Downadup: 9 Million Strong and Growing

Ralph DeFrangesco

According to reports, the Downadup worm, also known as Conficker, has infected nine million PCs around the world. The worm is so virulent that it has infected as many as one million PCs in a single 24-hour period. According to Symantec, two variants have been identified, Downadup.A and Downadup.B. The worm appears to affect PCs running Windows XP SP1 the most. However, XP SP2, 2000, 2003, and Vista have been reported to be vulnerable to the threat as well.


Symptoms of the worm include account lockout policies being reset automatically, domain controllers responding slowly to client requests, networks unusually congested, and certain Windows services such as automatic updates disabled.


To check my PC for the worm, I downloaded the free online version of ActiveScan 2.0 from Panda. The software scans for viruses, worms, spyware and other threats. The download took 2 minutes over my super-fast fiber connection, and the scan then ran for roughly 70 minutes checking for threats.


To remove the worm, Symantec has a removal tool. Since I did not have the worm on any of my PCs, I did not have a chance to use the removal tool. I did read the instructions and they are pretty straightforward. The tool terminates the affected processes, deletes any associated files and cleans the registry.


What I really find interesting about this worm is that Microsoft released a patch (MS08-067) to fix the flaw that this worm exploits back in October of 2008. What this tells me is that people are not applying patches in a timely manner. Although I do not like defending Microsoft, I have to stick up for the company this time around. This is a good example of a vendor releasing a patch and people not taking the time to install it.
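The two practical questions this post raises, whether a host is missing the MS08-067 update and whether it is showing the symptoms listed above (Automatic Updates disabled, account lockout settings drifting), can be answered from a PowerShell prompt. The following script is an added example, not code from the post, from Panda or from Symantec. It assumes PowerShell 2.0 or later on the Windows host being checked, that KB958644 is the hotfix package that delivers MS08-067, and it adds BITS to the service check on the assumption that Windows Update depends on it; the function names are made up for this example.

```powershell
# Added triage example (not part of the original post).
# Assumes PowerShell 2.0+ and that KB958644 is the MS08-067 hotfix package.

function Test-Ms08067Patch {
    # Get-HotFix lists installed updates; absence of KB958644 means the
    # vulnerability the worm exploits is still unpatched on this host.
    $fix = Get-HotFix -Id 'KB958644' -ErrorAction SilentlyContinue
    return ($null -ne $fix)
}

function Get-UpdateServiceState {
    # The post names "automatic updates" (wuauserv) as a service the worm
    # disables; BITS is included as an assumption because Windows Update
    # uses it to download packages.
    $names = @('wuauserv', 'BITS')
    foreach ($name in $names) {
        $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
        if ($null -eq $svc) { continue }
        New-Object PSObject -Property @{
            Name      = $svc.Name
            StartMode = $svc.StartMode
            State     = $svc.State
            Disabled  = ($svc.StartMode -eq 'Disabled')
        }
    }
}

function Get-LockoutThreshold {
    # 'net accounts' prints the local lockout threshold; a value that keeps
    # changing between runs matches the "lockout policy reset" symptom.
    $line = net accounts | Where-Object { $_ -match 'Lockout threshold' }
    return $line
}

$patched = Test-Ms08067Patch
Write-Host ("MS08-067 (KB958644) installed: {0}" -f $patched)
Get-UpdateServiceState | Format-Table Name, StartMode, State, Disabled -AutoSize
Write-Host (Get-LockoutThreshold)
if (-not $patched) {
    Write-Host "Host is missing MS08-067: install the update before doing anything else."
}
```

Run it once on a known-clean machine to record the expected service start modes and lockout threshold, then compare against hosts that show the symptoms; a disabled Automatic Updates service on a host that also lacks KB958644 is the combination that deserves a full scan with a tool such as the ones described above.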



Jan 27, 2009 3:54 AM Michael Pilaitis says:

To reiterate your point, SANS has a blurb about a group of hospitals that was hit by this worm several weeks ago. Apparently, IT management at the hospitals disabled Windows updates. It has been over three weeks since the infection and the hospitals are still not fully online.

http://www.sans.org/newsletters/newsbites/newsbites.php?vol=11&issue=6&rss=Y#sID201

Mike Pilaitis

Jan 27, 2009 9:28 AM Ralph DeFrangesco says:

Mike,

Nice post, and thank you for the link out to SANS. I am sure that they are not the only organization to disable Windows updates. It should be interesting to see who else confesses to being affected by the worm.

-Ralph
