Worm:Win32/Conficker.E is a member of the
Win32/Conficker family and was proactively detected when first discovered as Worm:Win32/Conficker.gen!A. Conficker.E acts as an update mechanism for previous variants of Win32/Conficker. This variant deletes its own executable on May 3 2009.
Installation
Worm:Win32/Conficker.E consists of the following components:
.EXE executable component (detected as Worm:Win32/Conficker.E) - used to install the dropper DLL to other remote machines already infected with the .B, .C or .D Conficker variants.
.DLL payload component (detected as Worm:Win32/Conficker.E.dll) - used to perform most of the worm's payload (see Payload section below for additional detail).
Payload
Utilizes exploit (MS08-067) to install update on Conficker-infected machines
Win32/Conficker.E updates systems that are already infected by Conficker and as yet unpatched against a vulnerability in the Windows Server service (srvsvc). The vulnerability is documented in Microsoft Security Bulletin MS08-067. It checks if targets are already infected by the .B, .C, or .D Conficker variants by first checking the result from the NetpwPathCanonicalize API in 'netapi32.dll'. This variant only infects hosts that are already infected with one of these previous variants.
If the vulnerability is successfully exploited, Conficker.E instructs the target computer to download the dropper DLL from the host computer over HTTP, on a TCP port (between 1024 and 9999) opened by the worm.
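The two-step sequence described above (an SMB connection from the already-infected peer, followed shortly by the target fetching the dropper DLL back from that peer on a high TCP port) is a pattern a network defender can look for in flow records. The following is an added example, not code from this description or from Microsoft; it uses a constructed flow-record format (timestamp, source, destination, destination port, protocol), a 120-second correlation window and the 1024-9999 port range stated on the page, all of which are assumptions for the example rather than documented detection parameters.

```python
from datetime import datetime, timedelta

# Constructed flow records (not a real sensor's format):
#   <ISO-8601 UTC timestamp> <src ip> <dst ip> <dst port> <proto>
# Line 1/2 show the Conficker.E pattern: peer 10.0.0.5 reaches the Server
# service on 10.0.0.9 (tcp/445), then 10.0.0.9 connects back to 10.0.0.5 on a
# high port to fetch the dropper DLL. Lines 3/4 and 5/6 are decoys.
SAMPLE_FLOWS = """
2009-04-10T12:00:01Z 10.0.0.5 10.0.0.9 445 tcp
2009-04-10T12:00:03Z 10.0.0.9 10.0.0.5 4472 tcp
2009-04-10T12:05:00Z 10.0.0.7 10.0.0.8 445 tcp
2009-04-10T12:05:02Z 10.0.0.8 10.0.0.7 443 tcp
2009-04-10T12:10:00Z 10.0.0.3 10.0.0.4 445 tcp
2009-04-10T12:20:00Z 10.0.0.4 10.0.0.3 8080 tcp
"""


def parse_flow(line):
    """Parse one constructed flow line into (timestamp, src, dst, dport, proto)."""
    ts, src, dst, dport, proto = line.split()
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(dport), proto.lower())


def find_update_chains(text, window_seconds=120, low_port=1024, high_port=9999):
    """Flag 'tcp/445 from A to B, then tcp/<1024-9999> from B back to A' pairs.

    window_seconds is the assumed maximum gap between the SMB connection and
    the reverse HTTP fetch; the port bounds are the range stated on the page.
    """
    flows = sorted((parse_flow(l) for l in text.splitlines() if l.strip()),
                   key=lambda f: f[0])
    alerts = []
    for ts, peer, target, dport, proto in flows:
        if dport != 445 or proto != "tcp":
            continue
        deadline = ts + timedelta(seconds=window_seconds)
        for ts2, src2, dst2, dport2, proto2 in flows:
            if ts2 < ts:
                continue
            if ts2 > deadline:
                break  # flows are sorted, nothing later can be in the window
            if (src2 == target and dst2 == peer and proto2 == "tcp"
                    and low_port <= dport2 <= high_port):
                alerts.append({
                    "peer": peer, "target": target,
                    "smb_at": ts.isoformat(), "http_port": dport2,
                    "http_at": ts2.isoformat(),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_update_chains(SAMPLE_FLOWS):
        print("possible Conficker.E update delivery:", alert)
```

Ordinary file-server traffic produces plenty of tcp/445 flows, so the signal is the reverse connection to a high port from the machine that was just contacted; on a busy network the window and port range will need tuning against the local baseline.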
The dropper DLL then drops and loads the payload DLL. When the payload DLL (detected as Worm:Win32/Conficker.E.dll) is loaded, it attempts to copy itself to the local machine using a filename that is constructed from a hash of the affected machine's computer name. The filename will appear as a string of 5-9 lowercase letters, with a .dll file extension - for example 'xhyngr.dll'.
The DLL attempts to copy itself to the following locations, in the following order:
System folder (typical path: C:\Windows\System32)
One of the following 4 folders under the %ProgramFiles% folder:
"Movie Maker"
"Internet Explorer"
"Windows Media Player"
"Windows NT"
%Application Data% folder (typical path: C:\Documents and Settings\Username\Application Data)
The %temp% folder
Once successfully copied to one of these locations, Worm:Win32/Conficker.E.dll does not attempt to copy itself further to the other locations.
Worm:Win32/Conficker.E.dll then modifies the following registry entries to ensure that it is loaded at each Windows start (for example):
Adds value: "<random alphabetic string>"
With data: "rundll32 "<malware file name>.dll",<random alphabetic string>"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Adds value: "<random alphabetic string>"
With data: "rundll32 "<malware file name>.dll",<random alphabetic string>"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
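The persistence entries above have a recognisable shape: a rundll32 command whose DLL name is 5-9 lowercase letters and whose export name and value name are both random alphabetic strings. The hash that produces the DLL name is not documented here, so a check can only match that shape, not a specific name. The following is an added example written for this page, not code from the description or from Microsoft: it scans a list of Run-key entries for that shape, with a constructed sample list and an optional live read of both Run keys through Python's standard winreg module on Windows. The regular expression and the sample entries are assumptions made for the example.

```python
import re
import sys

# Shape of the Run-key data described above:
#   rundll32 "<5-9 lowercase letters>.dll",<random alphabetic export name>
# The DLL may be given as a bare name or with a full path (System32, a
# %ProgramFiles% subfolder, %Application Data% or %temp%), so the path part is
# optional. The pattern is an assumption made for this example.
RUNDLL_PATTERN = re.compile(
    r'^\s*(?i:rundll32(?:\.exe)?)\s+'
    r'"?(?P<dll>(?:[A-Za-z]:\\[^",]*\\)?[a-z]{5,9}\.(?i:dll))"?'
    r'\s*,\s*(?P<export>[A-Za-z]+)\s*$'
)

RUN_KEYS = (
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
)


def match_conficker_rundll(data):
    """Return (dll, export) if the value data has the Conficker.E shape, else None."""
    m = RUNDLL_PATTERN.match(data)
    return (m.group("dll"), m.group("export")) if m else None


def suspicious_run_entries(entries):
    """entries: iterable of (subkey, value_name, data). Returns the suspicious ones.

    The value name is also a random alphabetic string per the description, so
    it is checked as well; a non-alphabetic name is not reported.
    """
    hits = []
    for subkey, name, data in entries:
        if subkey not in RUN_KEYS:
            continue
        m = match_conficker_rundll(data)
        if m is None or not re.fullmatch(r"[A-Za-z]+", name):
            continue
        hits.append({"subkey": subkey, "value": name, "dll": m[0], "export": m[1]})
    return hits


def read_live_run_keys():
    """Windows only: enumerate both Run keys with the stdlib winreg module."""
    import winreg  # standard library, available on Windows builds only
    roots = {RUN_KEYS[0]: winreg.HKEY_LOCAL_MACHINE,
             RUN_KEYS[1]: winreg.HKEY_CURRENT_USER}
    entries = []
    for subkey, root in roots.items():
        path = subkey.split("\\", 1)[1]
        try:
            with winreg.OpenKey(root, path) as key:
                index = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, index)
                    except OSError:  # no more values under this key
                        break
                    entries.append((subkey, name, str(data)))
                    index += 1
        except OSError:
            continue
    return entries


# Constructed sample: two entries shaped like the description, two benign ones.
SAMPLE_ENTRIES = [
    (RUN_KEYS[0], "xhyngr", 'rundll32 "xhyngr.dll",kqzvbt'),
    (RUN_KEYS[0], "SecurityHealth", r"C:\Windows\system32\SecurityHealthSystray.exe"),
    (RUN_KEYS[1], "ljqwpe", r'rundll32 "C:\Program Files\Movie Maker\qwbvtr.dll",ZjmQw'),
    (RUN_KEYS[1], "Shell", "rundll32.exe shell32.dll,Control_RunDLL"),
]


if __name__ == "__main__":
    entries = read_live_run_keys() if sys.platform == "win32" else SAMPLE_ENTRIES
    for hit in suspicious_run_entries(entries):
        print("suspicious Run entry:", hit)
```

A legitimate DLL with a short all-letter name loaded through rundll32 will also match this shape, so a hit is a lead to confirm (file location in one of the listed folders, missing signature, file age) rather than a verdict on its own.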
The DLL component - Win32/Conficker.E.dll - patches the NetpwPathCanonicalize API in the DLL NETAPI32.DLL to prevent the vulnerability from being further exploited by other remote agents.
Modifies System Settings - Patches TCP/IP Driver
Win32/Conficker.E patches the TCP/IP driver 'tcpip.sys' in memory to increase and maximize the number of connections allowed (connection limit) on the infected computer. The worm uses this method of patching to bypass Windows File Protection.
Terminates Services
Win32/Conficker.E.dll terminates several important system services, such as the following:
Windows Update Auto Update Service (wuauserv)
Background Intelligence Transfer Service (BITS) – used by Windows Update to download updates using idle network bandwidth
Windows Defender (WinDefend)
Error Reporting Service (ersvc) – sends error reports to Microsoft to help improve user experience
Windows Error Reporting Service (wersvc)
Terminates Processes
Win32/Conficker.E.dll polls the process list every second for the following strings and, if one is found, terminates the matching process:
autoruns - "Autoruns" program
avenger - kernel-mode security program
bd_rem - "bd_rem_tool_console.exe" & "bd_rem_tool_gui.exe" programs
cfremo - Enigma Software "cfremover.exe" program
confick - Presumably targeting Conficker removal tools
downad - Presumably targeting Conficker removal tools
dwndp - Symantec tool "fixdwndp.exe"
filemon - "File Monitor" program
gmer - rootkit detection program
hotfix - security update
kb890 - Microsoft KB article, includes MSRT
kb958 - Microsoft KB article, includes MS08-067
kido - taken from the name 'Kido', another 'Conficker' alias
kill - utility used to terminate other processes
klwk - Kaspersky program
mbsa. - "Microsoft Baseline Security Analyzer" program
mrt. - "Microsoft Malicious Software Removal Tool" program
mrtstub - "Microsoft Malicious Software Removal Tool" program
ms08 - Microsoft Security Updates released in 2008
ms09 - Microsoft Security Updates released in 2009
procexp - "Process Explorer" program
procmon - "Process Monitor" program
regmon - "Registry Monitor" program
scct_ - Sophos Conficker Cleanup tool
stinger - McAfee tool
sysclean - Trend Micro tool
tcpview - tool used to view TCP connection and traffic
unlocker - tool used to unlock locked files or folders
wireshark - network protocol analyzer tool
Blocks Access to Particular Web sites/IP Ranges
Win32/Conficker.E blocks access to domains in certain IP ranges. In addition, the worm hooks 'dnsapi.dll' to prevent access to Web sites containing the following strings in the URL:
activescan
adware
agnitum
ahnlab
anti-
antivir
arcabit
av-sc
avast
avgate
avira
bdtools
bothunter
castlecops
ccollomb
centralcommand
clamav
comodo
computerassociates
confick
coresecur
cpsecure
cyber-ta
defender
downad
doxpara
drweb
dslreports
emsisoft
enigma
esafe
eset
etrust
ewido
f-prot
f-secure
fortinet
free-av
freeav
fsecure
gdata
grisoft
hackerwatch
hacksoft
hauri
honey
ikarus
insecure.
iv.cs.uni
jotti
k7computing
kaspersky
kido
malware
mcafee
microsoft
mirage
mitre.
ms-mvp
msftncsi
msmvps
mtc.sri
ncircle
networkassociates
nmap.
nod32
norman
norton
onecare
panda
pctools
precisesecurity
prevx
ptsecurity
qualys
quickheal
removal
rising
rootkit
safety.live
secunia
securecomputing
secureworks
snort
sophos
spamhaus
spyware
staysafe
sunbelt
symantec
technet
tenablese
threat
threatexpert
trendmicro
trojan
virscan
virus
wilderssecurity
windowsupdate
Worm:Win32/Conficker.E.dll may cause browser time-outs when a user attempts to access Web sites with URLs containing any of the following strings:
avg.
avp.
bit9.
ca.
cert.
gmer.
kav.
llnw.
llnwd.
msdn.
msft.
nai.
sans.
vet.
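Because the dnsapi.dll hook blocks or stalls name lookups for security-vendor sites while leaving ordinary sites untouched, a simple host-side check is to compare reachability of a few control sites against a few vendor sites: if the controls load and the vendor sites all fail, the host behaves like an infected one. The following is an added example, not code from this description or from Microsoft. It carries a subset of the blocked and time-out substrings listed above, uses the five sites the description says the worm itself contacts for its connectivity test as the assumed control set, and takes reachability results as a plain dictionary (constructed here) so it runs offline; the optional probe function and the verdict thresholds are assumptions for the example.

```python
import socket

# Subset of the URL substrings blocked by the dnsapi.dll hook (from the list above).
BLOCKED_SUBSTRINGS = (
    "activescan", "antivir", "avast", "avira", "clamav", "comodo", "confick",
    "defender", "downad", "drweb", "eset", "f-prot", "f-secure", "fsecure",
    "kaspersky", "kido", "malware", "mcafee", "microsoft", "nod32", "norton",
    "onecare", "panda", "removal", "rootkit", "sophos", "spyware", "symantec",
    "technet", "trendmicro", "trojan", "virus", "windowsupdate",
)
# Substrings for which the description reports browser time-outs instead.
TIMEOUT_SUBSTRINGS = ("avg.", "avp.", "bit9.", "ca.", "cert.", "gmer.", "kav.",
                      "llnw.", "llnwd.", "msdn.", "msft.", "nai.", "sans.", "vet.")
# Assumed control set: the sites the worm itself uses to test connectivity.
CONTROL_HOSTS = ("www.aol.com", "www.cnn.com", "www.ebay.com",
                 "www.msn.com", "www.myspace.com")


def classify_host(host):
    """'blocked', 'timeout' or 'allowed' according to the substring lists."""
    h = host.lower()
    if any(s in h for s in BLOCKED_SUBSTRINGS):
        return "blocked"
    if any(s in h for s in TIMEOUT_SUBSTRINGS):
        return "timeout"
    return "allowed"


def infection_verdict(reachability):
    """reachability: dict host -> True if the host resolved and answered.

    Controls are hosts classified 'allowed'; vendors are 'blocked'/'timeout'.
    Thresholds are an assumption: every vendor host failing while at least one
    control succeeds is 'likely-infected', a partial failure is 'suspicious'.
    """
    controls = {h: ok for h, ok in reachability.items() if classify_host(h) == "allowed"}
    vendors = {h: ok for h, ok in reachability.items() if classify_host(h) != "allowed"}
    if not vendors or not any(controls.values()):
        return "inconclusive"  # no baseline connectivity, or nothing to compare
    failed = sum(1 for ok in vendors.values() if not ok)
    if failed == len(vendors):
        return "likely-infected"
    if failed:
        return "suspicious"
    return "clean"


def probe(hosts, timeout=5.0):
    """Best-effort live measurement: a TCP connect to port 80 of each host.
    Not used by the offline sample below."""
    results = {}
    for host in hosts:
        try:
            with socket.create_connection((host, 80), timeout=timeout):
                results[host] = True
        except OSError:
            results[host] = False
    return results


# Constructed reachability results, not measurements.
SAMPLE_INFECTED = {
    "www.cnn.com": True, "www.msn.com": True,
    "www.symantec.com": False, "www.kaspersky.com": False,
    "www.f-secure.com": False, "update.microsoft.com": False, "www.sans.org": False,
}
SAMPLE_CLEAN = {h: True for h in SAMPLE_INFECTED}
SAMPLE_OFFLINE = {"www.cnn.com": False, "www.symantec.com": False}

if __name__ == "__main__":
    for label, sample in (("infected", SAMPLE_INFECTED), ("clean", SAMPLE_CLEAN),
                          ("offline", SAMPLE_OFFLINE)):
        print(label, "->", infection_verdict(sample))
```

Running the same probe from a known-clean machine on the same network distinguishes a filtering proxy or outage from the worm's hook, which is host-local; the control sites guard against calling a simply disconnected host infected.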
Distributes and Receives Remote Commands Via Distributed P2P Network
Worm:Win32/Conficker.E can distribute and receive commands from other computers infected by particular Win32/Conficker variants via a built-in peer-to-peer (P2P) network. This mechanism could be used to distribute additional malware to and from infected machines.
To connect to other infected computers, Win32/Conficker.E opens four ports on each available network interface: two TCP and two UDP ports. The port numbers of the first TCP and UDP ports are calculated from the IP address of the network interface. The second TCP and UDP ports are calculated from the IP address of the network interface together with the current week, which causes this second set of ports to change on a weekly basis. In short, the first set of ports is constant and remains open week after week, while the second set changes weekly.
When computing the current week, Win32/Conficker.E attempts to determine the time in GMT so that all port changes occur at the same moment regardless of the local time zone.
Both TCP listening ports behave in an identical fashion, as do both UDP listening ports. These ports are used by an infected computer to communicate with other computers also infected with Win32/Conficker.
Additional Information
Win32/Conficker.E executes a self-termination routine when the date is May 3 2009. The worm deletes its main executable component on this date. However, the DLL payload component (detected as Worm:Win32/Conficker.E.dll) remains to continue participating in P2P communication among infected peers.
Win32/Conficker.E periodically checks for Internet connectivity by connecting to the following Web sites:
www.aol.com
www.cnn.com
www.ebay.com
www.msn.com
www.myspace.com
Win32/Conficker.E also periodically connects to one of the following sites (at random) to determine its external IP address:
checkip.dyndns.org
checkip.dyndns.com
www.myipaddress.com
www.findmyipaddress.com
www.ipaddressworld.com
www.findmyip.com
www.ipdragon.com
www.whatsmyipaddress.com
Analysis by Aaron Putnam