A new variant of WORM_DOWNAD (aka Conficker) is expected to activate its new routines on April Fools' Day (April 1).
Trend Micro detects this new variant as WORM_DOWNAD.KK, starting with pattern file 5.885.00. More information can be found at http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_DOWNAD.KK&VSect=T.
Compared to the older variants, WORM_DOWNAD.KK is more sophisticated. A few of its notable routines:
- Connects to several public time servers to determine the current date and time, which its date-based domain generation depends on.
- Registers itself as a system service so that it runs automatically at every startup.
- Deletes a registry key so that the system can no longer be started in Safe Mode.
- Terminates security-related processes (e.g. procexp, regmon, autoruns, gmer).
- Blocks access to security and antivirus vendor websites.
- Generates 50,000 pseudo-random domain names per day and attempts to contact around 500 of them at a time to check for updates.
Recommended Actions
- Enable Web Reputation Service.
- Make sure you have the latest virus definitions (at least pattern file 5.885.00).
- Run a FULL system scan to confirm the malware is not already present on your PC.
- Apply MS08-067, the Server service patch; this is the vulnerability the worm exploits to spread across the network.
- Enforce strong passwords; the worm brute-forces weak administrator passwords to reach network shares.
- Disable AutoRun (autorun.inf) for removable devices.
- On file servers, do not share folders to Everyone; grant access to specific accounts only.
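The script below is an added example, not part of the Trend Micro post, that audits a Windows host against the last four recommended actions (MS08-067, Safe Mode tampering, AutoRun, and shares open to Everyone). It assumes an elevated PowerShell 5.1 or later session and the SmbShare module (Windows 8 / Server 2012 or later). KB958644 is the Microsoft KB number for bulletin MS08-067; the NoDriveTypeAutoRun policy value and the SafeBoot registry key are the standard Windows locations for AutoRun and Safe Mode, and taking SafeBoot to be the key the worm deletes is an assumption on my part, not something the post states.

```powershell
# Added example (not from the Trend Micro post): audit a Windows host against the
# recommended actions above. Assumes an elevated PowerShell 5.1 or later session
# and the SmbShare module (Windows 8 / Server 2012 or later). KB958644 is the
# Microsoft KB article number for bulletin MS08-067.

function Test-DownadPosture {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. MS08-067. Windows 7 / Server 2008 R2 (NT 6.1) and later shipped with the
    #    fix built in, so the hotfix is only a separate KB on older builds.
    $osVersion = [System.Environment]::OSVersion.Version
    if ($osVersion -lt [Version]'6.1') {
        if (-not (Get-HotFix -Id 'KB958644' -ErrorAction SilentlyContinue)) {
            $findings.Add('MS08-067 (KB958644) is not installed')
        }
    }

    # 2. AutoRun. NoDriveTypeAutoRun = 0xFF disables AutoRun for every drive type,
    #    which stops an autorun.inf on removable media from launching the worm.
    $explorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $autorun = (Get-ItemProperty -Path $explorerPolicy -Name NoDriveTypeAutoRun `
        -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    if ($autorun -ne 0xFF) {
        $findings.Add("NoDriveTypeAutoRun is '$autorun'; expected 0xFF (255) to disable AutoRun on all drives")
    }

    # 3. Safe Mode. The post says the worm deletes a registry key so the machine
    #    cannot start in Safe Mode. Assumption: the SafeBoot key is the one meant;
    #    Safe Mode cannot start without its Minimal/Network subkeys, so their
    #    absence is a strong indicator of tampering either way.
    foreach ($sub in 'Minimal', 'Network') {
        if (-not (Test-Path "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$sub")) {
            $findings.Add("SafeBoot\$sub registry key is missing; Safe Mode will not start")
        }
    }

    # 4. Shares granted to Everyone. Administrative shares (ADMIN$, C$, IPC$) are
    #    skipped: they are protected by account passwords, which is why the
    #    strong-password item matters. The 'Everyone' name is English-only.
    Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
        $share = $_
        $everyone = Get-SmbShareAccess -Name $share.Name |
            Where-Object { $_.AccountName -eq 'Everyone' -and $_.AccessControlType -eq 'Allow' }
        if ($everyone) {
            $rights = ($everyone | ForEach-Object { $_.AccessRight }) -join ', '
            $findings.Add("Share '$($share.Name)' grants Everyone: $rights")
        }
    }

    return $findings
}

$result = Test-DownadPosture
if ($result.Count -eq 0) {
    Write-Host 'No findings: host matches the recommended configuration.'
} else {
    $result | ForEach-Object { Write-Warning $_ }
}
```

Run it from an elevated prompt on each host you manage; each warning maps directly to one of the recommended actions above. It reports only, so nothing is changed until you decide to remediate (for example, `Set-ItemProperty` on the Explorer policy key for AutoRun, or `Revoke-SmbShareAccess -AccountName Everyone` on an offending share).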