View Full Version : Updated Variant of the Downadup Worm Identified - BUCHAREST, Romania – April 7, 2009

12th April 2009, 13:36
Remove Conficker from infected computers.

Conficker (or Downadup) is a network worm that takes advantage of vulnerabilities in Windows to spread. Its removal is complicated by the fact that it blocks many known antivirus software and associated websites.

BitDefender Labs has detected a new and more aggressive Conficker version. It spreads using a Windows RPC Server Service vulnerability and is called Win32.Worm.Downadup.Gen.

The new version is more resilient to disinfection. Once the system is compromised, the worm disables Windows Update and blocks access to most of the anti-virus websites in order to hinder the user to disinfect his machine.<br><br>

BitDefender is the first to offer a free tool which disinfects all versions of Downadup. This domain is the first to serve a removal tool without being blocked by the e-threat.

The worm itself is not new, it made its first appearance late November 2008, known under the names Conficker or Kido as well exploiting the vulnerability described in the Microsoft security bulletin MS08-067 (http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx). After successful exploitation it used to install rogue security software on the infected machine.

Download and run the tools provided below to rid your computer or newtork of this e-threat.

{colsp=2} Removes Downadup from a single PC

http://www.disinfecttools.com/media/images/download_icon.jpg | How to remove (http://www.disinfecttools.com/how-to-remove-downadup.php)
Download Now (http://www.disinfecttools.com/download/dcleaner.zip) (.zip - 2.2MB)

Updated Variant of the Downadup Worm Identified in the Wild.
BUCHAREST, Romania – April 7, 2009 – Bitdefender researchers in the Antimalware Labs have identified a new variant of the Downadup / Conficker worm, able to circumvent detection and disinfection using the removal tools created for its previous versions.

In addition to blocking access to any website of antivirus vendors, as well as third-parties offering online scanning services or removal tools, the malicious binary has been updated to refuse users access to http://bdtools.net, BitDefender’s online repository for distributing disinfection and removal tools.
The updated disinfection tools are now available online at www.disinfecttools.com, a domain that is not currently blacklisted on the compromised machines.

"Since the new variant blocks bdtools.net the new recommended domain name is www.disinfecttools.com ( from our preliminary analysis this is not blocked by the malware ),” said Viorel Canja, head of the BitDefender Labs.

All the BitDefender 2009 products detect the worm as Win32.Worm.Downadup.Gen and stop its execution before it is able to perform changes on the system. In order to stay safe while surfing the Web, BitDefender recommends that you install a complete and up-to-date anti-malware software solution.