W32/Conficker.worm.gen.a

This page shows details and results of our analysis on the malware W32/Conficker.worm.gen.a

Overview

This detection is for a worm that exploits the MS08-067 vulnerability as its main vehicle of infection. It also uses other common spreading techniques, as described in the Method of Infection section, and downloads and executes various files onto the affected system.

Aliases

  • Worm:Win32/Conficker.A (Microsoft)
  • Crypt.AVL (AVG)
  • Mal/Conficker-A (Sophos)
  • Trojan.Win32.Pakes.lxf (F-Secure)
  • Trojan.Win32.Pakes.lxf (Kaspersky)
  • W32.Downadup (Symantec)
  • Worm:Win32/Conficker.B (Microsoft)
  • WORM_DOWNAD.A (Trend Micro)


Minimum DAT

6875 (2012-10-24)

Updated DAT

6965 (2013-01-24)

Minimum Engine

5400.1158

File Length

varies

Description Added

2009-01-06

Description Modified

2013-01-25

Characteristics

-------Updated on Jan 25, 2013 -----------------

Aliases –

  • Microsoft - Worm:Win32/Conficker.B
  • Symantec - W32.Downadup.B
  • NOD32 - Win32/Conficker.AA worm (variant)
  • Norman - W32/Conficker.CN
  • Kaspersky - Net-Worm.Win32.Kido.ih


Characteristics –

 "W32/Conficker.worm.gen.a" is a worm that spreads across a network by exploiting a vulnerability in the Windows Server service (Microsoft Security Bulletin MS08-067). A successful exploit allows remote code execution when file sharing is enabled. The worm may also spread via removable drives and by guessing weak administrator passwords.

 W32/Conficker.worm.gen.a targets the Microsoft Windows operating system. It uses the flaw above together with dictionary attacks on administrator passwords to propagate, forming a botnet, and has been unusually difficult to counter because it runs as a DLL inside a Windows service host process rather than as a stand-alone executable.

 W32/Conficker.worm.gen.a runs an HTTP server on a port between 1024 and 10000. The shellcode delivered to an exploited target connects back to this HTTP server and downloads a copy of the worm in DLL form, which is then loaded into services.exe. The worm also copies itself through the ADMIN$ share to computers visible over NetBIOS and executes the copy remotely.

W32/Conficker.worm.gen.a disables system security services to avoid detection and also tries to flood the network.

Upon execution, the worm tries to connect to the following URLs/IP addresses over remote ports 53, 137 and HTTP:

  • 8.26.[Removed].26
  • checkip.d[Removed]dns.org
  • 91.198.[Removed].70
  • 216.146.[Removed].70
  • 239.255.[Removed].250
  • 92.242.[Removed].50
  • 17.30.[Removed].192
  • 18.30.[Removed].192
  • 19.30.[Removed].192
  • ...
  • 53.30.[Removed].192
  • 54.30.[Removed].192
  • 55.30.[Removed].192
  • 56.30.[Removed].192

The following are the files dropped by the worm:

  • %WINDIR%\system32\cfqhorbf.dll
  • [Removable drive]:\RECYCLER\S-5-3-[Varies]\jwgkvsq.vmx
  • [Removable drive]:\autorun.inf

This worm also attempts to create an autorun.inf file in the root of any accessible disk volume.

The autorun.inf points to the worm binary. When the removable or network drive is accessed from a machine with the AutoRun feature enabled, the worm is launched automatically.

The autorun.inf is configured to launch the worm via the following command syntax. The file is deliberately obfuscated: the directives are written with random letter case and spacing, and they are interleaved with comment lines (beginning with ";") stuffed with random binary bytes, which the INF parser ignores but which defeat simple signature matching. Stripped of that padding, the effective directives are:

    AcTION = Open folder to view files
    icon = %syStEmrOot%\sySTEM32\sHELL32.Dll,4
    shelLExECUte = RuNdLl32.EXE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn
    useAuTopLAY = 1
    blGkNaAOAStfJarztHQsDTE = X

The "Open folder to view files" action text and the folder icon borrowed from shell32.dll make the worm's AutoPlay entry look like the ordinary "open folder" choice; a user who selects it runs rundll32.exe on the worm DLL jwgkvsq.vmx with the entry point ahaezedrn. The last line is a junk key with no effect.

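The following is an added example (not code from the original analysis) that recovers the effective directives from an autorun.inf obfuscated in the way shown above and maps them to the AutoPlay tricks the worm relies on. The sample file is constructed to mimic the excerpt: the [autorun] section header is assumed, since the excerpt does not show it, while the RECYCLER path, DLL name and rundll32 entry point are taken from the page.

```python
"""
Recover the effective directives from an obfuscated autorun.inf and flag the
AutoPlay-abuse indicators seen in the worm's file.  Added illustration code;
it is not part of the original analysis.
"""
import re

# Constructed sample modelled on the excerpt above: ';' comment lines padded
# with binary junk, random letter case and spacing around the real directives.
# The [autorun] section header is assumed (the excerpt does not show it); the
# RECYCLER path, DLL name and rundll32 entry point are taken from the page.
SAMPLE_AUTORUN = (
    b";  \xc5A\xaf\x98\xf6l\xdc\x8aq\xa6\x85t\xceKVW\x9c\xfd\xb8\xa4\xac\r\n"
    b"[AuToRuN]\r\n"
    b";\xadPr\xd7So\xe0DWWCfDnhTvVQya\xe3\xbe\r\n"
    b"        AcTION       =     Open folder to view files          \r\n"
    b"icon   =     %syStEmrOot%\\sySTEM32\\sHELL32.Dll         ,4\r\n"
    b";     \xabG\xe1\xca     \r\n"
    b"shelLExECUte     =RuNdLl32.EXE      .\\RECYCLER\\S-5-3-42-2819952290-"
    b"8240758988-879315005-3665\\jwgkvsq.vmx,ahaezedrn ;   \r\n"
    b"\r\n"
    b"                       useAuTopLAY      =        1  \r\n"
    b";      Cn\x88\xba\xb4\xf0\xf4\xe3\x83ke\xb4j\xf7gW\r\n"
    b"blGkNaAOAStfJarztHQsDTE     =     X\r\n"
)

RUNDLL_RE = re.compile(r"^rundll32(?:\.exe)?\s+(\S+?),(\S+)", re.I)


def parse_autorun(raw: bytes) -> dict:
    """Return {lowercased key: value} from the [autorun] section.

    Lines are split at the byte level on 0x0A: the junk the worm stuffs into
    comment lines can contain bytes (0x85, 0x0B, 0x1C..0x1E) that
    str.splitlines() would treat as line breaks, which could turn a piece of
    junk into a fake directive.
    """
    directives = {}
    in_autorun = False
    for raw_line in raw.split(b"\n"):
        line = raw_line.decode("latin-1").strip()
        if not line or line.startswith(";"):
            continue                                    # padding / comment
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.split(";", 1)[0]                  # drop a trailing comment
        directives[key.strip().lower()] = " ".join(value.split())
    return directives


def autorun_indicators(d: dict) -> list:
    """Map parsed directives to the tricks the worm's file relies on."""
    findings = []
    cmd = d.get("shellexecute") or d.get("open", "")
    m = RUNDLL_RE.match(cmd)
    if m:
        dll, entry = m.groups()
        findings.append(f"launches rundll32 on {dll} with entry point {entry}")
        if not dll.lower().endswith(".dll"):
            findings.append("payload carries a non-DLL extension to evade naive filters")
        if re.search(r"\\recycler\\s-\d+-\d+-\d+", dll, re.I):
            findings.append("payload hidden in a SID-named folder under RECYCLER")
    if d.get("action", "").lower().startswith("open folder"):
        findings.append('action text mimics the built-in "Open folder to view files" entry')
    if re.search(r"shell32\.dll\s*,\s*4$", d.get("icon", ""), re.I):
        findings.append("icon borrows the stock folder icon from shell32.dll")
    if d.get("useautoplay") == "1":
        findings.append("useautoplay=1 requests the AutoPlay prompt")
    return findings


if __name__ == "__main__":
    parsed = parse_autorun(SAMPLE_AUTORUN)
    for k, v in parsed.items():
        print(f"{k} = {v}")
    for f in autorun_indicators(parsed):
        print("-", f)
```

Parsing at the byte level matters: a naive `str.splitlines()` over the decoded junk would split comment lines at control bytes and could expose a fake "key=value" fragment. Note that Windows' February 2011 AutoRun update (KB971029) stopped honouring autorun.inf on USB media, which neutralised this vector on patched systems; the file is still a reliable artefact of an infected drive.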

The following registry keys are added to the system:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\oplozkyk
The following registry values have been added to the system
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\2105:TCP: "2105:TCP:*:Enabled:hjbbfaok"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\6962:TCP: "6962:TCP:*:Enabled:imnlzhz"


These entries create Windows Firewall exceptions for TCP ports 2105 and 6962, so that inbound connections to the ports the worm listens on are not blocked by the host firewall. The rule names (hjbbfaok, imnlzhz) and the service name oplozkyk are random.

The following registry values are modified (the value before the change is listed first, then the value after):


  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue: 0x00000001
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue: 0x00000000
  • HKEY_USERS\S-1-5-21-[Varies]\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden: 0x00000001
  • HKEY_USERS\S-1-5-21-[Varies]\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden: 0x00000002

CheckedValue changes from 1 to 0 and the per-user Hidden setting from 1 to 2, so Windows Explorer no longer displays hidden files and folders, keeping the worm's dropped files out of the user's view.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\netsvcs: '6to4 AppMgmt AudioSrv Browser CryptSvc DMServer DHCP ERSvc EventSystem FastUserSwitchingCompatibility HidServ Ias Iprip Irmon LanmanServer LanmanWorkstation Messenger Netman Nla Ntmssvc NWCWorkstation Nwsapagent Rasauto Rasman Remoteaccess Schedule Seclogon SENS Sharedaccess SRService Tapisrv Themes TrkWks W32Time WZCSVC Wmi WmdmPmSp winmgmt wscsvc xmlprov BITS wuauserv ShellHWDetection helpsvc WmdmPmSN'
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\netsvcs: '6to4 AppMgmt AudioSrv Browser CryptSvc DMServer DHCP ERSvc EventSystem FastUserSwitchingCompatibility HidServ Ias Iprip Irmon LanmanServer LanmanWorkstation Messenger Netman Nla Ntmssvc NWCWorkstation Nwsapagent Rasauto Rasman Remoteaccess Schedule Seclogon SENS Sharedaccess SRService Tapisrv Themes TrkWks W32Time WZCSVC Wmi WmdmPmSp winmgmt wscsvc xmlprov BITS wuauserv ShellHWDetection helpsvc WmdmPmSN oplozkyk'
  • HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices\\DosDevices\G:: 5C 00 3F 00 3F 00 5C 00 53 00 54 00 4F 00 52 00 41 00 47 00 45 00 23 00 52 00 65 00 6D 00 6F 00 76 00 61 00 62 00 6C 00 65 00 4D 00 65 00 64 00 69 00 61 00 23 00 37 00 26 00 32 00 37 00 37 00 33 00 34 00 36 00 35 00 61 00 26 00 30 00 26 00 52 00 4D 00 23 00 7B 00 35 00 33 00 66 00 35 00 36 00 33 00 30 00 64 00 2D 00 62 00 36 00 62 00 66 00 2D 00 31 00 31 00 64 00 30 00 2D 00 39 00 34 00 66 00 32 00 2D 00 30 00 30 00 61 00 30 00 63 00 39 00 31 00 65 00 66 00 62 00 38 00 62 00 7D 00
  • HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices\\DosDevices\G:: 5C 00 3F 00 3F 00 5C 00 53 00 54 00 4F 00 52 00 41 00 47 00 45 00 23 00 52 00 65 00 6D 00 6F 00 76 00 61 00 62 00 6C 00 65 00 4D 00 65 00 64 00 69 00 61 00 23 00 37 00 26 00 31 00 31 00 63 00 66 00 34 00 38 00 66 00 66 00 26 00 30 00 26 00 52 00 4D 00 23 00 7B 00 35 00 33 00 66 00 35 00 36 00 33 00 30 00 64 00 2D 00 62 00 36 00 62 00 66 00 2D 00 31 00 31 00 64 00 30 00 2D 00 39 00 34 00 66 00 32 00 2D 00 30 00 30 00 61 00 30 00 63 00 39 00 31 00 65 00 66 00 62 00 38 00 62 00 7D 00
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Start: 0x00000003
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Start: 0x00000004
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ERSvc\Start: 0x00000002
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ERSvc\Start: 0x00000004
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch\Epoch: 0x0000004F
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch\Epoch: 0x00000051
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr\Parameters\FirstRun: 0x00000000
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr\Parameters\FirstRun: 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Start: 0x00000002
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Start: 0x00000004
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Start: 0x00000002
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Start: 0x00000004


The netsvcs group gains the random service name oplozkyk, so the worm DLL is loaded by the svchost.exe instance started with "-k netsvcs" (see the ImagePath value described later on this page). The MountedDevices entries record the removable drive inserted during analysis and are not worm-specific. The Start values of wscsvc, wuauserv, ERSvc and BITS change from 2 (automatic) or 3 (manual) to 4 (disabled): the worm disables Security Center, Automatic Updates, Error Reporting Service and Background Intelligent Transfer Service. The SharedAccess Epoch counter changes because the firewall policy was modified.

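As an added example (editor-written, not part of the original analysis), the rules below triage a list of registry observations for the markers described above: random-named firewall exceptions, security services set to Start=4, the Explorer hidden-file settings, and an unknown service appended to the svchost netsvcs group. The observations are reconstructed from this page; the ServiceDll path for oplozkyk is assumed from the dropped-file name cfqhorbf.dll, the WinDefend service name is assumed, and the 3389 and Dhcp entries are benign controls.

```python
"""
Rule-based triage of registry observations for the persistence and
defence-evasion markers described above.  Added illustration code, not from
the original analysis; the observations are reconstructed from the page.
"""
import re

# netsvcs group before the worm appended its own service name (from the page)
BASELINE_NETSVCS = set(
    "6to4 AppMgmt AudioSrv Browser CryptSvc DMServer DHCP ERSvc EventSystem "
    "FastUserSwitchingCompatibility HidServ Ias Iprip Irmon LanmanServer "
    "LanmanWorkstation Messenger Netman Nla Ntmssvc NWCWorkstation Nwsapagent "
    "Rasauto Rasman Remoteaccess Schedule Seclogon SENS Sharedaccess SRService "
    "Tapisrv Themes TrkWks W32Time WZCSVC Wmi WmdmPmSp winmgmt wscsvc xmlprov "
    "BITS wuauserv ShellHWDetection helpsvc WmdmPmSN".split()
)

# services the worm disables (Start=4); the WinDefend entry is an assumption
SECURITY_SERVICES = {
    "wscsvc": "Security Center",
    "wuauserv": "Automatic Updates",
    "ersvc": "Error Reporting Service",
    "bits": "Background Intelligent Transfer Service",
    "windefend": "Windows Defender",
}

HKLM_SVC = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
FW_LIST = HKLM_SVC + r"\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List"

# Constructed (path, value) observations as they look after infection.  The
# ServiceDll path is assumed from the page's dropped-file name; the 3389 and
# Dhcp entries are benign controls that the rules must not flag.
OBSERVATIONS = [
    (FW_LIST + r"\2105:TCP", "2105:TCP:*:Enabled:hjbbfaok"),
    (FW_LIST + r"\6962:TCP", "6962:TCP:*:Enabled:imnlzhz"),
    (FW_LIST + r"\3389:TCP", "3389:TCP:*:Enabled:@xpsp2res.dll,-22009"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\netsvcs",
     " ".join(sorted(BASELINE_NETSVCS)) + " oplozkyk"),
    (HKLM_SVC + r"\oplozkyk\Parameters\ServiceDll", r"%SystemRoot%\system32\cfqhorbf.dll"),
    (HKLM_SVC + r"\wscsvc\Start", 4),
    (HKLM_SVC + r"\wuauserv\Start", 4),
    (HKLM_SVC + r"\BITS\Start", 4),
    (HKLM_SVC + r"\ERSvc\Start", 4),
    (HKLM_SVC + r"\Dhcp\Start", 2),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue", 0),
    (r"HKEY_USERS\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden", 2),
]

FW_RE = re.compile(r"\\GloballyOpenPorts\\List\\(\d+):(TCP|UDP)$", re.I)
START_RE = re.compile(r"\\Services\\([^\\]+)\\Start$", re.I)
DLL_RE = re.compile(r"\\Services\\([^\\]+)\\Parameters\\ServiceDll$", re.I)


def triage(observations):
    """Return human-readable findings for the worm's registry footprint."""
    findings, extra_netsvcs, service_dlls = [], set(), {}
    for path, value in observations:
        low = path.lower()
        if (m := FW_RE.search(path)):
            # built-in exceptions carry resource-string names ("@xpsp2res.dll,-22009");
            # the worm names its rules with random lowercase letters
            name = str(value).rsplit(":", 1)[-1]
            if not name.startswith("@"):
                findings.append(f"firewall exception {m.group(1)}/{m.group(2).upper()} named '{name}'")
        elif (m := START_RE.search(path)):
            svc = m.group(1).lower()
            if svc in SECURITY_SERVICES and value == 4:
                findings.append(f"{SECURITY_SERVICES[svc]} ({m.group(1)}) Start=4 (disabled)")
        elif (m := DLL_RE.search(path)):
            service_dlls[m.group(1).lower()] = value
        elif low.endswith(r"\svchost\netsvcs"):
            extra_netsvcs = set(str(value).split()) - BASELINE_NETSVCS
        elif low.endswith(r"\hidden\showall\checkedvalue") and value == 0:
            findings.append("Explorer 'show hidden files' option forced off (SHOWALL CheckedValue=0)")
        elif low.endswith(r"\explorer\advanced\hidden") and value == 2:
            findings.append("per-user Explorer Hidden=2: hidden files not shown")
    for svc in sorted(extra_netsvcs):
        dll = service_dlls.get(svc.lower(), "<ServiceDll not observed>")
        findings.append(f"unknown service '{svc}' appended to svchost netsvcs group, ServiceDll={dll}")
    return findings


if __name__ == "__main__":
    for line in triage(OBSERVATIONS):
        print("-", line)
```

The netsvcs rule is the most durable of the four: a service that svchost loads from a DLL with no vendor signature, referenced only through a freshly appended group entry, is the persistence pattern regardless of the random name chosen. The firewall rule check relies on the rule name not being a resource string; the October 2011 sample on this page used the name "WWW", so do not narrow it to "random-looking" names.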

--Updated on December 29, 2011---

Aliases –

    • Kaspersky - Net-Worm.Win32.Kido.ih
    • Microsoft - Worm:Win32/Conficker.C
    • NOD32 - Win32/Conficker.AA
    • Sophos - Mal/Conficker-A

Upon execution, the worm first queries the following websites to obtain the public IP address of the infected machine:

    • whatismyip.org through remote port 80
    • checkip.dyndns.org through remote port 80

It multicasts the following SSDP (UPnP discovery) M-SEARCH message on the network:

M-SEARCH * HTTP/1.1
HOST: 239.255.255.250:1900
ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1
MAN: "ssdp:discover"
MX: 3

Any device on the local network (router, modem, etc.) with UPnP enabled that offers the urn:schemas-upnp-org:device:InternetGatewayDevice:1 service will answer this search with a unicast reply.

The worm performs further malicious activities based on the response to the above request.

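The exchange above, as an added example that is not part of the original analysis: the request is serialised exactly as quoted, and the replies a gateway and a non-gateway device would send are constructed samples (the addresses, LOCATION URLs and USN values are invented). The live `discover()` function is included for completeness and is not exercised offline.

```python
"""
Build the SSDP M-SEARCH the worm sends and parse the replies it would receive.
Added illustration code, not from the original analysis.  The replies below
are constructed samples; the request is the one quoted above.
"""
import socket

SSDP_GROUP, SSDP_PORT = "239.255.255.250", 1900
IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"


def build_msearch(st=IGD_ST, mx=3):
    """Serialise the M-SEARCH datagram; CRLF line ends and the empty line are mandatory."""
    lines = [
        "M-SEARCH * HTTP/1.1",
        f"HOST: {SSDP_GROUP}:{SSDP_PORT}",
        f"ST: {st}",
        'MAN: "ssdp:discover"',
        f"MX: {mx}",
    ]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_ssdp_reply(datagram):
    """Return the header dict of a unicast 'HTTP/1.1 200 OK' reply, else None."""
    head = datagram.decode("utf-8", errors="replace").split("\r\n\r\n", 1)[0]
    status, *lines = head.split("\r\n")
    if not status.upper().startswith("HTTP/1.1 200"):
        return None                       # NOTIFY announcements, garbage, etc.
    headers = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return headers


def igd_locations(replies):
    """LOCATION URLs of replies that actually advertise the IGD device type."""
    found = []
    for reply in replies:
        h = parse_ssdp_reply(reply)
        if h and h.get("ST") == IGD_ST and "LOCATION" in h:
            found.append(h["LOCATION"])
    return found


def discover(timeout=3.0):
    """Live search: multicast the request and collect replies until timeout."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.settimeout(timeout)
    sock.sendto(build_msearch(), (SSDP_GROUP, SSDP_PORT))
    replies = []
    try:
        while True:
            data, _ = sock.recvfrom(65535)
            replies.append(data)
    except socket.timeout:
        pass
    finally:
        sock.close()
    return replies


# Constructed replies: a gateway, a media device, and an unsolicited NOTIFY.
SAMPLE_REPLIES = [
    (b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\nEXT:\r\n"
     b"LOCATION: http://192.168.1.1:1900/igd.xml\r\n"
     b"SERVER: Linux/2.6 UPnP/1.0 Router/1.0\r\n"
     b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
     b"USN: uuid:00000000-0000-0000-0000-000000000001::"
     b"urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n\r\n"),
    (b"HTTP/1.1 200 OK\r\nLOCATION: http://192.168.1.50:8080/desc.xml\r\n"
     b"ST: urn:schemas-upnp-org:device:MediaRenderer:1\r\n\r\n"),
    b"NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n\r\n",
]

if __name__ == "__main__":
    print(build_msearch().decode())
    print(igd_locations(SAMPLE_REPLIES))
```

On a corporate LAN an M-SEARCH for the InternetGatewayDevice type from an ordinary workstation is rare, so the request itself is a usable network detection signature; the LOCATION URL in the reply is where a client would fetch the gateway's service description before talking to it.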
The following services are disabled or fail to run:

    • Windows Update Service
    • Background Intelligent Transfer Service
    • Windows Defender
    • Windows Error Reporting Services

It also blocks network traffic from any process whose module name contains any of the following strings:

virus
spyware
malware
rootkit
defender
microsoft
symantec
norton
mcafee
trendmicro
sophos
panda
etrust
networkassociates
computerassociates

The following registry keys have been added

    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List

The following registry values have been added

    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\3789:TCP: "3789:TCP:*:Enabled:npqdl"
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\3789:TCP: "3789:TCP:*:Enabled:npqdl"

-------

--Updated on November 2, 2011---

Aliases

  • Kaspersky - Net-Worm.Win32.Kido.ih
  • Microsoft - Worm:Win32/Conficker.B
  • NOD32 - a variant of Win32/Conficker.X
  • Symantec - W32.Downadup.B

The following value has been modified.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
    CheckedValue = 0

This registry change prevents the user from viewing hidden files and folders on the compromised system.

Besides the exploit, the worm attempts to log on to the Administrator account on remote machines. It uses the following passwords to brute-force the account:

    99999999
    9999999
    999999
    99999
    88888888
    8888888
    888888
    88888
    77777777
    7777777
    777777
    77777
    66666666
    6666666
    666666
    66666
    55555555
    5555555
    555555
    55555
    44444444
    4444444
    444444
    44444
    33333333
    3333333
    333333
    33333
    22222222
    2222222
    222222
    22222
    11111111
    1111111
    111111
    11111
    0
    0
    0
    987654321
    987654321
    87654321
    7654321
    654321
    54321
    zzzzz
    xxxxx
    qqqqq
    aaaaa
    intranet
    controller
    killer
    games
    private
    market
    coffee
    cookie
    forever
    freedom
    student
    account
    academia
    files
    windows
    monitor
    unknown
    anything
    letitbe
    letmein
    domain
    access
    money
    campus
    explorer
    exchange
    customer
    cluster
    nobody
    codeword
    codename
    changeme
    desktop
    security
    secure
    public
    system
    shadow
    office
    supervisor
    superuser
    share
    super
    secret
    server
    computer
    owner
    backup
    database
    lotus
    oracle
    business
    manager
    temporary
    ihavenopass
    nothing
    nopassword
    nopass
    Internet
    internet
    example
    sample
    love123
    boss123
    work123
    home123
    mypc123
    temp123
    test123
    qwe123
    abc123
    pw123
    root123
    pass123
    pass12
    pass1
    admin123
    admin12
    admin1
    password123
    password12
    password1
    default
    foobar
    foofoo
    temptemp
    testtest
    rootroot
    adminadmin
    mypassword
    mypass
    Login
    login
    Password
    password
    passwd
    zxcvbn
    zxcvb
    zxccxz
    zxcxz
    qazwsxedc
    qazwsx
    q1w2e3
    qweasdzxc
    asdfgh
    asdzxc
    asddsa
    asdsa
    qweasd
    qwerty
    qweewq
    qwewq
    nimda
    administrator
    Admin
    admin
    a1b2c3
    1q2w3e
    1234qwer
    1234abcd
    123asd
    123qwe
    123abc
    123321
    12321
    123123
    1234567890
    123456789
    12345678
    1234567
    123456
    12345

-- Updated October 19, 2011---

Aliases

  • Kaspersky - Net-Worm.Win32.Kido.ih
  • NOD32    - Win32/Conficker.V
  • Ikarus      - Net-Worm.Win32.Kido
  • Microsoft - Worm:Win32/Conficker.gen!A

When executed, the worm tries to connect to the site max[Removed]nd.com over remote port 80.

The following registry keys are added to the system (the Internet Explorer and Internet Settings keys are typical side effects of the worm using the WinINet HTTP client, not settings the worm makes deliberately):

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\BrowserEmulation
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\IETld
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\ietld
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\BrowserEmulation
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\IETld
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\ietld

The following registry values are added:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\]
    3789:TCP: "3789:TCP:*:Enabled:WWW"
  • [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
    \AutoDetect: 0x00000000
  • [HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\BrowserEmulation\]
    TLDUpdates: 0x00000001
  • [HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\]
    AutoDetect: 0x00000000

A mutex is created to ensure only one instance of the worm is running at a time.

  • Global\4268161276-7

----------------------------------------------------------------------------

-- Updated May 19, 2010 -- File Information --

  • MD5 - 515EA537628F3371FBAC9A332854062D
  • SHA-1 - C6681B210E720B9BA5BA3DDD189601B1FAA2B531

 

This "W32/Conficker.worm.gen.a" sample spreads via local networks and removable media, and the file is packed.

Upon execution, the worm copies itself into the following locations:

  • %Sysdir%\wnnskeb.dll
  • %RemovableDrive%\RECYCLER\S-5-3-[varies]\jwgkvsq.vmx

It also attempts to create an autorun.inf file in the root of any accessible disk volume:

  • %RemovableDrive%\autorun.inf

It also changes the following registry value to alter the Windows Explorer view settings so that hidden files are no longer shown:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
CheckedValue = 0

Besides the exploit, the worm attempts to log on to the Administrator account on remote machines by brute force, using the same hard-coded password list given in the November 2, 2011 update above.

It also connects to the multicast address 239.[removed].250 on remote port 1900 (SSDP).

                               ------------------------------

 

When executed, the worm copies itself using a random name to the %Sysdir% folder.

(Where %Sysdir% is the Windows system folder; e.g. C:\Windows\System32 and %RemovableDrive% = Removable drive inserted into the system)

New variants have also been observed dropping copies of themselves into:

  • %Program Files%\Internet Explorer\[Random].dll
  • %Program Files%\Movie Maker\[Random].dll
  • %All Users Application Data%\[Random].dll
  • %Temp%\[Random].dll
  • %System%\[Random].tmp
  • %Temp%\[Random].tmp

where [Random] is a random name of 4 to 8 letters.

On NTFS file systems the dropped files often have modified access permissions: access to the file is removed for all users and groups. This is done to make detection and cleaning more difficult.

It modifies the following registry keys to create a randomly named service on the affected system:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random}\Parameters\"ServiceDll" = "Path to worm"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random}\"ImagePath" = %SystemRoot%\system32\svchost.exe -k netsvcs

Several variants also remove access to the above registry key by changing the key's ACL, again to make detection and removal of the service key more difficult. The service name is generated dynamically by joining words from a hard-coded list:

  • Boot
  • Center
  • Config
  • Driver
  • Helper
  • Image
  • Installer
  • Manager
  • Microsoft
  • Monitor
  • Network
  • Security
  • Server
  • Shell
  • Support
  • System
  • Task
  • Time
  • Universal
  • Update
  • Windows

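An added example, not code from the original analysis, for the naming scheme just described: a word-break check that tells whether a service name is a concatenation of words from the list above, which is a cheap triage filter over the installed-service inventory. The sample names are constructed; "Windows Time" is included to show that a legitimate display name can match too, so a hit is a prompt to inspect the service's ServiceDll path rather than a verdict.

```python
"""
Check whether a service name is built from words of the hard-coded list
above.  Added illustration code, not from the original analysis.
"""
import re

SERVICE_WORDS = [
    "Boot", "Center", "Config", "Driver", "Helper", "Image", "Installer",
    "Manager", "Microsoft", "Monitor", "Network", "Security", "Server", "Shell",
    "Support", "System", "Task", "Time", "Universal", "Update", "Windows",
]


def decompose(name, words=SERVICE_WORDS):
    """Return the list words whose concatenation (ignoring case and spaces)
    spells `name`, or None.  Word-break by dynamic programming over prefixes:
    best[i] is a decomposition of the first i characters, if one exists."""
    s = re.sub(r"\s+", "", name).lower()
    if not s:
        return None
    best = [None] * (len(s) + 1)
    best[0] = []
    for i in range(len(s)):
        if best[i] is None:
            continue
        for w in words:
            lw = w.lower()
            if s.startswith(lw, i) and best[i + len(lw)] is None:
                best[i + len(lw)] = best[i] + [w]
    return best[len(s)]


def flag_service_names(names, min_words=2):
    """Map each name built from >= min_words list words to its decomposition."""
    flagged = {}
    for n in names:
        parts = decompose(n)
        if parts and len(parts) >= min_words:
            flagged[n] = parts
    return flagged


# Constructed sample: two worm-style names, one random name of the kind seen in
# the January 2013 sample above, one legitimate display name, one short name.
SAMPLE_NAMES = ["NetworkUpdateHelper", "Universal Time Installer", "oplozkyk",
                "Windows Time", "Dhcp"]

if __name__ == "__main__":
    for name, parts in flag_service_names(SAMPLE_NAMES).items():
        print(f"{name!r}: {' + '.join(parts)}")
```

Because the January 2013 sample on this page used a purely random service name (oplozkyk), this check only covers the variants that build names from the word list; pair it with the ServiceDll and ACL checks described above.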
It injects itself into various running processes. Different variants have been observed injecting into one or more of:

  • svchost.exe
  • explorer.exe
  • services.exe

It attempts connections to one or more of the following websites to obtain the public IP address of the affected computer:

  • hxxp://www.getmyip.org
  • hxxp://getmyip.co.uk
  • hxxp://checkip.dyndns.org
  • hxxp://whatsmyipaddress.com

Attempts to download a malware file from the remote website

hxxp://trafficconverter.biz/[Removed]antispyware/[Removed].exe

New variants connect to various other hosts.

It starts an HTTP server on a random port on the infected machine to host a copy of the worm.

It continuously scans the subnet of the infected host for vulnerable machines and executes the exploit. If the exploit succeeds, the remote computer connects back to the HTTP server and downloads a copy of the worm. The HTTP connection is made on a random port and the transferred file carries one of the following extensions:

  • bmp
  • gif
  • jpeg
  • png

Later variants of W32/Conficker.worm also attempt to connect to remote hosts using the local credentials, a list of user names retrieved from the target system and a long list of hard-coded passwords. In doing so they may lock out domain accounts where the policy allows only a limited number of wrong passwords.

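An added example, not part of the original analysis, for the password guessing described in this paragraph and in the hard-coded password list given in the November 2, 2011 update above: detection logic over logon-failure records that flags the burst a guessing host produces and lists the accounts it would lock out. The events are constructed, in the shape of Windows Security event 4625 (logon failure) fields; the addresses, account names and timestamps are invented.

```python
"""
Detect the logon-failure burst the worm's password guessing produces and list
the accounts it would lock out.  Added illustration code, not from the
original analysis; the events are constructed in the shape of Windows
Security event 4625 fields: (time, source address, target account, logon type).
"""
from collections import defaultdict
from datetime import datetime, timedelta

T0 = datetime(2011, 11, 2, 9, 0, 0)


def _make_events():
    events = []
    # an infected host working through its dictionary against four accounts,
    # one attempt every two seconds over network (type 3) logons
    targets = ["Administrator", "jsmith", "backup", "svc_sql"]
    for i in range(40):
        events.append((T0 + timedelta(seconds=2 * i), "10.0.0.5", targets[i % 4], 3))
    # a user mistyping a password twice, five minutes apart (benign, interactive)
    events.append((T0 + timedelta(minutes=1), "10.0.0.9", "mary", 2))
    events.append((T0 + timedelta(minutes=6), "10.0.0.9", "mary", 2))
    return events


EVENTS = _make_events()


def _windows(events, key, window):
    """Yield (subject, events) for every sliding window of `window` length
    ending at an event, grouped by `key` (source address or target account)."""
    groups = defaultdict(list)
    for ev in events:
        groups[key(ev)].append(ev)
    for subject, items in groups.items():
        items.sort(key=lambda e: e[0])
        j = 0
        for i in range(len(items)):
            while items[i][0] - items[j][0] > window:
                j += 1
            yield subject, items[j:i + 1]


def detect_password_guessing(events, window=timedelta(seconds=60),
                             min_failures=10, min_accounts=3):
    """Sources with >= min_failures network (type 3) logon failures against
    >= min_accounts distinct accounts inside one window."""
    alerts = {}
    for src, win in _windows(events, key=lambda e: e[1], window=window):
        net = [e for e in win if e[3] == 3]
        accounts = {e[2] for e in net}
        if len(net) >= min_failures and len(accounts) >= min_accounts:
            alerts[src] = sorted(accounts)
    return alerts


def lockout_candidates(events, threshold=5, observation=timedelta(minutes=30)):
    """Accounts reaching the lockout threshold within the observation window;
    with lockout enabled, this is the collateral damage the worm causes."""
    hit = set()
    for user, win in _windows(events, key=lambda e: e[2], window=observation):
        if len(win) >= threshold:
            hit.add(user)
    return sorted(hit)


if __name__ == "__main__":
    print("guessing sources:", detect_password_guessing(EVENTS))
    print("accounts at lockout risk:", lockout_candidates(EVENTS))
```

Tune the thresholds to the domain's lockout policy: with a threshold of five bad passwords, a guessing host that uses the whole dictionary above locks every targeted account long before it finishes, so a sudden wave of account-lockout events across many users from one source is itself a strong Conficker indicator.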
On successfully exploited remote systems the worm drops a copy of itself in the %Sysdir% folder and creates a scheduled task to execute it. It may also create a copy in the remote "Recycle Bin" folder together with an autorun.inf file.

Using these techniques the worm can replicate onto non-vulnerable systems or reinfect previously infected systems after they have been cleaned.

The worm hooks system APIs to prevent access to security websites. Host names containing any of the following strings are blocked; this is a partial list:

  • ahnlab
  • arcabit
  • avas
  • avg
  • avira
  • avp
  • bit9
  • ca
  • castlecops
  • centralcommand
  • cert
  • clamav
  • comodo
  • computerassociates
  • cpsecure
  • drweb
  • emsisoft
  • esafe
  • eset
  • etrust
  • ewido
  • fortinet
  • f-prot
  • f-secure
  • gdata
  • grisoft
  • hacksoft
  • hauri
  • ikarus
  • jotti
  • k7computing
  • kaspersky
  • mcafee
  • microsoft
  • nai
  • networkassociates
  • nod32
  • norman
  • norton
  • panda
  • pctools
  • prevx
  • quickheal
  • rising
  • sans
  • securecomputing
  • sophos
  • spamhaus
  • sunbelt
  • symantec
  • threatexpert
  • trendmicro
  • vet
  • wilderssecurity
  • windowsupdate

Some security services may also be disabled by the infection.

Symptoms

Presence of the files and registry activity described above.

Method of Infection

-------Updated on Jan 25, 2013 -----------------

This worm spreads by its intended method of infecting removable drives. Alternatively it may be installed by visiting a malicious web page (for example by clicking a link), or by a website hosting a scripted exploit that installs the worm onto the user's system with no user interaction.

--Updated on December 29, 2011---

This worm exploits the MS08-067 Microsoft Windows Server service vulnerability in order to propagate. Machines should be patched and rebooted to prevent the worm from re-infecting the system after cleaning.

It also spreads by brute-forcing passwords on remote systems and installing scheduled tasks and/or autorun.inf files on the victim.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Variants