W32/Conficker.worm.gen.b

Type: Virus
SubType: Generic Worm
Discovery Date: 01/06/2009
Length: Varies, most often between 150,000 and 180,000 bytes
Minimum DAT: 5481 (01/01/2009)
Updated DAT: 5596 (04/25/2009)
Minimum Engine: 5.2.00
Description Added: 01/06/2009
Description Modified: 02/26/2009 5:03 AM (PT)
Risk Assessment:
  Corporate User: Low-Profiled
  Home User: Low-Profiled

Characteristics

When executed, the worm copies itself using a random name to the %Sysdir% folder.

(Where %Sysdir% is the Windows system folder; e.g. C:\Windows\System32)

It creates the following registry keys to register a randomly-named service on the affected system:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random}\Parameters\
    ServiceDll = "Path to worm"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random}\
    ImagePath = %SystemRoot%\system32\svchost.exe -k netsvcs

Attempts to connect to one or more of the following websites to obtain the public IP address of the affected computer:

  • hxxp://www.getmyip.org
  • hxxp://getmyip.co.uk
  • hxxp://checkip.dyndns.org
  • hxxp://whatsmyipaddress.com

Attempts to download a malware file from the following remote website (the rogue Russian site is still up but no longer serves the file):

  • hxxp://trafficconverter.biz/[Removed]antispyware/[Removed].exe

Adds entries to the Run keys so that it is loaded at system startup:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    rundll32.exe "%Malware Path%"/[Random]
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    rundll32.exe "%Malware Path%"[Random]

Continuously scans the subnet of the infected host for vulnerable machines and executes the exploit against them. If the exploit is successful, the remote computer connects back to the worm's HTTP server and downloads a copy of the worm.

Attempts to block access to various security-related websites whose primary domains include the following strings:

  • ahnlab
  • arcabit
  • avas
  • avg
  • avira
  • avp
  • bit9
  • ca
  • castlecops
  • centralcommand
  • cert
  • clamav
  • comodo
  • computerassociates
  • cpsecure
  • drweb
  • emsisoft
  • esafe
  • eset
  • etrust
  • ewido
  • fortinet
  • f-prot
  • f-secure
  • gdata
  • grisoft
  • hacksoft
  • hauri
  • ikarus
  • jotti
  • k7computing
  • kaspersky
  • mcafee
  • microsoft
  • nai
  • networkassociates
  • nod32
  • norman
  • norton
  • panda
  • pctools
  • prevx
  • quickheal
  • rising
  • sans
  • securecomputing
  • sophos
  • spamhaus
  • sunbelt
  • symantec
  • threatexpert
  • trendmicro
  • vet
  • wilderssecurity
  • windowsupdate

Creates Windows scheduled tasks to load itself using rundll32.

Starts an HTTP server on a random port on the infected machine to host a copy of the worm.
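A defender-side triage check for the persistence pattern described above (an added example, not McAfee's or the worm's code): it walks a registry snapshot parsed into a dict, flags netsvcs-hosted services whose ServiceDll is not in an assumed clean baseline, and correlates them with Run-key values that load the same DLL through rundll32. The snapshot, the baseline DLL names and the service, export and DLL names in it are constructed sample data.

```python
"""Triage a registry snapshot for the pattern above: a randomly named service
run by 'svchost.exe -k netsvcs' whose ServiceDll points at the worm, plus a
Run-key value that loads the same DLL via rundll32. Input is
{key_path: {value_name: data}}, e.g. parsed from a .reg export."""
import re

SERVICES = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)
# Assumed baseline: ServiceDll names seen under netsvcs on a known-clean host
# of the same Windows build (an analyst supplies the real list).
KNOWN_NETSVCS_DLLS = {"schedsvc.dll", "wuauserv.dll", "browser.dll"}
# rundll32.exe "<path>.dll",<export>  (the separator varies between samples)
RUNDLL = re.compile(r'rundll32\.exe\s+"?(.+?\.dll)"?[\s,/]*(\S*)', re.I)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def suspicious_services(reg):
    """netsvcs-hosted services whose ServiceDll is outside the baseline."""
    hits = []
    for key, values in reg.items():
        # only direct children of ...\Services (the service key itself)
        if not key.startswith(SERVICES + "\\") or key.count("\\") != 4:
            continue
        if "svchost.exe -k netsvcs" not in values.get("ImagePath", "").lower():
            continue
        dll = reg.get(key + r"\Parameters", {}).get("ServiceDll", "")
        if dll and basename(dll) not in KNOWN_NETSVCS_DLLS:
            hits.append((basename(key), dll))
    return hits

def rundll32_run_entries(reg):
    """Run-key values that start a DLL through rundll32: (key, name, dll)."""
    return [(k, name, RUNDLL.match(data.strip()).group(1))
            for k in RUN_KEYS for name, data in reg.get(k, {}).items()
            if RUNDLL.match(data.strip())]

def triage(reg):
    """Strongest signal: a flagged service whose DLL is also a Run-key hook."""
    run_dlls = {basename(d) for _, _, d in rundll32_run_entries(reg)}
    return [(svc, dll) for svc, dll in suspicious_services(reg)
            if basename(dll) in run_dlls]

SAMPLE_REG = {  # constructed snapshot; the service/DLL/export names are made up
    SERVICES + r"\Schedule": {"ImagePath": r"%SystemRoot%\System32\svchost.exe -k netsvcs"},
    SERVICES + r"\Schedule\Parameters": {"ServiceDll": r"%SystemRoot%\System32\schedsvc.dll"},
    SERVICES + r"\xqzrtb": {"ImagePath": r"%SystemRoot%\system32\svchost.exe -k netsvcs"},
    SERVICES + r"\xqzrtb\Parameters": {"ServiceDll": r"C:\Windows\System32\xqzrtb.dll"},
    RUN_KEYS[0]: {"ctfmon": r"C:\Windows\System32\ctfmon.exe",
                  "aebgk": r'rundll32.exe "C:\Windows\System32\xqzrtb.dll",aebgk'},
}
```

A service flagged only by the baseline check deserves a look at the DLL on disk; one that also appears in `triage()` matches both persistence hooks the description lists and should be treated as an infection until the file is examined.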

Symptoms

  • File, registry, and network communication referenced in the characteristics section.
  • Access to admin shares denied
  • Scheduled tasks being created
  • Access to security related web sites is blocked.

Method of Infection

This worm exploits the MS08-067 Microsoft Windows Server Service vulnerability in order to propagate. Machines should be patched and rebooted to protect against this worm re-infecting the system after cleaning. Upon detection of this worm the system should be rebooted to clean memory correctly; this may require more than one reboot. Scheduled tasks have been seen to be created on the system to re-activate the worm.

Removal

Users infected by W32/Conficker.worm should perform an On Demand Scan to remove remnants of the worm in memory using the latest DATs.

Upon detection of W32/Conficker!mem and REBOOT, the W32/Conficker.worm malware components will be removed.

Variants

    N/A

Overview

-- Update February 26, 2009 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.infopackets.com/news/security/2009/20090225_new_conficker_b++_worm_discovered_more_stealth.htm

-- Update February 26, 2009 --

A new variation of Conficker has been identified. In addition to some minor code optimizations, this variant (sometimes referred to as Conficker B++ or Win32/Conficker.c) includes an additional backdoor service as well as some minor changes to the netapi32.dll patch that is applied after infection. The updated Conficker variant is detected by McAfee as W32/Conficker.worm.gen.b.

This detection is for a worm that exploits the MS08-067 vulnerability in the Microsoft Windows Server Service, which may allow remote code execution. The flaw lies in the improper handling of specially crafted (malicious) RPC requests.