
W32/Conficker.worm

Threat Detail

  • Malware Type: Virus
  • Malware Sub-type: Win32
  • Protection Added: 2008-11-24
This detection is for a worm that attempts to copy itself to the root of any accessible disk volume. Additionally, it attempts to place an Autorun.inf file in the root of the volume so that the worm is executed the next time the volume is mounted.

Aliases

  • Microsoft    -    Worm:Win32/Conficker.A
  • Symantec    -    W32.Downadup
  • Nod32        -    Win32/Conficker.D worm
  • Norman    -    W32/Conficker.AU
  • Kaspersky    -    Net-Worm.Win32.Kido.ih
  • F-secure    -    Win32.Worm.Downadup.Gen




----Update on March 10, 2009---

The risk assessment of this threat has been updated to Low-Profiled due to media attention at

http://www.thetechherald.com/article.php/200911/3157/Conficker-Worm-fighting-back-a-new-variant-discovered-disables-security-measures

This detection is for a worm that exploits the MS08-067 vulnerability in order to spread. It may also download and execute various files onto the affected system.



Minimum Engine

5400.1158

File Length

varies

Description Added

2008-11-24

Description Modified

2008-11-24

Malware Proliferation


-------Updated on Apr 03,2014--------

Aliases –

  • Kaspersky    -    Net-Worm.Win32.Kido.ih
  • Ikarus             -   Worm.Win32.Conficker
  • Microsoft      -   Worm:Win32/Conficker.C
  • Fortinet         -   W32/Kido.BT!worm.im
  • Symantec      -    W32.Downadup.B

Characteristics –

"W32/conficker.worm" is a worm that spreads across a network by exploiting a vulnerability in the Windows Server service [Microsoft Security Bulletin MS08-067]. If the vulnerability is successfully exploited, it could allow remote code execution when file sharing is enabled. The worm may also spread via removable drives and weak administrator passwords.

"W32/conficker.worm" targets the Microsoft Windows operating system. It uses flaws in Windows software and dictionary attacks on administrator passwords to propagate as a botnet, and has been unusually difficult to counter because it injects itself into the Windows Server service.

When executed, the worm connects to one of the following sites to check the date and time:

  • myspace.com
  • msn.com
  • ebay.com
  • cnn.com
  • aol.com

The worm connects to one of the following URLs to find the public IP address of the infected machine:

  • what[Removed]ress.com
  • ip[Removed]n.com
  • fin[Removed]ip.com
  • ipad[Removed]rld.com
  • find[Removed]ress.com
  • my[Removed]ress.com
  • chec[Removed].com
  • chec[Removed].org

The worm also checks the following web URLs and IPs:

  • hxxp://www.ge[Removed]p.org       
  • hxxp://www.what[Removed]dress.com
  • hxxp://www.wha[Removed]ip.org      
  • hxxp://che[Removed].org      

The worm then starts an HTTP server on a random port on the infected machine to host a copy of itself. It then continuously scans the subnet of the infected host for vulnerable machines and attempts the exploit. If the exploit succeeds, the remote computer connects back to the HTTP server and downloads a copy of the worm.

Further execution of this worm will continue only if the date is before May 3rd 2009.

The following file is dropped by the worm:

  • %System%\RandomFileName.tmp [Already detected as W32/Conficker.sys]

It creates a service with a random file name using the above file. Once the service is created, the worm deletes the above ".tmp" file.

The worm then patches the following system file in the memory:

  • %System%\drivers\tcpip.sys

This is done to remove the limit Windows places on the number of concurrent TCP connection attempts the infected machine can make, which would otherwise throttle the worm's scanning.

This worm creates the following mutex to ensure only one instance of the worm is running in memory:

  • Global\[Random Name]

The following registry key value has been added to the system:

  • HKEY_USERS\S-1-5-21-[Varies]\Software\Microsoft\Windows\CurrentVersion\Run

This Run entry ensures that the worm is registered with the compromised system and executed at every boot.

  • HKEY_USERS\S-1-5-21-[Varies]\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL

This Explorer setting confirms that the worm tries to hide its files from the user.

It also uses shortcuts that mimic the hidden folders as a restart mechanism: every time the user tries to open such a folder in Explorer, the malware is executed again.

The worm tries to log on to servers using the list of user names and passwords below:

  • intranet 
  • controller
  • killer   
  • games    
  • private  
  • market   
  • coffee   
  • cookie   
  • forever  
  • freedom  
  • student  
  • account  
  • academia 
  • files    
  • windows  
  • monitor  
  • unknown  
  • anything       
  • letitbe        
  • letmein        
  • domain         
  • access         
  • money          
  • campus         
  • explorer       
  • exchange       
  • customer       
  • cluster        
  • nobody         
  • codeword       
  • codename       
  • changeme       
  • desktop        
  • security       
  • secure         
  • public         
  • system         
  • shadow         
  • office         
  • supervisor     
  • superuser      
  • share          
  • super          
  • secret         
  • server         
  • computer       
  • owner          
  • backup         
  • database       
  • lotus          
  • oracle         
  • business       
  • manager        
  • temporary      
  • ihavenopass    
  • nothing        
  • nopassword     
  • nopass         
  • Internet       
  • internet       
  • example        
  • sample         
  • love123        
  • boss123        
  • work123        
  • home123        
  • mypc123        
  • temp123        
  • test123        
  • qwe123         
  • abc123         
  • pw123          
  • root123        
  • pass123        
  • pass12         
  • pass1          
  • admin123       
  • admin12           
  • admin1            
  • password123       
  • password12        
  • password1         
  • default           
  • foobar            
  • foofoo            
  • temptemp          
  • testtest          
  • rootroot          
  • adminadmin        
  • mypassword        
  • mypass            
  • Login             
  • login             
  • Password          
  • password          
  • passwd            
  • zxcvbn            
  • zxcvb             
  • zxccxz            
  • zxcxz             
  • qazwsxedc         
  • qazwsx            
  • q1w2e3            
  • qweasdzxc         
  • asdfgh            
  • asdzxc            
  • asddsa            
  • asdsa             
  • qweasd            
  • qwerty            
  • qweewq            
  • qwewq             
  • nimda             
  • administrator     
  • Admin             
  • admin             
  • a1b2c3            
  • 1q2w3e            
  • 1234qwer          
  • 1234abcd          
  • 123asd            
  • 123qwe            
  • 123abc            
  • 123321            
  • 12321             
  • 123123            
  • 1234567890        
  • 123456789         
  • 12345678          
  • 1234567           
  • 123456            
  • 12345           

The worm checks the compromised machine for the following products:

  • Ccert.
  • sans.                 
  • bit9.                 
  • windowsupdate         
  • wilderssecurity       
  • threatexpert          
  • castlecops            
  • spamhaus              
  • cpsecure              
  • arcabit               
  • emsisoft              
  • sunbelt               
  • securecomputing       
  • rising                
  • prevx                 
  • pctools               
  • norman                
  • k7computing           
  • ikarus                
  • hauri                 
  • hacksoft              
  • gdata                 
  • fortinet              
  • ewido                 
  • clamav                
  • comodo                
  • quickheal             
  • avira                 
  • avast                 
  • esafe                 
  • ahnlab                
  • centralcommand        
  • drweb                 
  • grisoft               
  • nod32                 
  • f-prot                
  • jotti                 
  • kaspersky             
  • f-secure              
  • computerassociates    
  • networkassociates     
  • etrust                
  • panda                 
  • sophos                
  • trendmicro            
  • mcafee                
  • norton                
  • symantec              
  • microsoft             
  • defender              
  • rootkit               
  • malware               
  • spyware               
  • virus     

---------------------------Updated on 8 Nov 2013-------------------------

Aliases –

  • Kaspersky    -    Trojan.Win32.Genome.adqru
  • F-secure    -    Worm:W32/Downadup.AI
  • Microsoft    -    Worm:Win32/Conficker.B
  • Symantec    -    W32.Downadup.B

W32/Conficker.worm is a worm that spreads across a network by exploiting a vulnerability in the Windows Server service [Microsoft Security Bulletin MS08-067]. If the vulnerability is successfully exploited, it could allow remote code execution when file sharing is enabled. The worm may also spread via removable drives and weak administrator passwords.

W32/Conficker.worm targets the Microsoft Windows operating system. It uses flaws in Windows software and dictionary attacks on administrator passwords to propagate as a botnet, and has been unusually difficult to counter because it injects itself into the Windows Server service.

W32/Conficker.worm runs an HTTP server on a port between 1024 and 10000; the target shellcode connects back to this HTTP server to download a copy of the worm in DLL form, which it then attaches to Services.exe, and it remotely executes copies of itself through the ADMIN$ share on computers visible over NetBIOS.

W32/Conficker.worm disables the system services listed below and generates traffic that can flood the network (a denial of service):

  • Security Center
  • Windows Automatic Updates
  • Error Reporting Service
  • Background Intelligent Transfer Service

Upon execution, the worm tries to connect to the following URLs through remote ports 53/137 and issues DNS queries that flood the network:

  • www.whatismyip.org
  • www.whatsmyipaddress.com
  • www.getmyip.org
  • checkip.dyndns.org

The following are the files dropped by the worm:

  • [Removable drive]:\RECYCLER\S-5-3-[Varies]\jwgkvsq.vmx
  • [Removable drive]:\autorun.inf

This worm also attempts to create an autorun.inf file in the root of any accessible disk volume.

The file "AutoRun.inf" points to the malware binary. When the removable or networked drive is accessed from a machine that supports the Autorun feature, the malware is launched automatically.

The autorun.inf is configured to launch the worm via the command syntax shown below. The file is padded with junk bytes, meaningless "key = value" pairs and ";" comment lines so that it is hard to read and scan; the INI reader ignores the padding and acts only on the [AUTORUN] section's action, icon, shellexecute and useautoplay directives.

 QMgUwjxhRhcnFQC  =  ywoAScVrDlT   
         [   AUTorUN  
   ÅA¯˜ölÜŠq¦…tÎKVWœý¸¤¬     ¬        AcTION     
  ¬  =     Open folder to view files
          
  ¬          icon  =     %syStEmrOot%\sySTEM32\sHELL32.Dll         ,4
;­Pr×SoàDWWCfDnhTvVQyaã¾     
;     «GáÊ      
       ;      qTJ¥•r€ÕoÍgwDqçÚJûKEí´û       
    shelLExECUte     =RuNdLl32.EXE      .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn ;   
 zD¾pl¿›cà½ÂuDbËyF½ÚG   ¬                                                    
;      f›yÊlÌÃèŠdGµBwAsUmF ¬ 
;      »Ÿobz²q•GEìªiSøµväF˜Ø¤ò¼fîNŒDs±                         
                       useAuTopLAY      =        1  
¬      ;      Cnˆº´ðôãƒke´j÷gWÚ©ÖçJÇtþ¨iMUÒ‘çtáæVJd                 
;      UNÜaBYùfsÊ c¢a’nGHP¯TpZ¢wo     
;    ûÀzñIhMÖùîVÛXeäõÖrGa§”Z“FySÝIIUìHk¸¡ÍE®fWˆÞLÅ
  娦AsüNHnÝóZWn gíUK®ÞH›nX                                 
;¬   HtEàGû¿†¶siâS‘‰dpšöD‰ßX»ZeHòhC       
yAPlzwzDWOQuOkdjb =        fTwwFgsQkIuovohIAEhoMk¬
;     ¬ J«O¨ƒ™ÏQ¿CþfCaz¸Âo‹        LkgTMQccsQukegpqMJbGmC      =       NiaNYPlDZlrMApJYhSxkUPAp                            
;
       ÀSÆgZ†Yuf¾KösxaÞÛXàAcfEÿf«çj•lI½®¿zuÈÑqCýkDWVìFÏPoF¥bÞ™
     
‘úNѬiôpívCÃcRDm—BVh¤ôgaWRq³xAšenAGÝpZtnMG¶W  
;  HÖŠJxcâQ×nIãl‘UÉð‡ÐÚLŸch±îŸÇ–½Ë‚Ÿ        ;     pgk³²h¶¾Yár—еa‚†ÂJDGlAkuy¯çSÝEofmj      
          tYtGgOcpNmnREFeVOVYcmXi          =BMlhoTHAdQ¬    
   wu     =      jgQDsI
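
A tolerant parser for padded autorun.inf files of the kind shown above, added here as an example (it is not McAfee's code and not part of the original description). It ignores comment lines and junk pairs, recovers the effective directives case-insensitively, and reports the traits a triage analyst would look for: a rundll32 launch of a payload with a non-executable extension stored under RECYCLER, an action string that mimics the normal "Open folder to view files" AutoPlay choice, and the borrowed folder icon. The sample file is constructed to resemble the dump above (the drive SID and junk bytes are placeholders); the parser is a triage aid, not a reimplementation of the Windows profile-string reader.

```python
import re

# Constructed sample modelled on the directives shown above: the same kind of
# junk padding, odd casing and ';' comment lines, with the drive SID and the
# junk bytes replaced by placeholders. Not the actual file from the page.
SAMPLE_AUTORUN = (
    "QMgUwjxhRhcnFQC  =  ywoAScVrDlT\n"
    "[   AUTorUN   ]\n"
    ";  \u00c5A\u00af\u02dc\u00f6l junk bytes the INI reader ignores\n"
    "   AcTION   =   Open folder to view files\n"
    "   icon  =  %syStEmrOot%\\sySTEM32\\sHELL32.Dll  ,4\n"
    ";  more junk  \u00bb\u0178obz\n"
    "   shelLExECUte  = RuNdLl32.EXE  .\\RECYCLER\\S-5-3-42-[Varies]\\jwgkvsq.vmx,ahaezedrn ;\n"
    "   useAuTopLAY  =  1\n"
    "wu  =  jgQDsI\n"
)

SECTION_RE = re.compile(r"\[\s*([A-Za-z]+)")
KEY_RE = re.compile(r"[A-Za-z]+")


def parse_autorun(text):
    """Tolerant INI parse: {section: {key: value}} with lower-cased names.

    Lines starting with ';' are comments, lines without '=' are skipped, and
    only the first run of letters in a key is used, so padding around the real
    directives does not hide them.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # junk outside any section, or a line with no directive
        key, _, value = line.partition("=")
        km = KEY_RE.search(key)
        if km:
            sections[current][km.group(0).lower()] = value.strip()
    return sections


def assess_autorun(text):
    """Return the traits that make this autorun.inf look like the worm's."""
    directives = parse_autorun(text).get("autorun", {})
    findings = []
    launch = directives.get("shellexecute", directives.get("open", "")).lower()
    if "rundll32" in launch:
        findings.append("launch command runs a DLL through rundll32")
        # first argument to rundll32, up to the ',' that separates the export name
        parts = launch.split(None, 1)
        target = parts[1].split(",")[0].strip() if len(parts) > 1 else ""
        ext = target.rsplit(".", 1)[-1] if "." in target else ""
        if ext not in ("dll", "exe"):
            findings.append(f"DLL payload disguised with a .{ext} extension")
    if "recycler" in launch or "$recycle.bin" in launch:
        findings.append("payload stored under a recycle-bin folder")
    if directives.get("action", "").lower().startswith("open folder to view files"):
        findings.append("action text mimics the standard AutoPlay 'Open folder to view files' choice")
    if "shell32.dll" in directives.get("icon", "").lower():
        findings.append("icon borrows the Windows folder icon from shell32.dll")
    return findings


if __name__ == "__main__":
    for finding in assess_autorun(SAMPLE_AUTORUN):
        print("-", finding)
```

Run against the constructed sample it reports all five traits; on a benign autorun.inf that only sets an icon or opens a setup program it reports none, which is the point of keying on the combination rather than on the presence of an autorun.inf alone.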

The following registry keys have been added to the system:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List

The following registry values have been added to the system:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\8939:TCP: "8939:TCP:*:Enabled:qbgsdiwe"

These entries create a Windows Firewall exception that opens TCP port 8939, so inbound connections to the worm's listener pass through the host firewall without the normal filtering.

The following registry key values are modified on the system:

  • HKLM\SYSTEM\ControlSet001\Services\BITS\Start: 0x00000003
  • HKLM\SYSTEM\ControlSet001\Services\BITS\Start: 0x00000004
  • HKLM\SYSTEM\ControlSet001\Services\ERSvc\Start: 0x00000002
  • HKLM\SYSTEM\ControlSet001\Services\ERSvc\Start: 0x00000004
  • HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Epoch\Epoch: 0x000000C0
  • HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Epoch\Epoch: 0x000000C1
  • HKLM\SYSTEM\ControlSet001\Services\wscsvc\Start: 0x00000002
  • HKLM\SYSTEM\ControlSet001\Services\wscsvc\Start: 0x00000004
  • HKLM\SYSTEM\ControlSet001\Services\wuauserv\Start: 0x00000002
  • HKLM\SYSTEM\ControlSet001\Services\wuauserv\Start: 0x00000004
  • HKLM\SYSTEM\CurrentControlSet\Services\BITS\Start: 0x00000003
  • HKLM\SYSTEM\CurrentControlSet\Services\BITS\Start: 0x00000004
  • HKLM\SYSTEM\CurrentControlSet\Services\ERSvc\Start: 0x00000002
  • HKLM\SYSTEM\CurrentControlSet\Services\ERSvc\Start: 0x00000004
  • HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch\Epoch: 0x000000C0
  • HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch\Epoch: 0x000000C1
  • HKLM\SYSTEM\CurrentControlSet\Services\wscsvc\Start: 0x00000002
  • HKLM\SYSTEM\CurrentControlSet\Services\wscsvc\Start: 0x00000004
  • HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\Start: 0x00000002
  • HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\Start: 0x00000004
The above registry values confirm that the worm disables the following security services: Security Center (wscsvc), Automatic Updates (wuauserv), Error Reporting Service (ERSvc) and Background Intelligent Transfer Service (BITS); a Start value of 0x4 means Disabled.
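
The two kinds of registry change above (service Start values flipped to Disabled, and a GloballyOpenPorts firewall exception) are easy to decode mechanically from a registry diff. The following triage script is an added example, not McAfee's tooling: it reads change lines in the same "path: value" notation the description uses, decodes the Start values for the services named on this page, and parses the firewall exception string. The sample lines are constructed from the entries listed above; the service-name table and the output wording are assumptions of the example.

```python
# Constructed registry-change listing in the page's own notation: the firewall
# exception and the service Start values quoted above, including the benign
# Epoch counters that a parser must ignore.
SAMPLE_CHANGES = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\8939:TCP: "8939:TCP:*:Enabled:qbgsdiwe"
HKLM\SYSTEM\ControlSet001\Services\BITS\Start: 0x00000003
HKLM\SYSTEM\ControlSet001\Services\BITS\Start: 0x00000004
HKLM\SYSTEM\ControlSet001\Services\ERSvc\Start: 0x00000002
HKLM\SYSTEM\ControlSet001\Services\ERSvc\Start: 0x00000004
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Epoch\Epoch: 0x000000C0
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Epoch\Epoch: 0x000000C1
HKLM\SYSTEM\ControlSet001\Services\wscsvc\Start: 0x00000002
HKLM\SYSTEM\ControlSet001\Services\wscsvc\Start: 0x00000004
HKLM\SYSTEM\ControlSet001\Services\wuauserv\Start: 0x00000002
HKLM\SYSTEM\ControlSet001\Services\wuauserv\Start: 0x00000004
HKLM\SYSTEM\CurrentControlSet\Services\BITS\Start: 0x00000004
HKLM\SYSTEM\CurrentControlSet\Services\ERSvc\Start: 0x00000004
HKLM\SYSTEM\CurrentControlSet\Services\wscsvc\Start: 0x00000004
HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\Start: 0x00000004
""".strip().splitlines()

# Windows service Start values; the page shows 0x2, 0x3 and 0x4.
START_TYPES = {0: "Boot", 1: "System", 2: "Automatic", 3: "Manual", 4: "Disabled"}

# Services this description says the worm disables, keyed by registry name.
WATCHED_SERVICES = {
    "wscsvc": "Security Center",
    "wuauserv": "Automatic Updates",
    "ersvc": "Error Reporting Service",
    "wersvc": "Windows Error Reporting Service",
    "bits": "Background Intelligent Transfer Service",
    "windefend": "Windows Defender",
}


def triage_registry(lines):
    """Return de-duplicated findings from 'path: value' registry change lines."""
    findings = []
    for line in lines:
        # The value follows the last ': '; the key path may itself contain ':'
        # (e.g. the '8939:TCP' firewall value name), so split from the right.
        path, sep, value = line.strip().rpartition(": ")
        if not sep:
            continue
        parts = path.split("\\")
        if parts[-1].lower() == "start" and len(parts) >= 2:
            svc = parts[-2]
            if svc.lower() in WATCHED_SERVICES:
                start = int(value, 16)  # accepts the '0x...' form used above
                if start == 4:
                    findings.append(f"{WATCHED_SERVICES[svc.lower()]} ({svc}) "
                                    f"set to {START_TYPES[start]}")
        elif "\\globallyopenports\\list\\" in path.lower():
            # Exception string format: port:protocol:scope:Enabled|Disabled:name
            fields = value.strip('"').split(":")
            if len(fields) >= 5 and fields[3].lower() == "enabled":
                port, proto, scope, _, name = fields[:5]
                findings.append(f"firewall exception opens {proto} port {port} "
                                f"for scope '{scope}' under name '{name}'")
    # ControlSet001 and CurrentControlSet usually report the same change twice.
    return list(dict.fromkeys(findings))


if __name__ == "__main__":
    for finding in triage_registry(SAMPLE_CHANGES):
        print("-", finding)
```

The same parser runs unchanged over the Dec 2012 and Nov 2011 entries further down (ports 9949 and 4317), since only the port number and the rule name differ.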

-----Updated on Dec 20, 2012----------

"W32/Conficker.worm" is a worm that spreads across a network by exploiting a vulnerability in the Windows Server service [Microsoft Security Bulletin MS08-067]. If the vulnerability is successfully exploited, it could allow remote code execution when file sharing is enabled.

"W32/Conficker.worm" targets the Microsoft Windows operating system. It uses flaws in Windows software and dictionary attacks on administrator passwords to propagate as a botnet, and has been unusually difficult to counter because it injects itself into the Windows Server service.

"W32/Conficker.worm" runs an HTTP server on a port between 1024 and 10000; the target shellcode connects back to this HTTP server to download a copy of the worm in DLL form, which it then attaches to Services.exe, and it remotely executes copies of itself through the ADMIN$ share on computers visible over NetBIOS.

Upon execution, the worm tries to connect to the following URLs/IP addresses through remote ports 53/137/HTTP:

  • www.max[Removed]nd.com
  • reverse.sof[Removed]er.com
  • 26.6. [Removed].131
  • get[Removed]ip.co.uk
  • www.ge[Removed]yip.org
  • checkip.d[Removed]dns.org
  • 174.36. [Removed].186/download/geoip/database/GeoIP.dat.gz


The following registry keys have been added to the system:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DownloadManager
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List

The following registry values have been added to the system:

  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\9949:TCP: "9949:TCP:*:Enabled:WWW"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\9949:TCP: "9949:TCP:*:Enabled:WWW"


These entries create a Windows Firewall exception that opens TCP port 9949, so inbound connections to the worm's listener pass through the host firewall without the normal filtering.

  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable: 0x00000000
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable: 0x00000000


The above registry values confirm that the worm disables the proxy settings.

  • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings: [Binary Data]
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings: [Binary Data]


The following registry key values are modified on the system:


  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData: "%SYSTEMDRIVE%\Documents and Settings\LocalService\Application Data"
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData: "%WINDIR%system32\config\systemprofile\Application Data"
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies: "%UserProfile%\Cookies"
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies: "%SYSTEMDRIVE%\Documents and Settings\LocalService\Cookies"
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\History: "%UserProfile%\Local Settings\History"
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\History: "%SYSTEMDRIVE%\Documents and Settings\LocalService\Local Settings\History"
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData: "%SYSTEMDRIVE%\Documents and Settings\LocalService\Application Data"
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData: "%WINDIR%system32\config\systemprofile\Application Data"
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies: "%UserProfile%\Cookies"
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies: "%SYSTEMDRIVE%\Documents and Settings\LocalService\Cookies"
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\History: "%UserProfile%\Local Settings\History"
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\History: "%SYSTEMDRIVE%\Documents and Settings\LocalService\Local Settings\History"


The above registry values confirm that the worm points the default shell folders at the LocalService profile.


-----Updated on Nov 22 , 2011-----------

Aliases -

  • Kaspersky - Net-Worm.Win32.Kido.ih
  • NOD32 - a variant of Win32/Conficker.X
  • Ikarus - Net-Worm.Win32.Kido
  • Microsoft - Worm:Win32/Conficker.B

The following file has been added to the system.

  • [Removable Drive:]\RECYCLER\S-5-[varies]\jwgkvsq.vmx

The malware also drops an autorun.inf file into the root of all removable drives and mapped drives in an attempt to autorun an executable when the drive is accessed.

The file "AutoRun.inf" is pointing to the malware binary executable. When the removable or networked drive is accessed from a machine supporting the Autorun feature, the malware is launched automatically.

The following registry keys have been added to the system.

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\fuuomyu
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\safqdqya

The following registry value has been added to the system.

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\4317:TCP = "4317:TCP:*:Enabled:sdzcw"

The following registry values have been modified.

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RSVP\Parameters\StartBlocker = "Global\_RAPI_EVENT_NAME-C3E99E67-3B98-4E7E-91DAB5734F70E6ED"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RSVP\Parameters\StartBlocker = ""
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RSVP\Parameters\Requests = "RAPIRpc Main-E17294EF-D5EC-40C0-B14DC2CDD7129511"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RSVP\Parameters\Requests = ""
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RSVP\Parameters\Upcalls = "RAPIRpc Thread-6C1FCF96-AA8F-4B79-8A11E01958C1A170"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RSVP\Parameters\Upcalls = ""

---------------------

----Update on March 10, 2009---

The risk assessment of this threat has been updated to Low-Profiled due to media attention at

http://www.thetechherald.com/article.php/200911/3157/Conficker-Worm-fighting-back-a-new-variant-discovered-disables-security-measures

A new variant of W32/Conficker.worm has been seen spreading. It copies itself to the following paths:

  • %Sysdir%\[Random].dll
  • %Program Files%\Internet Explorer\[Random].dll
  • %Program Files%\Movie Maker\[Random].dll
  • %Program Files%\Windows Media Player\[Random].dll
  • %Program Files%\Windows NT\[Random].dll

It disables the following services:

  • WerSvc
  • ERSvc
  • BITS
  • wuauserv
  • WinDefend
  • wscsvc

It hooks the following functions in dnsapi.dll :

  • Query_Main
  • DnsQuery_W
  • DnsQuery_UTF8
  • DnsQuery_A

It hooks the following functions in ws2_32.dll:

  • sendto

The worm deletes the following registry key to disable restarting in safe mode:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot

It deletes the following registry keys:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjects\{FD6905CE-952F-41F1-9A6F-135D9C6622CC}
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender

It terminates processes whose names contain the following strings:

  • wireshark
  • unlocker
  • tcpview
  • sysclean
  • scct_
  • regmon
  • procmon
  • procexp
  • ms08-06
  • mrtstub
  • mrt.
  • mbsa.
  • klwk
  • kido
  • kb958
  • kb890
  • hotfix
  • gmer
  • filemon
  • downad
  • confick
  • avenger
  • autoruns

To block users' access to security-related sites, it prevents network access to any domain that contains the following strings:

  • windowsupdate
  • wilderssecurity
  • virus
  • virscan
  • trojan
  • trendmicro
  • threatexpert
  • threat
  • technet
  • symantec
  • sunbelt
  • spyware
  • spamhaus
  • sophos
  • secureworks
  • securecomputing
  • safety.live
  • rootkit
  • rising
  • removal
  • quickheal
  • ptsecurity
  • prevx
  • pctools
  • panda
  • onecare
  • norton
  • norman
  • nod32
  • networkassociates
  • mtc.sri
  • msmvps
  • msftncsi
  • mirage
  • microsoft
  • mcafee
  • malware
  • kaspersky
  • k7computing
  • jotti
  • ikarus
  • hauri
  • hacksoft
  • hackerwatch
  • grisoft
  • gdata
  • freeav
  • free-av
  • fortinet
  • f-secure
  • f-prot
  • ewido
  • etrust
  • eset
  • esafe
  • emsisoft
  • dslreports
  • drweb
  • defender
  • cyber-ta
  • cpsecure
  • conficker
  • computerassociates
  • comodo
  • clamav
  • centralcommand
  • ccollomb
  • castlecops
  • bothunter
  • avira
  • avgate
  • avast
  • arcabit
  • antivir
  • anti-
  • ahnlab
  • agnitum

The latest Conficker is known to generate 50,000 domain names using its own generator algorithm. The following is its disassembly snapshot.

[Disassembly snapshot image not reproduced]

The following suffixes are appended to any generated domain. It uses 116 different suffixes, for example:

  • com.ve
  • com.uy
  • com.ua
  • com.tw
  • com.tt
  • com.tr
  • com.sv
  • com.py
  • com.pt
  • com.pr
  • com.pe
  • com.pa
  • com.ni
  • com.ng
  • com.mx
  • com.mt
  • com.lc
  • com.ki
  • com.jm
  • com.hn
  • com.gt
  • com.gl
  • com.gh
  • com.fj
  • com.do
  • com.co
  • com.bs
  • com.br
  • com.bo
  • com.ar
  • com.ai
  • com.ag
  • co.za
  • co.vi
  • co.uk
  • co.ug
  • co.nz
  • co.kr
  • co.ke
  • co.il
  • co.id
  • co.cr
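
The description does not disclose the generator itself, but the two facts it does give (tens of thousands of candidate names, spread across a fixed set of ccTLD suffixes) are enough for a network-side detection heuristic. The script below is an added example, not part of the McAfee description and not the worm's algorithm: per client it counts distinct query names under the listed suffixes and the share of NXDOMAIN answers, and flags hosts that ask for many distinct, mostly unregistered names across those suffixes. The log layout ("timestamp client qname rcode"), the thresholds, the seeded random labels in the sample, and the suffix subset are constructed assumptions for the example.

```python
import random
from collections import defaultdict

# Subset of the suffixes listed above; the full list has 116 entries.
DGA_SUFFIXES = ("com.ve", "com.uy", "com.ua", "com.tw", "com.tr", "com.mx", "com.br",
                "com.ar", "co.za", "co.uk", "co.nz", "co.kr", "co.il", "co.id")


def make_sample_log():
    """Constructed DNS resolver log, one line per query:
    '<timestamp> <client-ip> <query-name> <rcode>'.
    10.0.0.5 burns through many never-registered names under the suffixes
    above; 10.0.0.7 has ordinary traffic. Seeded so the sample is stable."""
    rng = random.Random(1)
    lines = []
    for i in range(40):
        label = "".join(rng.choice("abcdefghijklmnopqrstuvwxyz")
                        for _ in range(rng.randint(5, 10)))
        lines.append(f"2009-04-01T10:{i:02d}:00 10.0.0.5 {label}.{rng.choice(DGA_SUFFIXES)} NXDOMAIN")
    benign = ["www.example.com", "update.example.co.uk", "mail.example.com"] * 3
    for i, name in enumerate(benign):
        lines.append(f"2009-04-01T10:{i:02d}:30 10.0.0.7 {name} NOERROR")
    return lines


def dga_suffix(qname):
    """Return the matching suffix from the worm's list, or None."""
    for suffix in DGA_SUFFIXES:
        if qname.endswith("." + suffix):
            return suffix
    return None


def flag_dga_clients(lines, min_distinct=20, min_nx_ratio=0.8):
    """Flag clients that query at least min_distinct distinct names under the
    listed suffixes with at least min_nx_ratio of them answered NXDOMAIN.
    Thresholds are assumptions to tune per network and time window."""
    stats = defaultdict(lambda: {"names": set(), "suffixes": set(), "nx": 0, "total": 0})
    for line in lines:
        try:
            _ts, client, qname, rcode = line.split()
        except ValueError:
            continue  # malformed line, skip rather than abort the run
        qname = qname.lower()
        suffix = dga_suffix(qname)
        if suffix is None:
            continue
        st = stats[client]
        st["names"].add(qname)
        st["suffixes"].add(suffix)
        st["total"] += 1
        if rcode == "NXDOMAIN":
            st["nx"] += 1
    flagged = {}
    for client, st in stats.items():
        ratio = st["nx"] / st["total"]
        if len(st["names"]) >= min_distinct and ratio >= min_nx_ratio:
            flagged[client] = {"distinct_names": len(st["names"]),
                               "suffixes_used": len(st["suffixes"]),
                               "nx_ratio": round(ratio, 2)}
    return flagged


if __name__ == "__main__":
    for client, info in flag_dga_clients(make_sample_log()).items():
        print(client, info)
```

Keying on the NXDOMAIN share matters because only a few of the generated names are ever registered; a host that resolves ordinary names under co.uk or com.br every day never accumulates dozens of distinct failing lookups in one window.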

-------------------------------------------------------------

When executed, the worm copies itself using a random name to the %Sysdir% folder.

(Where %Sysdir% is the Windows system folder; e.g. C:\Windows\System32)

It modifies the following registry key to create a randomly-named service on the affected system:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random}\Parameters\"ServiceDll" = "Path to worm"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random}\"ImagePath" = %SystemRoot%\system32\svchost.exe -k netsvcs
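
Because the worm registers itself as a svchost.exe netsvcs service whose ServiceDll is a randomly-named DLL, a useful host check is to enumerate netsvcs-hosted services and compare each ServiceDll against where the description says the worm copies itself and against a clean baseline. The script below is an added example, not McAfee's code: the service entries are constructed in the page's notation (the two service names are the ones reported in the Nov 2011 update, the DLL file names are made up), the clean-baseline set is hypothetical, and the environment-variable expansion assumes a default install location.

```python
import ntpath

# Directories the description says the worm copies itself into, besides %Sysdir%.
WORM_DROP_DIRS = (
    r"%Program Files%\Internet Explorer",
    r"%Program Files%\Movie Maker",
    r"%Program Files%\Windows Media Player",
    r"%Program Files%\Windows NT",
)

# Constructed baseline: ServiceDll file names recorded from a clean reference
# machine of the same build (hypothetical values for this example).
BASELINE_NETSVCS_DLLS = {"wuauserv.dll", "qmgr.dll", "wscsvc.dll", "browser.dll", "ersvc.dll"}

# Constructed service entries. 'fuuomyu' and 'safqdqya' are the service names
# the page reports; their DLL names here are invented for the example.
SAMPLE_SERVICES = {
    "wuauserv": {"ImagePath": r"%SystemRoot%\system32\svchost.exe -k netsvcs",
                 "ServiceDll": r"%SystemRoot%\system32\wuauserv.dll"},
    "BITS": {"ImagePath": r"%SystemRoot%\system32\svchost.exe -k netsvcs",
             "ServiceDll": r"%SystemRoot%\system32\qmgr.dll"},
    "fuuomyu": {"ImagePath": r"%SystemRoot%\system32\svchost.exe -k netsvcs",
                "ServiceDll": r"%SystemRoot%\system32\ktgfzp.dll"},
    "safqdqya": {"ImagePath": r"%SystemRoot%\system32\svchost.exe -k netsvcs",
                 "ServiceDll": r"%Program Files%\Movie Maker\hqzvlk.dll"},
    "Spooler": {"ImagePath": r"%SystemRoot%\system32\spoolsv.exe"},
}


def expand(path):
    """Lower-case and expand the few environment variables used above.
    Assumes default install locations; real triage reads them from the host."""
    p = path.lower()
    for var, val in (("%systemroot%", r"c:\windows"), ("%windir%", r"c:\windows"),
                     ("%sysdir%", r"c:\windows\system32"),
                     ("%program files%", r"c:\program files"),
                     ("%programfiles%", r"c:\program files")):
        p = p.replace(var, val)
    return p


DROP_DIRS_EXPANDED = {expand(d) for d in WORM_DROP_DIRS}
SYSTEM32 = expand(r"%SystemRoot%\system32")


def flag_netsvcs_services(services):
    """Return (service, dll, reason) for suspicious svchost netsvcs entries."""
    findings = []
    for name, values in services.items():
        image = expand(values.get("ImagePath", ""))
        if "svchost.exe" not in image or "-k netsvcs" not in image:
            continue  # only svchost-hosted netsvcs entries are in scope here
        dll = expand(values.get("ServiceDll", ""))
        directory, filename = ntpath.split(dll)
        if not dll:
            findings.append((name, dll, "netsvcs entry without a ServiceDll"))
        elif directory in DROP_DIRS_EXPANDED:
            findings.append((name, dll, "ServiceDll sits in a directory the worm copies itself into"))
        elif directory == SYSTEM32 and filename not in BASELINE_NETSVCS_DLLS:
            findings.append((name, dll, "ServiceDll in system32 is not in the clean baseline"))
    return findings


if __name__ == "__main__":
    for service, dll, reason in flag_netsvcs_services(SAMPLE_SERVICES):
        print(f"{service}: {dll} ({reason})")
```

A baseline comparison is what catches the %Sysdir% case, since a random DLL name in system32 looks no different from a legitimate one by path alone; the drop-directory rule catches the Program Files variants without needing a baseline at all.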

Attempts connections to one or more of the following websites to obtain the public IP address of the affected computer.

  • hxxp://www.getmyip.org
  • hxxp://getmyip.co.uk
  • hxxp://checkip.dyndns.org
  • hxxp://whatsmyipaddress.com

Attempts to download a malware file from the remote website: (Rogue Russian site is up but not serving file anymore)

  • hxxp://trafficconverter.biz/[Removed]antispyware/[Removed].exe

Starts an HTTP server on a random port on the infected machine to host a copy of the worm.

Continuously scans the subnet of the infected host for vulnerable machines and attempts the exploit. If the exploit succeeds, the remote computer connects back to the HTTP server and downloads a copy of the worm.

Later variants of W32/Conficker.worm use scheduled tasks and Autorun.inf files to replicate onto non-vulnerable systems or to reinfect previously infected systems after they have been cleaned.

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

This worm exploits the MS08-067 Microsoft Windows Server Service vulnerability in order to propagate.

Machines should be patched and rebooted to protect against this worm re-infecting the system after cleaning.

Upon detection of this worm the system should be rebooted to clean memory correctly. This may require more than one reboot.

Scheduled tasks have been seen to be created on the system to re-activate the worm.

Autorun.inf files have been seen to be used to re-activate the worm.

The symptoms of this detection are the files, registry changes, and network communication referenced in the characteristics section. Other observed symptoms:

  • Users being locked out of the directory
  • Access to admin shares denied
  • Scheduled tasks being created
  • Access to security-related web sites is blocked