Monday, March 23, 2009

[Malware Advisory] WORM_Downad.KK - Activates on April Fool's Day

Dear All,

We would like to inform you that we have received new updates from our Global Update Center.

Topic: WORM_Downad.KK – Activates on April Fool’s Day

Advisory Release Date: March 18, 2009

Details

Worm_downad has infected more than 15 million computers, making it one of the most widespread infections in recent times.

A new variant of worm_downad (aka Conficker) is expected to be launched on April Fool’s day.

Trend Micro detects this new variant as worm_downad.kk. More information can be found at http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_DOWNAD.KK&VSect=T. Trend Micro detects this malware starting with pattern file 5.885.00.

Compared to the old variants, worm_downad.kk is more sophisticated. Here are a few of its payloads:

· Connects to various time servers to determine the current date and time.

· Registers itself as a system service to ensure it runs automatically at every startup.

· Deletes a registry key to prevent system startup in safe mode.

· Terminates security-related processes (e.g. procexp, regmon, autoruns, gmer).

· Blocks access to security and antivirus websites.

· Generates 50,000 malicious URLs and attempts to connect to around 500 randomly generated URLs at a time.
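The last payload is also the easiest one to spot from the network side: a host running a domain-generation algorithm asks the resolver for hundreds of names that do not exist, so its NXDOMAIN rate stands out against normal browsing. The script below is an added example written for this advisory, not Trend Micro code; the log line format, the 60-second window, the threshold of 20 distinct non-existent domains, and the sample log lines are all constructed assumptions, and the host addresses are placeholders.

```python
"""Flag hosts whose DNS lookups look like a domain-generation algorithm (DGA).

Added example for the advisory above; not Trend Micro code. The log format,
thresholds and sample data are constructed assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import random

# Constructed log format: "<ISO timestamp> <client ip> <queried name> <rcode>"
# e.g. "2009-03-18T10:00:00 10.0.0.5 qwzvkt.org NXDOMAIN"


def parse_line(line):
    """Parse one log line into (timestamp, client, qname, rcode); None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    return ts, parts[1], parts[2].lower().rstrip("."), parts[3].upper()


def registered_domain(qname):
    """Crude registered-domain extraction: keep the last two labels.

    Good enough for .com/.org/.net style names; it collapses a flood of
    subdomains under one parent so only distinct parent domains are counted."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def find_dga_bursts(lines, window=timedelta(seconds=60), min_unique_nx=20):
    """Return {client: peak distinct NXDOMAIN domains} for clients over the threshold.

    Only NXDOMAIN answers count: a DGA client asks for many names that do not
    exist, while normal browsing resolves nearly everything it asks for.
    A sliding window over each client's NXDOMAIN events tracks how many
    distinct domains failed within any `window`-long span."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[3] == "NXDOMAIN":
            ts, client, qname, _ = rec
            events[client].append((ts, registered_domain(qname)))

    suspicious = {}
    for client, recs in events.items():
        recs.sort()
        in_window = deque()          # (timestamp, domain) pairs inside the window
        counts = defaultdict(int)    # domain -> occurrences inside the window
        peak = 0
        for ts, dom in recs:
            in_window.append((ts, dom))
            counts[dom] += 1
            # Evict events older than the window before measuring
            while in_window and ts - in_window[0][0] > window:
                old_ts, old_dom = in_window.popleft()
                counts[old_dom] -= 1
                if counts[old_dom] == 0:
                    del counts[old_dom]
            peak = max(peak, len(counts))
        if peak >= min_unique_nx:
            suspicious[client] = peak
    return suspicious


def build_sample_log(seed=1):
    """Constructed sample: one host behaving like a DGA, one browsing normally."""
    rng = random.Random(seed)
    base = datetime(2009, 3, 18, 10, 0, 0)
    lines = []
    # DGA-like host (placeholder address): 30 random names in 30 seconds, all NXDOMAIN
    for i in range(30):
        name = "".join(rng.choice("abcdefghijklmnopqrstuvwxyz")
                       for _ in range(rng.randint(6, 10)))
        tld = rng.choice(["com", "net", "org"])
        stamp = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{stamp} 10.0.0.5 {name}.{tld} NXDOMAIN")
    # Normal host (placeholder address): a few ordinary lookups and one typo
    normal = [("www.example.com", "NOERROR"), ("mail.example.com", "NOERROR"),
              ("wwww.example.com", "NXDOMAIN"), ("update.example.net", "NOERROR")]
    for i, (qname, rcode) in enumerate(normal):
        stamp = (base + timedelta(seconds=5 * i)).isoformat()
        lines.append(f"{stamp} 10.0.0.7 {qname} {rcode}")
    return lines


if __name__ == "__main__":
    for client, peak in find_dga_bursts(build_sample_log()).items():
        print(f"{client}: {peak} distinct non-existent domains within 60s")
```

Run against a real resolver log, the threshold needs tuning per environment (mail gateways and misconfigured search suffixes also produce NXDOMAIN noise), and a hit should be confirmed on the host with the full scan and pattern check listed under Recommended Action rather than treated as proof on its own.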

_______________________________________________________________________

Recommended Action

· Enable Web Reputation Service

· Make sure that you have the latest virus definitions (at least pattern file 5.885.00)

· Run a FULL system scan to ensure that malware does not exist on your PC

· Apply MS08-067

· Ensure strong password practice

· Disable autorun.inf for removable devices

· On file-sharing servers, do not share folders with Everyone.
