Win32/Conficker [Threat Name]

Win32/Conficker.AR [Threat Variant Name]

Available cleaner [Download Conficker Cleaner]

Category worm
Size 84992 B
Detection created Jun 17, 2009
Signature database version 4164
Aliases Trojan-Downloader.Win32.Kido.a (Kaspersky)
  W32.Downadup.C (Symantec)
  W32/Conficker.worm.gen.c (McAfee)

Short description

Win32/Conficker.AR is a worm that repeatedly tries to connect to various web pages and to download several files from those addresses. It can be controlled remotely.

Installation

When executed, the worm copies itself into some of the following locations:

  • %system%\%variable%.dll
  • %program files%\Internet Explorer\%variable%.dll
  • %program files%\Movie Maker\%variable%.dll
  • %program files%\Windows NT\%variable%.dll
  • %appdata%\%variable%.dll
  • %temp%\%variable%.dll

A string with variable content is used instead of %variable%.

The worm loads and injects the %variable%.dll library into the following processes:

  • explorer.exe
  • services.exe
  • svchost.exe

The worm registers itself as a system service with a name combined from the following strings:

  • App
  • Audio
  • DM
  • ER
  • Event
  • help
  • Ias
  • Ir
  • Lanman
  • Net
  • Ntms
  • Ras
  • Remote
  • Sec
  • SR
  • Tapi
  • Trk
  • W32
  • win
  • Wmdm
  • Wmi
  • wsc
  • wuau
  • xml
  • access
  • agent
  • auto
  • logon
  • man
  • mgmt
  • mon
  • prov
  • serv
  • Server
  • Service
  • Srv
  • srv
  • Svc
  • svc
  • System
  • Time

The service Display Name consists of some of the following strings:

  • 64
  • Adobe
  • Agent
  • App
  • Assemblies
  • assembly
  • Boot
  • Build
  • Calendar
  • Collaboration
  • Common
  • Components
  • Cursors
  • Debug
  • Defender
  • Definitions
  • Digital
  • Distribution
  • Documents
  • Downloaded
  • en
  • Explorer
  • Files
  • Fonts
  • Gallery
  • Games
  • Globalization
  • Google
  • Help
  • IME
  • inf
  • Installer
  • Intel
  • Inter
  • Internet
  • Java
  • Journal
  • Kernel
  • L2S
  • Live
  • Logs
  • Mail
  • Maker
  • Media
  • Microsoft
  • Mobile
  • Modem
  • Movie
  • MS
  • msdownld
  • NET
  • New
  • Office
  • Offline
  • Options
  • Packages
  • Pages
  • Patch
  • Performance
  • Photo
  • PLA
  • Player
  • Policy
  • Prefetch
  • Profiles
  • Program
  • Publish
  • Reference
  • Registered
  • registration
  • Reports
  • Resources
  • schemas
  • Security
  • Service
  • Setup
  • Shell
  • Software
  • Speech
  • System
  • Tasks
  • Temp
  • tmp
  • tracing
  • twain
  • US
  • Video
  • Visual
  • Web
  • winsxs
  • Works
  • Zx

In order to be executed on every system start, the worm sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    • "%random1%" = "rundll32.exe "%variable%.dll",%random2%"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "%random1%" = "rundll32.exe "%variable%.dll",%random2%"

%random1% and %random2% represent random text.

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%random service name%\Parameters]
    • "ServiceDll" = "%system%\%variable%.dll"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%random service name%]
    • "ImagePath" = "%System Root%\system32\svchost.exe -k netsvcs"
    • "DisplayName" = "%random service name%"
    • "Type" = 32
    • "Start" = 2
    • "ErrorControl" = 0
    • "ObjectName" = "LocalSystem"
    • "Description" = "%variable_name%"

The following Registry entries are deleted:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjects\{FD6905CE-952F-41F1-9A6F-135D9C6622CC}]
    • "wscsvc" = "%filepath%"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    • "Windows Defender" = "%filepath%"

Other information

The worm terminates processes with any of the following strings in the name:

  • autoruns
  • avenger
  • confick
  • downad
  • filemon
  • gmer
  • hotfix
  • kb890
  • kb958
  • kido
  • klwk
  • mbsa.
  • mrt.
  • mrtstub
  • ms08-06
  • procexp
  • procmon
  • regmon
  • scct_
  • sysclean
  • tcpview
  • unlocker
  • wireshark

The following services are disabled:

  • Windows Security Center Service (wscsvc)
  • Windows Automatic Update Service (wuauserv)
  • Background Intelligent Transfer Service (BITS)
  • Windows Defender Service (WinDefend)
  • Windows Error Reporting Service (ERSvc)
  • Windows Error Reporting Service (WerSvc)
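As an added triage example (not code from the ESET page or from the worm), the Python below parses a constructed `reg export`-style dump and flags the artifacts described in the Installation section and in the list of disabled services above: a Run value that launches rundll32 with a DLL and export, one of the listed services set to Disabled (assumed here to show up as Start=4, the SCM SERVICE_DISABLED value), and a ServiceDll that points at the same DLL a Run entry loads. Every key name, service name and path in the sample is constructed.

```python
import re

# Services the page lists as disabled by the worm; Start=4 is SERVICE_DISABLED (assumption: that is how the disabling appears in an export)
PROTECTED = {"wscsvc", "wuauserv", "bits", "windefend", "ersvc", "wersvc"}

# Constructed `reg export`-style sample (not data from the page or from a real host)
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"qwpxhlk"="rundll32.exe \"C:\\WINDOWS\\system32\\jzqzzyi.dll\",ypjanrt"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetSrvAudio\Parameters]
"ServiceDll"="C:\\WINDOWS\\system32\\jzqzzyi.dll"
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$')
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?\s*,\s*(\S+)', re.I)

def parse_reg(text):
    """Return {key_path: {value_name: value}} for string and dword values in an export."""
    tree, key = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if m := KEY_RE.match(line):
            key = m.group(1)
        elif key and (m := VAL_RE.match(line)):
            name, s, d = m.groups()  # unescape \\ and \" in REG_SZ values, decode dwords
            tree.setdefault(key, {})[name] = int(d, 16) if s is None else s.replace("\\\\", "\\").replace('\\"', '"')
    return tree

def find_conficker_indicators(text):
    """Flag rundll32 Run entries, protected services set to Disabled, and a ServiceDll sharing a DLL with a Run entry."""
    tree, findings, run_dlls = parse_reg(text), [], set()
    for key, values in tree.items():
        parts = key.split("\\")
        if parts[-1].lower() == "run":
            for name, val in values.items():
                if isinstance(val, str) and (m := RUNDLL_RE.search(val)):
                    run_dlls.add(m.group(1).lower())
                    findings.append(("run_rundll32", name, m.group(1), m.group(2)))
        elif "services" in [p.lower() for p in parts]:
            svc = parts[-2] if parts[-1].lower() == "parameters" else parts[-1]
            if svc.lower() in PROTECTED and values.get("Start") == 4:
                findings.append(("protected_service_disabled", svc))
    for key, values in tree.items():  # second pass: cross-reference ServiceDll against Run DLLs
        dll = values.get("ServiceDll")
        if isinstance(dll, str) and dll.lower() in run_dlls:
            findings.append(("servicedll_shared_with_run", key.split("\\")[-2], dll))
    return findings
```

Run `find_conficker_indicators(open("export.reg", encoding="utf-16").read())` against a real `reg export` file; the third finding is the strongest signal, since a legitimate netsvcs service DLL is not also launched from a Run key.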

The worm connects to the following addresses:

  • 2ch.net
  • 4shared.com
  • 56.com
  • adobe.com
  • adsrevenue.net
  • adultadworld.com
  • adultfriendfinder.com
  • aim.com
  • alice.it
  • allegro.pl
  • ameba.jp
  • ameblo.jp
  • answers.com
  • apple.com
  • ask.com
  • aweber.com
  • awempire.com
  • badongo.com
  • badoo.com
  • baidu.com
  • bbc.co.uk
  • bebo.com
  • biglobe.ne.jp
  • bigpoint.com
  • blogfa.com
  • clicksor.com
  • co.cc
  • comcast.net
  • conduit.com
  • craigslist.org
  • cricinfo.com
  • dell.com
  • depositfiles.com
  • digg.com
  • disney.go.com
  • doubleclick.com
  • download.com
  • ebay.co.uk
  • ebay.com
  • ebay.de
  • ebay.it
  • espn.go.com
  • facebook.com
  • fastclick.com
  • fc2.com
  • files.wordpress.com
  • flickr.com
  • fotolog.net
  • foxnews.com
  • friendster.com
  • geocities.com
  • go.com
  • goo.ne.jp
  • google.com
  • googlesyndication.com
  • gougou.com
  • hi5.com
  • hyves.nl
  • icq.com
  • imageshack.us
  • imagevenue.com
  • imdb.com
  • imeem.com
  • kaixin001.com
  • kooora.com
  • linkbucks.com
  • linkedin.com
  • live.com
  • livedoor.com
  • livejasmin.com
  • livejournal.com
  • mail.ru
  • mapquest.com
  • mediafire.com
  • megaclick.com
  • megaporn.com
  • megaupload.com
  • metacafe.com
  • metroflog.com
  • miniclip.com
  • mininova.org
  • mixi.jp
  • msn.com
  • multiply.com
  • myspace.com
  • mywebsearch.com
  • narod.ru
  • naver.com
  • nba.com
  • netflix.com
  • netlog.com
  • nicovideo.jp
  • ning.com
  • odnoklassniki.ru
  • orange.fr
  • partypoker.com
  • paypopup.com
  • tagged.com
  • taringa.net
  • terra.com.br
  • thepiratebay.org
  • tianya.cn
  • tinypic.com
  • torrentz.com
  • tribalfusion.com
  • tube8.com
  • tudou.com
  • tuenti.com
  • typepad.com
  • ucoz.ru
  • veoh.com
  • verizon.net
  • vkontakte.ru
  • vnexpress.net
  • wikimedia.org
  • wikipedia.org
  • wordpress.com
  • xhamster.com
  • xiaonei.com
  • xnxx.com
  • xvideos.com
  • yahoo.co.jp
  • yahoo.com
  • pconline.com.cn
  • pcpop.com
  • perfspot.com
  • photobucket.com
  • pogo.com
  • pornhub.com
  • rambler.ru
  • rapidshare.com
  • rediff.com
  • reference.com
  • sakura.ne.jp
  • seesaa.net
  • seznam.cz
  • skyrock.com
  • sonico.com
  • soso.com
  • sourceforge.net
  • studiverzeichnis.com
  • yandex.ru
  • youporn.com
  • youtube.com
  • zedo.com
  • ziddu.com
  • zshare.net

The worm connects to the following servers to obtain the current date and time:

  • ask.com
  • baidu.com
  • facebook.com
  • google.com
  • imageshack.us
  • rapidshare.com
  • w3.org
  • yahoo.com

The worm blocks access to any domains that contain any of the following strings in their name:

  • agnitum
  • ahnlab
  • anti-
  • antivir
  • arcabit
  • avast
  • avgate
  • avira
  • bothunter
  • castlecops
  • ccollomb
  • centralcommand
  • clamav
  • comodo
  • computerassociates
  • conficker
  • cpsecure
  • cyber-ta
  • defender
  • downad
  • drweb
  • dslreports
  • emsisoft
  • esafe
  • eset
  • etrust
  • ewido
  • f-prot
  • f-secure
  • fortinet
  • free-av
  • freeav
  • gdata
  • grisoft
  • hackerwatch
  • hacksoft
  • hauri
  • ikarus
  • jotti
  • k7computing
  • kaspersky
  • kido
  • malware
  • mcafee
  • microsoft
  • mirage
  • msftncsi
  • msmvps
  • mtc.sri
  • networkassociates
  • nod32
  • norman
  • norton
  • onecare
  • panda
  • pctools
  • prevx
  • ptsecurity
  • quickheal
  • removal
  • rising
  • rootkit
  • safety.live
  • securecomputing
  • secureworks
  • sophos
  • spamhaus
  • spyware
  • sunbelt
  • symantec
  • technet
  • threat
  • threatexpert
  • trendmicro
  • trojan
  • virscan
  • virus
  • wilderssecurity
  • windowsupdate

The worm attempts to download several files from the Internet. The URL is generated randomly; the top-level domain is chosen from the following list:

  • .ac
  • .ae
  • .ag
  • .am
  • .as
  • .at
  • .be
  • .bo
  • .bz
  • .ca
  • .cd
  • .ch
  • .cl
  • .cn
  • .co.cr
  • .co.id
  • .co.il
  • .co.ke
  • .co.kr
  • .co.nz
  • .co.ug
  • .co.uk
  • .co.vi
  • .co.za
  • .com.ag
  • .com.ai
  • .com.ar
  • .com.bo
  • .com.br
  • .com.bs
  • .com.co
  • .com.do
  • .com.fj
  • .com.gh
  • .com.gl
  • .com.gt
  • .com.hn
  • .com.jm
  • .com.ki
  • .com.lc
  • .com.mt
  • .com.mx
  • .com.ng
  • .com.ni
  • .com.pa
  • .com.pe
  • .com.pr
  • .com.pt
  • .com.py
  • .com.sv
  • .com.tr
  • .com.tt
  • .com.tw
  • .com.ua
  • .com.uy
  • .com.ve
  • .cx
  • .cz
  • .dj
  • .dk
  • .dm
  • .ec
  • .es
  • .fm
  • .fr
  • .gd
  • .gr
  • .gs
  • .gy
  • .hk
  • .hn
  • .ht
  • .hu
  • .ie
  • .im
  • .in
  • .ir
  • .is
  • .kn
  • .kz
  • .la
  • .lc
  • .li
  • .lu
  • .lv
  • .ly
  • .md
  • .me
  • .mn
  • .ms
  • .mu
  • .mw
  • .my
  • .nf
  • .nl
  • .no
  • .pe
  • .pk
  • .pl
  • .ps
  • .ro
  • .ru
  • .sc
  • .sg
  • .sh
  • .sk
  • .su
  • .tc
  • .tj
  • .tl
  • .tn
  • .to
  • .tw
  • .us
  • .vc
  • .vn

The worm runs only encrypted and properly signed files.

The downloaded file is stored in the following folder:

  • %temp%

The following filename is used:

  • %variable%.tmp

A string with variable content is used instead of %variable%.

The worm contains a list of blacklisted IP addresses.

The worm opens a random TCP and UDP port.

The worm receives data and instructions for further action from the Internet or from another remote computer within its own network (botnet).