Friday, February 20, 2009

New Variants of W32.Downadup.B

Symantec has observed an increase in infections relating to W32.Downadup over the holiday period and is urging organizations to apply the patch for Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability as soon as possible.

A new variant of this threat, called W32.Downadup.B, appeared on December 30th and can not only propagate by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability, but can also spread through corporate networks by infecting USB sticks and accessing weak passwords. These propagation methods are nothing new; W32.Spybot, W32.Randex, and W32.Mytob variants all use almost identical methods to spread, but this variant nonetheless requires more effort to protect corporate networks against.

W32.Downadup.B creates an autorun.inf file on all mapped drives so that the threat automatically executes when the drive is accessed. The threat then monitors for drives that are connected to the compromised computer in order to create an autorun.inf file as soon as the drive becomes accessible. The worm also monitors DNS requests to domains containing certain strings and blocks access to those domains so that it will appear that the network request timed out. This means infected users may not be able to update their security software from those websites. This can be problematic as worm authors generally dish out new variants constantly.

Symantec researchers are seeing considerable detections of both variants, W32.Downadup and W32.Downadup.B. As illustrated by the following infection maps based on data from the past 60 days, the infections are geographically quite widespread. The highest infection rates typically correspond to countries with high rates of computer/Internet usage.

Symantec strongly encourages users to patch their system against the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability, take steps to control the execution of applications referenced in the autorun.inf files that may be located on removable and network drives, and enforce a strong password policy on all computers within their networks. Patch updates can be missed particularly during holiday periods, which makes them an opportune time for malware to spread. Consider implementing an automated patch management solution to help mitigate risk.
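The autorun.inf behaviour described above (a file dropped on every mapped or removable drive so that a program launches when the drive is opened) can be checked for from the defender's side. The following is an added example, not code from Symantec or from the original post: it parses an autorun.inf, flags the entries that launch a program on access (`open`, `shellexecute`, and `shell\...\command`), and scans a list of drive roots for such files. The sample file content and the `launcher.exe` name in it are constructed for the demonstration.

```python
import os
import re

# Keys in an [autorun] section that cause a program to run when the drive is
# opened or one of its context-menu verbs is chosen. An "icon=" or "label="
# entry on its own is harmless and is not flagged.
LAUNCH_KEYS = {"open", "shellexecute"}
SHELL_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)


def parse_autorun(text):
    """Return {key: value} for the [autorun] section, with keys lowercased.
    Tolerates blank lines, ';' comments and stray text outside the section."""
    entries = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def suspicious_entries(entries):
    """Return the (key, value) pairs that would launch code when the drive is accessed."""
    return [(k, v) for k, v in entries.items()
            if k in LAUNCH_KEYS or SHELL_COMMAND_RE.match(k)]


def scan_drive_roots(roots):
    """Look for an autorun.inf at each given drive/mount root and report launch entries."""
    report = {}
    for root in roots:
        path = os.path.join(root, "autorun.inf")
        if not os.path.isfile(path):
            continue
        with open(path, "r", errors="replace") as fh:
            hits = suspicious_entries(parse_autorun(fh.read()))
        if hits:
            report[path] = hits
    return report


# Constructed sample autorun.inf: launches a program on open and via the
# context-menu "Open" verb, plus a benign icon entry that should not be flagged.
SAMPLE_AUTORUN = "[autorun]\n; constructed sample\nopen=launcher.exe\n" \
                 "shell\\open\\command=launcher.exe\nicon=shell32.dll,4\n"

if __name__ == "__main__":
    for key, value in suspicious_entries(parse_autorun(SAMPLE_AUTORUN)):
        print(f"launch entry: {key} = {value}")
```

On a Windows host, pass the drive roots (for example `["D:\\", "E:\\"]`) to `scan_drive_roots` to check mapped and removable drives.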

Click here to obtain more information about how to prevent a threat from spreading using the "AutoRun" feature.

For more detail on the evolution and infection statistics of this threat, check out the earlier Security Response blog posting - W32.Downadup Infection Statistics - posted on January 6th.

