BitDefender Online Scanner  

This document explains the I/O errors statistics included in the scan reports.

1. It creates files autorun.inf and RECYCLED\{SID<....>}\RANDOM_NAME.vmx on removable drives and on public network shares

2. It stores itself in the system as a DLL-file with a random name in c:\windows\system32\

3. It registers itself in system services with a random name, creating the following service:

Name: netsvcs

ImagePath: %SystemRoot%\\system32\\svchost.exe -k netsvcs

Then the worm creates the following registry entry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netsvcs\Parameters\"ServiceDll" = "[PathToWorm]"

4. The worm deletes any user-created System Restore points.

5. It tries to attack network computers via random ports, using Microsoft Windows vulnerability MS08-067. The worm then creates a http server on the compromised computer on a random port, for example:

http://[EXTERNAL IP ADDRESS OF INFECTED MACHINE]:[RANDOM PORT]

6. Upon successful exploitation, the other computer will then connect to this URL and download the worm spreading the infection.

7. Downadup then contacts several domains and tries to download additional files onto the compromised computer.