
W32/Conficker.worm.gen.d

Threat Detail

  • Malware Type: Virus
  • Malware Sub-type: Worm
  • Protection Added: 2009-03-11

This detection is for a worm that exploits the MS08-067 vulnerability in the Microsoft Windows Server Service, which may allow remote code execution. The flaw lies in the Server Service's improper handling of specially crafted (malicious) RPC requests; Microsoft patched it on October 23, 2008.


Minimum Engine

5400.1158

File Length

Description Added

2009-03-11

Description Modified

2009-03-11

Malware Proliferation


When executed, this worm connects to one of the following sites to obtain the current date and time, rather than trusting the local clock:

  • myspace.com
  • msn.com
  • ebay.com
  • cnn.com
  • aol.com

The worm continues executing only if the date obtained this way is before May 3, 2009.
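The gating logic described above, as an added example that is not the worm's code: it derives "now" from the Date header of an HTTP response (the page says only that the sites are used to check the date and time, so reading that header is an assumption), falls through the list of sites until one answers usefully, and compares against the May 3, 2009 cutoff. The raw responses are constructed inline so the check runs offline; treating "no usable answer" as past the cutoff is also an assumption.

```python
"""Kill-date gate driven by a remote HTTP Date header.

Added illustration, not code from the worm or from McAfee. Assumptions:
the date is read from the Date header, and no usable answer counts as
past the cutoff.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

CUTOFF = datetime(2009, 5, 3, tzinfo=timezone.utc)  # "before May 3, 2009"
TIME_SOURCES = ["myspace.com", "msn.com", "ebay.com", "cnn.com", "aol.com"]

# Constructed responses (not captured traffic).
RESP_OK = (b"HTTP/1.1 200 OK\r\n"
           b"Date: Wed, 11 Mar 2009 14:02:10 GMT\r\n"
           b"Content-Length: 0\r\n\r\n")
RESP_LATE = (b"HTTP/1.1 301 Moved Permanently\r\n"
             b"Date: Mon, 04 May 2009 00:00:00 GMT\r\n\r\n")
RESP_NODATE = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"


def date_from_response(raw):
    """Return the UTC datetime from a raw HTTP response's Date header, or None."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"date":
            try:
                when = parsedate_to_datetime(value.strip().decode("ascii"))
            except (TypeError, ValueError):       # malformed header
                return None
            if when.tzinfo is None:               # "-0000" yields a naive value
                when = when.replace(tzinfo=timezone.utc)
            return when.astimezone(timezone.utc)
    return None


def before_cutoff(responses, cutoff=CUTOFF):
    """responses: (host, raw_bytes) pairs in the order the hosts were tried.

    Uses the first response with a parseable Date header and returns
    (continue?, host used, date seen). With no usable answer it returns
    (False, None, None) -- an assumption, since the page does not say.
    """
    for host, raw in responses:
        when = date_from_response(raw)
        if when is not None:
            return when < cutoff, host, when
    return False, None, None


if __name__ == "__main__":
    print(before_cutoff([("msn.com", RESP_NODATE), ("ebay.com", RESP_OK)]))
    print(before_cutoff([("cnn.com", RESP_LATE)]))
```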

On successful execution, the worm drops the following file:

It creates a service with a random name, using the file above. Once the service has been created, the worm deletes the above ".tmp" file.

The worm then patches the following system file in memory:

  • %System%\drivers\tcpip.sys

This is done to remove the limit on the number of concurrent outbound TCP connection attempts the infected machine may make, which would otherwise throttle the worm's network scanning.

Note:

  • %System% is a variable that refers to the System folder.
    By default this is C:\Windows\System32 on Windows XP.

This worm creates the following mutex to ensure that only one instance of the worm is running in memory:

  • Global\[Random Name]

The worm connects to one of the following sites to find the public IP address of the infected machine:

  • whatsmyipaddress.com
  • ipdragon.com
  • findmyip.com
  • ipaddressworld.com
  • findmyipaddress.com
  • myipaddress.com
  • checkip.dyndns.com
  • checkip.dyndns.org

The worm then starts an HTTP server on a random port on the infected machine to host a copy of itself. It then continuously scans the subnet of the infected host for vulnerable machines and runs the exploit against them. If the exploit succeeds, the remote computer connects back to that HTTP server and downloads a copy of the worm.
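A detection angle on the propagation sequence above, added here and not part of the McAfee description: a sweep of the local subnet on TCP 445 followed by the swept hosts connecting back to the sweeping host on a high, non-standard port is a distinctive pair in flow logs, and requiring both halves keeps ordinary SMB use and benign vulnerability scanners out of the result. The flow format ("timestamp src dst dport"), the addresses and the thresholds below are constructed assumptions.

```python
"""Flag hosts showing an SMB sweep followed by high-port connect-backs.

Added example for illustration, not McAfee or Conficker code. The flow
format is a constructed simplification and the thresholds are assumptions
to be tuned against real traffic.
"""
from collections import defaultdict
from datetime import datetime

SMB_PORT = 445          # MS08-067 is reached over SMB
SCAN_THRESHOLD = 8      # assumption: distinct 445 targets before a host counts as sweeping
HIGH_PORT_MIN = 1024    # assumption: the worm's HTTP server sits on a random high port

# Constructed sample flows (not captured traffic):
#  - 10.0.0.5 sweeps twelve neighbours on 445, then 10.0.0.7 and 10.0.0.9
#    connect back to it on 5432 (the hosted payload in this scenario);
#  - 10.0.0.20 talks SMB to a single file server (normal use);
#  - 10.0.0.30 reaches 10.0.0.5 on a high port without having been probed;
#  - 10.0.0.99 sweeps eight hosts on 445 but nothing connects back.
SAMPLE_LOG = """\
2009-03-11T10:00:01 10.0.0.5 10.0.0.1 445
2009-03-11T10:00:01 10.0.0.5 10.0.0.2 445
2009-03-11T10:00:02 10.0.0.5 10.0.0.3 445
2009-03-11T10:00:02 10.0.0.5 10.0.0.4 445
2009-03-11T10:00:03 10.0.0.5 10.0.0.6 445
2009-03-11T10:00:03 10.0.0.5 10.0.0.7 445
2009-03-11T10:00:04 10.0.0.5 10.0.0.8 445
2009-03-11T10:00:04 10.0.0.5 10.0.0.9 445
2009-03-11T10:00:05 10.0.0.5 10.0.0.10 445
2009-03-11T10:00:05 10.0.0.5 10.0.0.11 445
2009-03-11T10:00:06 10.0.0.5 10.0.0.12 445
2009-03-11T10:00:06 10.0.0.5 10.0.0.13 445
2009-03-11T10:00:07 10.0.0.7 10.0.0.5 5432
2009-03-11T10:00:08 10.0.0.9 10.0.0.5 5432
2009-03-11T10:00:09 10.0.0.20 10.0.0.50 445
2009-03-11T10:00:10 10.0.0.30 10.0.0.5 8080
2009-03-11T10:01:00 10.0.0.99 10.0.0.1 445
2009-03-11T10:01:00 10.0.0.99 10.0.0.2 445
2009-03-11T10:01:01 10.0.0.99 10.0.0.3 445
2009-03-11T10:01:01 10.0.0.99 10.0.0.4 445
2009-03-11T10:01:02 10.0.0.99 10.0.0.6 445
2009-03-11T10:01:02 10.0.0.99 10.0.0.7 445
2009-03-11T10:01:03 10.0.0.99 10.0.0.8 445
2009-03-11T10:01:03 10.0.0.99 10.0.0.9 445
"""


def parse_flows(text):
    """Parse flow lines into (time, src, dst, dport) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return flows


def find_propagators(flows, scan_threshold=SCAN_THRESHOLD):
    """Return {scanner: {"scanned": n, "callbacks": {port: {hosts}}}} for every
    host that probed at least scan_threshold neighbours on 445 and was then
    contacted on a high port by one of the hosts it had probed."""
    first_probe = defaultdict(dict)          # src -> {dst: time of first 445 probe}
    for ts, src, dst, dport in flows:
        if dport == SMB_PORT and dst not in first_probe[src]:
            first_probe[src][dst] = ts

    suspects = {}
    for scanner, targets in first_probe.items():
        if len(targets) < scan_threshold:
            continue
        callbacks = defaultdict(set)
        for ts, src, dst, dport in flows:
            # Connect-back: a host this scanner already probed on 445 now opens
            # a high-port connection to the scanner (fetching the payload).
            if (dst == scanner and src in targets
                    and dport >= HIGH_PORT_MIN and ts > targets[src]):
                callbacks[dport].add(src)
        if callbacks:                        # sweep alone is not enough
            suspects[scanner] = {"scanned": len(targets),
                                 "callbacks": dict(callbacks)}
    return suspects


if __name__ == "__main__":
    for host, info in find_propagators(parse_flows(SAMPLE_LOG)).items():
        print(host, info)
```

The 10.0.0.99 sweep is deliberately left unreported: without a connect-back it is indistinguishable from an authorised scanner, and the port the worm serves on is random, so the detection keys on the pairing rather than on a port number.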

The latest DATs combined with the engine version listed above detect and remove this threat. Avert recommends that users not trust seemingly familiar or safe file icons, particularly for files received via P2P clients, IRC, email or other media through which users share files.

Additional Windows ME/XP removal considerations

Stinger: a standalone removal tool has been released to assist in detecting and repairing this threat.

This worm exploits the MS08-067 Microsoft Windows Server Service vulnerability in order to propagate. Machines should be patched and rebooted so that the worm cannot re-infect the system after cleaning.

This worm may also be downloaded unintentionally by users visiting malicious sites. Distribution channels may include IRC, peer-to-peer networks, email, newsgroup postings, etc.

  • Files, registry, and network communication referenced in the characteristics section