How to clean the WORM_DOWNAD, WORM_DOWNAD.AD and WORM_DOWNAD.KK malware - For Enterprise Business
 

Solution ID: EN-1038611

Product: OfficeScan - 7.3, 8.0; ServerProtect for Microsoft Windows - 5.58, 5.7; OfficeScan - 7.0

Operating System: Windows 2000 Server - SP4; Windows Server 2003 Enterprise Edition - SP1; Windows Server 2003 Standard Edition; Windows Server 2003 Standard Edition - SP1; Windows Vista; Windows XP; Windows 2000 Advanced Server - SP4

Published: 7/26/2009 6:17 PM
 

Problem:

WORM_DOWNAD is capable of doing the following:

- Connects to various time servers to determine the current date and time
- Registers itself as a system service to ensure it runs automatically at every startup
- Deletes a registry key to prevent the system from starting in Safe Mode
- Terminates security-related processes (e.g. procexp, regmon, autoruns, gmer)
- Blocks access to security and antivirus websites
- Generates 50,000 malicious URLs and attempts to connect to around 500 randomly generated URLs at a time
- Disables services such as the Windows Automatic Update service (wuauserv)
- Causes high traffic on the affected system's port 445 upon successful exploitation
- Creates [random filename].dll and autorun.inf on all mapped drives
- Creates [random filename].dll and autorun.inf in the Internet Explorer and Movie Maker folders under the Program Files directory
- Hides hidden files by altering the Folder Options setting
- Attempts to connect to several URLs to download a file that indicates the location of the affected system
- Users cannot log in with their Windows credentials because their accounts are locked out
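The following read-only triage script is an added example, not Trend Micro code, that checks a single host for several of the side effects listed above so an administrator can decide which machines need the cleanup procedure. It uses WMI instead of Get-HotFix and Get-Service so that it also runs under PowerShell 1.0 on Windows XP and Server 2003. Three identifiers are supplied here rather than taken from the article and should be treated as assumptions: MS08-067 is delivered as hotfix KB958644, the Safe Mode boot entries live under HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot, and the "Show hidden files and folders" option is governed by the SHOWALL\CheckedValue registry value.

```powershell
# Added host-triage script (not Trend Micro code). Read-only: it reports findings and changes nothing.
# Assumed identifiers not stated in the article:
#   - MS08-067 ships as hotfix KB958644
#   - Safe Mode entries live under HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot
#   - "Show hidden files and folders" is governed by ...\Folder\Hidden\SHOWALL\CheckedValue
# WMI is used instead of Get-HotFix/Get-Service so this also runs under PowerShell 1.0 on XP/2003.

$findings = @()

# 1. Is the MS08-067 patch (KB958644) installed? Without it the host is still exploitable over port 445.
$qfe = Get-WmiObject Win32_QuickFixEngineering | Where-Object { $_.HotFixID -eq 'KB958644' }
if (-not $qfe) { $findings += 'MS08-067 (KB958644) is not installed' }

# 2. Has the Windows Automatic Update service been disabled?
$wu = Get-WmiObject Win32_Service -Filter "Name='wuauserv'"
if ($wu -and $wu.StartMode -eq 'Disabled') { $findings += 'wuauserv start type is Disabled' }

# 3. Were the Safe Mode registry keys deleted?
foreach ($k in 'Minimal', 'Network') {
    if (-not (Test-Path "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$k")) {
        $findings += "SafeBoot\$k registry key is missing (Safe Mode will not start)"
    }
}

# 4. Has the Folder Options "Show hidden files and folders" setting been tampered with?
$showAll = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
$checked = (Get-ItemProperty -Path $showAll -Name CheckedValue -ErrorAction SilentlyContinue).CheckedValue
if ($checked -ne $null -and $checked -ne 1) { $findings += "SHOWALL CheckedValue is $checked (expected 1)" }

# 5. autorun.inf at the root of every local fixed disk (DriveType 3) and mapped network drive (DriveType 4).
Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=3 OR DriveType=4' | ForEach-Object {
    $inf = "$($_.DeviceID)\autorun.inf"
    if (Test-Path -LiteralPath $inf) { $findings += "autorun.inf present at $inf" }
}

# 6. DLLs in the Internet Explorer and Movie Maker folders. Genuine Microsoft DLLs there carry
#    version information; a dropped [random filename].dll usually does not (heuristic, confirm by hand).
foreach ($dir in "$env:ProgramFiles\Internet Explorer", "$env:ProgramFiles\Movie Maker") {
    if (Test-Path -LiteralPath $dir) {
        Get-ChildItem -LiteralPath $dir -Filter *.dll -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.VersionInfo.CompanyName } |
            ForEach-Object { $findings += "DLL without version info: $($_.FullName)" }
    }
}

# Print the result; an empty list means none of the checked indicators were found.
if ($findings.Count -eq 0) { 'No WORM_DOWNAD indicators found on this host.' } else { $findings }
```

Run it from an elevated PowerShell prompt on the machine being examined; any line it prints is a reason to run the product-specific cleanup below, and a missing KB958644 is a reason to patch even if nothing else is reported. The DLL check in step 6 is a heuristic only: it lists candidates for a human to look at, it does not identify the worm's file.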

 

Solution:

Please do the following:

OfficeScan 8.0

1. Apply Microsoft Security Patch MS08-067.

2. Run Update Now to ensure that you have the latest components:
   - Latest virus pattern file (lpt$vpn.xxx)
   - Rootkit Common Module (RCM) 2.2 and above
   - GeneriClean Technology
     Note: To enable GeneriClean for the OfficeScan 8.0 manual scan, you need to apply Trend Micro OfficeScan 8.0 Service Pack 1 or later on your OfficeScan server.
   - Damage Cleanup Template (DCT) 1020 and above
   - Damage Cleanup Engine (DCE) 6.0.1172
   - Scan engine (VSAPI) 8.911

3. Once all components are up to date, run Scan Now from the OfficeScan server.

4. Machines that are infected with WORM_DOWNAD require a reboot to be completely cleaned.

OfficeScan 7.x

1. Apply Microsoft Security Patch MS08-067.

2. Run Update Now to ensure that you have the latest components:
   - Latest virus pattern file (lpt$vpn.xxx)
   - GeneriClean Technology
   - Damage Cleanup Template (DCT) 1020 and above
   - Damage Cleanup Engine (DCE) 6.0.1172
   - Scan engine (VSAPI) 8.9113
     Note: If you are not using VSAPI 8.913, download and install it now. For instructions, refer to this solution: Performing a manual update or rollback of the OfficeScan engine.

3. Once all components are up to date, run Scan Now from the OfficeScan server.

4. Machines that are infected with WORM_DOWNAD require a reboot to be completely cleaned.

ServerProtect for Windows (SPNT) 5.x

1. Apply Microsoft Security Patch MS08-067.

2. Run Update Now to ensure that you have the latest components:
   a. Latest pattern file (lpt$vpn)
   b. Scan engine (VSAPI) 8.9113

3. Use the Sysclean tool to clean WORM_DOWNAD. Please contact Trend Micro Technical Support for this package.

4. Machines that are infected with WORM_DOWNAD require a reboot to be completely cleaned.

For more information, click on the following links:

- WORM_DOWNAD
- WORM_DOWNAD.AD
- WORM_DOWNAD.KK

You can also refer to the following file:

- WORM_DOWNAD.KK: Best Practices and Security Recommendations

Additional Information:

- Customer Information on WORM_DOWNAD.KK: Detection, Cleanup, and Prevention
- How to restore access to Trend Micro and other security sites that have been blocked by malicious software infections

