April 11, 2009 5:25 pm GMT

Help, I can not access antivirus sites!

by Gary Illyes


Are you unable to access any antivirus website? Does Windows fail to update your operating system? Is there weird communication on your public or private network?

A worm - small, weird but dangerous

If one or all of the above symptoms apply to you, we have bad news: you have a malicious process running on your computer, likely the infamous Downadup worm, also known as Conficker and Kido.

How did you get infected? We don’t know for sure, since there are hundreds of methods, but it is likely one of the following, as these are the most widespread:

  1. You followed a link in an e-mail to a website where you authorized a download, or you viewed an e-mail attachment which contained malicious code
  2. You got a link from one of your contacts in a messenger application; since it came from one of your contacts, you clicked the link and arrived on a website which managed to install a malicious application on your PC
  3. You downloaded and ran a file from a p2p network, which you believed was something else
  4. You gave your USB stick to a friend whose computer was infected
  5. Someone on your network did one of the above

What will Downadup do? It opens your computer to the creators of the worm so they can install rogue apps on your PC. What these apps will do on your computer, however, we have no idea. They can do anything: creating a botnet, collecting personal data, sending spam, spying on you, really anything.

Since you cannot access any antivirus software provider, disinfecting can be very tricky: the worm blocks the domains which host the antivirus applications.
The simplest solution we found is a service offered by BitDefender Romania, called BDTools.net or DisinfectTools. This service is free; it does not offer total virus protection, but rather a very simple and very effective method to remove Downadup from your computer.

The above website offers some basic knowledge about the worm and an executable, which is in fact a plugin for Firefox or an ActiveX plugin for Internet Explorer.
This plugin runs locally on your PC, without the need to involve more PCs in your disinfecting process, as Symantec’s Downadup removal tool requires.
In less than a minute, the plugin scans your running processes and generates a report. If the worm is found, right-clicking the specific line of the report will let you delete it.
That simple.

Real protection against the worm doesn’t really exist. The reason is fairly simple: the worm comes packed and encrypted and may easily fool anti-virus programs. The only timeframe in which anti-virus programs may be able to block it is while the worm installs itself. After installation, the system cannot be disinfected except with the above-mentioned service and some other anti-virus vendors’ tools.

What you can do to avoid becoming infected:

  1. Be very cautious when following any link and, if possible, make use of the Google Toolbar or Google Chrome, which are able to detect whether a website was reported for hosting malicious code
  2. If downloading from p2p networks, have an antivirus with the latest virus definitions and update your Windows with the latest patches
  3. Turn off Windows’ “Autoplay” feature, because the worm makes use of the autorun.inf files placed on removable drives like a memory stick
  4. Choose a complicated password and change it often, if possible bi-weekly
  5. If you’re a network admin, keep the server up to date with security patches and ensure high-level anti-virus protection on the terminals
  6. Monitor the traffic on your network. If the level of traffic has no apparent reason, it might be a sign of malicious software
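To go with item 3, here is an added example (not part of the original article and not BitDefender's tool) that audits a removable drive's autorun.inf and lists the commands it would launch. The sample file contents and the name `tool.exe` are constructed for illustration.

```python
import os
import tempfile

# autorun.inf keys that make Windows start a program from the drive.
LAUNCH_KEYS = ("open", "shellexecute")

def parse_autorun(raw: bytes) -> list[tuple[str, str]]:
    """Return (key, command) pairs that would start a program."""
    findings = []
    # latin-1 decodes any byte, so junk padding cannot abort the parse.
    for line in raw.decode("latin-1").splitlines():
        line = line.strip()
        if not line or line.startswith(";") or "=" not in line:
            continue  # blank line, comment, section header or junk
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        # shell\<verb>\command adds a right-click entry that runs a program.
        is_verb = key.startswith("shell\\") and key.endswith("\\command")
        # Section headers are ignored on purpose: a launch key anywhere
        # in the file is worth reporting.
        if value and (key in LAUNCH_KEYS or is_verb):
            findings.append((key, value))
    return findings

def audit_drive(root: str) -> list[tuple[str, str]]:
    """Inspect <root>/autorun.inf (any letter case); [] means nothing launches."""
    for name in os.listdir(root):
        path = os.path.join(root, name)
        if name.lower() == "autorun.inf" and os.path.isfile(path):
            with open(path, "rb") as fh:
                return parse_autorun(fh.read())
    return []

# Constructed sample: junk bytes, a comment, harmless keys, two launch entries.
SAMPLE = (b"\x8f\x02garbage\r\n[AutoRun]\r\n; comment\r\n"
          b"Action=Open folder to view files\r\n"
          b"  ShellExecute = tool.exe /start \r\n"
          b"shell\\open\\command=tool.exe\r\n"
          b"icon=folder.ico\r\n")

def demo() -> list[tuple[str, str]]:
    # A temporary directory stands in for the root of a USB stick.
    with tempfile.TemporaryDirectory() as drive:
        with open(os.path.join(drive, "AUTORUN.INF"), "wb") as fh:
            fh.write(SAMPLE)
        return audit_drive(drive)

if __name__ == "__main__":
    for key, command in demo():
        print(f"{key}: {command}")
```

Point `audit_drive` at a mounted drive's root (for example `E:\`) before opening the drive in Explorer; any reported entry deserves a look at the file it names.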


Comments

4 Comments on " Help, I can not access antivirus sites! "

  1. Maria on Wed, 15th Apr 2009 9:46 am  

    WOW, thanks for this great tool, I love it. Thanks to BitDefender my PC is now clean, I also downloaded the security suite from them.

  2. noodle on Thu, 7th May 2009 2:24 am  

    Thank you thank you SO MUCH. This is very useful!

  3. fand4me on Mon, 25th May 2009 2:10 am  

    I have Cyberdefender. I really like the interface, scan times and that it found what I knew was on the system, including several programs/viruses/trojans that some of the others (PC Tools, SuperAntiVirus and Norton) missed. I used it as a free scanner, but the free version does remove spyware and trojans, but you got to upgrade for viruses. Eventually one came along, it caught it, and so I bought the upgrade. Ran Cyberdefender after the upgrade, and the virus was gone (it got into my rootkit and also got the Vundo virus which it took care of). I also like that the upgrade I got came with 24/7 computer help.

  4. Pufio on Thu, 5th Nov 2009 11:22 am  

    Thanks. It was perfect. I tried many programs but only this made the effect.
    Now I’m using Bitdefender Internet Security 2010.
    This is a very good program.
    Thanks again.
