This detection is for a variant of the Conficker worm.
To propagate, the Conficker family exploits the MS08-067 vulnerability in the Microsoft Windows Server Service, which may allow remote code execution. The flaw lies in the improper handling of specially crafted (malicious) RPC requests and was patched on October 23, 2008.
When executed, this worm copies itself using a random name to the %Sysdir% folder.
(Where %Sysdir% is the Windows system folder; e.g. C:\Windows\System32)
It modifies the following registry key to create a randomly named service on the affected system:
It deletes the following registry key to prevent booting the machine into safe mode:
It attempts to connect to one or more of the following websites to obtain the public IP address of the affected computer:
It may connect to the following sites, probably to increase the hit count for the sites:
The worm starts an HTTP server on a random port on the infected machine to host a copy of the worm. It then continuously scans the subnet of the infected host for vulnerable machines and executes the exploit.
If the exploit is successful, the remote computer connects back to that HTTP server and downloads a copy of the worm.
Some variants of W32/Conficker.worm are known to use scheduled tasks and Autorun.inf files to replicate onto non-vulnerable systems or to reinfect previously infected systems after they have been cleaned.
It terminates processes whose names contain the following strings:
It attempts to block users from accessing security-related domains that contain the following strings:
This worm generates 50,000 domain names using its own domain generation algorithm.
The following is its disassembly snapshot:
One of 116 different suffixes is appended to each generated domain; the following are examples:
Binary analysis reveals that this worm will likely trigger on April 1st by attempting to connect to the domains produced by the above algorithm.
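The domain generation behaviour described above (tens of thousands of short-lived names spread across many suffixes, most of which never resolve) is visible in resolver logs. The following is an added detection example written for this page, not code from the advisory or from the worm: it parses constructed DNS log lines and flags any client that, within one time window, queries many distinct domains across many suffixes with mostly NXDOMAIN answers. The log format, the thresholds, and the sample hosts and names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed resolver log format (an assumption): "<ISO time> <client ip> <qname> <rcode>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (NOERROR|NXDOMAIN)$")

# Thresholds are assumptions; tune them to the environment's normal DNS noise.
WINDOW = timedelta(minutes=10)
MIN_DISTINCT_DOMAINS = 20   # many distinct names per window
MIN_DISTINCT_SUFFIXES = 5   # spread across many TLDs, as with the 116 suffixes above
MIN_NXDOMAIN_RATIO = 0.8    # most generated names are never registered

def split_domain(qname):
    """Return (registrable label, suffix) for a name like abcd.example.org -> ("example", "org")."""
    labels = qname.rstrip(".").lower().split(".")
    return (labels[-2], labels[-1]) if len(labels) >= 2 else (qname, "")

def find_dga_clients(lines):
    """Return {client: (distinct_domains, distinct_suffixes, nxdomain_ratio)} for clients that trip every threshold in some window."""
    buckets = defaultdict(list)          # (client, window index) -> [(qname, rcode), ...]
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                     # skip lines that do not match the assumed format
        ts, client, qname, rcode = m.groups()
        idx = (datetime.fromisoformat(ts) - datetime(1970, 1, 1)) // WINDOW
        buckets[(client, idx)].append((qname, rcode))
    flagged = {}
    for (client, _), events in buckets.items():
        domains = {split_domain(q)[0] for q, _ in events}
        suffixes = {split_domain(q)[1] for q, _ in events}
        nx_ratio = sum(r == "NXDOMAIN" for _, r in events) / len(events)
        if (len(domains) >= MIN_DISTINCT_DOMAINS and len(suffixes) >= MIN_DISTINCT_SUFFIXES
                and nx_ratio >= MIN_NXDOMAIN_RATIO):
            flagged[client] = (len(domains), len(suffixes), nx_ratio)
    return flagged

# Constructed sample: one host querying 30 pseudo-random names over six suffixes (all NXDOMAIN),
# one host doing ordinary lookups. Addresses and names are made up.
SUFFIXES = ["com", "net", "org", "info", "biz", "ws"]
SAMPLE_LINES = [f"2009-04-01T00:00:{i:02d} 10.0.0.7 gen{i:03d}xq.{SUFFIXES[i % 6]} NXDOMAIN" for i in range(30)]
SAMPLE_LINES += [f"2009-04-01T00:01:{i:02d} 10.0.0.9 {n} NOERROR"
                 for i, n in enumerate(["www.example.com", "mail.example.com", "update.example.org"])]

if __name__ == "__main__":
    for client, (d, s, nx) in find_dga_clients(SAMPLE_LINES).items():
        print(f"{client}: {d} distinct domains, {s} suffixes, NXDOMAIN ratio {nx:.2f}")
```

A flagged client is a lead for the on-demand scan and reboot steps below, not a verdict on its own; legitimate software that probes many hostnames can also trip simple thresholds.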
This worm exploits the MS08-067 Microsoft Windows Server Service vulnerability in order to propagate. Machines should be patched and rebooted to prevent this worm from reinfecting the system after cleaning.
Upon detection of this worm, the system should be rebooted to clean memory correctly; this may require more than one reboot. Scheduled tasks and Autorun.inf files have been seen to be created on the system to reactivate the worm.
Users infected by W32/Conficker.worm should perform an On Demand Scan to remove remnants of the worm in memory using the latest DATs.
Upon detection of W32/Conficker!mem and REBOOT, the W32/Conficker.worm malware components will be removed.