W32/Conficker.worm
- Type
- Virus
- SubType
- Worm
- Discovery Date
- 11/24/2008
- Length
- 58,368 bytes
- Minimum DAT
- 5444 (11/24/2008)
- Updated DAT
- 5800 (11/12/2009)
- Minimum Engine
- 5.2.00
- Description Added
- 11/24/2008
- Description Modified
- 03/11/2009 4:58 PM (PT)
Risk Assessment
- Corporate User
- Low-Profiled
- Home User
- Low-Profiled
Characteristics
----Update on March 10, 2009---
The risk assessment of this threat has been updated to Low-Profiled due to media attention at
A new variant of W32/Conficker.worm has been seen spreading. It copies itself to the following paths:
- %Sysdir%\[Random].dll
- %Program Files%\Internet Explorer\[Random].dll
- %Program Files%\Movie Maker\[Random].dll
- %Program Files%\Windows Media Player\[Random].dll
- %Program Files%\Windows NT\[Random].dll
It disables the following services:
- WerSvc
- ERSvc
- BITS
- wuauserv
- WinDefend
- wscsvc
It hooks the following functions in dnsapi.dll:
- Query_Main
- DnsQuery_W
- DnsQuery_UTF8
- DnsQuery_A
It hooks the following functions in ws2_32.dll:
- sendto
The worm deletes the following registry key to disable restarting in safe mode:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot
It deletes the following registry keys:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjects\{FD6905CE-952F-41F1-9A6F-135D9C6622CC}
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender
It terminates any process whose name contains one of the following strings:
- wireshark
- unlocker
- tcpview
- sysclean
- scct_
- regmon
- procmon
- procexp
- ms08-06
- mrtstub
- mrt.
- mbsa.
- klwk
- kido
- kb958
- kb890
- hotfix
- gmer
- filemon
- downad
- confick
- avenger
- autoruns
To block users' access to security-related sites, it prevents network access to any domain whose name contains one of the following strings:
- windowsupdate
- wilderssecurity
- virus
- virscan
- trojan
- trendmicro
- threatexpert
- threat
- technet
- symantec
- sunbelt
- spyware
- spamhaus
- sophos
- secureworks
- securecomputing
- safety.live
- rootkit
- rising
- removal
- quickheal
- ptsecurity
- prevx
- pctools
- panda
- onecare
- norton
- norman
- nod32
- networkassociates
- mtc.sri
- msmvps
- msftncsi
- mirage
- microsoft
- mcafee
- malware
- kaspersky
- k7computing
- jotti
- ikarus
- hauri
- hacksoft
- hackerwatch
- grisoft
- gdata
- freeav
- free-av
- fortinet
- f-secure
- f-prot
- ewido
- etrust
- eset
- esafe
- emsisoft
- dslreports
- drweb
- defender
- cyber-ta
- cpsecure
- conficker
- computerassociates
- comodo
- clamav
- centralcommand
- ccollomb
- castlecops
- bothunter
- avira
- avgate
- avast
- arcabit
- antivir
- anti-
- ahnlab
- agnitum
The latest Conficker variant is known to generate 50,000 domain names using its own generation algorithm; the original description illustrates this with a disassembly snapshot (image not reproduced here).
The following suffixes are appended to the generated domain names. It uses 116 different suffixes; for example:
- com.ve
- com.uy
- com.ua
- com.tw
- com.tt
- com.tr
- com.sv
- com.py
- com.pt
- com.pr
- com.pe
- com.pa
- com.ni
- com.ng
- com.mx
- com.mt
- com.lc
- com.ki
- com.jm
- com.hn
- com.gt
- com.gl
- com.gh
- com.fj
- com.do
- com.co
- com.bs
- com.br
- com.bo
- com.ar
- com.ai
- com.ag
- co.za
- co.vi
- co.uk
- co.ug
- co.nz
- co.kr
- co.ke
- co.il
- co.id
- co.cr
-------------------------------------------------------------
When executed, the worm copies itself using a random name to the %Sysdir% folder.
(Where %Sysdir% is the Windows system folder; e.g. C:\Windows\System32)
It modifies the following registry keys to create a randomly-named service on the affected system:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random}\Parameters\"ServiceDll" = "Path to worm"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random}\"ImagePath" = %SystemRoot%\system32\svchost.exe -k netsvcs
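As an added triage example (not part of the McAfee description), the following Python parses a registry export of the Services hive and flags netsvcs-hosted services whose ServiceDll points into one of the drop directories listed above, or anywhere outside System32. The export text, the service name `wsdyqa` and the DLL name are constructed for the example.

```python
import re

# Constructed registry export (not from the page): one legitimate netsvcs service
# and one randomly named service planted the way the description says.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS]
"ImagePath"="%SystemRoot%\\system32\\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Parameters]
"ServiceDll"="%SystemRoot%\\System32\\qmgr.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wsdyqa]
"ImagePath"="%SystemRoot%\\system32\\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wsdyqa\Parameters]
"ServiceDll"="C:\\Program Files\\Movie Maker\\kjhfds.dll"
'''

SERVICES = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"
# Directories the description lists as drop locations for the worm DLL.
DROP_DIRS = ("\\internet explorer\\", "\\movie maker\\",
             "\\windows media player\\", "\\windows nt\\")

def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: data}} (string values only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m:   # .reg exports escape backslashes as \\
                keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys

def suspicious_netsvcs(keys):
    """(service, dll, reason) for every netsvcs-hosted ServiceDll that looks out of place."""
    hits = []
    for path, values in keys.items():
        name = path[len(SERVICES):]
        if not path.startswith(SERVICES) or "\\" in name:
            continue  # top-level service keys only, not Parameters subkeys
        if "svchost.exe -k netsvcs" not in values.get("ImagePath", "").lower():
            continue
        dll = keys.get(path + "\\Parameters", {}).get("ServiceDll", "")
        if any(d in dll.lower() for d in DROP_DIRS):
            hits.append((name, dll, "ServiceDll in a drop directory from the description"))
        elif "\\system32\\" not in dll.lower():
            hits.append((name, dll, "netsvcs ServiceDll outside System32; review manually"))
    return hits
```

A randomly named DLL dropped directly into %Sysdir% is not caught by the path check alone; for that case compare the netsvcs service list against a known-good baseline.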
It attempts to connect to one or more of the following websites to obtain the public IP address of the affected computer:
- hxxp://www.getmyip.org
- hxxp://getmyip.co.uk
- hxxp://checkip.dyndns.org
- hxxp://whatsmyipaddress.com
It attempts to download a malware file from the following remote website (the rogue Russian site is up but no longer serving the file):
- hxxp://trafficconverter.biz/[Removed]antispyware/[Removed].exe
It starts an HTTP server on a random port on the infected machine to host a copy of the worm.
It continuously scans the subnet of the infected host for vulnerable machines and runs the exploit against them. If the exploit succeeds, the remote computer connects back to the HTTP server and downloads a copy of the worm.
Later variants of W32/Conficker.worm use scheduled tasks and Autorun.inf files to replicate onto non-vulnerable systems, or to reinfect previously infected systems after they have been cleaned.
Symptoms
The symptoms of this detection are the files, registry entries, and network communication referenced in the Characteristics section, together with:
- Users being locked out of the directory
- Access to admin shares denied
- Scheduled tasks being created
- Access to security-related web sites blocked
Method of Infection
This worm exploits the MS08-067 Microsoft Windows Server Service vulnerability in order to propagate.
Machines should be patched and rebooted to protect against this worm re-infecting the system after cleaning.
Upon detection of this worm the system should be rebooted to clean memory correctly. This may require more than one reboot.
Scheduled tasks have been seen to be created on the system to re-activate the worm.
Autorun.inf files have been seen to be used to re-activate the worm.
Removal
Users infected by W32/Conficker.worm should perform an On Demand Scan to remove remnants of the worm in memory using the latest DATs.
Upon detection of W32/Conficker!mem and REBOOT, the W32/Conficker.worm malware components will be removed.
Variants
N/A
Overview
This detection is for a worm that exploits the MS08-067 vulnerability in order to spread. It may also download and execute various files onto the affected system.
Aliases
- Worm:Win32/Conficker.A (Microsoft)
- Crypt.AVL (AVG)
- Mal/Conficker-A (Sophos)
- Trojan.Win32.Pakes.lxf (F-Secure)
- Trojan.Win32.Pakes.lxf (Kaspersky)
- W32.Downadup (Symantec)
- Worm:Win32/Conficker.B (Microsoft)
- WORM_DOWNAD.A (Trend Micro)