When is it going to stop?!
Yet another variant of Downadup has been detected in the wild. Symantec has named it W32.Downadup.E and has again rated it as a Level 2 threat.
Refer below for the technical details of the worm:
The worm may be downloaded or delivered silently through Web exploits and then executed.
> It patches “tcpip.sys” in order to increase the number of concurrent network connections available on the system.
> The exploitation of the MS08-067 vulnerability, which had not featured in W32.Downadup.C, is now included in W32.Downadup.E.
> This variant also uses the SMB protocol to identify the target system before attempting to exploit it. This is most likely an attempt to increase the chances of successful exploitation.
> The threat exploits weaknesses in certain routers to allow access to compromised machines from external networks. This variant has the UPnP capabilities that have been seen in previous versions of Downadup.
> It shows a strange behavior: on May 3, 2009, the worm sets itself to be removed when the computer restarts. However, it does not remove the dropped W32.Downadup.C infection.
Writeup taken from Symantec:
http://www.symantec.com/security_response/writeup.jsp?docid=2009-040823-4919-99