This is a worm that infects other computers across a network by exploiting a vulnerability in the Windows Server service (svchost.exe). If the vulnerability is successfully exploited, it could allow remote code execution when file sharing is enabled. It may also spread via removable drives and weak administrator passwords. It disables several important system services and security products.
Installation
This threat attempts to copy itself into the Windows system folder as a hidden DLL file with a random name. If that attempt fails, it may then attempt to copy itself into the following folders:
It creates the following registry entry to ensure that it is run whenever you start your PC:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<random string>"
With data: "rundll32.exe <system folder>\<malware file name>.dll,<malware parameters>"
It may also load itself as a service that is launched when the netsvcs group is loaded by the system file svchost.exe by adding the generated service to the default list of services found in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\netsvcs.
The service name it uses under the netsvcs group is generated by randomly picking one phrase from each of the following two lists and joining them:
List 1:
- App
- Audio
- DM
- ER
- Event
- help
- Ias
- Ir
- Lanman
- Net
- Ntms
- Ras
- Remote
- Sec
- SR
- Tapi
- Trk
- W32
- win
- Wmdm
- Wmi
- wsc
- wuau
- xml
List 2:
- access
- agent
- auto
- logon
- man
- mgmt
- mon
- prov
- serv
- Server
- Service
- Srv
- srv
- Svc
- svc
- System
- Time
It can also load itself as a fake service by registering itself under the registry key HKLM\SYSTEM\CurrentControlSet\Services.
It can use a display name that is created by combining two of the following strings:
- Boot
- Center
- Config
- Driver
- Helper
- Image
- Installer
- Manager
- Microsoft
- Monitor
- Network
- Security
- Server
- Shell
- Support
- System
- Task
- Time
- Universal
- Update
- Windows
It may also combine random characters to create the display name.
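The naming scheme above can be turned into a hunting check. The following is an added example, not code from the advisory or from Microsoft: it flags service names that are exactly a List 1 phrase followed by a List 2 phrase, flags display names made of two words from the display-name list, and diffs a suspect machine's netsvcs list against a known-clean baseline. The function names and the baseline and observed lists are constructed for illustration.

```python
"""Added example (not from the advisory): flag service names and display names that fit the
Conficker.D naming scheme, and diff a suspect netsvcs list against a known-clean baseline."""
import itertools
from typing import List, Tuple

# Phrase lists exactly as the advisory gives them for the netsvcs service name.
NETSVCS_FIRST = """App Audio DM ER Event help Ias Ir Lanman Net Ntms Ras Remote Sec SR
Tapi Trk W32 win Wmdm Wmi wsc wuau xml""".split()
NETSVCS_SECOND = """access agent auto logon man mgmt mon prov serv Server Service Srv srv
Svc svc System Time""".split()
# Strings the advisory lists for the display name of the fake service under ...\Services.
DISPLAY_WORDS = """Boot Center Config Driver Helper Image Installer Manager Microsoft Monitor
Network Security Server Shell Support System Task Time Universal Update Windows""".split()

# Precomputed and lower-cased so the comparison ignores the mixed case in the lists.
_NETSVCS_NAMES = {(a + b).lower() for a in NETSVCS_FIRST for b in NETSVCS_SECOND}
_DISPLAY_NAMES = {(a + b).lower() for a, b in itertools.product(DISPLAY_WORDS, repeat=2)}


def matches_netsvcs_scheme(name: str) -> bool:
    """True if name is exactly <List 1 phrase><List 2 phrase>, e.g. 'Iasmon' or 'Wmiprov'."""
    return name.lower() in _NETSVCS_NAMES


def matches_display_scheme(display: str) -> bool:
    """True if display is two display-list words, with or without a separating space."""
    return display.replace(" ", "").lower() in _DISPLAY_NAMES


def suspicious_netsvcs_entries(observed: List[str], baseline: List[str]) -> List[Tuple[str, bool]]:
    """Entries present in the suspect machine's netsvcs list but absent from the clean baseline,
    each paired with whether it also fits the worm's naming scheme. The baseline diff is the
    real signal: genuine Windows services such as AppMgmt, wuauserv and EventSystem also fit
    the scheme, so a scheme match on its own proves nothing."""
    known = {b.lower() for b in baseline}
    return [(n, matches_netsvcs_scheme(n)) for n in observed if n.lower() not in known]


# Constructed sample data: a short stand-in for a clean netsvcs list, and the same list
# as read from a suspect machine with one extra entry.
BASELINE_NETSVCS = ["AppMgmt", "AudioSrv", "Browser", "EventSystem", "helpsvc", "Netman",
                    "wuauserv", "xmlprov"]
OBSERVED_NETSVCS = BASELINE_NETSVCS + ["Iasmon"]

if __name__ == "__main__":
    for name, fits in suspicious_netsvcs_entries(OBSERVED_NETSVCS, BASELINE_NETSVCS):
        print(f"not in baseline: {name} (fits Conficker.D naming scheme: {fits})")
```

The baseline should come from a clean machine of the same Windows build, because the netsvcs group differs between versions; an entry that is new relative to that baseline and fits the scheme is worth pulling the referenced ServiceDll for.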
Payload
Ends services
This worm ends several important system services, such as the following:
- Windows Update Auto Update Service (wuauserv)
- Background Intelligent Transfer Service (BITS) – used by Windows Update to download updates using idle network bandwidth
- Windows Defender (WinDefend)
- Error Reporting Service (ersvc) – sends error reports to Microsoft to help improve user experience
- Windows Error Reporting Service (wersvc)
Deletes registry values
Win32/Conficker.D deletes registry values for Windows Defender, Windows Security Center (WSC) and the Windows safe mode services list.
- Deleting this value prevents Windows Defender from launching at Windows start:
  Deletes value: "Windows Defender"
  In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
- Deleting this value prevents WSC notifications or alerts from being displayed if the firewall or security programs are disabled (by the worm):
  Deletes value: {FD6905CE-952F-41F1-9A6F-135D9C6622CC}
  In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjects
- Deleting this value removes the list of services that execute if Windows is started in safe mode:
  Deletes value: SafeBoot
  In subkey: HKLM\SYSTEM\CurrentControlSet\Control
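The registry changes described in the Installation section (the rundll32 Run value and the netsvcs edit) and the three deletions above are all observable as registry-change events. The following is an added example, not part of the advisory: it parses constructed, simplified Sysmon-style records (tab-separated Field=Value tokens, which is an assumed layout rather than Sysmon's real XML) and flags the events that match this worm's behaviour. The random value and file names in the sample are made up, and the system folder is assumed to be \system32.

```python
"""Added example (not from the advisory): detect the Conficker.D registry changes in
constructed registry-change events. Record layout is a simplified, assumed Sysmon-like
format: tab-separated Field=Value tokens with EventType, TargetObject and Details."""
import re
from typing import Dict, List, Optional, Tuple

# Values the advisory says the worm deletes, as (key, value name), lower-cased for matching.
DELETED_VALUE_IOCS = {
    (r"hklm\software\microsoft\windows\currentversion\run", "windows defender"),
    (r"hklm\software\microsoft\windows\currentversion\explorer\shellserviceobjects",
     "{fd6905ce-952f-41f1-9a6f-135d9c6622cc}"),
    (r"hklm\system\currentcontrolset\control", "safeboot"),
}
RUN_KEYS = {
    r"hkcu\software\microsoft\windows\currentversion\run",
    r"hklm\software\microsoft\windows\currentversion\run",
}
NETSVCS_VALUE = (r"hklm\software\microsoft\windows nt\currentversion\svchost", "netsvcs")
# Run value data of the form "rundll32.exe <path>\<name>.dll,<params>" as the advisory shows it;
# the advisory renders it without a space after rundll32.exe, so the space is optional here.
RUNDLL_DLL_RE = re.compile(r"^\s*rundll32(?:\.exe)?\s*.*?\.dll\s*,", re.IGNORECASE)


def parse_event(line: str) -> Dict[str, str]:
    """Parse one tab-separated 'Field=Value' record into a dict."""
    fields: Dict[str, str] = {}
    for token in line.rstrip("\n").split("\t"):
        if "=" in token:
            key, val = token.split("=", 1)
            fields[key] = val
    return fields


def split_target(target: str) -> Tuple[str, str]:
    """Split 'HKLM\\...\\Key\\ValueName' into (key, value name), both lower-cased."""
    key, _, value = target.rpartition("\\")
    return key.lower(), value.lower()


def classify(ev: Dict[str, str]) -> Optional[str]:
    """Return a reason string if the event matches Conficker.D behaviour, else None."""
    key, value = split_target(ev.get("TargetObject", ""))
    etype = ev.get("EventType", "")
    if etype == "DeleteValue" and (key, value) in DELETED_VALUE_IOCS:
        return f"deleted protected value {value!r} under {key}"
    if etype == "SetValue" and key in RUN_KEYS and RUNDLL_DLL_RE.match(ev.get("Details", "")):
        return f"Run value {value!r} launches a DLL via rundll32"
    if etype == "SetValue" and (key, value) == NETSVCS_VALUE:
        return "netsvcs service group list modified"
    return None


def scan(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (EventType, TargetObject, reason) for every matching record."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        reason = classify(ev)
        if reason:
            hits.append((ev.get("EventType", ""), ev.get("TargetObject", ""), reason))
    return hits


# Constructed sample records: one benign Run value, then the changes the advisory describes.
SAMPLE_EVENTS = [
    "EventType=SetValue\tTargetObject=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive"
    "\tDetails=C:\\Program Files\\OneDrive.exe /background",
    "EventType=SetValue\tTargetObject=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\kdsxoq"
    "\tDetails=rundll32.exe C:\\Windows\\system32\\ulwhqfs.dll,fyvb",
    "EventType=DeleteValue\tTargetObject=HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Windows Defender",
    "EventType=DeleteValue\tTargetObject=HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\explorer"
    "\\ShellServiceObjects\\{FD6905CE-952F-41F1-9A6F-135D9C6622CC}",
    "EventType=DeleteValue\tTargetObject=HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot",
    "EventType=SetValue\tTargetObject=HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SvcHost\\netsvcs"
    "\tDetails=AppMgmt;AudioSrv;Iasmon",
]

if __name__ == "__main__":
    for etype, target, reason in scan(SAMPLE_EVENTS):
        print(f"{etype:12} {reason}: {target}")
```

The rundll32 check deliberately matches any DLL launched from a Run value rather than only the system folder, so it will also surface legitimate rundll32 autoruns; the three value deletions and an edit to netsvcs are far rarer on a healthy machine and are the higher-confidence signals.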
Terminates processes
Win32/Conficker.D polls the process list every second for process names containing these strings and, if found, ends them:
- autoruns - "Autoruns" program
- avenger - kernel-mode security program
- bd_rem - "bd_rem_tool_console.exe" and "bd_rem_tool_gui.exe" programs
- cfremo - Enigma Software "cfremover.exe" program
- confick - taken from the name "Conficker"
- downad - taken from the name "Downadup", another alias of Conficker
- filemon - "File Monitor" program
- gmer - rootkit detection program
- hotfix - security update
- kb890 - Microsoft KB article, includes MSRT
- kb958 - Microsoft KB article, includes MS08-067
- kido - taken from the name "Kido", another "Conficker" alias
- kill - utility used to end other processes
- klwk - Kaspersky program
- mbsa. - "Microsoft Baseline Security Analyzer" program
- mrt. - "Microsoft Malicious Software Removal Tool" program
- mrtstub - "Microsoft Malicious Software Removal Tool" program
- ms08-06 - Microsoft Security Update MS08-067
- procexp - "Process Explorer" program
- procmon - "Process Monitor" program
- regmon - "Registry Monitor" program
- scct_ - Sophos Conficker Cleanup tool
- stinger - McAfee tool
- sysclean - Trend Micro tool
- tcpview - tool used to view TCP connections and traffic
- unlocker - tool used to unlock locked files or folders
- wireshark - network protocol analyzer tool
Blocks access to web sites
Win32/Conficker.D hooks DNSAPI.DLL to prevent access to websites containing the following strings in the URL:
- activescan
- adware
- agnitum
- ahnlab
- anti-
- antivir
- arcabit
- avast
- avgate
- avira
- av-sc*
- bdtools*
- bothunter
- castlecops
- ccollomb
- centralcommand
- clamav
- comodo
- computerassociates
- conficker
- cpsecure
- cyber-ta
- defender
- downad
- drweb
- dslreports
- emsisoft
- esafe
- eset
- etrust
- ewido
- fortinet
- f-prot
- freeav
- free-av
- f-secure
- gdata
- grisoft
- hackerwatch
- hacksoft
- hauri
- ikarus
- jotti
- k7computing
- kaspersky
- kido
- malware
- mcafee
- microsoft
- mirage
- mitre*
- msftncsi
- ms-mvp*
- msmvps
- mtc.sri
- networkassociates
- nod32
- norman
- norton
- onecare
- panda
- pctools
- precisesecurity
- prevx
- ptsecurity
- quickheal
- removal
- rising
- rootkit
- safety.live
- securecomputing
- secureworks
- sophos
- spamhaus
- spyware
- sunbelt
- symantec
- technet
- threat
- threatexpert
- trendmicro
- trojan
- virscan
- virus
- wilderssecurity
- windowsupdate
Win32/Conficker.D may cause browser time-outs when you try to access websites with URLs containing any of the following strings:
- avg.
- avp.
- bit9.
- ca.
- cert.
- gmer.
- kav.
- llnw.
- llnwd.
- msdn.
- msft.
- nai.
- sans.
- vet.
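A machine on which exactly the security and update sites above stop resolving, while everything else resolves, is showing the symptom of this DNSAPI.DLL hook. The following added example (not from the advisory) encodes the two lists as plain substring matches and checks whether a set of observed resolution results is consistent with the hook. The four entries the advisory writes with a trailing asterisk (av-sc*, bdtools*, mitre*, ms-mvp*) are assumed to mean "any continuation" and are matched as plain substrings; the hostnames and results in the sample are constructed.

```python
"""Added example (not from the advisory): classify hostnames against the URL substrings that
Win32/Conficker.D's DNSAPI.DLL hook blocks or stalls, and test whether a set of observed
resolution results is consistent with that hook being present."""
from typing import Dict, List, Optional, Tuple

# Blocked substrings as listed in the advisory. The trailing '*' on av-sc*, bdtools*,
# mitre* and ms-mvp* is assumed to mean "any continuation", so they are plain substrings here.
BLOCKED = """activescan adware agnitum ahnlab anti- antivir arcabit avast avgate avira av-sc
bdtools bothunter castlecops ccollomb centralcommand clamav comodo computerassociates conficker
cpsecure cyber-ta defender downad drweb dslreports emsisoft esafe eset etrust ewido fortinet
f-prot freeav free-av f-secure gdata grisoft hackerwatch hacksoft hauri ikarus jotti k7computing
kaspersky kido malware mcafee microsoft mirage mitre msftncsi ms-mvp msmvps mtc.sri
networkassociates nod32 norman norton onecare panda pctools precisesecurity prevx ptsecurity
quickheal removal rising rootkit safety.live securecomputing secureworks sophos spamhaus spyware
sunbelt symantec technet threat threatexpert trendmicro trojan virscan virus wilderssecurity
windowsupdate""".split()
# Substrings the advisory says cause browser time-outs rather than an outright block.
TIMEOUT = "avg. avp. bit9. ca. cert. gmer. kav. llnw. llnwd. msdn. msft. nai. sans. vet.".split()


def classify_host(host: str) -> Tuple[Optional[str], Optional[str]]:
    """Return ('blocked', s), ('timeout', s) or (None, None) for the first matching string."""
    h = host.lower()
    for s in BLOCKED:
        if s in h:
            return ("blocked", s)
    for s in TIMEOUT:
        if s in h:
            return ("timeout", s)
    return (None, None)


def consistent_with_hook(results: Dict[str, bool]) -> Tuple[bool, List[str]]:
    """results maps hostname -> True if it resolved, False if it failed.
    Returns (consistent, unexplained): consistent is True when every failure is a listed
    host and every listed host failed; unexplained lists the hosts that break that pattern
    (a listed host that resolved, or an unlisted host that failed, which points to some
    other DNS problem)."""
    unexplained = []
    for host, resolved in results.items():
        kind, _ = classify_host(host)
        if resolved and kind is not None:
            unexplained.append(host)
        elif not resolved and kind is None:
            unexplained.append(host)
    return (len(unexplained) == 0, unexplained)


# Constructed sample: resolution results from a suspect machine (nothing here was measured).
SAMPLE_RESULTS = {
    "www.example.com": True,
    "update.microsoft.com": False,
    "www.symantec.com": False,
    "downloads.avg.com": False,
    "www.w3.org": True,
    "www.wikipedia.org": True,
}

if __name__ == "__main__":
    for host in SAMPLE_RESULTS:
        print(host, classify_host(host))
    print("consistent with Conficker.D DNS hook:", consistent_with_hook(SAMPLE_RESULTS))
```

Because the matching is by substring, short entries such as "ca." and "threat" will also catch unrelated hostnames; when running this against a real machine, compare the failing set from a clean resolver on the same network so that ordinary DNS outages are not mistaken for the hook.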
Downloads files
Win32/Conficker.D obtains the current date/time from the following Web servers:
- ask.com
- baidu.com
- facebook.com
- google.com
- imageshack.us
- rapidshare.com
- w3.org
- yahoo.com
Starting on April 1, 2009, Win32/Conficker.D generates a list of 50,000 URLs each day from which it may download files. The domain names use one of the following top-level domains, drawn from over 100 different countries, and the worm visits only 500 of the generated URLs within any 24-hour period:
The generated domain name is first converted to an IP address in dotted-decimal notation; for example, aaovt.com may be converted to 192.168.16.0.
After a successful download from a generated URL, Win32/Conficker.D lies dormant for four days before resuming URL monitoring.
Connects to other infected PCs via P2P network
Win32/Conficker.D can distribute and receive commands from other computers infected with Conficker.D via a built-in peer-to-peer (P2P) network. This mechanism could be used to distribute additional malware to and from infected machines.
To connect to other infected computers, Win32/Conficker.D opens four ports on each available network interface: two TCP and two UDP. The first TCP and UDP port numbers are calculated from the IP address of the network interface. The second TCP and UDP port numbers are calculated from the IP address of the network interface together with the current week, so this second pair of ports changes every week.
When calculating a port for the current week, Win32/Conficker.D attempts to determine the time in GMT so that all port changes occur at the same time.
Additional Information
The following are example SHA1 hash details for known Win32/Conficker.D versions:
Analysis by Vincent Tiu, Aaron Putnam, and Jireh Sanico