
Discovered: December 30, 2008
Updated: March 24, 2009 12:05:35 PM
Also Known As: Worm:W32/Downadup.AL [F-Secure], Win32/Conficker.B [Computer Associates], W32/Confick-D [Sophos], WORM_DOWNAD.AD [Trend], NetWorm.Win32.Kido.ih [Kaspersky], Conficker.D [Panda Software]
Type: Worm
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000
CVE References: CVE-2008-4250

W32.Downadup.B is a worm that spreads by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (BID 31874). It also attempts to spread to network shares protected by weak passwords and blocks access to security-related Web sites.

Note: For more information, please see the following resource: W32.Downadup

Antivirus Protection Dates

- Initial Rapid Release version: December 30, 2008 revision 021
- Latest Rapid Release version: December 27, 2011 revision 007
- Initial Daily Certified version: December 30, 2008 revision 024
- Latest Daily Certified version: December 27, 2011 revision 017
- Initial Weekly Certified release date: December 31, 2008

Threat Assessment

Wild
- Wild Level: Medium
- Number of Infections: 1000+
- Number of Sites: 10+
- Geographical Distribution: Medium
- Threat Containment: Moderate
- Removal: Moderate

Damage
- Damage Level: Medium
- Modifies Files: Modifies the tcpip.sys file.

Distribution
- Distribution Level: Medium
- Shared Drives: Attempts to spread to network shares protected by weak passwords.
- Target of Infection: Spreads by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (BID 31874)

Writeup By: Sean Kiernan

Technical Details

Once executed, the worm checks for the presence of the following registry entries and, if they are not present, creates them:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\"dl" = "0"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\"dl" = "0"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\"ds" = "0"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\"ds" = "0"

It then copies itself as one or more of the following files:
- %ProgramFiles%\Internet Explorer\[RANDOM FILE NAME].dll
- %ProgramFiles%\Movie Maker\[RANDOM FILE NAME].dll
- %System%\[RANDOM FILE NAME].dll
- %Temp%\[RANDOM FILE NAME].dll
- C:\Documents and Settings\All Users\Application Data\[RANDOM FILE NAME].dll

It creates a new service with the following characteristics:
Service Name: [PATH TO WORM]
Display Name: [WORM GENERATED SERVICE NAME]
Startup Type: Automatic

Next, it registers as a service by creating the following registry entries:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[WORM GENERATED SERVICE NAME]\Parameters\"ServiceDll" = "[PATH TO WORM]"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[WORM GENERATED SERVICE NAME]\"ImagePath" = %SystemRoot%\system32\svchost.exe -k netsvcs
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[WORM GENERATED SERVICE NAME]\"Type" = "4"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[WORM GENERATED SERVICE NAME]\"Start" = "4"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[WORM GENERATED SERVICE NAME]\"ErrorControl" = "4"

The worm then modifies the following file in order to disable the half-open connections limit introduced with Windows XP SP2:
%System%\drivers\tcpip.sys

It also attempts to hide itself on the system by modifying the following registry value:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL\"CheckedValue" = "0"

Note: [WORM GENERATED SERVICE NAME] represents a two-word combination taken from the following list of words:
- Boot
- Center
- Config
- Driver
- Helper
- Image
- Installer
- Manager
- Microsoft
- Monitor
- Network
- Security
- Server
- Shell
- Support
- System
- Task
- Time
- Universal
- Update
- Windows

The worm creates the following registry entry so that it runs every time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[RANDOM NAME]" = "rundll32.exe "[RANDOM FILE NAME].dll", ydmmgvos"

Next, the worm deletes any System Restore points created by the user.

The worm then runs a command that disables Windows Vista TCP/IP auto-tuning; this speeds up network access on the compromised computer so that the worm can spread more rapidly.

The worm also modifies the following registry entry so that it spreads more rapidly across a network:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\"TcpNumConnections" = "00FFFFFE"

Next, the worm stops both of the following Windows services:
- Background Intelligent Transfer Service (BITS)
- Windows Automatic Update Service (wuauserv)
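A host-side triage check, added here as an example and not part of the Symantec writeup or its removal tool: it runs over a constructed snapshot of the registry values and services described above (the Applets markers, the netsvcs service with a two-word name, the SHOWALL and TcpNumConnections changes, the rundll32 Run entry, and the stopped BITS/wuauserv services) and lists the indicators that match. The snapshot layout, the helper names and all sample values are assumptions of this example.

```python
import re

# Vocabulary from the writeup: [WORM GENERATED SERVICE NAME] is two of these words.
SERVICE_WORDS = ["Boot", "Center", "Config", "Driver", "Helper", "Image",
                 "Installer", "Manager", "Microsoft", "Monitor", "Network",
                 "Security", "Server", "Shell", "Support", "System", "Task",
                 "Time", "Universal", "Update", "Windows"]
_ALT = "|".join(SERVICE_WORDS)
_TWO_WORD_RE = re.compile(rf"^(?:{_ALT}) ?(?:{_ALT})$")

# Directories the worm drops its randomly named DLL into (writeup placeholders,
# lower-cased; the constructed snapshot below uses the same placeholders).
DROP_DIRS = (r"%programfiles%\internet explorer", r"%programfiles%\movie maker",
             r"%system%", r"%temp%",
             r"c:\documents and settings\all users\application data")

# Fixed registry values the worm writes: (key, value name, data).
STATIC_VALUES = [
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets", "dl", "0"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets", "ds", "0"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets", "dl", "0"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets", "ds", "0"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer"
     r"\Advanced\Folder\Hidden\SHOWALL", "CheckedValue", "0"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters",
     "TcpNumConnections", "00FFFFFE"),
]
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
# Run value data: rundll32.exe "[RANDOM FILE NAME].dll", ydmmgvos
_RUN_RE = re.compile(r'^rundll32\.exe\s+"?[^"\s]+\.dll"?,\s*ydmmgvos$', re.IGNORECASE)
STOPPED_BY_WORM = {"bits", "wuauserv"}


def is_worm_style_service_name(name):
    """True when the service key name is two words from SERVICE_WORDS (space optional)."""
    return _TWO_WORD_RE.match(name) is not None


def _norm(text):
    return text.strip().lower()


def check_registry(values):
    """values: {(key, value_name): data} with string data. Returns matching indicators."""
    lookup = {(_norm(k), _norm(n)): _norm(d) for (k, n), d in values.items()}
    hits = [f"registry: {key}\\{name} = {data}"
            for key, name, data in STATIC_VALUES
            if lookup.get((_norm(key), _norm(name))) == _norm(data)]
    for (key, name), data in lookup.items():
        if key == _norm(RUN_KEY) and _RUN_RE.match(data):
            hits.append(f"run entry: {name} -> {data}")
    return hits


def check_services(services):
    """services: list of {"key", "ImagePath", "ServiceDll"} dicts (constructed layout)."""
    hits = []
    for svc in services:
        name = svc.get("key", "")
        image = _norm(svc.get("ImagePath", ""))
        dll = _norm(svc.get("ServiceDll", ""))
        dll_dir = dll.rsplit("\\", 1)[0] if "\\" in dll else ""
        if (is_worm_style_service_name(name) and "svchost.exe -k netsvcs" in image
                and dll.endswith(".dll") and dll_dir in DROP_DIRS):
            hits.append(f"service: {name} loads {svc['ServiceDll']} via netsvcs")
    return hits


def check_stopped(stopped_services):
    """Flag the two services the worm stops (BITS and Windows Automatic Update)."""
    return [f"stopped: {s}" for s in stopped_services if _norm(s) in STOPPED_BY_WORM]


def triage(snapshot):
    """Combine all checks over one host snapshot; an empty list means nothing matched."""
    return (check_registry(snapshot.get("registry", {}))
            + check_services(snapshot.get("services", []))
            + check_stopped(snapshot.get("stopped_services", [])))


# Constructed snapshot (not from a real host): worm artifacts mixed with benign entries.
SAMPLE_SNAPSHOT = {
    "registry": {
        (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets", "dl"): "0",
        (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer"
         r"\Advanced\Folder\Hidden\SHOWALL", "CheckedValue"): "0",
        (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters",
         "TcpNumConnections"): "00FFFFFE",
        (RUN_KEY, "qzvhwx"): 'rundll32.exe "qzvhwx.dll", ydmmgvos',
        (RUN_KEY, "ctfmon.exe"): r"C:\WINDOWS\system32\ctfmon.exe",
    },
    "services": [
        {"key": "ImageConfig", "ImagePath": r"%SystemRoot%\system32\svchost.exe -k netsvcs",
         "ServiceDll": r"%System%\jqkzvc.dll"},
        {"key": "Schedule", "ImagePath": r"%SystemRoot%\System32\svchost.exe -k netsvcs",
         "ServiceDll": r"%SystemRoot%\system32\schedsvc.dll"},
    ],
    "stopped_services": ["wuauserv", "Spooler"],
}

if __name__ == "__main__":
    for finding in triage(SAMPLE_SNAPSHOT):
        print(finding)
```

The Applets markers on their own are weak evidence; the service and Run-entry matches are the findings worth acting on.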

Next, the worm enumerates available ADMIN$ network shares. It then enumerates the users for those shares and attempts to establish a connection as an existing user, with one of the following passwords:
- 000
- 0000
- 00000
- 0000000
- 00000000
- 0987654321
- 111
- 1111
- 11111
- 111111
- 1111111
- 11111111
- 123
- 123123
- 12321
- 123321
- 1234
- 12345
- 123456
- 1234567
- 12345678
- 123456789
- 1234567890
- 1234abcd
- 1234qwer
- 123abc
- 123asd
- 123qwe
- 1q2w3e
- 222
- 2222
- 22222
- 222222
- 2222222
- 22222222
- 321
- 333
- 3333
- 33333
- 333333
- 3333333
- 33333333
- 4321
- 444
- 4444
- 44444
- 444444
- 4444444
- 44444444
- 54321
- 555
- 5555
- 55555
- 555555
- 5555555
- 55555555
- 654321
- 666
- 6666
- 66666
- 666666
- 6666666
- 66666666
- 7654321
- 777
- 7777
- 77777
- 777777
- 7777777
- 77777777
- 87654321
- 888
- 8888
- 88888
- 888888
- 8888888
- 88888888
- 987654321
- 999
- 9999
- 99999
- 999999
- 9999999
- 99999999
- a1b2c3
- aaa
- aaaa
- aaaaa
- abc123
- academia
- access
- account
- Admin
- admin
- admin1
- admin12
- admin123
- adminadmin
- administrator
- anything
- asddsa
- asdfgh
- asdsa
- asdzxc
- backup
- boss123
- business
- campus
- changeme
- cluster
- codename
- codeword
- coffee
- computer
- controller
- cookie
- customer
- database
- default
- desktop
- domain
- example
- exchange
- explorer
- file
- files
- foo
- foobar
- foofoo
- forever
- freedom
- fuck
- games
- home
- home123
- ihavenopass
- Internet
- internet
- intranet
- job
- killer
- letitbe
- letmein
- login
- Login
- lotus
- love123
- manager
- market
- money
- monitor
- mypass
- mypassword
- mypc123
- nimda
- nobody
- nopass
- nopassword
- nothing
- office
- oracle
- owner
- pass
- pass1
- pass12
- pass123
- passwd
- password
- Password
- password1
- password12
- password123
- private
- public
- pw123
- q1w2e3
- qazwsx
- qazwsxedc
- qqq
- qqqq
- qqqqq
- qwe123
- qweasd
- qweasdzxc
- qweewq
- qwerty
- qwewq
- root
- root123
- rootroot
- sample
- secret
- secure
- security
- server
- shadow
- share
- sql
- student
- super
- superuser
- supervisor
- system
- temp
- temp123
- temporary
- temptemp
- test
- test123
- testtest
- unknown
- web
- windows
- work
- work123
- xxx
- xxxx
- xxxxx
- zxccxz
- zxcvb
- zxcvbn
- zxcxz
- zzz
- zzzz
- zzzzz

Note: Depending on the account lockout settings, multiple authentication attempts by the worm may result in those accounts becoming locked out.

If successful, the worm copies itself to the share as the following file:
[SHARE NAME]\ADMIN$\System32\[RANDOM FILE NAME].dll

It then creates a scheduled job on the remote server to run daily, consisting of the following command:
"rundll32.exe [RANDOM FILE NAME].dll, [RANDOM PARAMETER STRING]"

Next, the worm connects to the following URLs to obtain the IP address of the compromised computer:
- [http://]www.getmyip.org
- [http://]www.whatsmyipaddress.com
- [http://]getmyip.co.uk
- [http://]checkip.dyndns.org

The worm creates a firewall rule on the local network gateway device that allows remote attackers to connect to and download from the compromised computer's external IP address through a random port.

The worm then creates an HTTP server on the compromised computer on a random port in the following format: http://[COMPROMISED COMPUTER EXTERNAL IP ADDRESS]:[RANDOM PORT]

It then sends this URL to remote computers.

The worm then attempts to spread by exploiting the following vulnerability so that remote computers will connect to the above named URL and download the worm: Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (BID 31874)

The worm then attempts to copy itself to any accessible mapped drive as the following file: %DriveLetter%\RECYCLER\S-%d-%d-%d-%d%d%d-%d%d%d-%d%d%d%d\[RANDOM FILE NAME].dll

The worm also attempts to create the following file on any accessible mapped drive so that it executes whenever the drive is accessed: %DriveLetter%\autorun.inf

It also monitors the compromised computer for any additional new drives and then attempts to infect any newly added drives in the same way.

The worm hooks a number of Windows API calls in order to spread and to make removal more difficult.

The worm also hooks the NetpwPathCanonicalize API. When it is called, the worm checks the length of PathName so that the vulnerability is not exploited again on the already-compromised computer. If the PathName contains a signature that the worm itself originally uses, the PathName may also contain an encrypted URL from which the worm may download a file and execute it.

The worm patches the following APIs in memory:
- DNS_Query_A
- DNS_Query_UTF8
- DNS_Query_W
- Query_Main
- sendto

The worm monitors DNS requests to domains containing any of the following strings and blocks access to these domains so that it appears that the network request timed out:
- ahnlab
- arcabit
- avast
- avg.
- avira
- avp.
- bit9.
- ca.
- castlecops
- centralcommand
- cert.
- clamav
- comodo
- computerassociates
- cpsecure
- defender
- drweb
- emsisoft
- esafe
- eset
- etrust
- ewido
- f-prot
- f-secure
- fortinet
- gdata
- grisoft
- hacksoft
- hauri
- ikarus
- jotti
- k7computing
- kaspersky
- malware
- mcafee
- microsoft
- nai.
- networkassociates
- nod32
- norman
- norton
- panda
- pctools
- prevx
- quickheal
- rising
- rootkit
- sans.
- securecomputing
- sophos
- spamhaus
- spyware
- sunbelt
- symantec
- threatexpert
- trendmicro
- vet.
- virus
- wilderssecurity
- windowsupdate

It contacts one of the following sites to get the current date:
- baidu.com
- google.com
- yahoo.com
- msn.com
- ask.com
- w3.org
- aol.com
- cnn.com
- ebay.com
- msn.com
- myspace.com

It then checks to see whether the date on the compromised computer is on or after January 1, 2009.

The worm will then generate a list of domain names based upon this date in the following format: [GENERATED DOMAIN NAME].[TOP LEVEL DOMAIN]

Note: [TOP LEVEL DOMAIN] represents the following top level domains:
- .biz
- .info
- .org
- .net
- .com
- .ws
- .cn
- .cc

Note: [GENERATED DOMAIN NAME] represents the domain names created by the worm; the writeup gives an example list of the domain names generated for January 1, 2009.

The worm then contacts the following remote location based on the domain names generated: http://[GENERATED DOMAIN NAME].[TOP LEVEL DOMAIN]/search?q=%d

It will then download an updated copy of itself from the above remote location.
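A network-side detection, added here as an example and not part of the Symantec writeup: it scans constructed proxy-log lines for the two outbound behaviours described above, requests to the four IP-lookup sites and requests in the http://[GENERATED DOMAIN NAME].[TOP LEVEL DOMAIN]/search?q=%d form under the eight listed TLDs, and reports clients that show both. The log layout, the function names and the sample traffic are assumptions of this example; the two generated domains in the sample come from the writeup's January 1, 2009 list.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Sites the worm queries to learn the compromised computer's external IP address.
IP_LOOKUP_HOSTS = {"www.getmyip.org", "www.whatsmyipaddress.com",
                   "getmyip.co.uk", "checkip.dyndns.org"}
# Top-level domains used for the generated update domains.
DGA_TLDS = {"biz", "info", "org", "net", "com", "ws", "cn", "cc"}
# http://[GENERATED DOMAIN NAME].[TOP LEVEL DOMAIN]/search?q=%d : a single
# letters-only label (the writeup's sample domains are all lowercase letters)
# directly under one of the listed TLDs, and a purely numeric q= value.
_DGA_HOST_RE = re.compile(r"^[a-z]+\.([a-z]+)$")
_DGA_QUERY_RE = re.compile(r"^q=\d+$")
# Constructed proxy-log layout for this example: "<time> <client> <method> <url> <status>".
_LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def classify_url(url):
    """Return "ip-lookup", "dga-update-url", or None for one requested URL."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if host in IP_LOOKUP_HOSTS:
        return "ip-lookup"
    m = _DGA_HOST_RE.match(host)
    if (m and m.group(1) in DGA_TLDS and parts.path == "/search"
            and _DGA_QUERY_RE.match(parts.query)):
        return "dga-update-url"
    return None


def scan_proxy_log(lines):
    """Count indicator hits per client address; unparseable lines are skipped."""
    per_client = defaultdict(lambda: {"ip-lookup": 0, "dga-update-url": 0})
    for line in lines:
        m = _LOG_RE.match(line.strip())
        if not m:
            continue
        _, client, _method, url, _status = m.groups()
        label = classify_url(url)
        if label:
            per_client[client][label] += 1
    return dict(per_client)


def suspected_hosts(summary):
    """Clients that both looked up their external IP and requested a DGA-style URL.

    A lone /search?q=<number> hit on a short two-label domain can be benign, so
    the IP-lookup request is required as corroboration.
    """
    return sorted(client for client, counts in summary.items()
                  if counts["ip-lookup"] and counts["dga-update-url"])


# Constructed log lines (not real traffic). The q= value is an arbitrary number.
SAMPLE_LOG = [
    "2009-01-01T10:02:11 10.0.0.17 GET http://checkip.dyndns.org/ 200",
    "2009-01-01T10:02:13 10.0.0.17 GET http://aaidhe.net/search?q=1230804131 404",
    "2009-01-01T10:02:14 10.0.0.17 GET http://amzohx.ws/search?q=1230804131 404",
    "2009-01-01T10:03:00 10.0.0.42 GET http://www.google.com/search?q=conficker+removal 200",
    "2009-01-01T10:03:05 10.0.0.42 GET http://www.example.org/search?q=12345 200",
    "2009-01-01T10:04:00 10.0.0.99 GET http://getmyip.co.uk/ 200",
    "malformed line that the parser must skip",
]

if __name__ == "__main__":
    summary = scan_proxy_log(SAMPLE_LOG)
    for client, counts in sorted(summary.items()):
        print(client, counts)
    print("suspected:", suspected_hosts(summary))
```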

The worm may also receive and execute files through a peer-to-peer mechanism by communicating with other compromised computers. These files would need to be seeded into the network of worms by the malware author.

Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":
- Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
- Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
- Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
- Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
- Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
- Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have fewer avenues of attack.
- If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
- Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
- Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
- Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
- Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
- If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
- For further information on the terms used in this document, please refer to the Security Response glossary.

You may have arrived at this page either because you have been alerted by your Symantec product about this risk, or you are concerned that your computer has been affected by this risk. Before proceeding further we recommend that you run a full system scan. If that does not resolve the problem you can try one of the options available below.

FOR NORTON USERS
If you are a Norton product user, we recommend you try the following resources to remove this risk.

Removal Tool
- Run Norton Power Eraser (NPE)
- Norton Power Eraser did not remove this risk

If you have an infected Windows system file, you may need to replace it using the Windows installation CD.

How to reduce the risk of infection
The following resources provide further information and best practices to help reduce the risk of infection.
- Operating system updates to fix vulnerabilities
- File sharing protection
- Disable Autorun (CD/USB)
- Best practices for instant messaging
- Best practices for browsing the Web
- Best practices for email

FOR BUSINESS USERS
If you are a Symantec business product user, we recommend you try the following resources to remove this risk.

Removal Tool
- Run the Symantec Power Eraser with the Symantec Endpoint Protection Support Tool
- Symantec Power Eraser Overview
- Symantec Power Eraser User Guide

If you have an infected Windows system file, you may need to replace it using the Windows installation CD.

Identifying and submitting suspect files
Submitting suspicious files to Symantec allows us to ensure that our protection capabilities keep up with the ever-changing threat landscape. Submitted files are analyzed by Symantec Security Response and, where necessary, updated definitions are immediately distributed through LiveUpdate to all Symantec end points. This ensures that other computers nearby are protected from attack. The following resources may help in identifying suspicious files for submission to Symantec.
- Locate a sample of a threat
- Submit a suspicious file to Symantec

How to reduce the risk of infection
The following resource provides further information and best practices to help reduce the risk of infection.
- Protecting your business network

MANUAL REMOVAL
The following instructions pertain to all current Symantec antivirus products.

1. Performing a full system scan
How to run a full system scan using your Symantec product

2. Restoring settings in the registry
Many risks make modifications to the registry, which could impact the functionality or performance of the compromised computer. While many of these modifications can be restored through various Windows components, it may be necessary to edit the registry. See the Technical Details section of this writeup for information about which registry keys were created or modified. Delete registry subkeys and entries created by the risk and return all modified registry entries to their previous values.

Discovered: January 13, 2009
Type: Removal Information

This tool is designed to remove the infections of:
- W32.Downadup
- W32.Downadup.B
- W32.Downadup.C

Important:
- If you are on a network or have a full-time connection to the Internet, such as a DSL or cable modem, disconnect the computer from the network and Internet. Disable or password-protect file sharing, or set the shared files to Read Only, before reconnecting the computers to the network or to the Internet. Because this worm spreads by using shared folders on networked computers, to ensure that the worm does not reinfect the computer after it has been removed, Symantec suggests sharing with Read Only access or by using password protection. For instructions on how to do this, refer to your Windows documentation, or the document: How to configure shared Windows folders for maximum network protection. For further information on the vulnerability and patches to resolve it, please refer to the following document: Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability
- If you are removing an infection from a network, first make sure that all the shares are disabled or set to Read Only.
- This tool is not designed to run on Novell NetWare servers. To remove this threat from a NetWare server, first make sure that you have the current virus definitions, and then run a full system scan with the Symantec antivirus product.

How to download and run the tool
Important: You must have administrative rights to run this tool on Windows NT 4.0, Windows 2000, or Windows XP.

Note for network administrators: If you are running MS Exchange 2000 Server, we recommend that you exclude the M drive from the scan by running the tool from a command line, with the Exclude switch. For more information, read the Microsoft knowledge base article: XADM: Do Not Back Up or Scan Exchange 2000 Drive M (Article 298924).

Follow these steps to download and run the tool:
1. Download the D.exe file from: http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/D.exe
2. Save the file to a convenient location, such as your Windows desktop.
3. Optional: To check the authenticity of the digital signature, refer to the "Digital signature" section later in this writeup.

Note: If you are sure that you are downloading this tool from the Security Response Web site, you can skip this step. If you are not sure, or are a network administrator and need to authenticate the files before deployment, follow the steps in the "Digital signature" section before proceeding with step 4.

4. Close all the running programs.
5. If you are on a network or if you have a full-time connection to the Internet, disconnect the computer from the network and the Internet.
6. If you are running Windows Me or XP, turn off System Restore. For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles:
   - How to disable or enable Windows Me System Restore
   - How to turn off or turn on Windows XP System Restore
7. Locate the file that you just downloaded.
8. Double-click the D.exe file to start the removal tool.
9. Click Start to begin the process, and then allow the tool to run.

NOTE: If you have any problems when you run the tool, or it does not appear to remove the threat, restart the computer in Safe mode and run the tool again.

10. Restart the computer.
11. Run the removal tool again to ensure that the system is clean.
12. If you are running Windows Me/XP, then reenable System Restore.
13. If you are on a network or if you have a full-time connection to the Internet, reconnect the computer to the network or to the Internet connection.
14. Run LiveUpdate to make sure that you are using the most current virus definitions.

When the tool has finished running, you will see a message indicating whether the threat has infected the computer. The tool displays results similar to the following:
- Total number of the scanned files
- Number of deleted files
- Number of repaired files
- Number of terminated viral processes
- Number of fixed registry entries

What the tool does
The Removal Tool does the following:
- Terminates the associated processes
- Deletes the associated files
- Deletes the registry values added by the threat

Switches
The following switches are designed for use by network administrators:
- /HELP, /H, /?: Displays the help message.
- /NOFIXREG: Disables the registry repair (We do not recommend using this switch).
- /SILENT, /S: Enables the silent mode.
- /LOG=[PATH NAME]: Creates a log file where [PATH NAME] is the location in which to store the tool's output. By default, this switch creates the log file, FixDwndp.log, in the same folder from which the removal tool was executed.
- /MAPPED: Scans the mapped network drives. (We do not recommend using this switch. See the following Note.)
- /START: Forces the tool to immediately start scanning.
- /EXCLUDE=[PATH]: Excludes the specified [PATH] from scanning. (We do not recommend using this switch. See the following Note.)
- /NOCANCEL: Disables the cancel feature of the removal tool.
- /NOFILESCAN: Prevents the scanning of the file system.
- /NOVULNCHECK: Disables checking for unpatched files.

Important: Using the /MAPPED switch does not ensure the complete removal of the virus on the remote computer, because:
- The scanning of mapped drives scans only the mapped folders. This may not include all the folders on the remote computer, which can lead to missed detections.
- If a viral file is detected on the mapped drive, the removal will fail if a program on the remote computer uses this file.
Therefore, you should run the tool on every computer.

The /EXCLUDE switch will only work with one path, not multiple. An alternative is the /NOFILESCAN switch followed by a manual scan with AntiVirus. This will let the tool alter the registry. Then, scan the computer with AntiVirus with current virus definitions. With these steps, you should be able to clean the file system.

The following is an example command line that can be used to exclude a single drive:
"C:\Documents and Settings\user1\Desktop\D.exe" /EXCLUDE=M:\ /LOG=c:\FixDwndp.txt

Alternatively, the command line below will skip scanning the file system, but will repair the registry modifications. Then, run a regular scan of the system with proper exclusions:
"C:\Documents and Settings\user1\Desktop\D.exe" /NOFILESCAN /LOG=c:\FixDwndp.txt

Note: You can give the log file any name and save it to any location.

Digital signature
For security purposes, the removal tool is digitally signed. Symantec recommends that you use only copies of the removal tool that have been directly downloaded from the Symantec Security Response Web site. If you are not sure, or are a network administrator and need to authenticate files before deployment, you should check the authenticity of the digital signature.

Follow these steps:
1. Go to http://www.wmsoftware.com/free.htm.
2. Download and save the Chktrust.exe file to the same folder in which you saved the removal tool.

Note: Most of the following steps are done at a command prompt. If you downloaded the removal tool to the Windows desktop, it will be easier if you first move the tool to the root of the C drive. Then save the Chktrust.exe file to the root of C as well. (The steps from step 3 onward assume that both the removal tool and Chktrust.exe are in the root of the C drive.)

3. Click Start > Run.
4. Type one of the following:
   - Windows 95/98/Me: command
   - Windows NT/2000/XP: cmd
5. Click OK.
6. In the command window, type the following, pressing Enter after typing each line:
   cd\
   cd downloads
   chktrust -i D.exe
7. You should see one of the following messages, depending on your operating system:
   - Windows XP SP2: The Trust Validation Utility window will appear. Under Publisher, click the Symantec Corporation link. The Digital Signature Details appears. Verify the contents of the following fields to ensure that the tool is authentic:
     Name: Symantec Corporation
     Signing Time: 05/02/2009 08:25:37 AM
   - All other operating systems: You should see the following message:
     Do you want to install and run "D.exe" signed on May 2, 2009 8:25:37 AM and distributed by Symantec Corporation?

   Notes: The date and time in the digital signature above are based on Pacific time. They will be adjusted to your computer's time zone and Regional Options settings. If you are using Daylight Saving time, the displayed time will be exactly one hour earlier.

   If this dialog box does not appear, there are two possible reasons:
   - The tool is not from Symantec: Unless you are sure that the tool is legitimate and that you downloaded it from the legitimate Symantec Web site, you should not run it.
   - The tool is from Symantec and is legitimate: However, your operating system was previously instructed to always trust content from Symantec. For information on this and on how to view the confirmation dialog again, read the document: How to restore the Publisher Authenticity confirmation dialog box.
8. Click Yes or Run to close the dialog box.
9. Type exit, and then press Enter. (This will close the MS-DOS session.)