Win32/Conficker [Threat Name]

Win32/Conficker.A [Threat Variant Name]

Available cleaner [Download Conficker Cleaner]

Category worm
Size 62976 B
Detection created Nov 25, 2008
Signature database version 3638
Aliases Net-Worm.Win32.Kido.t (Kaspersky)
  W32.Downadup (Symantec)
  W32/Conficker.worm (McAfee)
Short description

Win32/Conficker.A is a worm that spreads by exploiting a vulnerability in the Windows Server Service. The file is run-time compressed using UPX.

Installation

When executed, the worm copies itself into the %system% folder using the following name:

  • %variable%.dll

A string with variable content is used instead of %variable%.

The library %variable%.dll is loaded and injected into the following process:

  • services.exe

The worm registers itself as a system service using the following name:

  • netsvcs

In order to be executed on every system start, the worm sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%random service name%\Parameters]
    • "ServiceDll" = "%system%\%variable%.dll"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%random service name%]
    • "Image Path" = "%System Root%\system32\svchost.exe -k netsvcs"

A string with variable content is used instead of %random service name%.
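The persistence layout above (a service with a generated name, hosted by "svchost.exe -k netsvcs", whose ServiceDll points at a generated .dll in the system folder) can be checked offline against an export of the Services hive. The script below is an added example for this entry, not ESET's tooling: it parses a simplified .reg-style export, collects every netsvcs-hosted service, and flags those whose ServiceDll is absent from a clean baseline. The export, the service and DLL names xkqzmwpa and rfqeuhtc.dll, the short baseline list and the random-name heuristic are all constructed or assumed for the sample.

```python
import re
from typing import Dict, List

# Constructed sample: a simplified .reg-style export of the Services hive.
# Values are written as plain quoted strings (a real export stores
# REG_EXPAND_SZ as hex(2):...). Two legitimate netsvcs entries, BITS and
# wuauserv, sit beside one entry laid out like the Conficker.A persistence
# described above: random service name, svchost.exe -k netsvcs, and a
# ServiceDll pointing at a random .dll in system32. The random names are
# invented for this sample.
SAMPLE_REG_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS]
"ImagePath"="%SystemRoot%\\system32\\svchost.exe -k netsvcs"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Parameters]
"ServiceDll"="%SystemRoot%\\system32\\qmgr.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"ImagePath"="%SystemRoot%\\system32\\svchost.exe -k netsvcs"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters]
"ServiceDll"="%SystemRoot%\\system32\\wuauserv.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xkqzmwpa]
"ImagePath"="%SystemRoot%\\system32\\svchost.exe -k netsvcs"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xkqzmwpa\Parameters]
"ServiceDll"="%SystemRoot%\\system32\\rfqeuhtc.dll"
'''

SERVICES_ROOT = r'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services'

# Placeholder baseline: in practice, fill this from a known-clean machine of
# the same Windows build. qmgr.dll (BITS) and wuauserv.dll (Windows Update)
# are genuine netsvcs DLLs; the list is deliberately short for the sample.
KNOWN_NETSVCS_DLLS = {'qmgr.dll', 'wuauserv.dll'}

# Heuristic (an assumption, not a published indicator): the worm uses
# generated lowercase names for both the service and the DLL.
RANDOM_NAME = re.compile(r'^[a-z]{5,12}$')
VALUE_LINE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse [key] headers and "name"="value" lines into {key: {name: value}}.

    Only string values are handled; that is all this check needs.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            # Some write-ups render the value name as "Image Path"; drop spaces
            # so either spelling matches.
            name = m.group(1).replace(' ', '')
            keys[current][name] = m.group(2).replace('\\\\', '\\')  # .reg doubles backslashes
    return keys


def find_suspicious_netsvcs(keys: Dict[str, Dict[str, str]]) -> List[dict]:
    """Flag services hosted by 'svchost.exe -k netsvcs' whose ServiceDll is not in the baseline."""
    hits = []
    for key, values in keys.items():
        if not key.startswith(SERVICES_ROOT + '\\'):
            continue
        service = key[len(SERVICES_ROOT) + 1:]
        if '\\' in service:
            continue  # a subkey such as ...\Parameters; read through its parent below
        image = values.get('ImagePath', '').lower()
        if 'svchost.exe' not in image or '-k netsvcs' not in image:
            continue
        dll = keys.get(key + '\\Parameters', {}).get('ServiceDll', '')
        dll_name = dll.rsplit('\\', 1)[-1].lower()
        if dll_name in KNOWN_NETSVCS_DLLS:
            continue
        reasons = ['ServiceDll not in clean baseline' if dll_name
                   else 'netsvcs service without ServiceDll']
        stem = dll_name[:-4] if dll_name.endswith('.dll') else dll_name
        if RANDOM_NAME.match(service) and RANDOM_NAME.match(stem):
            reasons.append('random-looking service and DLL names')
        hits.append({'service': service, 'service_dll': dll, 'reasons': reasons})
    return hits


if __name__ == '__main__':
    for hit in find_suspicious_netsvcs(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"{hit['service']}: {hit['service_dll']} ({'; '.join(hit['reasons'])})")
```

The baseline comparison is what carries the detection; the name heuristic only adds context, because legitimate services such as wuauserv also have lowercase names. Any hit should be confirmed by checking the flagged DLL itself (signature, compiler packing, file timestamps) rather than on the registry entry alone.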

Spreading

The worm starts an HTTP server on a random port.

It connects to remote machines on TCP port 445 in an attempt to exploit the Server Service vulnerability.

If successful, the remote computer attempts to connect to the infected computer and download a copy of the worm.

This vulnerability is described in Microsoft Security Bulletin MS08-067.
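The spreading pattern described above has a recognisable network shape: one host opens TCP 445 to many distinct peers in a short time, and a peer that was hit then connects back to that host on an unusual high port to fetch the worm. The script below is an added example for this entry, not ESET's code: it runs a sliding-window fan-out check over connection log lines and correlates call-backs from scanned hosts. The log format, the addresses and the call-back port 38211 are constructed for the sample; the threshold and window are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample connection log (not from any real capture). 10.0.0.5
# reaches six distinct hosts on TCP 445 within a few seconds; one of them,
# 10.0.0.23, then connects back to 10.0.0.5 on a high port, which is the shape
# of a successful exploit followed by the download from the worm's HTTP server.
# 10.0.0.9 is a normal client that touches a couple of file servers and a web
# server. Port 38211 stands in for the worm's random listening port.
SAMPLE_LOG = """\
2008-11-25T10:00:01 src=10.0.0.5 dst=10.0.0.20 dport=445 proto=tcp
2008-11-25T10:00:01 src=10.0.0.5 dst=10.0.0.21 dport=445 proto=tcp
2008-11-25T10:00:02 src=10.0.0.5 dst=10.0.0.22 dport=445 proto=tcp
2008-11-25T10:00:02 src=10.0.0.5 dst=10.0.0.23 dport=445 proto=tcp
2008-11-25T10:00:03 src=10.0.0.5 dst=10.0.0.24 dport=445 proto=tcp
2008-11-25T10:00:04 src=10.0.0.5 dst=10.0.0.25 dport=445 proto=tcp
2008-11-25T10:00:05 src=10.0.0.23 dst=10.0.0.5 dport=38211 proto=tcp
2008-11-25T10:00:06 src=10.0.0.9 dst=10.0.0.30 dport=445 proto=tcp
2008-11-25T10:00:07 src=10.0.0.9 dst=10.0.0.31 dport=445 proto=tcp
2008-11-25T10:00:08 src=10.0.0.9 dst=10.0.0.40 dport=80 proto=tcp
2008-11-25T10:02:00 src=10.0.0.9 dst=10.0.0.32 dport=445 proto=tcp
"""


def parse_line(line: str) -> dict:
    """Parse one 'timestamp key=value ...' line of the constructed format."""
    ts, rest = line.split(' ', 1)
    fields = dict(kv.split('=', 1) for kv in rest.split())
    return {'ts': datetime.fromisoformat(ts), 'src': fields['src'],
            'dst': fields['dst'], 'dport': int(fields['dport'])}


def detect_smb_fanout(lines, threshold: int = 5,
                      window: timedelta = timedelta(seconds=60)) -> Dict[str, dict]:
    """Alert on sources that reach >= threshold distinct hosts on TCP 445 within
    `window`, then record any scanned host connecting back to the source on a
    port above 1024 (the worm's HTTP server listens on a random port)."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e['ts'])

    # Per-source list of (time, destination) for port 445, in time order.
    per_src: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for e in events:
        if e['dport'] == 445:
            per_src[e['src']].append((e['ts'], e['dst']))

    alerts: Dict[str, dict] = {}
    for src, conns in per_src.items():
        for i, (t0, _) in enumerate(conns):
            targets = {d for t, d in conns[i:] if t - t0 <= window}
            if len(targets) >= threshold:
                alerts[src] = {'targets': targets, 'callbacks': []}
                break

    # Correlate: a host the scanner touched now connects to the scanner on a high port.
    for e in events:
        alert = alerts.get(e['dst'])
        if alert and e['src'] in alert['targets'] and e['dport'] > 1024:
            alert['callbacks'].append((e['src'], e['dport']))
    return alerts


if __name__ == '__main__':
    for src, alert in detect_smb_fanout(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {len(alert['targets'])} SMB targets, callbacks={alert['callbacks']}")
```

The fan-out alert alone would also fire on vulnerability scanners and backup servers; the call-back correlation is what distinguishes an infection that succeeded, and the hosts listed under callbacks are the ones to isolate and clean first.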

Other information

The worm attempts to download several files from the Internet. The downloaded files are then executed. The worm contains a list of one (1) URL.


The following services are disabled:

  • Windows Firewall
