The DOWNAD/Conficker Worm and Clean up best practice


The first samples for the Conficker/Kido/DownadUp (detected by Trend Micro as WORM_DOWNAD.A) were discovered in November 2008 with new samples (detected as WORM_DOWNAD.AD and WORM_DOWNAD.KK) arriving in early 2009. DOWNAD exploits a vulnerability in Windows that Microsoft patched (MS08-067) in October.

DOWNAD.AD added the ability to spread through network shares and removable storage devices (e.g. USB drives) using the AutoRun function in Windows.

DOWNAD.KK shuts down security services, blocks infected computers from connecting to security websites, and downloads a Trojan. It also reaches out to other infected computers via peer-to-peer communications services, and includes an algorithm to update infected PCs.

What’s the goal of this worm?

It appears that the goal of this worm is to create a large botnet of infected PCs so that its creators may at some point send spam, steal personal information (user IDs, passwords, credit card info, etc.) and direct users to malicious websites used for phishing or downloading additional malware.

What’s happening on April 1st?

On April 1st, 2009, the latest variant (WORM_DOWNAD.KK) will begin to modify the way in which it communicates with other infected botnet nodes (PCs, servers), and will also increase the number of machines it attempts to contact in order to infect them. There is no evidence that the worm will do anything beyond modifying its communications methods.

How do I know whether my PC is infected?

Scan your PC using your Trend Micro product or HouseCall to see whether you are infected. If you discover that you are infected, find instructions for removal below: · Consumers · Small Business · Medium Business, Enterprise

How do I protect my PC from being infected? 

– Immediately install patches/updates for MS08067 and other vulnerabilities as soon as vendors release these patches. Configure your PC to receive automatic updates and patches from Microsoft and software vendors.

– Make sure your security software is up to date.

– Disable the “Drive Auto-run” feature to avoid infections from USB drives.

– Employ secure passwords using a combination of letters, numbers and symbols and frequently change them.

– Take caution when searching online for DOWNAD and Conficker information. There are reports of rogue antivirus packages that are taking advantage of the situation. They will tell you that you are infected and ask you to pay money to download their application, which in many cases turns out to be malware.

Additional Information:

Trend Micro CounterMeasures blog: Downad/Conficker, who’s the April Fool?

· TrendLabs Malware Blog: What Will Go DOWNAD on April 1?

· Latest Variant: WORM_DOWNAD.KK Additionally, this threat is an example of the new breed of Web threats being developed by cybercriminals who use multiple techniques and protocols to infect and propagate their attacks. The Trend Micro Smart Protection Network blocks threats before they can enter your network and our correlated in-the-cloud web, email and file reputation databases allow us to quickly analyze and block new threats as they appear. Smart Protection Network powers many of our consumer, SMB and Enterprise solutions today.

I have got the article from here.


Clean up the virus best practice

1. Download Microsoft update MS 080-067. In section download please type “KB958644”. Choose patch which match with your operating system and install it to your pcs/servers.

2. Download Trend Micro FixTool.

3. Extract/unzip the files to C:\Sysclean-WORM_DOWNAD folder.

4. Download the latest virus definition pattern and extract it to C:\Sysclean-WORM_DOWNAD folder.

5. Download Spyware ssapiptn.da5 pattern and extract it to C:\Sysclean-WORM_DOWNAD folder.

6. Disconnect pc/server from networking

7. Run / double click the Fix.bat from to C:\Sysclean-WORM_DOWNAD folder. Follow the step.

8. Reconnect PC/Servers to network.


One Response to The DOWNAD/Conficker Worm and Clean up best practice

  1. Ludie says:

    I have read so many articles regarding the blogger lovers but this paragraph is in fact a fastidious post,
    keep it up.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s