
SANS ISC: MS08-067 Worm on the Loose - SANS Internet Storm Center


MS08-067 Worm on the Loose

Symantec has identified W32.Downadup.B as a new worm that is spreading by exploiting the Server service RPC vulnerability patched by MS08-067.

It does several things to install and hide itself on the infected computer.  It removes any System Restore points the user has set and disables the Windows Update service.  It looks for ADMIN$ shares on the local network and tries to brute-force the share passwords with a built-in dictionary.  At present, the worm's purpose appears to be simply to spread and infect as many computers as possible.  After January 1, 2009, it will try to reach out to a variety of web sites to pull down an updated copy of itself.  You can find examples of the domain names in the Symantec W32.Downadup.B writeup.

The general form of the URL it generates is http://[GENERATED DOMAIN NAME].[TOP LEVEL DOMAIN]/search?q=%d, where %d stands for a decimal number, so you could configure proxy servers or IDS sensors to look for requests of the form "/search?q=<number>" to find systems on your network that may have been compromised by this worm.

David Goldsmith

78 Posts
Don't forget to whitelist Google when configuring an IDS this way.

http://google.com/search?q=Kees+Leune is a valid URL used to search for (you guessed it) Kees Leune.
Kees

2 Posts
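Putting the diary's detection idea and Kees's whitelist caveat together, here is an added example (not part of the diary or of Symantec's writeup) of a proxy-log scan for the worm's update URL. It assumes a constructed log format of "timestamp client_ip method url", reads the %d in the diary's URL template as a bare decimal integer in the query string, and uses an example allowlist of Google hostnames; the log lines and domain names are made up for the example.

```python
import re
from urllib.parse import urlsplit

# Hosts whose /search?q= URLs are legitimate search traffic (assumption: extend
# this with whatever search engines your users actually hit).
ALLOWED_SEARCH_HOSTS = ("google.com", "google.co.uk")

# The worm's URL template is /search?q=%d, i.e. a bare decimal integer. A Google
# query carries free text (q=Kees+Leune), so requiring digits already removes most
# legitimate traffic; the allowlist below handles the case where a user searches
# for a number.
WORM_URL_RE = re.compile(r"^/search\?q=\d+$")


def host_allowed(host):
    """True if host is one of the allowlisted search engines or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in ALLOWED_SEARCH_HOSTS)


def is_suspicious_url(url):
    """True if the URL has the worm's /search?q=<number> shape on a non-allowlisted host."""
    parts = urlsplit(url)
    path_and_query = parts.path + ("?" + parts.query if parts.query else "")
    if not WORM_URL_RE.match(path_and_query):
        return False
    return not host_allowed(parts.hostname or "")


def scan_proxy_log(lines):
    """Return {client_ip: [urls]} for every client that requested a worm-shaped URL.

    Expected line format (constructed for this example): '<timestamp> <client_ip> <method> <url>'.
    Malformed lines are skipped rather than aborting the scan.
    """
    hits = {}
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        client, url = fields[1], fields[3]
        if is_suspicious_url(url):
            hits.setdefault(client, []).append(url)
    return hits


# Constructed sample log: one user searching Google (including for a number),
# one host hitting generated-looking domains, one host browsing normally.
SAMPLE_LOG = [
    "1230000001 10.0.0.5 GET http://www.google.com/search?q=Kees+Leune",
    "1230000002 10.0.0.5 GET http://www.google.com/search?q=42",
    "1230000003 10.0.0.7 GET http://qwxtz.biz/search?q=12",
    "1230000004 10.0.0.7 GET http://mnpqr.info/search?q=13",
    "1230000005 10.0.0.9 GET http://example.test/index.html",
]

if __name__ == "__main__":
    for client, urls in scan_proxy_log(SAMPLE_LOG).items():
        print(client)
        for u in urls:
            print("   ", u)
```

Run as-is it reports only 10.0.0.7. Note that the literal string "/search?q=%d" never appears on the wire; an IDS signature that matches it verbatim will fire on nothing, so match the numeric form as the regex above does.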
My company is the first one who reported this virus to Symantec and provided the problem DLL to them. We've told Symantec that a lot of our machines that got infected were already patched with MS08-067. Symantec provided a DEF file, but they return it as Linkoptimizer, not Downadup.B. We've asked Symantec to correct this, but no response from them.
Anonymous
