If you are really freaked out, here is a host of info from here at Symantec:
W32.Downadup.C FAQ
Q) Are AV signatures out in the field? If so, how many infections are we talking?
A) Yes, the signature is already in-field. Infection numbers are low, very low compared to previous variants of Downadup.
Q) Apart from AV signatures how do I know if I’m infected?
A) Downadup prevents you from accessing many security websites. If there is a concern that a machine is infected, attempt to visit the Symantec.com website. If you are unable to, you may need to investigate further. If you are able to, you’re not infected.
Q) Do IPS (network) signatures exist for Downadup?
A) Yes, there are currently a number of signatures being used to detect the propagation of this threat.
• MSRPC Server Service BO
• MSRPC Server Service BO2
• HTTP W32 Downadup Downloader Activity – Still Investigating
The first 2 signatures are meant to block the exploitation of BID 31874. Those are not specific to Downadup.
The 3rd signature is specific to Downadup.
Q) Are there additional signatures in the pipeline?
A) Yes, there is another IPS signature being tested right now. If all goes well (no false positives or performance issues) that will be released in the coming days.
That signature will start sending us reviewable data within the next 24 hours. Once sufficient data is received, an update will be made. This signature will only be applicable to newer consumer products.
Q) Do we have a fixtool for this threat?
A) Yes, it can be found here -
http://www.symantec.com/security_response/writeup.jsp?docid=2009-011316-0247-99
This tool was last updated today. It successfully detects and remediates all known infections of Downadup.
Q) Downadup infections block access to Symantec sites. How can someone get to the tool if they are infected?
A) Good question. We are working with others within the industry to address this common problem. More on this when we have an update.
Note - All Symantec fixtools are digitally signed. If someone unofficially stores a tool for personal sharing, make sure you ask the person downloading it to verify the digital signature before using it.
Q) Is the Symantec ThreatCon going to change because of Downadup?
A) At present we haven't reached our threshold for moving ThreatCon to a higher level. Most of what we're dealing with presently are queries about the threat, and not real infections. If this changes, we will take appropriate action.
• Corporate external landing page
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2009033012483648
• Consumer external landing page
http://www.symantec.com/norton/theme.jsp?themeid=conficker_worm
• Downadup.C Threat Write-Up
http://www.symantec.com/security_response/writeup.jsp?docid=2009-030614-5852-99
Q) Anything else I should know?
A) No need to panic. We don't expect anything drastic to happen to the computing world on April 1st 2009. Symantec Security Response is closely monitoring all activity related to Downadup. It is also working with various people in the industry to reduce the impact of unpatched infected machines. We are constantly working to improve our AV and IPS signatures to protect our customers.
________________________________________
3-31-09
Mar-30
As we approach April 1st this threat continues to get additional media coverage, including a report on 60 Minutes with Steve Trilling. To help with this, we have included some additional useful articles:
Deepsight Write-up for W32.Downadup.C (requires login)
https://tms.symantec.com/loaddocument.aspx?fileguid=E5867F5088DE41B9B198D9DAA0D53BC1
Summary: On March 6, 2009, Symantec became aware of a new variant of Downadup. Called W32.Downadup.C, this variant presented substantial code changes to the malware. This analysis document gives a technical description of the malware’s capabilities and compares them to its predecessor, W32.Downadup.B.
The Downadup Codex
http://www.symantec.com/content/en/...sponse/whitepapers/the_downadup_codex_ed1.pdf
Summary: Since its emergence in November 2008, we have published 14 blog entries covering the various aspects of the threat—by far the most entries covering a single topic since we started this blog in 2006. With entire entries dedicated to topics from cryptographic protection to Universal Plug and Play, these entries cover the threat quite well. But 14 entries in-and-of-themselves is a lot of material to dig through in blog format.
To address this issue, we have compiled the entries into one location—what we’re calling The Downadup Codex. We’ve even included a new, as-yet unpublished article discussing the threat’s AutoPlay propagation techniques. The paper as a whole is organized in such a way as to provide a historical context to the threat’s emergence, spread, and current state.
Additional Blog Entries released after Codex
Downadup-Related Search Indexes Poisoned with Fake AV Sites
https://forums2.symantec.com/t5/Mal...dexes-Poisoned-with-Fake-AV-Sites/ba-p/393353
Downadup Motivations
https://forums2.symantec.com/t5/Malicious-Code/Downadup-Motivations/ba-p/393335
W32.Downadup.C Bolsters P2P
https://forums2.symantec.com/t5/Malicious-Code/W32-Downadup-C-Bolsters-P2P/ba-p/393331
________________________________________
3-30-09
Mar-25
Yesterday CNN published an article regarding this threat, and we have fielded quite a few questions regarding the renewed interest that this has generated.
Key points:
• Symantec has had detection since March 6th, and has improved detection several times since then.
• Symantec Security Response has seen very low numbers of submissions and infections in the wild.
• Symantec is part of several groups watching this and other threats that might have a global presence.
• At this time there is no evidence to show that this threat poses any major threat to Symantec customers on April 1st.
Additional reading:
Downadup.C Threat Write-Up
http://www.symantec.com/security_response/writeup.jsp?docid=2009-030614-5852-99
W32.Downadup.C Digs in Deeper
https://forums2.symantec.com/t5/blogs/blogarticlepage/blog-id/malicious_code/article-id/249
A New Downadup Variant?
https://forums2.symantec.com/t5/Malicious-Code/A-New-Downadup-Variant/ba-p/391186
CNN - No joke in April Fool's Day computer worm
http://www.cnn.com/2009/TECH/03/24/conficker.computer.worm/index.html