Aliases: Win32/Conficker.A, W32/Downadup.A, Conficker.A, Net-Worm.Win32.Kido.bt, WORM_DOWNAD.AP
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: Europe, North and South America, and some parts of Asia and Australia
Removal: Easy
Platform: W32
Discovered: 21 Nov 2008
Damage: Medium

Characteristics: W32.Downadup is considered as a standalone malicious program. It uses network and other computer resources to multiply itself on the compromised computer. The worm uses code or malware, damaging not just the network but also the system. It also hampers performance of antivirus programs. The antivirus program installed in the computer may not work properly in deleting or removing this virus. As such, implementing new security website is also blocked by this worm. It also uses Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability in propagating the network drives or local drives of your computer.

More details about W32.Downadup

Like any other worms, W32.Downadup also has the capability of creating its own service on Windows application. Thus, this worm automatically runs itself on the compromised computer every time the window starts. This worm has the ability to block network-related operation. It monitors strings and domain. This is usually introduced to the network using a USB drive activated by autorun.inf. As such, it creates an autorun.inf file on all mapped drives so that the threat automatically executes when the drive is accessed. It oversees and monitors all the drives connected to the infected computer. It automatically creates autorun.inf on all accessible drives.

This worm is also undetectable in the command prompt because it uses the platform RPC Handling Remote Code Execution. Removal is delicate. First, you may press the Start button and click on the Run option. This will start the Run tool. Then, type in taskmgrand and press OK. Then, type in "dir /A name_of_the_folder" (for example, C:\Spyware-folder), which will display the folder's content even the hidden files. You must change the directory. To do this, you may need to type in "cd name_of_the_folder". Then, you may now browse for all infected file. Once you have the file you're looking for, type in "del name_of_the_file". This command will delete a file in the folder. If you wish to delete the whole folder, type in "rmdir /S name_of_the_folder". You must kill all the processes as well. Check all the list of files actively running and find all the .exe files. Right click on the file and choose “end process.” A box will appear and you need to choose yes. When you are in the task manager, select the "W32.Downadup" process and click on the "End Process" button to kill it. Make sure to remove all "W32.Downadup" processes.