Cleaning WORM_DOWNAD using Officescan or Serverprotect

Solution ID Last Updated
1038611 Mar. 27, 2014 8:41 AM (PST)

Product / Version Platform
OfficeScan - 10.0, 10.5;ServerProtect for Microsoft Windows/Novell Netware - 5.8;
Windows - 2000 Advanced Server, 2000 Server, 2003 Enterprise Server, 2003 Standard Server Edition, 7 32-bit, 7 64-bit, Vista 32-bit, XP Professional

Problem Description

WORM_DOWNAD, WORM_DOWNAD.AD, and WORM_DOWNAD.KK malware causes the following unauthorized behavior:
  • Connects to various time servers to determine the current date and time
  • Registers itself as a system service to ensure auto execution every startup
  • Deletes a registry key to prevent system startup in safe mode
  • Terminates security-related processes (i.e. procexp, regmon, autoruns, gmer etc.)
  • Blocks access to security and antivirus websites
  • Generates 50,000 malicious URLs and attempts to connect to around 500 random generated URLs at a time
  • Disables services, such as Windows Automatic Update Service (wuauserv)
  • Causes high traffic on affected system's port 445 upon successful exploitation
  • Creates [random filename].dll and autorun.inf in all mapped drives
  • Creates [random filename].dll and autorun.inf on Internet Explorer and movie maker folder under the program files directory
  • Hides hidden files in Folder Options
  • Attempts to connect to several URLs to download a file that indicates the location of the affected system
  • Users cannot login using their windows credentials because it is locked out


OfficeScan 10 and 10.5
  1. Apply Microsoft Security Patch MS12-054.
  2. Update the Officescan server and clients with the latest components. You can use the Officescan web console to perform an update of the following:
  3. Once all the components are up-to-date, scan the clients using the OfficeScan server web console.
  4. Machines that are infected with WORM_DOWNAD require reboot to be completely cleaned. 
ServerProtect for Windows (SPNT) 5.x
  1. Apply Microsoft Security Patch MS12-054.
  2. Update the Serverprotect Information Server with the latest components and then deploy these to the Normal Servers:
    1. Virus pattern file (lpt$ Select Enterprise Pattern from the list.
    2. Scan engine
  3. Use the latest Sysclean tool to clean WORM_DOWNAD. 
  4. Machines that are infected with WORM_DOWNAD require reboot to be completely cleaned.
For the latest information on Worm_Downad, visit Trend Micro's Threat Encyclopedia.

Rate this Solution
Did this article help you?

Please provide your comments to help us improve this solution.

  *This form is an automated system. General questions, technical, sales and product-related issues submitted through this form will not be answered.

Connect with us on