Worm:Win32/Conficker.gen!B is a generic detection for a worm that infects other computers across a network by exploiting a vulnerability in the Windows Server service (SVCHOST.EXE). If the vulnerability is successfully exploited, it could allow remote code execution when file sharing is enabled. It may also spread via removable drives, network shares and weak administrator passwords. It disables several important system services and security products.
Installation
Worm:Win32/Conficker.gen!B attempts to copy itself in the Windows system folder as a hidden DLL file using a random name. If the attempt fails, it may then attempt to copy itself with the same parameters in the following folders:
%ProgramFiles%\Internet Explorer
%ProgramFiles%\Movie Maker
It creates the following registry entry to ensure that its dropped copy is run every time Windows starts:
Adds value: "<random string>"
With data: "rundll32.exe <system folder>\<malware file name>.dll,<malware parameters>"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
It may also load itself as a service that is launched when the netsvcs group is loaded by the system file svchost.exe.
It may also load itself as a fake service by registering itself under the following key:
HKLM\SYSTEM\CurrentControlSet\Services
It may use a display name that is created by combining two of the following strings:
Boot
Center
Config
Driver
Helper
Image
Installer
Manager
Microsoft
Monitor
Network
Security
Server
Shell
Support
System
Task
Time
Universal
Update
Windows
It may also combine random characters to create the display name.
Spreads Via...
Network Shares with Weak Passwords
Worm:Win32/Conficker.gen!B attempts to infect machines within the network.
It first attempts to drop a copy of itself in a target machine's ADMIN$ share using the credentials of the currently logged-on user.
If this method is unsuccessful, for example, the current user does not have the necessary rights, then it instead obtains a list of user accounts on the target machine. It then attempts to connect to the target machine using each user name and the following weak passwords:
123
1234
12345
123456
1234567
12345678
123456789
1234567890
123123
12321
123321
123abc
123qwe
123asd
1234abcd
1234qwer
1q2w3e
a1b2c3
admin
Admin
administrator
nimda
qwewq
qweewq
qwerty
qweasd
asdsa
asddsa
asdzxc
asdfgh
qweasdzxc
q1w2e3
qazwsx
qazwsxedc
zxcxz
zxccxz
zxcvb
zxcvbn
passwd
password
Password
login
Login
pass
mypass
mypassword
adminadmin
root
rootroot
test
testtest
temp
temptemp
foofoo
foobar
default
password1
password12
password123
admin1
admin12
admin123
pass1
pass12
pass123
root123
pw123
abc123
qwe123
test123
temp123
mypc123
home123
work123
boss123
love123
sample
example
internet
Internet
nopass
nopassword
nothing
ihavenopass
temporary
manager
business
oracle
lotus
database
backup
owner
computer
server
secret
super
share
superuser
supervisor
office
shadow
system
public
secure
security
desktop
changeme
codename
codeword
nobody
cluster
customer
exchange
explorer
campus
money
access
domain
letmein
letitbe
anything
unknown
monitor
windows
files
academia
account
student
freedom
forever
cookie
coffee
market
private
games
killer
controller
intranet
work
home
job
foo
web
file
sql
aaa
aaaa
aaaaa
qqq
qqqq
qqqqq
xxx
xxxx
xxxxx
zzz
zzzz
zzzzz
fuck
12
21
321
4321
54321
654321
7654321
87654321
987654321
0987654321
0
00
000
0000
00000
00000
0000000
00000000
1
11
111
1111
11111
111111
1111111
11111111
2
22
222
2222
22222
222222
2222222
22222222
3
33
333
3333
33333
333333
3333333
33333333
4
44
444
4444
44444
444444
4444444
44444444
5
55
555
5555
55555
555555
5555555
55555555
6
66
666
6666
66666
666666
6666666
66666666
7
77
777
7777
77777
777777
7777777
77777777
8
88
888
8888
88888
888888
8888888
88888888
9
99
999
9999
99999
999999
9999999
99999999
If Win32/Conficker.gen!B successfully accesses the target machine, for example, if a combination of any of the obtained user names and one of the above passwords allows write privileges to the machine, then it copies itself to an accessible admin share as ADMIN$\System32\<random letters>.dll.
Creates Remote Scheduled Job
After compromising a machine remotely, Win32/Conficker.gen!B creates a remote schedule job with the command “rundll32.exe <malware file name>.dll,<malware parameters>" to activate the copy, as shown in the images below:
Mapped and Removable Drives
Worm:Win32/Conficker.gen!B may drop a copy of itself in all mapped and removable drives using a random file name. The worm creates a folder in the root of these drives named 'RECYCLER' (in Windows XP and previous versions, the folder "RECYCLER" references the "Recycle Bin"). Next, the worm copies itself as the following:
<drive:>\RECYCLER\S-%d-%d-%d-%d%d%d-%d%d%d-%d%d%d-%d\<random letters>.dll
Where %d is a randomly chosen letter. The worm also drops a corresponding autorun.inf file, which enables the worm copy to execute if the drive is accessed and Autoplay is enabled. This autorun.inf file is detected as Worm:Win32/Conficker.B!inf.
The image below illustrates how a user could potentially launch the worm when accessing an infected share:
Note that the language in the first option suggests the user could 'open folder to view files' however the option is under 'Install or run program', an indication that opening the folder will actually execute an application. Another hint that the action is to execute the worm is the text 'Publisher not specified'. The highlighted choice under 'General options' in the image above would allow a user to view the share and not execute the worm copy.
MS08-067 HTTP 'call back'
Worm:Win32/Conficker.gen!B spreads to systems that are not yet patched against a vulnerability in the Windows Server service (
SVCHOST.EXE). If the vulnerability is successfully exploited, the worm instructs the target computer to download a copy of the worm from the host computer via HTTP protocol using the random port between 1024 and 10000 opened by the worm. The vulnerability is documented in
Microsoft Security Bulletin MS08-067.
Payload
Patches NETAPI32.DLL in Memory
Win32/Conficker patches 'NETAPI32.DLL' in memory to prevent re-infection and further exploitation of the vulnerability addressed by Microsoft Security Bulletin
MS08-067.
Modifies System Settings
Worm:Win32/Conficker.gen!B changes system settings so that the user cannot view hidden files. It does this by modifying the following registry entry:
Adds value: "CheckedValue"
With data: "0"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL
It also modifies the system's TCP settings to allow a large number of simultaneous connections, where 0x00FFFFFE is hexadecimal and equals 16,777,214 decimal value:
Adds value: "TcpNumConnections"
With data: "0x00FFFFFE"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
The worm drops a temp file to aid restarting the TCP/IP service for the modification to take effect. The dropped file is detected as Trojan:WinNT/Conficker.B.
Disables TCP/IP Tuning
Win32/Conficker.gen!B disables Windows Vista TCP/IP auto-tuning by executing the following command:
netsh interface tcp set global autotuning=disabled
Terminates and Disables Services
This worm terminates several important system services, such as the following:
Windows Security Center Service (wscsvc) – notifies users of security settings (e.g. Windows update, Firewall and AntiVirus)
Windows Update Auto Update Service (wuauserv)
Background Intelligence Transfer Service (BITS) – used by Windows Update to download updates using idle network bandwidth
Windows Defender (WinDefend)
Error Reporting Service (ersvc) – sends error reports to Microsoft to help improve user experience
Windows Error Reporting Service (wersvc)
Win32/Conficker.gen!B deletes the registry key for Windows Defender, disabling it from running when the system starts.
Deletes value: "Windows Defender"
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Blocks Access to Security Web Sites
Win32/Conficker disables any process that has a module name containing any of the following strings from sending network traffic or data (note that most of these strings are related to antivirus and security software, thus effectively disabling the products from acquiring signature updates, and possibly preventing users from accessing websites with these strings in the URL):
virus
spyware
malware
rootkit
defender
microsoft
symantec
norton
mcafee
trendmicro
sophos
panda
etrust
networkassociates
computerassociates
f-secure
kaspersky
jotti
f-prot
nod32
eset
grisoft
drweb
centralcommand
ahnlab
esafe
avast
avira
quickheal
comodo
clamav
ewido
fortinet
gdata
hacksoft
hauri
ikarus
k7computing
norman
pctools
prevx
rising
securecomputing
sunbelt
emsisoft
arcabit
cpsecure
spamhaus
castlecops
threatexpert
wilderssecurity
windowsupdate
The worm also hooks DNSAPI.DLL to prevent accessing security Web sites.
Resets System Restore Point
Win32/Conficker.gen!B may reset the computer's system restore point, potentially defeating recovery using System Restore.
Checks for Internet Connectivity
Win32/Conficker.gen!B checks if the system has an Internet connection by attempting to connect to the following websites:
aol.com
cnn.com
ebay.com
msn.com
myspace.com
Downloads Arbitrary Files
Depending on the system date, Win32/Conficker.gen!B may build a URL to download files starting on January 1, 2009. The generated URL has a domain name that is based on the current system date. It uses one of the following top level domains:
.cc
.cn
.ws
.com
.net
.org
.info
.biz
For example, 'aaovt.com' or 'aasmlhzbpqe.com'.
The generated domain name is first converted to the dot notation, for example, 'aaovt.com' may be converted to '192.168.16.0'. This generated IP address is then used for the URL, according to the following pattern:
http://<pseudo-random generated IP>/search?q=%d
Some examples of the constructed URLs are as follows:
aaovt.com
aasmlhzbpqe.com
addgv.com
ajsxarj.org
apwzjq.ws
aradfkyqv.org
arztiwbeh.cc
baixumxhmks.ws
bfwtjrto.org
bfwvzxd.info
bmaeqlhulq.cc
byiiureq.cn
cbizghsq.cc
cbkenfa.org
ciabjhmosz.cc
cruutiitz.com
ctnlczp.org
ctohyudfbm.cn
dcopyoojw.com
djdgnrbacwt.ws
dmwemynbrmz.org
dofmrfqvis.cn
doxkknuq.org
dozjritemv.info
dyjsialozl.ws
eaieijqcqlv.org
eewxsvtkyn.net
eidqdorgmbr.net
eiqzepxacyb.cn
ejdmzbzzaos.biz
ejmxd.com
ejzrcqqw.net
ekusgwp.cc
eprhdsudnnh.biz
evmwgi.ws
falru.net
fctkztzhyr.org
fdkjan.net
fhfntt.org
fhspuip.biz
fjpzgrf.net
fkzdr.cn
ftjggny.com
fuimrawg.info
ghdokt.cn
glbmkbmdax.biz
gmhkdp.org
gocpopuklm.org
grwemw.biz
gtzaick.cc
gxzlgsoa.info
gypqfjho.info
hduyjkrouop.info
hfgxlzjbfka.biz
hkgzoi.com
hliteqmjyb.net
hmdtv.ws
hoyolhmnzbs.net
hprfux.cc
hqbttlqr.org
hueminaii.org
hvogkfiq.info
ifylodtv.ws
iivsjpfumd.ws
ilksbuv.cn
imuez.biz
izxvu.biz
jaumgubte.biz
jhbeiiizlfk.cn
jrdzx.cc
jshkqnnkeao.biz
judhei.com
jxfiysai.cc
jzoowlbehqn.info
karhhse.com
kbyjkjkbb.info
kjsxokxg.org
krudjhvk.org
kuiwtbfa.org
lauowjef.cn
lhirjymcod.net
liugwg.net
lksvlouw.ws
llgkuclk.info
lnpsesbcm.cn
lssvxqkqfmf.org
lygskbx.cc
mafwkeat.cn
mgqrrsxhnj.com
mhklpsbuh.cc
mknuzwq.cc
mqjkzbov.net
myfhc.com
navjrj.org
nbpykcdsoms.com
ncbeaucjxd.org
npfxmztnaw.cn
nuiptipwjj.cc
nvpmfnlsh.ws
oagwongs.ws
odvsz.net
okkpuzqck.ws
oqolfrjq.cn
orduhippw.cn
orpngykld.com
orxfq.ws
othobnrx.org
otnqqaclsgx.info
otukeesevg.biz
pbfhhhvzkp.cc
pbpigz.cn
pcnpxbg.cc
pdfrbmxh.biz
pfdthjxs.cc
phaems.cc
phetxwmjqsj.cc
pmanbkyshj.ws
pnjlx.cc
ppzwqcdc.cc
psabcdq.cc
ptdlwsi.cn
pvowgkgjmu.biz
pwsjbdkdewv.info
qbuic.com
qdteltj.org
qeotxrp.com
qfeqsagbjs.biz
qfhqgciz.org
qfogch.com
qijztpxaxk.cn
qlqrgqordj.ws
qpiivu.cn
qpuowsw.cc
qqbbg.cc
qrrzna.net
qvrgznvvwz.ws
qwdervbq.org
qwnydyb.cc
qzbpqbhzmp.com
rkfdx.org
rpphv.org
rskvraofl.info
ryruatsot.biz
sdkhznqj.info
sezpo.org
sfozmwybm.com
skwmyjq.org
solmpem.com
sqmsrvnjits.cc
stlgegbye.net
syryb.org
tdwrkv.ws
tfpazwas.cc
tigeseo.org
tjyhrcfxuc.cn
tkbyxr.ws
tlmncy.cn
tmlwmvv.ws
tnerivsvs.net
tomxoa.org
trpkeyqapp.net
tyjtkayz.com
uazlwwiv.org
ucgqvyjgpk.cn
uixvflbyoyi.biz
ujawdcoqgs.org
upxva.net
uuvjh.biz
uzugvbnvs.cn
vgmkhtux.ws
vjllpcucnp.cn
vkgxgxto.com
vwiualt.com
waxggypgu.org
wccckyfrtf.net
wfdnvlrcb.org
whjworuc.com
wmiwxt.biz
wohms.biz
wqqfbutswyf.info
wsdlzmpbwhj.net
xiclytmeger.cc
xkjdzqbxg.cn
xldbmaztfu.biz
xlwcv.cn
xqbovbdzjz.info
xwbubjmhinr.info
yfpdcquil.info
yfybk.ws
yhrpqjhp.biz
yoblqeruib.org
yoyze.cc
yshpve.cc
ysrixiwyd.com
ytfvksowgul.org
ywsrtetv.org
yzymygez.biz
zcwjkxynr.com
zfgufbxi.net
zkimm.info
zmoeuxuh.ws
zokxy.net
zqrsbqzhh.cc
zttykt.info
zutykstmrxq.ws
It checks the system date if it is January 1, 2009 or later. It also checks the following websites for the date, presumably for verification:
baidu.com
google.com
yahoo.com
msn.com
ask.com
w3.org
Additional Information
The name of this threat was derived by selecting fragments of the domain 'trafficconverter.biz', a string found in Worm:Win32/Conficker.A:
(fic)(con)(er) => (con)(fic)(+k)(er) => conficker
Analysis by Jireh Sanico
