Thursday, December 11, 2008

W32.Downadup

W32.Downadup is a worm that exploits the Windows Server service RPC vulnerability, the one patched by Microsoft security update MS08-067.
SYMPTOMS
*. Internet Explorer displays a "Page cannot be displayed" message 3-4 minutes after a page starts loading, and the message persists until the next restart; after the restart the same thing repeats.
*. Mozilla Firefox shows a blank page.
*. Networked PCs respond to ping normally, but shared drives are sometimes unavailable.
*. There is a 'WWW' exception in the Windows Firewall with an unusual port number.
*. No suspicious processes appear in Task Manager.
*. No relevant startup entries appear in 'msconfig'.
*. Running "netstat -aon" at the command prompt shows a lot of activity on ports 445 and 139 toward unknown IP addresses (state SYN_SENT).
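One way to turn the netstat symptom above into a repeatable check, as an added example that is not part of the original post: a Python script that counts half-open SMB connections per process and flags the process responsible. The netstat sample is constructed, and the PID, addresses and threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample of "netstat -aon" output (not a real capture). A scanning
# worm shows up as many SYN_SENT entries to TCP 445/139 on unfamiliar hosts,
# all owned by the same PID.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:1049      192.168.1.5:445        ESTABLISHED     4
  TCP    192.168.1.20:1101      10.77.3.9:445          SYN_SENT        1364
  TCP    192.168.1.20:1102      10.77.3.10:445         SYN_SENT        1364
  TCP    192.168.1.20:1103      10.77.3.11:139         SYN_SENT        1364
  TCP    192.168.1.20:1104      10.77.3.12:445         SYN_SENT        1364
  TCP    192.168.1.20:1105      203.0.113.7:445        SYN_SENT        1364
  UDP    0.0.0.0:137            *:*                                    4
"""

SMB_PORTS = {"445", "139"}
# Proto, local address, foreign address, state, PID (TCP rows only).
LINE_RE = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def parse_netstat(text):
    """Return (remote_ip, remote_port, state, pid) for each TCP row."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank and UDP lines carry no TCP state
        _local, remote, state, pid = m.groups()
        ip, _, port = remote.rpartition(":")  # rpartition tolerates IPv6
        rows.append((ip, port, state, int(pid)))
    return rows


def smb_syn_sent_by_pid(text, known_hosts=()):
    """Count half-open SMB connections per PID, excluding hosts you recognise."""
    counts = Counter()
    for ip, port, state, pid in parse_netstat(text):
        if state == "SYN_SENT" and port in SMB_PORTS and ip not in known_hosts:
            counts[pid] += 1
    return counts


def suspicious_pids(text, known_hosts=(), threshold=3):
    """PIDs holding more half-open SMB connections than a normal host would."""
    counts = smb_syn_sent_by_pid(text, known_hosts)
    return sorted(pid for pid, n in counts.items() if n >= threshold)
```

On a real machine, feed the script the saved output of `netstat -aon` and add your file servers to `known_hosts` so legitimate SMB traffic is not counted.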

SOLUTION
Run Symantec Antivirus with the latest update (20081210-009-x86.exe) and perform a complete scan of the system. This should detect W32.Downadup as espceao[1].jpg. There may also be further entries in the System32 folder named 'tsozzqlj.dll' and 'kmqohj[2].dll'.

The virus/worm will be quarantined. Let the scan complete.
Now go to Control Panel, open Windows Firewall, click the Exceptions tab and look for an entry called 'WWW'. If it is there, delete it.
Restart your system. That should kill the problem.
If the above files are not detected, boot into Safe Mode and run the virus scan again. Alternatively, you can remove the files manually.
