
Worm:Win32/Conficker.D


First posted on 16 March 2009.
Source: SecurityHome

Aliases :

Worm:Win32/Conficker.D is also known as Win32/Conficker.worm.88064 (AhnLab), Win32.Worm.Downadup.Gen (BitDefender), Win32/Conficker.C (CA), Win32/Conficker.X (ESET), Trojan.Win32.Pakes.ngs (Kaspersky), W32/Conficker.worm.gen.c (McAfee), W32/Conficker.D.worm (Panda), W32/Confick-G (Sophos), W32.Downadup.C (Symantec).

Explanation :

Win32/Conficker.D is a polymorphic worm and variant of Win32/Conficker. Conficker.D infects the local computer, terminates services and blocks access to numerous Web sites. This variant does not spread to removable drives or shared folders across a network. Other variants of Win32/Conficker infect other computers across a network by exploiting a vulnerability in the Windows Server service (hosted in SVCHOST.EXE). If the vulnerability is successfully exploited, it could allow remote code execution when file sharing is enabled. Those variants may also spread via removable drives and weak administrator passwords. The worm disables several important system services and security products. Microsoft strongly recommends that users apply the update referred to in Security Bulletin MS08-067 immediately. Microsoft also recommends that users ensure that their network passwords are strong to prevent this worm from spreading via weak administrator passwords.

Symptoms
System Changes
The following system changes may indicate the presence of this malware:

  • The lack of response from and the termination of the following services:
  • Windows Security Center Service (wscsvc) – notifies users of security settings (e.g. Windows update, Firewall and AntiVirus)
  • Windows Update Auto Update Service (wuauserv)
  • Background Intelligent Transfer Service (BITS) – used by Windows Update to download updates using idle network bandwidth
  • Windows Defender (WinDefend)
  • Error Reporting Service (ersvc) – sends error reports to Microsoft to help improve user experience
  • Windows Error Reporting Service (wersvc)
  • Users may not be able to run applications whose names contain the following strings:
    autoruns
    avenger
    confick
    downad
    filemon
    gmer
    hotfix
    kb890
    kb958
    kido
    klwk
    mbsa.
    mrt.
    mrtstub
    ms08-06
    procexp
    procmon
    regmon
    scct_
    sysclean
    tcpview
    unlocker
    wireshark
  • Inability to reach certain security-related Web sites, including those whose URLs contain the following strings:
    agnitum
    ahnlab
    anti-
    antivir
    arcabit
    avast
    avgate
    avira
    bothunter
    castlecops
    ccollomb
    centralcommand
    clamav
    comodo
    computerassociates
    conficker
    cpsecure
    cyber-ta
    defender
    downad
    drweb
    dslreports
    emsisoft
    esafe
    eset
    etrust
    ewido
    f-prot
    f-secure
    fortinet
    free-av
    freeav
    gdata
    grisoft
    hackerwatch
    hacksoft
    hauri
    ikarus
    jotti
    k7computing
    kaspersky
    kido
    malware
    mcafee
    microsoft
    mirage
    msftncsi
    msmvps
    mtc.sri
    networkassociates
    nod32
    norman
    norton
    onecare
    panda
    pctools
    prevx
    ptsecurity
    quickheal
    removal
    rising
    rootkit
    safety.live
    securecomputing
    secureworks
    sophos
    spamhaus
    spyware
    sunbelt
    symantec
    technet
    threat
    threatexpert
    trendmicro
    trojan
    virscan
    virus
    wilderssecurity
    windowsupdate
  • Web browser time-outs when accessing Web sites whose URLs contain the following strings:
    avg.
    avp.
    bit9.
    ca.
    cert.
    gmer.
    kav.
    llnw.
    llnwd.
    msdn.
    msft.
    nai.
    sans.
    vet.


    Installation
    Win32/Conficker.D attempts to copy itself in the Windows system folder as a hidden DLL file using a random name. If the attempt fails, it may then attempt to copy itself with the same parameters in the following folders:
    %ProgramFiles%\Internet Explorer
    %ProgramFiles%\Movie Maker

    It creates the following registry entries to ensure that its dropped copy is run every time Windows starts:

    Adds value: "<random string>"
    With data: "rundll32.exe <system folder>\<malware file name>.dll,<malware parameters>"
    To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    Adds value: "<random string>"
    With data: "rundll32.exe <system folder>\<malware file name>.dll,<malware parameters>"
    To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    It may also load itself as a service that is launched when the netsvcs group is loaded by the system file svchost.exe, by adding the generated service name to the default list of services found in:
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\netsvcs

    The service name it uses under the netsvcs group is generated by randomly picking and concatenating an item from List1 and another from List2 below:

    List1:
    App
    Audio
    DM
    ER
    Event
    help
    Ias
    Ir
    Lanman
    Net
    Ntms
    Ras
    Remote
    Sec
    SR
    Tapi
    Trk
    W32
    win
    Wmdm
    Wmi
    wsc
    wuau
    xml

    List2:
    access
    agent
    auto
    logon
    man
    mgmt
    mon
    prov
    serv
    Server
    Service
    Srv
    srv
    Svc
    svc
    System
    Time

    It may also load itself as a fake service by registering itself under the following key:
    HKLM\SYSTEM\CurrentControlSet\Services

    It may use a display name that is created by combining two of the following strings:
    Boot
    Center
    Config
    Driver
    Helper
    Image
    Installer
    Manager
    Microsoft
    Monitor
    Network
    Security
    Server
    Shell
    Support
    System
    Task
    Time
    Universal
    Update
    Windows

    It may also combine random characters to create the display name.
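    The List1/List2 scheme is designed to blend in: most of the names it can produce (wscsvc, wuauserv, LanmanServer, Netman, xmlprov and so on) are the real names of legitimate netsvcs members, so the set of possible products is not a usable signature on its own. The check that works in practice is to diff the netsvcs list exported from the suspect machine against a baseline captured from a clean machine of the same Windows build, and only then ask whether each extra entry fits the List1+List2 pattern. The Python below is an added example, not code from this advisory or from Microsoft; the baseline list, the suspect list and the entry names Ntmsagent and CustomAgent are constructed for illustration, and the registry export command in the docstring is the usual way to obtain a real list.

```python
"""
Flag netsvcs entries that look like a Win32/Conficker.D generated service name.

Added example (not from the original advisory).  It diffs the netsvcs list of
a suspect machine against a baseline from a clean machine of the same build,
then tests each extra entry against the worm's List1+List2 naming scheme.
Both lists below are constructed sample data; capture real ones with
  reg query "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SvcHost" /v netsvcs
"""
from itertools import product

LIST1 = ["App", "Audio", "DM", "ER", "Event", "help", "Ias", "Ir", "Lanman",
         "Net", "Ntms", "Ras", "Remote", "Sec", "SR", "Tapi", "Trk", "W32",
         "win", "Wmdm", "Wmi", "wsc", "wuau", "xml"]
LIST2 = ["access", "agent", "auto", "logon", "man", "mgmt", "mon", "prov",
         "serv", "Server", "Service", "Srv", "srv", "Svc", "svc", "System", "Time"]

# Every name the worm can generate, lower-cased because service names in the
# registry are not case sensitive (Srv/srv and Svc/svc collapse to one each).
GENERATED = {(a + b).lower() for a, b in product(LIST1, LIST2)}


def is_generated_name(name):
    """True if name is a possible List1+List2 concatenation."""
    return name.lower() in GENERATED


def find_suspicious_netsvcs(suspect, baseline):
    """Return (entries not in baseline, subset of those matching the pattern)."""
    base = {s.lower() for s in baseline}
    extra = [s for s in suspect if s.lower() not in base]
    matches = [s for s in extra if is_generated_name(s)]
    return extra, matches


def baseline_collisions(baseline):
    """Legitimate names in the baseline that the generator can also produce."""
    return sorted(s for s in baseline if is_generated_name(s))


# Constructed baseline: a plausible netsvcs group for a Windows XP build,
# used here only as sample data (capture your own from a clean machine).
BASELINE = ["6to4", "AppMgmt", "AudioSrv", "Browser", "CryptSvc", "DMServer",
            "ERSvc", "EventSystem", "HidServ", "Ias", "Iprip", "Irmon",
            "LanmanServer", "LanmanWorkstation", "Messenger", "Netman", "Nla",
            "Ntmssvc", "NWCWorkstation", "Nwsapagent", "Rasauto", "Rasman",
            "Remoteaccess", "Schedule", "Seclogon", "SENS", "Sharedaccess",
            "SRService", "Tapisrv", "Themes", "TrkWks", "W32Time", "WZCSVC",
            "Wmi", "WmdmPmSp", "winmgmt", "wscsvc", "xmlprov", "BITS",
            "wuauserv", "ShellHWDetection", "helpsvc", "uploadmgr"]

# Constructed suspect list: the baseline with two hypothetical extra entries,
# one that fits the worm's pattern (Ntms+agent) and one that does not.
SUSPECT = BASELINE[:16] + ["Ntmsagent"] + BASELINE[16:] + ["CustomAgent"]

if __name__ == "__main__":
    extra, matches = find_suspicious_netsvcs(SUSPECT, BASELINE)
    print("entries not in baseline:", extra)
    print("of those, List1+List2 names:", matches)
    print("legitimate names the generator can also produce:",
          len(baseline_collisions(BASELINE)), "of", len(BASELINE))
```

    Running it reports Ntmsagent as the only extra entry that fits the pattern, while CustomAgent is still worth a look simply because it is not in the baseline. The collision count (21 of the 43 sample names) is the reason the diff comes first: without a baseline, every one of those legitimate names would match.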

    Payload

    Terminates Services
    This worm terminates several important system services, such as the following:
  • Windows Security Center Service (wscsvc) – notifies users of security settings (e.g. Windows update, Firewall and AntiVirus)
  • Windows Update Auto Update Service (wuauserv)
  • Background Intelligent Transfer Service (BITS) – used by Windows Update to download updates using idle network bandwidth
  • Windows Defender (WinDefend)
  • Error Reporting Service (ersvc) – sends error reports to Microsoft to help improve user experience
  • Windows Error Reporting Service (wersvc)

    Deletes Registry Values
    Win32/Conficker.D deletes registry values for Windows Defender, Windows Security Center (WSC) and the Windows safe mode services list.
  • Deleting this value prevents Windows Defender from launching at Windows start:

    Deletes value: "Windows Defender"
    In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  • Deleting this value prevents WSC notifications or alerts from being displayed if the firewall or security programs are disabled (by the worm):

    Deletes value: {FD6905CE-952F-41F1-9A6F-135D9C6622CC}
    In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjects
  • Deleting this entry removes the list of services that execute if Windows is started in safe mode (SafeBoot is the subkey of Control that holds the Minimal and Network safe-mode lists, so safe mode no longer works until it is restored):

    Deletes: SafeBoot
    In subkey: HKLM\SYSTEM\CurrentControlSet\Control

    Terminates Processes
    Win32/Conficker.D polls the process list every second and terminates any process whose name contains one of the following strings. Because the match is on a substring of the process name, renaming a diagnostic tool's executable to a neutral name is the usual way to run it on an infected host.
    autoruns - utility "Autoruns"
    avenger - kernel-mode security utility
    confick - 'Conficker'
    downad - 'Conficker' alias 'Downadup'
    filemon - utility "File Monitor"
    gmer - rootkit detection utility
    hotfix - security update
    kb890 - Microsoft KB article, includes MSRT
    kb958 - Microsoft KB article, includes MS08-067
    kido - 'Conficker' alias 'Kido'
    klwk - Kaspersky utility
    mbsa. - utility "Microsoft Baseline Security Analyzer"
    mrt. - utility "Microsoft Malicious Software Removal Tool"
    mrtstub - utility "Microsoft Malicious Software Removal Tool"
    ms08-06 - Microsoft Security Update MS08-067
    procexp - utility "Process Explorer"
    procmon - utility "Process Monitor"
    regmon - utility "Registry Monitor"
    scct_ - Sophos Conficker Cleanup utility
    sysclean - Trend Micro utility
    tcpview - utility to view TCP connection and traffic
    unlocker - utility to un-lock locked files or folders
    wireshark - network protocol analyzer utility

    Blocks Access to Web Sites
    Win32/Conficker.D hooks DNSAPI.DLL to prevent access to Web sites whose URLs contain any of the following strings:
    agnitum
    ahnlab
    anti-
    antivir
    arcabit
    avast
    avgate
    avira
    bothunter
    castlecops
    ccollomb
    centralcommand
    clamav
    comodo
    computerassociates
    conficker
    cpsecure
    cyber-ta
    defender
    downad
    drweb
    dslreports
    emsisoft
    esafe
    eset
    etrust
    ewido
    f-prot
    f-secure
    fortinet
    free-av
    freeav
    gdata
    grisoft
    hackerwatch
    hacksoft
    hauri
    ikarus
    jotti
    k7computing
    kaspersky
    kido
    malware
    mcafee
    microsoft
    mirage
    msftncsi
    msmvps
    mtc.sri
    networkassociates
    nod32
    norman
    norton
    onecare
    panda
    pctools
    prevx
    ptsecurity
    quickheal
    removal
    rising
    rootkit
    safety.live
    securecomputing
    secureworks
    sophos
    spamhaus
    spyware
    sunbelt
    symantec
    technet
    threat
    threatexpert
    trendmicro
    trojan
    virscan
    virus
    wilderssecurity
    windowsupdate

    Win32/Conficker.D may also cause access to time out for Web sites whose URLs contain the following strings:
    avg.
    avp.
    bit9.
    ca.
    cert.
    gmer.
    kav.
    llnw.
    llnwd.
    msdn.
    msft.
    nai.
    sans.
    vet.

    Downloads Arbitrary Files
    Win32/Conficker.D obtains the current date and time from the following Web servers:
    baidu.com
    google.com
    yahoo.com
    ask.com
    w3.org
    facebook.com
    imageshack.us
    rapidshare.com

    Starting on April 1, 2009, Win32/Conficker.D uses that date to generate a set of 50,000 candidate domain names each day from which it may download files. The names are spread across the following top-level domains, covering more than 100 countries, and the worm contacts only 500 of the 50,000 generated names within any 24-hour period:
    .ac
    .ae
    .ag
    .am
    .as
    .at
    .be
    .bo
    .bz
    .ca
    .cd
    .ch
    .cl
    .cn
    .co.cr
    .co.id
    .co.il
    .co.ke
    .co.kr
    .co.nz
    .co.ug
    .co.uk
    .co.vi
    .co.za
    .com.ag
    .com.ai
    .com.ar
    .com.bo
    .com.br
    .com.bs
    .com.co
    .com.do
    .com.fj
    .com.gh
    .com.gl
    .com.gt
    .com.hn
    .com.jm
    .com.ki
    .com.lc
    .com.mt
    .com.mx
    .com.ng
    .com.ni
    .com.pa
    .com.pe
    .com.pr
    .com.pt
    .com.py
    .com.sv
    .com.tr
    .com.tt
    .com.tw
    .com.ua
    .com.uy
    .com.ve
    .cx
    .cz
    .dj
    .dk
    .dm
    .ec
    .es
    .fm
    .fr
    .gd
    .gr
    .gs
    .gy
    .hk
    .hn
    .ht
    .hu
    .ie
    .im
    .in
    .ir
    .is
    .kn
    .kz
    .la
    .lc
    .li
    .lu
    .lv
    .ly
    .md
    .me
    .mn
    .ms
    .mu
    .mw
    .my
    .nf
    .nl
    .no
    .pe
    .pk
    .pl
    .ps
    .ro
    .ru
    .sc
    .sg
    .sh
    .sk
    .su
    .tc
    .tj
    .tl
    .tn
    .to
    .tw
    .us
    .vc
    .vn

    Each generated domain name is first resolved to an IP address in dotted-decimal notation; for example, 'aaovt.com' might resolve to '192.168.16.0'. That address, rather than the name, is then used to build the download URL, according to the following pattern:
    http://<pseudo-random generated IP>/search?q=%d
    After a successful download and execution from a generated URL, Win32/Conficker.D lies dormant for four days before resuming URL monitoring.

    Additional Information
    This threat is still being investigated - more information will be provided about Win32/Conficker.D as it becomes available.
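    The download behaviour above has a visible network footprint even though the generation algorithm itself is not described here: a single host resolving hundreds of distinct names spread over dozens of the listed top-level domains, almost all of which do not exist, looks nothing like normal browsing. The Python below is an added example, not code from this advisory or from Microsoft, showing that heuristic run over a DNS query log. The log format, the thresholds (8 names, 5 TLDs, 80% NXDOMAIN), the client addresses and every host name are constructed for the example; the TLD subset is taken from the list above and includes multi-label suffixes so the suffix match has to prefer the longest one.

```python
"""
Spot DGA-style lookups in a DNS query log.

Added example, not part of the original advisory.  Win32/Conficker.D tries
up to 500 generated names a day across 100+ top-level domains, most of which
do not resolve, so a client that queries many distinct names over many
distinct TLDs with a high NXDOMAIN ratio stands out.  The log format,
thresholds and every host name below are constructed for the example.
"""
from collections import defaultdict

# Subset of the advisory's TLD list; multi-label suffixes are included so the
# suffix match must pick the longest one (".co.uk" rather than nothing for
# "example.co.uk", ".com.ar" rather than ".ar", which is not in the list).
TLDS = [".ac", ".ae", ".at", ".be", ".ca", ".ch", ".cn", ".co.id", ".co.kr",
        ".co.uk", ".co.za", ".com.ar", ".com.br", ".com.mx", ".com.tr", ".cz",
        ".dk", ".es", ".fr", ".hk", ".hu", ".ie", ".in", ".nl", ".no", ".pl",
        ".ru", ".sg", ".tw", ".us", ".vn"]


def matched_tld(qname, tlds=TLDS):
    """Longest TLD from the list that qname ends with, or None."""
    q = qname.lower().rstrip(".")
    best = None
    for t in tlds:
        if q.endswith(t) and (best is None or len(t) > len(best)):
            best = t
    return best


def parse_log(lines):
    """Constructed format: '<iso-timestamp> <client-ip> <qname> <rcode>'."""
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash on them
        _ts, client, qname, rcode = parts
        yield client, qname.lower().rstrip("."), rcode.upper()


def score_clients(lines, min_names=8, min_tlds=5, min_nx_ratio=0.8):
    """Return {client: summary} for clients whose lookups look generated."""
    stats = defaultdict(lambda: {"names": set(), "tlds": set(), "nx": 0, "total": 0})
    for client, qname, rcode in parse_log(lines):
        tld = matched_tld(qname)
        if tld is None:
            continue  # only names under the worm's TLD set are counted
        s = stats[client]
        s["names"].add(qname)
        s["tlds"].add(tld)
        s["total"] += 1
        if rcode == "NXDOMAIN":
            s["nx"] += 1
    flagged = {}
    for client, s in stats.items():
        ratio = s["nx"] / s["total"]
        if len(s["names"]) >= min_names and len(s["tlds"]) >= min_tlds and ratio >= min_nx_ratio:
            flagged[client] = {"names": len(s["names"]), "tlds": len(s["tlds"]),
                               "nx_ratio": round(ratio, 2)}
    return flagged


# Constructed sample log: 10.0.0.5 behaves like an infected host, 10.0.0.9
# like a normal one.  None of these names is a real indicator.
SAMPLE_LOG = [
    "2009-04-01T10:00:01 10.0.0.5 qzvbt.ac NXDOMAIN",
    "2009-04-01T10:00:02 10.0.0.5 hqwpd.co.uk NXDOMAIN",
    "2009-04-01T10:00:03 10.0.0.5 kmtxe.com.ar NXDOMAIN",
    "2009-04-01T10:00:04 10.0.0.5 rvjqa.ru NXDOMAIN",
    "2009-04-01T10:00:05 10.0.0.5 bnwzl.tw NXDOMAIN",
    "2009-04-01T10:00:06 10.0.0.5 ytgsm.hu NXDOMAIN",
    "2009-04-01T10:00:07 10.0.0.5 ucfoe.cn NOERROR",
    "2009-04-01T10:00:08 10.0.0.5 pdkrq.co.za NXDOMAIN",
    "2009-04-01T10:00:09 10.0.0.5 zxlmv.vn NXDOMAIN",
    "2009-04-01T10:00:10 10.0.0.5 gaehw.ie NXDOMAIN",
    "2009-04-01T10:01:00 10.0.0.9 intranet.example.co.uk NOERROR",
    "2009-04-01T10:01:05 10.0.0.9 mail.example.com.br NOERROR",
    "2009-04-01T10:01:09 10.0.0.9 www.example.org NOERROR",
    "2009-04-01T10:01:12 10.0.0.9 shop.example.fr NXDOMAIN",
]

if __name__ == "__main__":
    for client, summary in score_clients(SAMPLE_LOG).items():
        print(client, summary)
```

    On the sample log only 10.0.0.5 is flagged (10 names, 10 TLDs, 90% NXDOMAIN); the one NOERROR answer is what you would expect for the rare generated name that a registrar or a sinkhole actually holds. Tune the thresholds to your own resolver's volume and, as the advisory notes, remember that the worm only tries 500 of the 50,000 names per day, so the count per host is bounded.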

    Analysis by Vincent Tiu and Jireh Sanico

    Last update 16 March 2009
