Tips to protect against the MS08-067 worm

The recent outbreak of the MS08-067 worm, Downadup/Conficker, has already infected more than 9 million PCs. What was special about Microsoft Security Bulletin MS08-067 was that it was released out-of-band, it was given an “Exploitability Index Assessment” of “1 – Consistent exploit code likely”, and the vulnerability it addresses allows Remote Code Execution on numerous versions of Windows (particularly critical for 2000, XP, and Server 2003).


Downadup uses an old trick to spread itself. It has been found to gain less traction spreading across the Internet, but once it is inside your network, every unpatched system will be attacked. You must clean all of the computers within your network, apply the patch through Microsoft Update, and then run another full system scan of all files after updating your AV.
Downadup uses random extensions for some of its components, so you will need to scan all file types on the system once you have disinfected it.

It has been found to spread more widely through removable media devices by using the Windows AutoRun feature. By placing an Autorun.inf file on a device, arbitrary code can be executed automatically, without user interaction, when the device is connected to a Windows system. Code execution may also take place when the user browses to the software location with Windows Explorer.

A workaround is described below:

Disable AutoRun in Microsoft Windows

To effectively disable AutoRun in Microsoft Windows, import the following registry value:


REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"

To import this value, perform the following steps:


* Copy the text
* Paste the text into Windows Notepad
* Save the file as autorun.reg
* Navigate to the file location
* Double-click the file to import it into the Windows registry

Microsoft Windows can also cache the AutoRun information from mounted devices in the MountPoints2 registry key. Restarting Windows after making the registry change is a good idea so that any cached mount points are reinitialized in a way that ignores the Autorun.inf file. Alternatively, the following registry key may be deleted:


HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

Once these changes have been made, all of the AutoRun code execution scenarios described above will be mitigated because Windows will no longer parse Autorun.inf files to determine which actions to take.
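As an added example (not part of the original post), the following PowerShell script audits whether the workaround above is in place and, when run with -Apply, writes both registry changes. It assumes an elevated session; because MountPoints2 lives under HKEY_CURRENT_USER, it only clears the cache for the user running it.

```powershell
# Added example (not from the original post): audit and optionally apply the
# AutoRun-disabling registry workaround described above.
# Assumptions: run in an elevated PowerShell session; -Apply writes changes,
# otherwise the script only reports. MountPoints2 is under HKCU, so it is
# cleared only for the user running the script.
param([switch]$Apply)

$iniMapKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
$expected  = '@SYS:DoesNotExist'
$mountKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'

function Get-AutorunMappingState {
    if (-not (Test-Path $iniMapKey)) { return 'missing' }
    $current = (Get-ItemProperty -Path $iniMapKey).'(default)'
    if ($current -eq $expected) { return 'mitigated' }
    return "unexpected value: '$current'"
}

$state = Get-AutorunMappingState
Write-Host "Autorun.inf IniFileMapping: $state"
Write-Host "Cached MountPoints2 present: $(Test-Path $mountKey)"

if (-not $Apply) {
    Write-Host 'Re-run with -Apply to write the workaround.'
    return
}

if ($state -ne 'mitigated') {
    # Create the key if needed, then set its (default) value so that Windows
    # maps Autorun.inf to a registry location that does not exist.
    if (-not (Test-Path $iniMapKey)) { New-Item -Path $iniMapKey -Force | Out-Null }
    Set-ItemProperty -Path $iniMapKey -Name '(default)' -Value $expected
    Write-Host 'Applied IniFileMapping workaround.'
}

if (Test-Path $mountKey) {
    # Drop cached per-device AutoRun data so the change takes effect without a reboot.
    Remove-Item -Path $mountKey -Recurse -Force
    Write-Host 'Removed cached MountPoints2 key for the current user.'
}

Write-Host "Verification: $(Get-AutorunMappingState)"
```

Run it once without -Apply to see the current state, then with -Apply from an administrator prompt; repeat the audit for each user account whose MountPoints2 cache should be cleared.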

You may also want to check the W32.Downadup.A and W32.Downadup.B statistics.

Happy worm fighting!!!
