Win32/Conficker [Threat Name]

Win32/Conficker.AQ [Threat Variant Name]

Available cleaner: [Download Conficker Cleaner]

Category: worm
Size: 119296 B
Detection created: Apr 09, 2009
Signature database version: 3996
Aliases: Trojan-Dropper.Win32.Kido.o (Kaspersky), W32/Conficker.worm.dr (McAfee), WORM_DOWNAD.E (TrendMicro)
Short description

Win32/Conficker.AQ is a worm that spreads over the network by exploiting vulnerabilities in the operating system. It connects to remote machines in an attempt to exploit the Server Service vulnerability. The file is run-time compressed using UPX.

Installation

When executed, the worm drops the following file into the %system% folder:

  • %variable%.tmp (4096 B)

A string with variable content is used instead of %variable%.


It installs the following system driver:

  • %variable%.tmp (4096 B)

The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets]
    • "ds" = %value%
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets]
    • "ds" = %value%

If the current system date and time match certain conditions, the worm deactivates some of its features.

Spreading

The worm starts an HTTP server on a random port. It connects to remote machines on TCP ports 139 and 445 in an attempt to exploit the Server Service vulnerability.

This vulnerability is described in Microsoft Security Bulletin MS08-067.

If the exploit succeeds, the remote computer connects back to the infected computer and downloads a malware component.


The component is a DLL file served with one of the following extensions:

  • .bmp
  • .gif
  • .jpeg
  • .png

When executed on the remote computer, the worm copies itself to one of the following locations:

  • %system%\%variable%.dll
  • %program files%\Internet Explorer\%variable%.dll
  • %program files%\Movie Maker\%variable%.dll
  • %program files%\Windows NT\%variable%.dll
  • %appdata%\%variable%.dll
  • %temp%\%variable%.dll

A string with variable content is used instead of %variable%.


The worm loads and injects the %variable%.dll library into the following processes:

  • explorer.exe
  • services.exe
  • svchost.exe

The worm registers itself as a system service with a name combined from the following strings:

  • App
  • Audio
  • DM
  • ER
  • Event
  • help
  • Ias
  • Ir
  • Lanman
  • Net
  • Ntms
  • Ras
  • Remote
  • Sec
  • SR
  • Tapi
  • Trk
  • W32
  • win
  • Wmdm
  • Wmi
  • wsc
  • wuau
  • xml
  • access
  • agent
  • auto
  • logon
  • man
  • mgmt
  • mon
  • prov
  • serv
  • Server
  • Service
  • Srv
  • srv
  • Svc
  • svc
  • System
  • Time

The service Display Name consists of some of the following strings:

  • Boot
  • Center
  • Config
  • Driver
  • Helper
  • Image
  • Installer
  • Manager
  • Microsoft
  • Monitor
  • Network
  • Security
  • Server
  • Shell
  • Support
  • System
  • Task
  • Time
  • Universal
  • Update
  • Windows
  • Hardware
  • Control
  • Audit
  • Event
  • Notify
  • Backup
  • Trusted
  • Component
  • Framework
  • Management
  • Browser
  • Machine
  • Logon
  • Power
  • Storage
  • Discovery
  • Policy

In order to be executed on every system start, the worm sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    • "%random1%" = "rundll32.exe "%variable%.dll",%random2%"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "%random1%" = "rundll32.exe "%variable%.dll",%random2%"

%random1% and %random2% represent random text.


The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%random service name%\Parameters]
    • "ServiceDll" = "%system%\%variable%.dll"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%random service name%]
    • "Image Path" = "%System Root%\system32\svchost.exe -k netsvcs"
    • "DisplayName" = "%random service name%"
    • "Type" = 32
    • "Start" = 2
    • "ErrorControl" = 0
    • "ObjectName" = "LocalSystem"
    • "Description" = "%variable_name%"

The following Registry entries are deleted:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjects\{FD6905CE-952F-41F1-9A6F-135D9C6622CC}]
    • "wscsvc" = "%filepath%"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    • "Windows Defender" = "%filepath%"

Other information

The worm terminates processes with any of the following strings in the name:

  • autoruns
  • avenger
  • bd_rem
  • cfremo
  • confick
  • downad
  • dwndp
  • filemon
  • gmer
  • hotfix
  • kb890
  • kb958
  • kido
  • kill
  • klwk
  • mbsa.
  • mrt.
  • mrtstub
  • ms08
  • ms09
  • procexp
  • procmon
  • regmon
  • scct_
  • stinger
  • sysclean
  • tcpview
  • unlocker
  • wireshark

The following services are disabled:

  • Windows Security Center Service (wscsvc)
  • Windows Automatic Update Service (wuauserv)
  • Background Intelligent Transfer Service (BITS)
  • Windows Defender Service (WinDefend)
  • Windows Error Reporting Service (ERSvc)
  • Windows Error Reporting Service (WerSvc)
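
A read-only host triage script that checks for the installation, persistence and service-tampering indicators described above (the Applets "ds" value, the rundll32 Run entries, the disabled services and the deleted SafeBoot key). This is an added example, not ESET's cleaner or code from this page; it assumes a Windows host with PowerShell 3 or later and reports findings without changing anything.

```powershell
# Added triage check (not ESET's code): reports Conficker.AQ host indicators; read-only.
$findings = @()

# 1. "ds" value under the Applets keys created at installation (HKLM and HKCU).
foreach ($hive in 'HKLM:', 'HKCU:') {
    $key = "$hive\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets"
    $ds = Get-ItemProperty -Path $key -Name 'ds' -ErrorAction SilentlyContinue
    if ($ds) { $findings += "Applets 'ds' value present under $hive" }
}

# 2. Run entries of the form  rundll32.exe "<name>.dll",<export>  used for persistence.
#    Legitimate software rarely starts a DLL export from Run, so review every hit.
$runPattern = 'rundll32(\.exe)?\s+"?[^",]+\.dll"?\s*,\s*\S+'
foreach ($hive in 'HKLM:', 'HKCU:') {
    $key = "$hive\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }        # skip provider metadata properties
        if ("$($p.Value)" -match $runPattern) {
            $findings += "Run value '$($p.Name)' under $hive starts a DLL via rundll32: $($p.Value)"
        }
    }
}

# 3. Services the worm disables (service names taken from the description above).
foreach ($svc in 'wscsvc', 'wuauserv', 'BITS', 'WinDefend', 'ERSvc', 'WerSvc') {
    $s = Get-CimInstance -ClassName Win32_Service -Filter "Name='$svc'" -ErrorAction SilentlyContinue
    if ($s -and $s.StartMode -eq 'Disabled') {
        $findings += "Service $svc ($($s.DisplayName)) is disabled"
    }
}

# 4. The SafeBoot key the worm deletes; without it Safe Mode no longer works.
if (-not (Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot')) {
    $findings += 'SafeBoot key is missing'
}

if ($findings.Count -gt 0) { $findings | ForEach-Object { Write-Output "[!] $_" } }
else { Write-Output 'No Conficker.AQ host indicators found' }
```

A hit on any single check is a lead, not proof of infection; confirm with the cleaner linked at the top of the page.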

The worm connects to a number of remote web addresses, including public IP-address lookup services.


The worm blocks access to any domains that contain any of the following strings in their name:

  • activescan
  • adware
  • agnitum
  • ahnlab
  • anti-
  • antivir
  • arcabit
  • av-sc
  • avast
  • avgate
  • avira
  • bdtools
  • bothunter
  • castlecops
  • ccollomb
  • centralcommand
  • clamav
  • comodo
  • computerassociates
  • confick
  • coresecur
  • cpsecure
  • cyber-ta
  • defender
  • downad
  • doxpara
  • drweb
  • dslreports
  • emsisoft
  • enigma
  • esafe
  • eset
  • etrust
  • ewido
  • f-prot
  • f-secure
  • fortinet
  • free-av
  • freeav
  • fsecure
  • gdata
  • grisoft
  • hackerwatch
  • hacksoft
  • hauri
  • honey
  • ikarus
  • insecure.
  • iv.cs.uni
  • jotti
  • k7computing
  • kaspersky
  • kido
  • malware
  • mcafee
  • microsoft
  • mirage
  • mitre.
  • ms-mvp
  • msftncsi
  • msmvps
  • mtc.sri
  • ncircle
  • networkassociates
  • nmap.
  • nod32
  • norman
  • norton
  • onecare
  • panda
  • pctools
  • precisesecurity
  • prevx
  • ptsecurity
  • qualys
  • quickheal
  • removal
  • rising
  • rootkit
  • safety.live
  • secunia
  • securecomputing
  • secureworks
  • snort
  • sophos
  • spamhaus
  • spyware
  • staysafe
  • sunbelt
  • symantec
  • technet
  • tenablese
  • threat
  • threatexpert
  • trendmicro
  • trojan
  • virscan
  • virus
  • wilderssecurity
  • windowsupdate
  • avg.
  • avp.
  • bit9.
  • ca.
  • cert.
  • gmer.
  • kav.
  • llnw.
  • llnwd.
  • msdn.
  • msft.
  • nai.
  • sans.
  • vet.

The worm contains a list of blacklisted IP addresses.

The worm opens a random TCP port and a random UDP port.

The worm receives data and instructions for further action from the Internet or from another remote computer within its own network (botnet).

It uses its own P2P network for communication.