker, and said it had received several reports of corporate networks being infected with variants of the worm since the New Year.

The company identified a total of 3,521,230 infections worldwide on Wednesday afternoon, about one million more than the approximate count of 2.4 million infections made on Tuesday.

Analysis of the code by security watchers at the Internet Storm Centre has revealed that the worm relies on a social engineering ruse: users plugging an infected drive into a Windows machine might be fooled into thinking they are only opening a folder when they are actually clicking to run the worm's viral payload.

BitDefender claimed that the worm uses USB sticks to infect other computers. It operates by copying itself into a random folder created inside the recycler directory, which is used by the Recycle Bin to store deleted files, and creating an autorun.inf file in the root folder. The worm executes automatically if the Autorun feature is enabled.
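A defender's check for the drive layout BitDefender describes, as an added example that is not part of the original article or any vendor's tool: it parses a drive's autorun.inf and reports launch commands that point into the recycler directory, together with the caption the user would be shown. The folder name, file name and caption in the sample drive are constructed for illustration.

```python
import os
import tempfile

def parse_autorun(text):
    """Return the [autorun] section as {lower-cased key: value}."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
        elif in_section and "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def is_launch_key(key):
    """Keys that make Windows start a program from the drive."""
    return key in ("open", "shellexecute") or (
        key.startswith("shell\\") and key.endswith("\\command"))

def check_drive(root):
    """Return (key, value) pairs whose command points into RECYCLER."""
    names = [n for n in os.listdir(root) if n.lower() == "autorun.inf"]
    if not names:
        return []
    # latin-1 never fails to decode, so non-text bytes cannot abort the scan
    with open(os.path.join(root, names[0]), encoding="latin-1") as fh:
        entries = parse_autorun(fh.read())
    hits = [(k, v) for k, v in entries.items()
            if is_launch_key(k) and "recycler" in v.lower()]
    if hits and "action" in entries:
        # the AutoPlay caption the user sees, e.g. a fake "open folder" entry
        hits.append(("action", entries["action"]))
    return hits

def build_sample_drive():
    """Constructed sample: a temp dir laid out like the drive described above."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "RECYCLER", "S-0-0-0-CONSTRUCTED"))
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write("[autorun]\n"
                 "action=Open folder to view files\n"
                 "open=RECYCLER\\S-0-0-0-CONSTRUCTED\\sample.bin\n")
    return root

if __name__ == "__main__":
    for key, value in check_drive(build_sample_drive()):
        print(f"suspicious autorun entry: {key}={value}")
```

Point `check_drive` at the root of a mounted removable drive; an empty list means no autorun.inf command there references the recycler directory.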

It also said that the Win32.Worm.Downadup.B malware comes with a domain name generation algorithm similar to the one found in botnets such as Rustock. It composes 250 domains every day and checks some of them for updates or other files to download and install.

Viorel Canja, head of BitDefender anti-malware labs, said: “This malware exploits the fact that many people do not patch their systems. With its updated configuration and good protection scheme, this worm could become a rival to already established botnets like Storm or Srizbi.”

Ben Greenbaum, a senior research manager for Symantec Security Response, said: “None of these are terribly new tactics, to be perfectly frank; the virus will calculate a number of different domain names and attempt to connect to them. Every day, it will try to contact all of these. All [the malware writers] need to do is register one of these domains and control them for one day. An up-to-date anti-virus solution should detect the worm.”

Meanwhile Microsoft's Malicious Software Removal Tool has been upgraded so it can remove the worm that tries to download malicious software. The company issued an emergency patch, outside of its usual cycle, on 23 October for Windows 2000, XP, Vista, Server 2003 and Server 2008.

The company is recommending that administrators run an MSRT scan. For those already infected, it has given instructions for how to download the tool with a clean machine and then distribute it.