
Worm:Win32/Conficker.B


First posted on 15 February 2019.
Source: Microsoft

Aliases:

Worm:Win32/Conficker.B is also known as TA08-297A, CVE-2008-4250, VU827267, Win32/Conficker.A, Mal/Conficker-A, Trojan.Win32.Agent.bccs, W32.Downadup.B, Confickr.

Explanation:

Installation

Worm:Win32/Conficker.B tries to copy itself to the Windows system folder as a hidden DLL file with a random name. If that fails, it tries to copy itself, with the same attributes, into the following folders:

%ProgramFiles%\Internet Explorer
%ProgramFiles%\Movie Maker

It creates the following registry entry to ensure that its dropped copy is run every time Windows starts:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: ""
With data: "rundll32.exe .dll,"

It can also load itself as a service that is launched when the netsvcs group is loaded by the system file svchost.exe.

It can also load itself as a fake service by registering itself under the following key:

HKLM\SYSTEM\CurrentControlSet\Services

It uses a display name that is created by combining two of the following strings:

Boot Center Config Driver Helper Image Installer Manager Microsoft Monitor Network Security Server Shell Support System Task Time Universal Update Windows

It can also combine random characters to create the display name.

Spreads through...

Network shares with weak passwords

Worm:Win32/Conficker.B tries to infect PCs within the network.

It first tries to drop a copy of itself in a target PC's ADMIN$ share using the credentials of the currently logged-on user.

If this method is unsuccessful (for example, because the current user does not have the necessary rights), it instead obtains a list of user accounts on the target PC. It then tries to connect to the target PC with each user name and each of the following weak passwords:

00000000 0000000 00000 0000 000 00 0987654321 0 11111111 1111111 111111 11111 1111 111 11 123123 12321 123321 1234567890 123456789 12345678 1234567 123456 12345 1234 1234abcd 1234qwer 123 123abc 123asd 123qwe 12 1 1q2w3e 21 22222222 2222222 222222 22222 2222 222 22 2 321 33333333 3333333 333333 33333 3333 333 33 3 4321 44444444 4444444 444444 44444 4444 444 44 4 54321 55555555 5555555 555555 55555 5555 555 55 5 654321 66666666 6666666 666666 66666 6666 666 66 6 7654321 77777777 7777777 777777 77777 7777 777 77 7 87654321 88888888 8888888 888888 88888 8888 888 88 8 987654321 99999999 9999999 999999 99999 9999 999 99 9 a1b2c3 aaa aaaa aaaaa abc123 academia access account admin123 admin12 admin1 Admin adminadmin administrator anything asddsa asdfgh asdsa asdzxc backup boss123 business campus changeme cluster codename codeword coffee PC controller cookie customer database default desktop domain example exchange explorer file files foo foobar foofoo forever freedom fuck games home123 home ihavenopass Internet intranet job killer letitbe letmein Login lotus love123 manager market money monitor mypass mypassword mypc123 nimda nobody nopass nopassword nothing office oracle owner pass123 pass12 pass1 pass passwd password123 password12 password1 Password private public pw123 q1w2e3 qazwsx qazwsxedc qqq qqqq qqqqq qwe123 qweasd qweasdzxc qweewq qwerty qwewq root123 root rootroot sample secret secure security server shadow share sql student super superuser supervisor system temp123 temp temporary temptemp test123 test testtest unknown web windows work123 work xxx xxxx xxxxx zxccxz zxcvb zxcvbn zxcxz zzz zzzz zzzzz

If Win32/Conficker.B successfully accesses the target PC, that is, if one of the user names combined with one of the above passwords gives the worm write privileges on the PC, it copies itself to an accessible admin share as ADMIN$\System32\.dll.
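A detection-side view of the share brute-forcing described above, as an added example (not Microsoft's or this page's code): it scans failed-logon records for a single source that cycles many accounts through many passwords in a short window. The record layout, hosts and thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed record layout (not a real Windows event format): time, source host, account.
EVENT_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) status=failure$")

def parse_failures(log_text):
    """Yield (time, source, account) for each failed-logon line; other lines are ignored."""
    for line in log_text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3).lower()

def find_spraying_sources(log_text, window=timedelta(seconds=60), min_failures=20, min_accounts=3):
    """Return {source: (failures, distinct_accounts)} for each source that, within some window,
    produced at least min_failures failures across at least min_accounts accounts. One host
    walking a password list over several accounts looks like this; a mistyped password does not."""
    by_src = defaultdict(list)
    for ts, src, user in parse_failures(log_text):
        by_src[src].append((ts, user))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        start, best = 0, None
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            chunk = events[start:end + 1]
            accounts = {u for _, u in chunk}
            if len(chunk) >= min_failures and len(accounts) >= min_accounts:
                if best is None or len(chunk) > best[0]:
                    best = (len(chunk), len(accounts))
        if best:
            flagged[src] = best
    return flagged

def build_sample_log():
    """Constructed sample, not real telemetry: 10.0.0.25 cycles three accounts through a
    password list (30 failures in 30 s); 10.0.0.7 is a user who mistyped a password twice."""
    t0 = datetime(2009, 1, 3, 10, 0, 0)
    lines = [f"{(t0 + timedelta(seconds=i)).isoformat()} src=10.0.0.25 "
             f"user={['administrator', 'backup', 'jsmith'][i % 3]} status=failure"
             for i in range(30)]
    lines += ["2009-01-03T10:05:00 src=10.0.0.7 user=jsmith status=failure",
              "2009-01-03T10:05:09 src=10.0.0.7 user=jsmith status=failure",
              "2009-01-03T10:05:20 src=10.0.0.7 user=jsmith status=success"]
    return "\n".join(lines)
```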

Remote scheduled job

After infecting a PC remotely, Win32/Conficker.B creates a remote scheduled job with the command rundll32.exe .dll, to activate the copy, as shown in the images below:

Mapped and removable drives

Worm:Win32/Conficker.B can drop a copy of itself in all mapped and removable drives using a random file name. The worm creates a folder in the root of these drives named RECYCLER (in Windows XP and previous versions, the folder RECYCLER references the Recycle Bin). Next, the worm copies itself as the following:

RECYCLER\S-%d-%d-%d-%d%d%d-%d%d%d-%d%d%d-%d\.dll

Where %d is a randomly chosen letter. The worm also drops a corresponding autorun.inf file, which enables the worm copy to run if the drive is accessed and Autoplay is enabled. This autorun.inf file is detected as Worm:Win32/Conficker.B!inf.

The image below illustrates how a user could potentially launch the worm when accessing an infected share:

Note that the language in the first option suggests the user could 'Open folder to view files'; however, the option is listed under 'Install or run program', an indication that opening the folder will actually run an application. Another hint that the action would run the worm is the text 'Publisher not specified'. The highlighted choice under 'General options' in the image above would let a user view the share without running the worm copy.
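An added triage helper (not from this page or from Microsoft) that parses an autorun.inf found on a removable drive and flags the two traits the text describes: an action label that imitates Explorer's own 'Open folder to view files' prompt, and a launch command that loads a DLL through rundll32 or points under RECYCLER\S-...\. The sample files are constructed; the worm's real autorun.inf is not reproduced on this page.

```python
import re

# A DLL dropped under <drive>\RECYCLER\S-<numbers>\ as the text above describes.
RECYCLER_DLL = re.compile(r"(?i)RECYCLER[\\/]S-\d+(?:-\d+)+[\\/][^\\/\s,]+\.dll")

def parse_autorun(text):
    """Return the key=value entries of the [AutoRun] section with lower-cased keys.
    Lines that are not key=value (comments, padding) are skipped, not treated as errors."""
    section, entries = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "autorun" and "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def assess_autorun(text):
    """Return the reasons this autorun.inf looks like the worm's: an action= label that
    imitates Explorer's 'Open folder to view files' prompt, and an open= or shellexecute=
    command that loads a DLL through rundll32 or points under RECYCLER\\S-...\\."""
    entries = parse_autorun(text)
    reasons = []
    action = entries.get("action", "").lower()
    if "open folder" in action and "view files" in action:
        reasons.append("action= imitates the 'Open folder to view files' option")
    for key in ("open", "shellexecute"):
        command = entries.get(key, "")
        if "rundll32" in command.lower():
            reasons.append(f"{key}= runs a DLL through rundll32: {command}")
        m = RECYCLER_DLL.search(command)
        if m:
            reasons.append(f"{key}= points at a DLL under RECYCLER\\S-...: {m.group(0)}")
    return reasons

# Constructed samples: file name, SID-like folder and export name are placeholders.
SUSPICIOUS_INF = r"""
[AutoRun]
Action=Open folder to view files
Icon=%SystemRoot%\system32\shell32.dll,4
shellexecute=RUNDLL32.EXE .\RECYCLER\S-1-5-21-1234-5678-9012-1000\abcxyz.dll,Install
"""
BENIGN_INF = "[AutoRun]\nicon=setup.exe\nlabel=Vendor Disc\n"
```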

MS08-067 HTTP 'call back'

Worm:Win32/Conficker.B spreads to PCs that are not yet patched against a vulnerability in the Windows Server service (SVCHOST.EXE). If the vulnerability is successfully exploited, the worm instructs the target PC to download a copy of the worm from the host PC over HTTP, through a random port between 1024 and 10000 opened by the worm. The vulnerability is documented in Microsoft Security Bulletin MS08-067.

Payload

Changes system settings

Worm:Win32/Conficker.B changes system settings so that the user cannot view hidden files. It does this by changing the following registry entry:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL
Sets value: "CheckedValue"
With data: "0"

It also changes the system's TCP settings to allow a large number of simultaneous connections (the hexadecimal value 0x00FFFFFE equals 16,777,214 in decimal):

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Sets value: "TcpNumConnections"
With data: "0x00FFFFFE"

The worm drops a temp file to aid restarting the TCP/IP service for the change to take effect. The dropped file is detected as Trojan:WinNT/Conficker.B.

Disables TCP/IP tuning, stops and disables services

Win32/Conficker.B disables Windows Vista TCP/IP auto-tuning by running the following command:

netsh interface tcp set global autotuning=disabled

This worm stops several important services, like the following:

Windows Security Center Service (wscsvc) – notifies users of security settings (for example, Windows Update, Firewall and AntiVirus)
Windows Update Auto Update Service (wuauserv)
Background Intelligent Transfer Service (BITS) – used by Windows Update to download updates using idle network bandwidth
Windows Defender (WinDefend)
Error Reporting Service (ersvc) – sends error reports to Microsoft to help improve user experience
Windows Error Reporting Service (wersvc)

Win32/Conficker.B deletes the registry key for Windows Defender, disabling it from running when the system starts.

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Deletes value: "Windows Defender"
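One way to check a host for the persistence and payload changes described in the Installation and Payload sections, as an added example that is not this page's or Microsoft's content: it takes a registry snapshot and a service listing as plain dictionaries (so it runs anywhere) and reports which of the page's indicators match. The snapshot values, service names and the ldbxkj service are constructed.

```python
from itertools import permutations

# Registry keys and services named on this page (separators restored).
SHOWALL = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL"
TCPIP = r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
HKLM_RUN = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
STOPPED_BY_WORM = {"wscsvc", "wuauserv", "bits", "windefend", "ersvc", "wersvc"}
NAME_WORDS = ("Boot Center Config Driver Helper Image Installer Manager Microsoft Monitor "
              "Network Security Server Shell Support System Task Time Universal Update Windows").split()
TWO_WORD_NAMES = {" ".join(pair) for pair in permutations(NAME_WORDS, 2)}

def check_host(registry, services, defender_installed=True):
    """registry: {key_path: {value_name: data}} and services: {name: {"display", "state"}},
    e.g. taken from a registry export and a service listing. Returns a list of findings;
    display-name matches are review hints only, since legitimate services use the same words."""
    findings = []
    if registry.get(SHOWALL, {}).get("CheckedValue") == 0:
        findings.append("SHOWALL\\CheckedValue is 0: hidden files cannot be shown")
    if registry.get(TCPIP, {}).get("TcpNumConnections") == 0x00FFFFFE:
        findings.append("TcpNumConnections set to 0x00FFFFFE (16,777,214)")
    if defender_installed and "Windows Defender" not in registry.get(HKLM_RUN, {}):
        findings.append("'Windows Defender' Run value is missing although Defender is installed")
    for name, svc in services.items():
        if name.lower() in STOPPED_BY_WORM and svc["state"].lower() != "running":
            findings.append(f"service {name} is {svc['state']}")
        elif svc["display"] in TWO_WORD_NAMES:
            findings.append(f"service {name} ('{svc['display']}') uses the worm's naming scheme: review it")
    return findings

# Constructed snapshot, not taken from a real host.
SAMPLE_REGISTRY = {
    SHOWALL: {"CheckedValue": 0},
    TCPIP: {"TcpNumConnections": 0x00FFFFFE},
    HKLM_RUN: {"VendorTray": r"C:\Program Files\Vendor\tray.exe"},
}
SAMPLE_SERVICES = {
    "wscsvc": {"display": "Security Center", "state": "Stopped"},
    "BITS": {"display": "Background Intelligent Transfer Service", "state": "Stopped"},
    "wuauserv": {"display": "Automatic Updates", "state": "Running"},
    "Spooler": {"display": "Print Spooler", "state": "Running"},
    "ldbxkj": {"display": "Network Support", "state": "Running"},
}
```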

It also prevents any process whose module name contains any of the following strings from sending network traffic or data. Most of these strings relate to antivirus and security software, so the affected products are effectively blocked from getting signature updates, and users may be prevented from accessing websites with these strings in the URL:

ahnlab arcabit avast avira castlecops centralcommand clamav comodo PCassociates cpsecure defender drweb emsisoft esafe eset etrust ewido f-prot f-secure fortinet gdata grisoft hacksoft hauri ikarus jotti k7computing kaspersky malware mcafee microsoft networkassociates nod32 norman norton panda pctools prevx quickheal rising rootkit securecomputing sophos spamhaus spyware sunbelt symantec threatexpert trendmicro virus wilderssecurity windowsupdate

Resets system restore point

Win32/Conficker.B might reset the PC's system restore point, potentially preventing recovery using System Restore.

Checks for Internet connectivity

Win32/Conficker.B checks if the system has an Internet connection by trying to connect to the following websites:

aol.com cnn.com ebay.com msn.com myspace.com

Downloads files

Depending on the system date, Win32/Conficker.B can build a URL to download files, starting on January 1, 2009. The generated URL has a domain name derived from the current system date, with one of the following top-level domains:

.cc .cn .ws .com .net .org .info .biz

For example, aaovt.com or aasmlhzbpqe.com.

The generated domain name is first resolved to an IP address in dotted-decimal notation; for example, aaovt.com might resolve to 192.168.16.0. This IP address is then used in the URL, according to the following pattern:

http:///search?q=%d

Some examples of the constructed URLs are as follows:

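An added example (not this page's or Microsoft's code) of spotting the date-derived lookups described above in a resolver log: the generation algorithm itself is not on this page, so the check matches only the shape of the names shown (5 to 11 lowercase letters and one of the eight TLDs) and counts distinct such names per client. The log format, client addresses and thresholds are assumptions; the suspicious names are taken from the page's own examples.

```python
import re
from collections import defaultdict

TLDS = ("cc", "cn", "ws", "com", "net", "org", "info", "biz")
# Shape of the names shown on the page: 5 to 11 lowercase letters plus one of the eight TLDs.
CANDIDATE = re.compile(r"^[a-z]{5,11}\.(?:" + "|".join(TLDS) + r")$")
# Sites the page says the worm contacts for its connectivity and date checks; they are
# ordinary traffic on most networks, so they are never counted as generated names.
KNOWN_CHECK_SITES = {"aol.com", "cnn.com", "ebay.com", "msn.com", "myspace.com",
                     "baidu.com", "google.com", "yahoo.com", "ask.com", "w3.org"}
# Constructed resolver log format: timestamp, client address, queried name, response code.
LOG_RE = re.compile(r"^(\S+) client=(\S+) query=(\S+) rcode=(\S+)$")

def is_candidate(name):
    """True when a queried name has the shape of one of the worm's generated domains."""
    name = name.lower().rstrip(".")
    return name not in KNOWN_CHECK_SITES and CANDIDATE.match(name) is not None

def dga_suspects(log_text, min_names=5):
    """Return {client: {"names": [...], "nxdomain": n}} for clients that queried at least
    min_names distinct candidate names. The NXDOMAIN count is reported as a secondary signal,
    on the assumption that most generated names are not registered."""
    names, nxdomain = defaultdict(set), defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if m and is_candidate(m.group(3)):
            names[m.group(2)].add(m.group(3).lower())
            nxdomain[m.group(2)] += m.group(4).upper() == "NXDOMAIN"
    return {c: {"names": sorted(n), "nxdomain": nxdomain[c]}
            for c, n in names.items() if len(n) >= min_names}

# Constructed log; the generated-looking names are taken from the examples on this page.
SAMPLE_DNS_LOG = """\
2009-01-02T08:00:01 client=10.0.0.25 query=aol.com rcode=NOERROR
2009-01-02T08:00:02 client=10.0.0.25 query=aaovt.com rcode=NXDOMAIN
2009-01-02T08:00:02 client=10.0.0.25 query=aasmlhzbpqe.com rcode=NXDOMAIN
2009-01-02T08:00:03 client=10.0.0.25 query=addgv.com rcode=NXDOMAIN
2009-01-02T08:00:03 client=10.0.0.25 query=ajsxarj.org rcode=NXDOMAIN
2009-01-02T08:00:04 client=10.0.0.25 query=apwzjq.ws rcode=NXDOMAIN
2009-01-02T08:00:04 client=10.0.0.25 query=aradfkyqv.org rcode=NOERROR
2009-01-02T08:05:00 client=10.0.0.7 query=google.com rcode=NOERROR
2009-01-02T08:05:01 client=10.0.0.7 query=yahoo.com rcode=NOERROR
2009-01-02T08:05:02 client=10.0.0.7 query=intranet.example.com rcode=NOERROR
"""
```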

It checks whether the system date is January 1, 2009 or later. It also checks the following websites for the date, presumably to verify it:

baidu.com google.com yahoo.com msn.com ask.com w3.org

Additional Information

The name of this threat was derived by selecting fragments of the domain 'trafficconverter.biz', a string found in Worm:Win32/Conficker.A:

(fic)(con)(er) => (con)(fic)(+k)(er) => conficker

Analysis by Jireh Sanico

Last update 15 February 2019

 
