BitDefender Antivirus



BitDefender Antivirus v10




BitDefender releases the Downadup removal tool
Short description of the Downadup/Conficker/Kido behaviour:

1. It creates the files autorun.inf and RECYCLED\{SID<....>}\RANDOM_NAME.vmx on removable drives and on public network shares; the autorun.inf launches the .vmx payload when the drive or share is opened on a machine with Autorun enabled.

2. It stores itself in the system as a DLL file with a random name in c:\windows\system32\.

3. It registers itself in system services with a random name, loaded by svchost.exe as part of the netsvcs service group, creating the following service:

Name: netsvcs

ImagePath: %SystemRoot%\system32\svchost.exe -k netsvcs

The worm then creates the following registry entry, which makes svchost.exe load the worm DLL:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netsvcs\Parameters\"ServiceDll" = "[PathToWorm]"

4. The worm deletes any user-created System Restore points.

5. It attacks other computers on the network using the Microsoft Windows vulnerability MS08-067 (the Server service RPC vulnerability, reached over SMB, TCP port 445). The worm then starts an HTTP server on the compromised computer on a random port, for example:

http://[EXTERNAL IP ADDRESS OF INFECTED MACHINE]:[RANDOM PORT]

6. Upon successful exploitation, the target computer connects to this URL and downloads the worm, spreading the infection.

7. Downadup then contacts several domains and tries to download additional files onto the compromised computer.


Filename Format String Vulnerability
The vulnerability is caused by a format string error when generating the scan report file: the name of the scanned file or directory is passed to a printf-style function as the format string rather than as an argument. This can potentially be exploited to execute arbitrary code when a file or directory whose name contains format string specifiers (e.g. %.8X%.8X) is scanned.
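The following is an added example, not BitDefender's code, showing the bug class described above in a small report writer: a printf-style logging helper (write_line, a hypothetical name) receives the already-formatted report line as its format string, so a file name such as %.8X%.8X is parsed as conversions that consume arguments nobody passed (and %n would turn that read into a write). The hardened variant keeps the format a literal and passes the name only as data; count_conversions shows how many arguments a name would consume if it were ever used as a format. Sample file names are constructed; the vulnerable function is kept for reference and is not called, because invoking it with such a name is undefined behaviour.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* printf-style logging helper (hypothetical). Any caller that hands it
 * untrusted data as `fmt` has a format string bug. */
static int write_line(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* VULNERABLE: the report line (which embeds the scanned path) is first built
 * in a buffer and then passed to the helper as the format string. A path
 * named "%.8X%.8X" makes vsnprintf read two arguments that were never passed.
 * Kept for reference only; never called here. */
int report_line_vulnerable(char *out, size_t outlen, const char *path, const char *verdict)
{
    char line[512];
    snprintf(line, sizeof line, "%s: %s\n", path, verdict);
    return write_line(out, outlen, line);          /* DO NOT DO THIS */
}

/* FIXED: the format is a literal; the scanned path is only ever an argument,
 * so "%.8X%.8X" is copied into the report verbatim. */
int report_line_fixed(char *out, size_t outlen, const char *path, const char *verdict)
{
    return write_line(out, outlen, "%s: %s\n", path, verdict);
}

/* Number of arguments a printf-family function would try to consume if `s`
 * were used as a format string: one per conversion, plus one per '*' width
 * or precision. "%%" is a literal percent sign and consumes nothing. */
int count_conversions(const char *s)
{
    int n = 0;
    const char *p = s;
    while (*p) {
        if (*p != '%') { p++; continue; }
        p++;                                  /* past '%' */
        if (*p == '%') { p++; continue; }     /* "%%" -> literal '%' */
        n++;                                  /* one conversion ... */
        while (*p && strchr("-+ #0123456789.*hlLqjzt", *p)) {
            if (*p == '*') n++;               /* '*' takes an extra argument */
            p++;
        }
        if (*p) p++;                          /* the conversion character (d, X, s, n, ...) */
    }
    return n;
}

int main(void)
{
    /* Constructed sample: a scanned file whose name contains conversions. */
    const char *name = "%.8X%.8X";
    char line[256];
    report_line_fixed(line, sizeof line, name, "clean");
    printf("%s", line);                                             /* %.8X%.8X: clean */
    printf("conversions in name: %d\n", count_conversions(name));  /* 2 */
    return 0;
}
```

The check that matters in review is the second argument of every vsnprintf/vprintf-style call: it must be a string literal (or a compiler-checked format), never a buffer that untrusted data has been written into. Building with -Wformat=2 (which includes -Wformat-nonliteral) makes the vulnerable call site visible once the helper carries a format attribute.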
