Media releases are provided as is by companies and have not been edited or checked for accuracy. Any queries should be directed to the company itself.

Symantec Voice of Reason - 14 April 2009

Symantec Security Response has observed that the W32.Downadup worm continues to be active.
  • 14 April, 2009 11:46

<p>Good morning,</p>
<p>Symantec Security Response has observed that the W32.Downadup worm continues to be active. On April 8, 2009 we discovered a new variant that is a slightly modified version of the original W32.Downadup worm. In the previous statement, it was mentioned that the new variant of Downadup (.E) is an update to the older .A variant. Unfortunately, we need to issue a slight correction here. We have confirmed based on further testing that it is machines infected with the .C variant that are being targeted by the new .E variant via the peer-to-peer updating method. The primary objective is to update .C with the new features and drop Waledac binary onto the .C infected machines. W32.Waledac, one of the most active spam bots, steals sensitive information, turns computers into spam zombies, and establishes a back door remote access. Symantec products provide antivirus and IPS protection for Waledac.</p>
<p>It has also been reported, but not verified by Security Response, that a misleading application called Spyware Protect 2009 is also downloaded on some of Symantec’s honeypot systems. We have not seen this in our testing, but it does match what we have talked about previously. See Downadup Motivations.</p>
<p>This new variant reintroduces the MS08-067 exploit vector, which was removed in the .C variant. It includes previously unseen self-removal functionality to remove itself from the infected host on May 3, 2009. The new .E variant includes a slightly different list of URLs used to obtain the IP address of the infected host and also reaches out to a new list of high-profile domains to confirm the current date. When reaching out to these domains the threat is not exploiting any weakness nor downloading any code.</p>
<p>This new .E variant does not appear to include any new infection vectors that might allow the threat to spread faster or onto new machines. Symantec Security Response continues to analyze the file for other functionality. Symantec Security Response has released updated definitions to protect against this new threat and Symantec products with updated definitions will detect and remove the new sample from infected systems.</p>
<p>Symantec Security Response continues to remind users not to be alarmed, but to continue to exercise caution and implement security best practices into their daily routines. These best practices include keeping security patches current, keeping antivirus definitions up to date and being cautious when visiting suspicious Web sites or opening unexpected e-mails and e-mail attachments.</p>
<p>Angela Coombes</p>
<p>Press Contacts:</p>
<p>Angela Coombes</p>
<p>Max Australia</p>
<p>+61 2 9954 3492</p>
<p>Debbie Sassine</p>
<p>+61 2 8820 7158</p>

Most Popular