Avast WEBforum

Other => General Topics => Topic started by: Marc57 on March 09, 2009, 05:21:03 AM

Title: Symantec Warns of Worm's Return
Post by: Marc57 on March 09, 2009, 05:21:03 AM
A third version of Downadup has been identified by Symantec, which says the new variant gives infected machines more powerful instructions to disable antivirus software and analysis tools, among other actions.

http://www.pcworld.com/article/160872/article.html?tk=nl_dnxnws

Title: Re: Symantec Warns of Worm's Return
Post by: CharleyO on March 09, 2009, 06:08:30 AM
***

Thanks for posting this information, Marc.   :)


***
Title: Re: Symantec Warns of Worm's Return
Post by: polonus on March 09, 2009, 03:03:10 PM
Hi Marc & CharleyO,

Yes Conficker-C digs in deeper and kills all these processes when found:
Any processes found on an infected machine that contain an antivirus or security analysis tool string from the list below are killed:

•    wireshark
•    unlocker
•    tcpview
•    sysclean
•    scct_
•    regmon
•    procmon
•    procexp
•    ms08-06
•    mrtstub
•    mrt.
•    mbsa.
•    klwk
•    kido
•    kb958
•    kb890
•    hotfix
•    gmer
•    filemon
•    downad
•    confick
•    avenger
•    autoruns

Also has another registration algorithm. In short, the third version represented in the Downadup.C module is designed mainly to provide more protective actions to infected Windows-based machines so they can better defend themselves from anti-virus software and other eradication methods.

"It's more aggressive, it has more services, but only for those already infected with the previous worm"

polonus