NEW WORM_DOWNAD.E/Conficker Variant


This is a proactive notification that Trend Micro has received a new sample of DOWNAD and named it WORM_DOWNAD.E. Trend Micro has flagged this worm as noteworthy because of its increased potential for damage and propagation, including its ability to spread through the Server service vulnerability (MS08-067).

Please visit Trend Micro’s DOWNAD Information page for the latest information:

This worm may be downloaded unknowingly by a user when visiting malicious Web sites.

This worm executes its routines only when the following trigger condition is met:
The system date is before May 3, 2009

Propagation Routine
This worm propagates by exploiting a vulnerability in the Server service of certain Microsoft operating systems (addressed by MS08-067) that allows remote code execution when an affected system receives a specially crafted RPC request; the crafted request carries the shellcode that runs on the target.

This worm also attempts to spread through the same vulnerability over the Internet: it first checks whether the system is directly connected to the Internet and, if so, scans external IP addresses for vulnerable hosts.

Other Details
This worm drops a temporary file, %System%\0{Random}.tmp, which is actually a SYS driver file and is detected by Trend Micro as TROJ_DOWNAD.E. It then registers a service that loads this temporary file as a driver, so the driver's malicious routines also execute on the system. Once the service has been created, the temporary file is deleted.

The driver patches %System%\drivers\tcpip.sys in memory to raise the limit on the number of concurrent half-open TCP connection attempts, which lets the worm scan for new targets much faster than the operating system would otherwise allow. After the patch is applied, the driver service is unloaded and deleted, leaving no trace of it in the registry.
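As a host-side triage check for the scanning behaviour described above (the Internet-wide sweep and the tcpip.sys half-open patch), here is an added example; it is not code from the advisory or from Trend Micro. It parses `netstat -ano` output and flags any process holding more half-open SMB connections than Windows would normally permit. The netstat column layout, TCP port 445 as the Server service transport, the threshold of 10 (the half-open cap Windows XP SP2 enforces) and the sample output are assumptions or constructed data, not facts stated on this page.

```python
"""Host triage: find processes holding an abnormal number of half-open
(SYN_SENT) TCP connections to the SMB port, the footprint of a DOWNAD-style
scanner that has patched the half-open connection cap out of tcpip.sys.

Assumptions (not stated in the advisory): the `netstat -ano` column layout
on Windows, SMB over TCP port 445 as the Server service transport, and a
threshold of 10 concurrent half-open connections (the cap Windows XP SP2
enforces, so any process above it has bypassed the cap).
"""
from collections import defaultdict

SMB_PORT = 445
HALF_OPEN_THRESHOLD = 10  # assumed: default XP SP2 cap on half-open attempts


def parse_netstat(text):
    """Return (local, remote, state, pid) tuples for TCP rows of `netstat -ano`."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        # Header lines and UDP rows (no state column) do not have 5 fields.
        if len(parts) != 5 or parts[0] != "TCP":
            continue
        _proto, local, remote, state, pid = parts
        rows.append((local, remote, state, int(pid)))
    return rows


def split_addr(addr):
    """Split 'host:port' (IPv4 or bracketed IPv6) into (host, port)."""
    host, port = addr.rsplit(":", 1)
    return host, int(port)


def half_open_targets(rows, port=SMB_PORT):
    """Map pid -> number of distinct hosts it has a SYN_SENT to on `port`."""
    targets = defaultdict(set)
    for _local, remote, state, pid in rows:
        host, rport = split_addr(remote)
        if state == "SYN_SENT" and rport == port:
            targets[pid].add(host)
    return {pid: len(hosts) for pid, hosts in targets.items()}


def flag_scanners(text, threshold=HALF_OPEN_THRESHOLD, port=SMB_PORT):
    """PIDs whose count of half-open connections to `port` exceeds the threshold."""
    counts = half_open_targets(parse_netstat(text), port)
    return sorted(pid for pid, n in counts.items() if n > threshold)


# Constructed sample of `netstat -ano` output (not a real capture): PID 1337
# is sweeping a /24 on port 445 with 25 half-open connections, PID 4 (System)
# has two normal inbound SMB sessions, and PID 2200 has one pending web
# connection that must not be counted.
_HEADER = (
    "Active Connections\n\n"
    "  Proto  Local Address          Foreign Address        State           PID\n"
)
_SCAN_ROWS = "".join(
    f"  TCP    192.168.1.10:{1100 + i}      10.20.30.{i + 1}:445        SYN_SENT        1337\n"
    for i in range(25)
)
_NORMAL_ROWS = (
    "  TCP    192.168.1.10:445        192.168.1.20:49201    ESTABLISHED     4\n"
    "  TCP    192.168.1.10:445        192.168.1.21:49310    ESTABLISHED     4\n"
    "  TCP    192.168.1.10:1099       93.184.216.34:80      SYN_SENT        2200\n"
    "  UDP    0.0.0.0:137            *:*                                    4\n"
)
SAMPLE_NETSTAT = _HEADER + _SCAN_ROWS + _NORMAL_ROWS

if __name__ == "__main__":
    counts = half_open_targets(parse_netstat(SAMPLE_NETSTAT))
    for pid in flag_scanners(SAMPLE_NETSTAT):
        print(f"PID {pid}: {counts[pid]} half-open connections to port "
              f"{SMB_PORT}, suspect scanner")
```

On a live system, pipe the real `netstat -ano` output into `flag_scanners` and then map the flagged PID to its image with Task Manager or `tasklist`; a scanner that has lifted the half-open cap will show far more than ten SYN_SENT rows at once, whereas an unpatched XP SP2 host cannot exceed the cap no matter how aggressive the process is.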

It also creates a thread that opens a random port to communicate with a remote computer, and it creates the mutex "Global\{Random}" to ensure that only one instance of itself is running in memory.


Trend Micro Solutions
·VSAPI pattern - since OPR 5.953.00
·IntelliTrap pattern - detected as PAK_Generic.001
·Damage Cleanup Template - DCT OPR 1026

DOWNAD/Conficker Best Practices
1. Patch Windows systems with the MS08-067 security update, which closes the Server service vulnerability this worm exploits
2. Verify that the OfficeScan client is up to date and that its settings are configured correctly
3. Follow the recommended solutions and protection measures on Trend Micro's DOWNAD Information page