First appearing in October 2008 and currently ranked 24th in the world of online malware, the Downadup virus (also known as Conficker, Downup and Kido) is a type of worm (malicious software) that targets the Microsoft Windows operating system by exploiting the MS08-067 vulnerability.
It has the capability of replicating itself and infecting other files and programs on your computer, as well as spreading to other computers via network shares or removable media. The virus is claimed to affect between 500,000 and 1,000,000 computer users per country; an estimated 15 million users to date, including government, corporate and home computers in over 200 countries, have fallen victim to this virus.
Regarded as the largest computer worm infection since 2003, the virus exploits software flaws and bugs and runs ‘dictionary attacks’ against administrator passwords to spread itself, while forming a botnet (a collection of infected machines connected via the internet that communicate with one another in order to perform tasks) that infects computers on a given network at an alarming rate. Because it combines several advanced malware techniques, the virus is usually quite difficult to counter and remove.
When installed, the Downadup virus copies itself to your C:\Windows\System32 folder as a randomly named DLL file. If it cannot copy itself to the System32 folder, it instead copies itself to the %ProgramFiles%\Internet Explorer or %ProgramFiles%\Movie Maker folder. Next, it creates a Windows service that automatically loads this DLL via svchost.exe every time you turn on your computer; the infection then changes a variety of Windows settings that allow it to efficiently infect other computers over your network or the internet.
Not only does this virus slow down (or completely halt) your PC by stealing hard-disk space and memory, it can also erase your hard-drive, hijack your screen, corrupt or delete data, steal personal information and spam your contacts to spread itself to other users.
Compromised machines face a much higher risk of being further infected by other malicious software, along with suffering interference with network speed and functionality. Although the virus is more problematic for corporate data networks and users, it can also affect the performance and security of home computers.
The following symptoms may indicate the presence of the Downadup virus on your system:
- Automatic resetting of account lockout policies
- Certain Microsoft Windows services are disabled, such as Automatic Updates, Windows Defender, Background Intelligent Transfer Service (BITS) and Windows Error Reporting. The virus does this to prevent you from downloading removal tools or updating your antivirus programs.
- Domain controllers respond slowly to client requests.
- Local area networks become congested (network scans result in an ARP flood)
- Inability to access websites related to Windows Update or antivirus software.
The best approach for removing this infection is to run scans on your system using reliable antivirus software such as SpyHunter; detailed reports listing all the infections on your PC are presented to you, and the user interface allows you to easily delete the malicious software from your PC.
Removing the Downadup Virus
Follow the steps given below to remove the Downadup virus manually:
Step 1 – Turn off system restore:
Click Start and open the Control Panel. Next, click System and Security > System. Once the ‘System’ screen appears, click System Protection in the left pane, then click ‘Configure’ in the bottom half of the window that opens. The window now displayed shows Restore Settings at the top; check ‘Turn Off System Protection’, click OK and exit.
Step 2 – Delete files corrupted by Downadup
Click Start and type the following in the search box (an alternative approach is to press F3 and search for these files):
- explorer.exe
- svchost.exe
- services.exe
- %System%\[Random].dll
- %All Users Application Data%\[Random].dll
- %Program Files%\Internet Explorer\[Random].dll
- %Program Files%\Movie Maker\[Random].dll
- %Temp%\[Random].dll
Once you locate the files listed above, delete them by right-clicking each one and selecting ‘Delete’. Note that explorer.exe, svchost.exe and services.exe are genuine Windows components that the worm injects its code into rather than files the worm creates; the worm's own files are the randomly named DLLs, so take care not to remove the legitimate system binaries from %System%.
Step 3 – Delete all registry entries created by Downadup
Click the Start button, type regedit in the search box and press Enter; once the Registry Editor opens, search for and delete all of the following registry entries related to Downadup:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost, netsvcs = %Previous data% and %Random%
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL, CheckedValue = dword:00000000
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[random]\Parameters, ServiceDll = %MalwarePath%
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, "[Random Characters]" = "rundll32.exe [RANDOM DLL File], [RANDOM Parameter String]"
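The symptoms and registry locations above can be checked without touching regedit by hand. The following read-only PowerShell triage script is an added example (not part of the original article); it only reports findings and deletes nothing. It assumes Windows 7 or later service names (wuauserv, WinDefend, BITS, WerSvc) and treats a netsvcs member whose ServiceDll lies outside %SystemRoot%, or inside the Internet Explorer or Movie Maker folders, as suspect.

```powershell
# Added triage script (not from the original article). Read-only: reports, never deletes.
# Assumes Windows 7+ service names for the services the article says the worm disables.

# 1. Services the worm disables to block updates and removal tools
$watched = 'wuauserv', 'WinDefend', 'BITS', 'WerSvc'
foreach ($name in $watched) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Output "[?] $name is not present on this system"; continue }
    # Start = 4 means the service is set to Disabled
    $start = (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$name" -ErrorAction SilentlyContinue).Start
    if ($start -eq 4 -or $svc.Status -ne 'Running') {
        Write-Output "[!] $name is $($svc.Status) (Start=$start) - verify it was not disabled"
    }
}

# 2. svchost netsvcs group: the worm appends a random service name whose ServiceDll is its own DLL
$netsvcs = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost').netsvcs
$sysRoot = $env:SystemRoot
foreach ($member in $netsvcs) {
    $params = "HKLM:\SYSTEM\CurrentControlSet\Services\$member\Parameters"
    if (-not (Test-Path $params)) { continue }
    $dll = (Get-ItemProperty $params -ErrorAction SilentlyContinue).ServiceDll
    if (-not $dll) { continue }
    $dll = [Environment]::ExpandEnvironmentVariables($dll)
    # Heuristic (assumption): legitimate netsvcs DLLs live under %SystemRoot%
    $suspect = (-not $dll.StartsWith($sysRoot, 'OrdinalIgnoreCase')) -or
               ($dll -match '\\Internet Explorer\\|\\Movie Maker\\')
    if ($suspect) { Write-Output "[!] netsvcs member '$member' loads $dll" }
}

# 3. "Show hidden files" toggle forced off (the default CheckedValue is 1)
$showAll = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
$checked = (Get-ItemProperty $showAll -ErrorAction SilentlyContinue).CheckedValue
if ($checked -eq 0) { Write-Output "[!] SHOWALL\CheckedValue is 0 (hidden files cannot be shown)" }

# 4. Per-user Run entries that launch a DLL through rundll32.exe
$run = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
Get-ItemProperty $run -ErrorAction SilentlyContinue | ForEach-Object {
    $_.PSObject.Properties |
        Where-Object { $_.Value -is [string] -and $_.Value -match 'rundll32' } |
        ForEach-Object { Write-Output "[!] Run entry '$($_.Name)' = $($_.Value)" }
}
```

Run it from an elevated PowerShell prompt; any `[!]` line names the exact service, DLL path or Run entry to inspect before deciding what to remove.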
Since the manual removal process can be tricky due to its complexity, it should be performed with extreme caution; even a slight deviation from the instructions could lead to irreparable damage to your system. To ensure hassle-free deletion and complete removal of all traces of the Downadup virus from your system, experts recommend using a powerful antivirus product that is automatically configured to provide optimal immediate and ongoing protection for your PC.