SANS ISC: A Worm Triggering Autolock - Another Sighting of W32.Downadup? - SANS Internet Storm Center SANS ISC InfoSec Forums

A Worm Triggering Autolock - Another Sighting of W32.Downadup?

An ISC reader asked us about reports of malware that's locking user accounts. According to several media reports (1, 2), a "virus" affected computers of the Vancouver School Board (VSB) on January 7. The most noticeable effect of the infection was user accounts getting locked. The district's staff were told not to turn on their computers to curtail the spread of the malware.

VSB seems to consider the worm a simple nuisance. However, the observed lockouts might be a side effect of an infection capable of other threats. A worm might inadvertently trigger an auto-lockout defense when attempting to brute-force passwords. That might be the reason for the denial of service condition observed by VSB.

Though we received no other reports of this infection, its effects are reminiscent of the W32.Downadup worm we described in a December 31 diary. The worm spread by exploiting the RPC vulnerability (MS08-067). It also attempted to brute-force user passwords when connecting to the ADMIN$ share of systems on the local network. However, we have no additional information about the VSB incident, so we cannot confirm whether VSB's infection is, indeed, tied to W32.Downadup.

-- Lenny

Lenny Zeltser
Security Consulting - Savvis, Inc.

Lenny teaches a SANS course on analyzing malware.


216 Posts
Jan 9th 2009
We have indeed seen a number of newer Win32.Downadup issues over the past 3 weeks. We have submitted to Symantec for review. It looks like it might be a newer variant. We are finding that it is attempting to install itself as a service, generally with a 6 or 7 character name which seems to be random. Removal is pretty straightforward: generally you can find the offending service in HKLM\System\CurrentControlSet\Services\'random service name'; the offending file can be found in the image path value in the sub-keys. We have seen it as both a dll and an exe file. You will generally find the same entries in the CurrentControlSet001 - 003. The second set of entries are located in HKLM\System\CurrentControlSet\Enum\Root\LEGACY_'random service name'; check for image paths here also. Once again these can be found in the CurrentControlSet001-003 keys. You will need to regedt32 and give yourself permissions on the LEGACY_blah keys to delete them.

We found that Symantec was able to detect the offending file if you set the service to manual and restart the box and start the service manually (please don't do this on your production network while connected!). Symantec will catch the file. But it will not catch it on a normal machine restart.
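
The registry check described in the comment above can be run offline against an exported copy of HKLM\SYSTEM. The following is an added example, not code from the commenter or from SANS ISC. It assumes the input is the already decoded text of a regedit/`reg export` file and that `baseline` holds service names from a known-clean build, which is needed because legitimate services can also have 6 or 7 character names. The function names, the alphanumeric-name filter and the sample data are constructed for illustration.

```python
import re

# Keys named in the comment: Services\<name> and Enum\Root\LEGACY_<name>,
# under CurrentControlSet and the numbered control sets.
KEY_RE = re.compile(
    r"\[HKEY_LOCAL_MACHINE\\SYSTEM\\(?:Current)?ControlSet(?:\d{3})?\\"
    r"(?:Services\\|Enum\\Root\\LEGACY_)([^\\\]]+)(?:\\[^\]]*)?\]", re.I)

def decode_value(data):
    """Decode .reg data: a quoted REG_SZ or a hex(2): REG_EXPAND_SZ."""
    if data.startswith("hex(2):"):
        raw = bytes(int(b, 16) for b in data[7:].split(",") if b.strip())
        return raw.decode("utf-16-le").rstrip("\x00")
    return data.strip('"').replace("\\\\", "\\")

def review_candidates(reg_text, baseline):
    """Map each 6-7 character service name missing from `baseline` to the
    keys it appears under and any ImagePath data found in those keys."""
    known = {n.lower() for n in baseline}
    text = re.sub(r"\\\r?\n\s*", "", reg_text)  # join hex continuation lines
    hits, entry = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("["):
            m = KEY_RE.fullmatch(line)
            name = m.group(1).lower() if m else ""
            entry = None
            # Assumption: the "random" names are purely alphanumeric.
            if name.isalnum() and len(name) in (6, 7) and name not in known:
                entry = hits.setdefault(name, {"keys": [], "image_paths": []})
                entry["keys"].append(line[1:-1])
        elif entry is not None and line.lower().startswith('"imagepath"='):
            entry["image_paths"].append(decode_value(line.split("=", 1)[1]))
    return hits

# Constructed sample export (not from a real host); "qzkvtw" is a made-up name.
SAMPLE = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"ImagePath"="C:\\WINDOWS\\system32\\spoolsv.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\qzkvtw]
"ImagePath"=hex(2):43,00,3a,00,5c,00,78,00,2e,00,64,00,\
  6c,00,6c,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\qzkvtw]
"ImagePath"="C:\\x.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_QZKVTW\0000]
"Service"="qzkvtw"
"""

if __name__ == "__main__":
    print(review_candidates(SAMPLE, {"Spooler"}))
```

Every name returned is a candidate for manual review, not a confirmed infection; the listed keys show which control sets and LEGACY_ entries still reference it.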


