McAfee > Theat Center > Virus Detail Page

(Where %Sysdir% is the Windows system folder; e.g. C:\Windows\System32)

New variants have been observed dropping copies of themselfs aslo into:

• %Program Files%\Internet Explorer\[Random].dll
• %Program Files%\Movie Maker\[Random].dll
• %All Users Application Data%\[Random].dll
• %Temp%\[Random].dll
• %System%\[Random].tmp
• %Temp%\[Random].tmp

Where [random] is a 4 to 8 long letters only random name.

On NTFS filesystems the dropped files do have often modified access permissions. Access is completely removed on the file for all users and groups. This is done to make detection and cleaning more difficult.

It modifies the following registry key to create a randomly-named service on the affected syetem:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random}\Parameters\"ServiceDll" = "Path to worm"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random}\"ImagePath" = %SystemRoot%\system32\svchost.exe -k netsvcs

Several variants do remove access to the above registry key by changing the key ACLs. This also in an attempt to make detection and removal of the serive key more difficult. The service name is generated dinamically by associating words from an hardcoded list:

• Boot
• Center
• Config
• Driver
• Helper
• Image
• Installer
• Manager
• Microsoft
• Monitor
• Network
• Security
• Server
• Shell
• Support
• System
• Task
• Time
• Universal
• Update
• Windows

It will inject intelf into various running processes. Different variant have been observer injecting into one or more of:

• svchost.exe
• explorer.exe
• services.exe

Attempts connections to one or more of the following websites to obtain the public ip address of the affected computer.

• hxxp://www.getmyip.org
• hxxp://getmyip.co.uk
• hxxp://checkip.dyndns.org
• hxxp://whatsmyipaddress.com

Attempts to download a malware file from the remote website

hxxp://trafficconverter.biz/[Removed]antispyware/[Removed].exe

New variants are connecting to various other hosts.

Starts a HTTP server on a random port on the infected machine to host a copy of the worm.

Continuously scans the subnet of the infected host for vulnerable machines and executes the exploit. If the exploit is successful, the remote computer will then connect back to the http server and download a copy of the worm. The http connection is performed on a random port and the file transferred will have an extension of

• bmp
• gif
• jpeg
• png

Later variants of w32/Conficker.worm do attempt to connect to remote hosts using the local credentials and a list of username retrieved from the target system and a long list of hardcoded passwords. In doing so it may lock down domain accounts where the policy is set to allow only a limited number of wrong passwords.

On succesfully exploited remote systems the worm drops a copy of itself in the $sysdir% folder and creates a scheduled tasks to execute it. It may olso create a copy in the remote "Recycle Bin" folder and an Autorun.inf file.

Using these techniques the worm may replicate on to non vulnerable systems or reinfect previously infected systems after they have been cleaned.

The worm hooks system APIs to prevent access to security websites. A list of some of the locked domains is:

• ahnlab
• arcabit
• avas
• avg
• avira
• avp
• bit9
• ca
• castlecops
• centralcommand
• cert
• clamav
• comodo
• computerassociates
• cpsecure
• drweb
• emsisoft
• esafe
• eset
• etrust
• ewido
• fortinet
• f-prot
• f-secure
• gdata
• grisoft
• hacksoft
• hauri
• ikarus
• jotti
• k7computing
• kaspersky
• mcafee
• microsoft
• nai
• networkassociates
• nod32
• norman
• norton
• panda
• pctools
• prevx
• quickheal
• rising
• sans
• securecomputing
• sophos
• spamhaus
• sunbelt
• symantec
• threatexpert
• trendmicro
• vet
• wilderssecurity
• windowsupdate

Some security services may also be disabled by the infection.

It also spread by brute forcing remote systems password and installing scheduled tasks and/or autorun.inf files on the victim.

(Where %Sysdir% is the Windows system folder; e.g. C:\Windows\System32)

New variants have been observed dropping copies of themselfs aslo into:

• %Program Files%\Internet Explorer\[Random].dll
• %Program Files%\Movie Maker\[Random].dll
• %All Users Application Data%\[Random].dll
• %Temp%\[Random].dll
• %System%\[Random].tmp
• %Temp%\[Random].tmp

Where [random] is a 4 to 8 long letters only random name.

On NTFS filesystems the dropped files do have often modified access permissions. Access is completely removed on the file for all users and groups. This is done to make detection and cleaning more difficult.

It modifies the following registry key to create a randomly-named service on the affected syetem:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random}\Parameters\"ServiceDll" = "Path to worm"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random}\"ImagePath" = %SystemRoot%\system32\svchost.exe -k netsvcs

Several variants do remove access to the above registry key by changing the key ACLs. This also in an attempt to make detection and removal of the serive key more difficult. The service name is generated dinamically by associating words from an hardcoded list:

• Boot
• Center
• Config
• Driver
• Helper
• Image
• Installer
• Manager
• Microsoft
• Monitor
• Network
• Security
• Server
• Shell
• Support
• System
• Task
• Time
• Universal
• Update
• Windows

It will inject intelf into various running processes. Different variant have been observer injecting into one or more of:

• svchost.exe
• explorer.exe
• services.exe

Attempts connections to one or more of the following websites to obtain the public ip address of the affected computer.

• hxxp://www.getmyip.org
• hxxp://getmyip.co.uk
• hxxp://checkip.dyndns.org
• hxxp://whatsmyipaddress.com

Attempts to download a malware file from the remote website

hxxp://trafficconverter.biz/[Removed]antispyware/[Removed].exe

New variants are connecting to various other hosts.

Starts a HTTP server on a random port on the infected machine to host a copy of the worm.

Continuously scans the subnet of the infected host for vulnerable machines and executes the exploit. If the exploit is successful, the remote computer will then connect back to the http server and download a copy of the worm. The http connection is performed on a random port and the file transferred will have an extension of

• bmp
• gif
• jpeg
• png

Later variants of w32/Conficker.worm do attempt to connect to remote hosts using the local credentials and a list of username retrieved from the target system and a long list of hardcoded passwords. In doing so it may lock down domain accounts where the policy is set to allow only a limited number of wrong passwords.

On succesfully exploited remote systems the worm drops a copy of itself in the $sysdir% folder and creates a scheduled tasks to execute it. It may olso create a copy in the remote "Recycle Bin" folder and an Autorun.inf file.

Using these techniques the worm may replicate on to non vulnerable systems or reinfect previously infected systems after they have been cleaned.

The worm hooks system APIs to prevent access to security websites. A list of some of the locked domains is:

• ahnlab
• arcabit
• avas
• avg
• avira
• avp
• bit9
• ca
• castlecops
• centralcommand
• cert
• clamav
• comodo
• computerassociates
• cpsecure
• drweb
• emsisoft
• esafe
• eset
• etrust
• ewido
• fortinet
• f-prot
• f-secure
• gdata
• grisoft
• hacksoft
• hauri
• ikarus
• jotti
• k7computing
• kaspersky
• mcafee
• microsoft
• nai
• networkassociates
• nod32
• norman
• norton
• panda
• pctools
• prevx
• quickheal
• rising
• sans
• securecomputing
• sophos
• spamhaus
• sunbelt
• symantec
• threatexpert
• trendmicro
• vet
• wilderssecurity
• windowsupdate

Some security services may also be disabled by the infection.

It also spread by brute forcing remote systems password and installing scheduled tasks and/or autorun.inf files on the victim.