W32.Downadup
What is W32.Downadup?
W32.Downadup is a fast-spreading worm that commonly propagates by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability. W32.Downadup will also pull other malicious files from internet and capable of disabling antivirus applications on the infected computer. It will further infect a computer by modifying Windows registry and deletes the Restore Points created by the user.
| Type | Worm |
| Sub-Type | Downloader |
| Aliases | Win32/Conficker.A, W32/Downadup.A, Conficker.A, Net-Worm.Win32.Kido.bt, WORM_DOWNAD.AP, W32/Conficker |
| OS Affected | Windows |
| Detected By | Symantec |
What W32.Downadup Does?
It will modify Windows Registry and add the following entry:
- HKEY_LOCAL_MACHINE\SYSTEM\Current ControlSet\Services\netsvcs\Parameters\”ServiceDll” = “[PathToWorm]“
The threat will create the following malicious file:
- %System%\[RANDOM FILE NAME].dll
The worm will create the service:
Name: netsvcs
ImagePath: %SystemRoot%\\system32\\svchost.exe -k netsvcs
How to Remove W32.Downadup Manually
1. Restart your computer in SafeMode
- After Power-On the computer, just before Windows start, press F8
- From the selections, Select SafeMode
2. Remove Registry entry that the threat added. You MUST BACKUP YOUR REGISTRY FIRST.
- Click Start > Run
- Type in the field, regedit
- Navigate and look for the registry entry mentioned above and delete if necessary
3. Delete malicious file that the threat added:
- Base on the given location above, browse and delete the file
- If no location is given, click Start>Search> and search for the file.
- If cannot be deleted, press Ctrl+Alt+Del to access Task Manager, see if the file is running in the process. If it is, select the file and click End Process. Perform file delete again.
Automatic Removal of W32.Downadup
1. Download and run the W32.Downadup Removal Tool by Symantec. Click here
