Defend what you create

Other Resources

Close

Library
My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets

Profile

Back to news

Shadow botnet switches to new operation mode on April 1

March 31, 2009

A new modification of Win32.HLLW.Shadow.based (also known as Kido/Conficker) has been discovered by virus analysts of Doctor Web. The worm ensures operation of the Shadow botnet that is expected to switch to another operation mode on April 1, 2009.

On April 1 2009 malicious software on all computers compromised by Win32.HLLW.Shadow.based will be updated. The worm will generate 50 000 domain names every twenty four hours and use 500 domains from the list to receive instructions regarding its operation. The updating process will be controlled to prevent a significant increase in computing load of hosting servers and make sure that the malicious activities will remain undetected.

There are several ways in which Win32.HLLW.Shadow.based spreads. Typically it gets into a system from a data storage device or from a network drive. The worm also uses the SMB protocol of Windows networks and performs brute force dictionary attacks to access target machines remotely. Besides, it takes advantage of the Windows vulnerability resolved by an update described in the Microsoft Security Bulletin MS08-067.

Doctor Web applies to irresponsible users who don’t care if their machines have been compromised. Inaction causes almost as much damage as Win32.HLLW.Shadow.based itself for your computers become zombies in the botnet that help spread the worm and make the botnet larger.

Users of other anti-viruses are recommended to do the following:

  1. Immediately install all security updates as Win32.HLLW.Shadow.based uses known Windows vulnerabilities.
  2. Update virus databases.
  3. If your anti-virus doesn’t detect the worm or can’t cure the system of the malicious program use the latest version of Dr.Web CureIt! to perform the full scan of your system.

Users of Dr.Web anti-viruses are protected from all modifications of Win32.HLLW.Shadow.based.

Tell us what you think

You will be awarded one Dr.Webling per comment. To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.


Other comments

The Russian developer of Dr.Web anti-viruses

Doctor Web has been developing anti-virus software since 1992

Dr.Web is trusted by users around the world in 200+ countries

The company has delivered an anti-virus as a service since 2007

24/7 tech support

© Doctor Web
2003 — 2019

Doctor Web is the Russian developer of Dr.Web anti-virus software. Dr.Web anti-virus software has been developed since 1992.

2-12А, 3rd street Yamskogo polya, Moscow, Russia, 125040