W32.Downuk Worm Infection – How to Remove from Windows

W32.Downuk Worm Infection – How to Remove from Windows

This article has been created in order to explain what is the W32.Downuk worm, what does it do, how did you get it and how to remove it effectively from your computer.

A new worm has been detected to massively infect computers of victims and spread via compromised executable files that are legitimate. The worm infects executable files and it also infects files within external memory carriers. The main goal of the W32.Downuk worm is to replace bitcoin addresses with ones you have copied and make it so that if you transfer any BitCoins, they can go to the wallet of the cyber-criminals – a rather expensive forced mistake. If you see any detections or randomly created files on your computer, plus changed BitCoin addresses on your clipboard, we advise you to read the following article and learn how to remove the W32.Downuk worm completely from your computer.

Threat Summary

TypeWorm Infection
Short DescriptionAims to steal information from your computer and redirect any BitCoins you may send to the wallet of the hacker, behind it.
SymptomsWhen you copy a targeted BitCoin wallet to send funds to it, the address of the wallet you paste is different from the one you may have copied.
Distribution MethodVia infected flash drives, via malicious objects posted online.
Detection Tool See If Your System Has Been Affected by W32.Downuk


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss W32.Downuk.

W32.Downuk – Infection Method

The W32.Downuk worm may be spread in a lot of ways. The main method which the worm uses is similar to what most worms use to replicate – self-replication via infecting legitimate executable files. This method has been reported by Symantec researchers to be used by the Downuk worm as the infection scans for removable drives (flash drives, memory cards and others) and infects the legitimate or newly created .exe files by injecting malicious code in them.

When the victim executes the malicious executable file, the W32.Downuk worm drops an executable type of file, whose primary purpose is to infect the system it’s ran on by starting automatically as soon as it’s drop. And this cycle of activities helps the W32.Downuk worm to automatically spread from a computer to a computer. The malicious file is often randomly named and it’s dropped in the following directory:

→ %AppData%\Local\Temp\{random A-Z, a-z, 0-9 name}.exe

W32.Downuk Worm – Activity

Once an infection is done, the W32.Downuk worm executes it’s malicious file with a random name. The execution of the file, results in a randomly named folder being created on the victim’s computer. It has the following location:

→ %AppData%\Roaming\{Random name}

Beside creating the folder, the virus also creates the following malicious files in the compromised computer system:

→ %AppData%\Local\Temp\{random A-Z, 0-9}.exe
%AppData%\Roaming\Jqgimq\{random A-Z, 0-9}.exe
%AppData%\Roaming\Jqgimq\{random A-Z, 0-9}.exe
%AppData%\Roaming\Jqgimq\{random A-Z, 0-9}

Each of the randomly named malicious files is responsible for different activities that are performed, likely as a defensive techniques of the virus and obfuscation of the files from antivirus programs.

In addition to this, the virus executes malicious process to set one of the randomly named files to run automatically on Windows boot. This happens by targeting the following Windows registry sub key and adding a registry value string with the following data In it:

→ HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\”P1UlCXoNlNJ” = “%AppData%\Roaming\Jqgimq\{random A-Z, 0-9, a-z}.exe”

In addition to this, the W32.Downuk worm also creates the following Windows registry sub key and entry:

→ HKEY_CURRENT_USER\Software\{random}\”[DEFAULT]” = “{random}”

One of the purposes of the worm after it has done those activities is to wait for you to connect a removable drive and infect it to spread further.

The primary purpose of the infection, however is to scan your clipboard for any BitCoin addresses you may have copied and replace them with the following malicious BitCoin address:

→ 1BQZKqdp2CV3QV5nUEsqSg1ygegLmqRygj

Remove W32.Downuk Worm from Windows

The removal of this worm can be conducted by either following the manual or the automatic removal instructions below. If you lack experience in performing malware removal, be advised that experts recommend to use an advanced anti-malware program. Such program will not only help you remove the W32.Downuk worm from your computer, but will also detect and remove other malware in the process, if present and ensure that you have future protection against any intrusive programs and threats.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Follow Me:

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share