This article is well worth reading.

The Win32.Worm.Downadup is raging across the Internet, using new tricks to spread undetected. The worm spreads by exploiting a vulnerability in the Windows RPC Server Service and has infected millions of Windows PCs in the last two weeks.

"From an estimated 2.4 million infected machines to over 8.9 million during the last four days," Toni Koivunen, an F-Secure researcher, wrote in the company's log. "That's just amazing."

According to Koivunen, there are several different variants of Downadup running wild. The algorithm to create the domain names changes a bit between the variants. "We've been tracking the variant we believe to be most common [algorithm]. It creates 250 possible domains each day," he said. "We've registered some selected domains out of this pool and are monitoring the connections being made to them."

A Worm by Another Name

Also known as Conficker or Kido, the worm first appeared in late November, exploiting a vulnerability in Microsoft software to spread unhindered on local area networks. Its goal is to install rogue security software on infected computers. Microsoft issued a patch for the vulnerability, but many users haven't installed it, leaving them open to infection as the worm spreads through portable USB flash drives.

"This malware exploits the fact that many people do not patch their systems," said Viorel Canja, head of BitDefender Anti-Malware Labs. "With its updated configuration and good protection scheme, this worm could become a rival to already established botnets like Storm or Srizbi."

Watch Those Thumb Drives

In late December, BitDefender Labs uncovered a new version of the worm called Win32.Worm.Downadup.B. The malware features some enhancements along with the distribution routine. Specifically, the worm uses USB thumb drives to infect other computers. It does this by copying itself into a random folder created inside the recycler directory.
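The thumb-drive propagation described above (a copy of the worm in a folder under the recycler directory, launched from an autorun.inf in the drive root) can be checked for on a mounted drive. The Python script below is an added defender-side example, not code from the article, F-Secure or BitDefender: it parses the [autorun] section of autorun.inf tolerantly, reports any launch entry, and raises the severity when the launch target sits under RECYCLER or $Recycle.Bin. The sample autorun.inf, the folder name and the file name are constructed placeholders, not real indicators.

```python
"""Triage check for a removable drive (added example, not from the article).
It looks for the propagation pattern the article describes: an autorun.inf
in the drive root whose launch entry points at a file hidden in a folder
under the recycler directory.  All sample paths and names are constructed."""
import os
import re
import tempfile

# Keys in the [autorun] section that make Windows run a program when Autorun
# is enabled: open=, shellexecute=, and shell\<verb>\command= (standard keys).
LAUNCH_KEY_RE = re.compile(
    r"^\s*(open|shellexecute|shell\\[^=\s]+\\command)\s*=\s*(.+?)\s*$",
    re.IGNORECASE,
)

# Constructed sample modelled on the pattern in the article; the folder and
# file names are placeholders, not real indicators.
SAMPLE_INFECTED_INF = r"""[autorun]
; decoy keys and comments are ignored by the parser
action=Open folder to view files
icon=%SystemRoot%\system32\shell32.dll,4
shellexecute=rundll32.exe RECYCLER\S-1-5-21-CONSTRUCTED\payload.dll,run
"""
SAMPLE_BENIGN_INF = "[autorun]\nopen=setup.exe\nicon=setup.exe\n"


def parse_autorun(text):
    """Return the launch entries of an autorun.inf as (key, value) pairs.
    Lines that do not parse are skipped rather than treated as errors, since
    a worm's autorun.inf may be padded with junk to hide the real entry."""
    entries = []
    in_autorun = False
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(";"):
            continue
        if stripped.startswith("[") and stripped.endswith("]"):
            in_autorun = stripped[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun:
            m = LAUNCH_KEY_RE.match(line)
            if m:
                entries.append((m.group(1).lower(), m.group(2)))
    return entries


def classify_entry(key, value):
    """Return (severity, message) for one launch entry.  A launch target under
    RECYCLER (or Vista's $Recycle.Bin) is the pattern the article describes;
    any other launch entry is reported at low severity for a human to review."""
    lowered = value.lower().replace("/", "\\")
    if "recycler\\" in lowered or "$recycle.bin\\" in lowered:
        return ("high", f"{key}= launches a file hidden under the recycler directory: {value}")
    return ("low", f"{key}= runs a program from the drive on Autorun: {value}")


def inspect_drive(root):
    """Inspect a mounted drive root; return a list of (severity, message)."""
    inf_path = os.path.join(root, "autorun.inf")
    if not os.path.isfile(inf_path):
        return []
    with open(inf_path, "rb") as fh:
        # latin-1 decodes any byte, so padding bytes cannot crash the check
        text = fh.read().decode("latin-1")
    findings = [classify_entry(k, v) for k, v in parse_autorun(text)]
    findings.sort(key=lambda f: f[0] != "high")  # high severity first
    return findings


def build_sample_drive(infected=True):
    """Create a throwaway directory laid out like the drive root the article
    describes (constructed sample) and return its path."""
    root = tempfile.mkdtemp(prefix="sample_drive_")
    inf = SAMPLE_INFECTED_INF if infected else SAMPLE_BENIGN_INF
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write(inf)
    if infected:
        hidden = os.path.join(root, "RECYCLER", "S-1-5-21-CONSTRUCTED")
        os.makedirs(hidden)
        open(os.path.join(hidden, "payload.dll"), "wb").close()
    return root


if __name__ == "__main__":
    for severity, message in inspect_drive(build_sample_drive()):
        print(severity.upper(), message)
```

To use it on real media, call inspect_drive() with the drive's mount point (for example "E:\\" on Windows). The parser deliberately ignores anything it cannot read instead of rejecting the file, because a padded or partly obfuscated autorun.inf still executes under Autorun, so an unparseable file must not be mistaken for a harmless one.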
The Recycle Bin uses the recycler directory to store deleted files. The worm also creates an autorun.inf file in the root folder; when the Autorun feature is enabled, the worm executes automatically. Through certain TCP functions, the worm also blocks access to security-related Web sites by filtering every address that contains certain strings. According to BitDefender, this makes it harder to remove, since information about it is virtually impossible to gather from an infected computer. What's more, this worm removes all access rights of the user, except execute and directory usage, to protect its files.

Skirting AV Detection

Downadup skirts antivirus protection by working with rarely used APIs (application programming interfaces) to circumvent virtualization technologies. The worm also disables Windows updates and certain network-traffic-optimizing Vista features to ease distribution.

According to BitDefender, the Win32.Worm.Downadup.B malware comes with a domain-name-generation algorithm similar to the one found in botnets like Rustock. It composes 250 domains every day and checks some of them for updates or other files to download and install.

"The situation with Downadup is not getting better," F-Secure's Koivunen said. "It's getting worse."

www.vipconduit.com and www.accessible-devices.com

This is an Announce only list. Subscribers are not able to post to this list.

To unsubscribe from the Accessible Devices list copy the line below. Paste it in the To: line of a blank message and send it.
a-d-unsubscribe@xxxxxxxxxxxxxxxxxxxxxx

Please feel free to pass this message on to a friend who might like to subscribe. To subscribe to Accessible Devices send a blank e-mail to:
a-d-subscribe@xxxxxxxxxxxxxxxxxxxxxx
Just follow the directions in the confirmation message when it comes.
Please Note: Accessible Devices is not able to provide tech support for software or products that we supply information about.