W32/Conficker.worm.gen.c

This page shows details and results of our analysis of the malware W32/Conficker.worm.gen.c.

Overview

This detection is for a variant of the Conficker worm.

To propagate, the Conficker family exploits the MS08-067 vulnerability in Microsoft Windows Server Service which may allow for remote code execution. This flaw lies in the improper handling of specially-crafted (malicious) RPC requests and was patched on October 23, 2008.


Minimum DAT: 5549 (2009-03-10)

Updated DAT: 5760 (2009-10-03)

Minimum Engine: 5400.1158

File Length: 84,992 Bytes

Description Added: 2009-03-10

Description Modified: 2009-03-27

Malware Proliferation

Characteristics

When executed, this worm copies itself using a random name to the %Sysdir% folder.

(Where %Sysdir% is the Windows system folder; e.g. C:\Windows\System32)

It modifies the following registry keys to create a randomly named service on the affected system:

  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\{random}\Parameters\"ServiceDll" = "Path to worm"
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\{random}\"ImagePath" = %SystemRoot%\system32\svchost.exe -k netsvcs

It deletes the following registry key to prevent booting the machine into safe mode:

  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot
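As an added example (not part of this description), the script below inspects an exported registry hive for the two changes described above: a randomly named service run by svchost.exe -k netsvcs whose ServiceDll is not on a known-clean baseline, and a missing SafeBoot key. The .reg sample, the service name xkqwpz, the file ahlgnq.dll and the baseline DLL set are constructed for the example.

```python
import re
from typing import Dict, List, Tuple
# Constructed .reg-style export, not data from a real host; values are plain quoted
# strings (a real export writes REG_EXPAND_SZ as hex(2):..., not decoded here).
# "xkqwpz" and "ahlgnq.dll" stand in for the worm's random service and file names.
SAMPLE_REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS]
"ImagePath"="%SystemRoot%\\System32\\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\Parameters]
"ServiceDll"="%SystemRoot%\\System32\\qmgr.dll"
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\xkqwpz]
"ImagePath"="%SystemRoot%\\system32\\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\xkqwpz\Parameters]
"ServiceDll"="C:\\Windows\\System32\\ahlgnq.dll"
"""
# ServiceDll names seen for netsvcs services on a known-clean build (constructed baseline).
BASELINE_NETSVCS_DLLS = {"qmgr.dll", "wuaueng.dll", "schedsvc.dll", "browser.dll"}
SERVICES_PREFIX = "hkey_local_machine\\system\\currentcontrolset\\services\\"
SAFEBOOT_PREFIX = "hkey_local_machine\\system\\currentcontrolset\\control\\safeboot"

def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Map each key path (lower-cased) to its quoted string values."""
    keys, current = {}, {}  # all keys; values of the key currently being read
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        else:
            m = re.match(r'^"([^"]+)"="(.*)"$', line)
            if m:
                current[m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys

def safeboot_key_present(keys: Dict[str, Dict[str, str]]) -> bool:
    """False means the SafeBoot key the worm deletes is missing from the export."""
    return any(k.startswith(SAFEBOOT_PREFIX) for k in keys)

def find_unknown_netsvcs_dlls(keys, baseline) -> List[Tuple[str, str]]:
    """(service, ServiceDll) pairs run by 'svchost.exe -k netsvcs' with a DLL not in baseline."""
    hits = []
    for key, values in keys.items():
        if not key.startswith(SERVICES_PREFIX) or key.endswith("\\parameters"):
            continue
        image = values.get("ImagePath", "").lower()
        if "svchost.exe" not in image or "-k netsvcs" not in image:
            continue
        dll = keys.get(key + "\\parameters", {}).get("ServiceDll", "")
        if dll and dll.rsplit("\\", 1)[-1].lower() not in baseline:
            hits.append((key.rsplit("\\", 1)[-1], dll))
    return hits
```

A hit is only a lead: confirm it by checking the DLL's signature and creation time before treating the service as the worm's.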

It attempts to connect to one or more of the following web sites to obtain the public IP address of the affected computer:

  • getmyip.org
  • getmyip.co.uk
  • checkip.dyndns.org
  • whatsmyipaddress.com

It may connect to the following sites, probably to increase the hit count for the sites:

  • adsrevenue.net
  • aweber.com
  • clicksor.com
  • doubleclick.com
  • fastclick.com
  • linkbucks.com
  • megaclick.com
  • paypopup.com

The worm starts an HTTP server on a random port on the infected machine to host a copy of the worm. It then continuously scans the subnet of the infected host for vulnerable machines and executes the exploit.

If the exploit is successful, the remote computer connects back to the HTTP server and downloads a copy of the worm.

Some variants of W32/Conficker.worm are known to use scheduled tasks and Autorun.inf files to replicate onto non-vulnerable systems or to reinfect previously infected systems after they have been cleaned.

It terminates processes whose names contain the following strings:

  • autoruns
  • avenger
  • confick
  • downad
  • filemon
  • gmer
  • hotfix
  • kb890
  • kb958
  • kido
  • klwk
  • mbsa.
  • mrt.
  • mrtstub
  • ms08-06
  • procexp
  • procmon
  • regmon
  • scct_
  • sysclean
  • tcpview
  • unlocker
  • wireshark

It attempts to block users from accessing security-related domains whose names contain the following strings:

  • agnitum
  • ahnlab
  • anti-
  • antivir
  • arcabit
  • avast
  • avgate
  • avira
  • bothunter
  • castlecops
  • ccollomb
  • centralcommand
  • clamav
  • comodo
  • computerassociates
  • conficker
  • cpsecure
  • cyber-ta
  • defender
  • drweb
  • dslreports
  • emsisoft
  • esafe
  • eset
  • etrust
  • ewido
  • f-prot
  • f-secure
  • fortinet
  • free-av
  • freeav
  • gdata
  • grisoft
  • hackerwatch
  • hacksoft
  • hauri
  • ikarus
  • jotti
  • k7computing
  • kaspersky
  • malware
  • mcafee
  • microsoft
  • mirage
  • msftncsi
  • msmvps
  • mtc.sri
  • networkassociates
  • nod32
  • norman
  • norton
  • onecare
  • panda
  • pctools
  • prevx
  • ptsecurity
  • quickheal
  • removal
  • rising
  • rootkit
  • safety.live
  • securecomputing
  • secureworks
  • sophos
  • spamhaus
  • spyware
  • sunbelt
  • symantec
  • technet
  • threat
  • threatexpert
  • trendmicro
  • trojan
  • virscan
  • virus
  • wilderssecurity
  • windowsupdate

This worm generates 50,000 domain names using its own generator algorithm.

The following suffixes are appended to the generated domains. It uses 116 different suffixes; for example:

  • com.ve
  • com.uy
  • com.ua
  • com.tw
  • com.tt
  • com.tr
  • com.sv
  • com.py
  • com.pt
  • com.pr
  • com.pe
  • com.pa
  • com.ni
  • com.ng
  • com.mx
  • com.mt
  • com.lc
  • com.ki
  • com.jm
  • com.hn
  • com.gt
  • com.gl
  • com.gh
  • com.fj
  • com.do
  • com.co
  • com.bs
  • com.br
  • com.bo
  • com.ar
  • com.ai
  • com.ag
  • co.za
  • co.vi
  • co.uk
  • co.ug
  • co.nz
  • co.kr
  • co.ke
  • co.il
  • co.id
  • co.cr

Binary analysis reveals that this worm will likely trigger on April 1st, by attempting to connect to the domains generated from the above algorithm.
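As an added defender-side example (not part of this description), the check below flags resolver clients that produce many NXDOMAIN answers for single-label names under the suffixes listed above, on the assumption that most of the 50,000 generated names are unregistered. The log line format, the client addresses and the domain labels are constructed; the labels are not output of the worm's generator.

```python
from collections import defaultdict
from typing import Dict, List, Set

# The suffixes named on this page (42 of the 116 the worm uses).
CONFICKER_SUFFIXES = {
    "com.ve", "com.uy", "com.ua", "com.tw", "com.tt", "com.tr", "com.sv", "com.py",
    "com.pt", "com.pr", "com.pe", "com.pa", "com.ni", "com.ng", "com.mx", "com.mt",
    "com.lc", "com.ki", "com.jm", "com.hn", "com.gt", "com.gl", "com.gh", "com.fj",
    "com.do", "com.co", "com.bs", "com.br", "com.bo", "com.ar", "com.ai", "com.ag",
    "co.za", "co.vi", "co.uk", "co.ug", "co.nz", "co.kr", "co.ke", "co.il", "co.id", "co.cr",
}

# Constructed resolver log, "<timestamp> <client> <rcode> <qname>" per line. Not real
# traffic; the labels are made up and are not output of the worm's generator.
SAMPLE_DNS_LOG = """\
2009-04-01T00:00:01 10.0.0.5 NXDOMAIN qwxhzk.com.ve
2009-04-01T00:00:01 10.0.0.5 NXDOMAIN pltmwa.co.uk
2009-04-01T00:00:02 10.0.0.5 NXDOMAIN zrkqopd.com.br
2009-04-01T00:00:02 10.0.0.5 NXDOMAIN hnbvtq.co.kr
2009-04-01T00:00:03 10.0.0.5 NOERROR checkip.dyndns.org
2009-04-01T00:00:03 10.0.0.5 NXDOMAIN vkjqsm.com.mx
2009-04-01T00:00:04 10.0.0.9 NOERROR www.bbc.co.uk
2009-04-01T00:00:05 10.0.0.9 NXDOMAIN typo-example.co.nz
"""

def suffix_match(qname: str, suffixes: Set[str]) -> bool:
    """True when qname is exactly one label in front of a listed two-part suffix."""
    labels = qname.lower().rstrip(".").split(".")
    return len(labels) == 3 and ".".join(labels[1:]) in suffixes

def flag_dga_clients(log_text: str, threshold: int = 3) -> Dict[str, List[str]]:
    """Clients with >= threshold distinct NXDOMAIN names under the listed suffixes."""
    per_client: Dict[str, Set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        _ts, client, rcode, qname = parts
        if rcode == "NXDOMAIN" and suffix_match(qname, CONFICKER_SUFFIXES):
            per_client[client].add(qname.lower())
    return {c: sorted(n) for c, n in per_client.items() if len(n) >= threshold}
```

The threshold should be tuned per network; a single typo under one of these suffixes (the 10.0.0.9 client here) must not trip it.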

Symptoms

  • File, registry, and network communication referenced in the characteristics section
  • Access to admin shares denied
  • Scheduled tasks being created
  • Access to security-related web sites is blocked

Method of Infection

This worm exploits the MS08-067 Microsoft Windows Server Service vulnerability in order to propagate. Machines should be patched and rebooted to protect against this worm re-infecting the system after cleaning.

Upon detection of this worm, the system should be rebooted to clean memory correctly. This may require more than one reboot. Scheduled tasks and Autorun.inf files have been seen to be created on the system to re-activate the worm.

Removal

Users infected by W32/Conficker.worm should perform an On Demand Scan to remove remnants of the worm in memory using the latest DATs.

Upon detection of W32/Conficker!mem and a reboot, the W32/Conficker.worm malware components will be removed.
