Unfortunately, if your system was patched successfully, no worm could have used the Windows vulnerability associated with the wuampdr.exe exploit. If you think you were updating, maybe you did not reboot and got infected before you last turned it off.
Good antivirus may have caught it, but if you reinstalled Windows, or did not get the patch, or some such thing, it let you get infected. Bottom line, the only way to get that infection is to NOT be patched --

Malware type: Worm
Aliases: Malware.h, W32.Spybot.Worm
In the wild: Yes
Destructive: No
Language: English
Platform: Windows 2000, XP
Encrypted: No

Overall risk rating: Low
Reported infections: Low
Damage potential: High
Distribution potential: High

Description:
Upon execution, this memory-resident worm drops a copy of itself as the file WUAMPDR.EXE in the Windows system folder.
This worm takes advantage of the Windows LSASS vulnerability to propagate. The said vulnerability is discussed in detail in the following page:
This worm also has backdoor capabilities. Using a random port, it acts as an Internet Relay Chat (IRC) bot that connects to a remote IRC server and joins a specific IRC channel, where it listens for certain commands coming from a remote malicious user.
It also attempts to steal CD keys of certain popular games, as well as the Windows product registration key. It also launches a denial of service (DoS) attack using several flooding methods.