Cleaning WORM_DOWNAD malware with OfficeScan or ServerProtect

Problem Description

WORM_DOWNAD causes the following unauthorized behavior:

Connects to various time servers to determine the current date and time
Registers itself as a system service to ensure auto execution every startup
Deletes a registry key to prevent system startup in safe mode
Terminates security-related processes (i.e. procexp, regmon, autoruns, gmer etc.)
Blocks access to security and antivirus websites
Generates 50,000 malicious URLs and attempts to connect to around 500 random generated URLs at a time
Disables services, such as Windows Automatic Update Service (wuauserv)
Causes high traffic on affected system's port 445 upon successful exploitation
Creates [random filename].dll and autorun.inf in all mapped drives
Creates [random filename].dll and autorun.inf on Internet Explorer and movie maker folder under the program files directory
Hides hidden files in Folder Options
Attempts to connect to several URLs to download a file that indicates the location of the affected system
Users cannot login using their windows credentials because it is locked out

Please do the following:

OfficeScan 8.0 and 10/10.5

Apply Microsoft Security Patch MS08-67.
Update now to ensure that you have the latest components.
- Latest virus pattern file (lpt$vpn.xxx)
- Rootkit Common Module (RCM) 2.2 and above
- GeneriClean Technology
- Note: To enable GeneriClean for OfficeScan 8.0 manual scan, you need to apply Trend Micro OfficeScan 8.0 Service Pack 1 or later on your OfficeScan server.
- To enabled GeneriClean for OfficeScan 10, follow the procedure in this Knowledge Base article: Configuring OfficeScan 10.x for generic detection
- Damage Cleanup Template (DCT) 1020 and above
- Damage Cleanup Engine (DCE) 6.0.1172
- Scan engine (VSAPI) 8.911
Once all the update components are up-to-date, perform a scan now from the OfficeScan server.
Machines that are infected with WORM_DOWNAD require reboot to be completely cleaned.

OfficeScan 7.x

Apply Microsoft Security Patch MS08-67.
- Update now to ensure that you have the latest components.
- Latest virus pattern file (lpt$vpn.xxx)
- GeneriClean Technology
- Damage Cleanup Template (DCT) 1020 and above
- Damage Cleanup Engine (DCE) 6.0.1172
- Scan engine (VSAPI) 8.9113
  
  Note: If you are not using VSAPI 8.913, download and install it now. For instructions, refer to this solution: Performing a manual update or rollback of the OfficeScan engine.
Once all the update components are up-to-date, perform a scan now from the OfficeScan server.
Machines that are infected with WORM_DOWNAD require reboot to be completely cleaned.

ServerProtect for Windows (SPNT) 5.x

Apply Microsoft Security Patch MS08-67.
Update now to ensure you have the latest components:
1. latest pattern file (lpt$vpn)
2. Scan engine (VSAPI) 8.9113
Use the Sysclean tool to clean WORM_DOWNAD. Please contact Trend Micro Technical Support for this package.
Machines that are infected with WORM_DOWNAD require reboot to be completely cleaned.

For more information, click on the following links:

You can also refer to the following file:

Solution ID	Last Updated
1038611	Date : 2012/01/17 Time: 9:53 PM (PST)

Product/Version	Platform
OfficeScan - 10.0, 10.5, 8.0; ServerProtect for Microsoft Windows/Novell Netware - 5.7	Windows - 2000 Advanced Server, 2000 Server, 2003 Enterprise Server, 2003 Standard Server Edition, 7 32-bit, 7 64-bit, Vista 32-bit, XP Professional

Rate this Solution
Did this article help you? Yes No	What was the problem with this solution? Required The video did not play properly. The image(s) in the solution article did not display properly. The solution did not provide detailed procedure. The solution is hard to understand and follow. The solution did not resolve my issue. Others. Please specify. Please provide your comments to help us improve this solution. Required

	*This form is an automated system. General questions, technical, sales and product-related issues submitted through this form will not be answered.


Business Knowledge Base All Support
Advanced Search \| View Search Tips