‘Downandup’ worm hits 3.5 million Windows PCs in 4 days
The Internet has been hit by a rapidly spreading network worm that has infected 3.5 million Windows computers in the last four days. The worm is known as Downandup, Conficker, or Kido.
The worm spreads through a vulnerability in Microsoft's Server service, patched in October 2008 by the company's Security Bulletin MS08-067. Once the worm reaches a machine, it activates an HTTP server to reset the machine's System Restore point, which stops administrators from removing it.
Strictly speaking, Downandup is not a single worm but a family of variants. The worm's usual Trojan component lets it download new files from its controller's own server, but the malware generates a large number of seemingly random domain names to check for updates, which makes the controller hard to track. The worm shields itself by disabling Windows features such as security, networking and updating. It also modifies networking settings to speed up copying itself to other PCs, and it blocks access to security-related domains.
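As an added, defender-side example (not code from the article or from the worm), here is a heuristic that looks for this update-lookup pattern in DNS resolver logs: a host that queries many random-looking registered names, most of which fail to resolve (NXDOMAIN), with the few that do resolve being the candidate rendezvous domains. The log format, the client addresses and hostnames, and the entropy and vowel thresholds are constructed assumptions for the demonstration, not values the article specifies.

```python
import math
from collections import Counter, defaultdict

VOWELS = set("aeiou")

# Constructed sample resolver log (not real traffic): "<timestamp> <client> <qname> <rcode>".
# 10.0.0.5 is an ordinary workstation (one typo lookup), 10.0.0.7 probes internal
# names that do not exist, 10.0.0.9 behaves like a DGA-driven infection: a burst of
# random-looking names that mostly fail to resolve, with one that does.
SAMPLE_DNS_LOG = """\
2009-01-16T10:00:01 10.0.0.5 www.microsoft.com NOERROR
2009-01-16T10:00:02 10.0.0.5 update.microsoft.com NOERROR
2009-01-16T10:00:04 10.0.0.5 microsfot.com NXDOMAIN
2009-01-16T10:00:05 10.0.0.7 intranet.corp.local NXDOMAIN
2009-01-16T10:00:06 10.0.0.7 printer01.corp.local NXDOMAIN
2009-01-16T10:00:07 10.0.0.9 qwlkfjxn.biz NXDOMAIN
2009-01-16T10:00:07 10.0.0.9 zpvtrmqeka.org NXDOMAIN
2009-01-16T10:00:08 10.0.0.9 hxbgwdnsy.info NXDOMAIN
2009-01-16T10:00:08 10.0.0.9 ctfvplrjk.com NXDOMAIN
2009-01-16T10:00:09 10.0.0.9 mkqzbwtxo.net NXDOMAIN
2009-01-16T10:00:09 10.0.0.9 rgdlpfvyn.biz NXDOMAIN
2009-01-16T10:00:10 10.0.0.9 vqxbtjlgh.info NOERROR
2009-01-16T10:00:11 10.0.0.9 www.microsoft.com NOERROR
"""


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character: a rough measure of how 'random' a label looks."""
    counts = Counter(text)
    total = len(text)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def registered_label(qname: str) -> str:
    """Label directly left of the top-level domain ('microsoft' for www.microsoft.com).
    Assumes single-label TLDs; multi-label suffixes such as co.uk would need a
    public-suffix list."""
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def label_looks_random(label: str, min_len: int = 7, min_entropy: float = 2.8,
                       max_vowel_ratio: float = 0.3) -> bool:
    """Heuristic (assumed thresholds): long, high-entropy labels with few vowels."""
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio < max_vowel_ratio


def parse_log(text: str):
    """Yield (client, qname, rcode) from 'timestamp client qname rcode' lines; skip malformed ones."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue
        _ts, client, qname, rcode = fields
        yield client, qname, rcode


def score_clients(log_text: str) -> dict:
    """Per client: the distinct random-looking names that failed to resolve (NXDOMAIN)
    and the random-looking names that did resolve (candidate rendezvous domains)."""
    failed = defaultdict(set)
    resolved = defaultdict(set)
    for client, qname, rcode in parse_log(log_text):
        if not label_looks_random(registered_label(qname)):
            continue
        if rcode == "NXDOMAIN":
            failed[client].add(qname)
        elif rcode == "NOERROR":
            resolved[client].add(qname)
    return {"failed": failed, "resolved": resolved}


def flag_dga_clients(log_text: str, threshold: int = 5) -> dict:
    """Clients whose count of distinct random-looking NXDOMAIN names reaches the
    threshold, mapped to the random-looking names that did resolve for them."""
    scores = score_clients(log_text)
    return {
        client: sorted(scores["resolved"].get(client, set()))
        for client, names in scores["failed"].items()
        if len(names) >= threshold
    }


if __name__ == "__main__":
    for client, rendezvous in flag_dga_clients(SAMPLE_DNS_LOG).items():
        print(f"{client}: DGA-like lookup burst; resolved names to block/sinkhole: {rendezvous}")
```

The per-client threshold is what keeps one-off typos and internal name probes from triggering an alert; the resolved random-looking names are the ones worth blocking at the resolver or handing to a sinkhole, which is the defensive counterpart to the worm's domain-generation trick.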
In a blog post, Christopher Budd, a security program manager at Microsoft Security Response Center, said: "The vulnerability is potentially wormable on older versions of Windows, XP and earlier; we're encouraging customers to test and deploy the update as soon as possible."