For a detailed overview of the Conficker threat family, see the description for Win32/Conficker.
Installation
Worm:Win32/Conficker.gen!E attempts to copy itself to the Windows system folder as a hidden DLL file using a random name. If the attempt fails, it may then attempt to copy itself with the same parameters in the following folders:
It creates the following registry entry to ensure that it runs each time you start Windows:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<random string>"
With data: "rundll32.exe <system folder>\<malware file name>.dll,<malware parameters>"
It may also load itself as a service that is launched when the netsvcs group is loaded by the system file svchost.exe to ensure that it runs each time you start your computer.
Worm:Win32/Conficker.gen!E may also load itself as a fake service by registering itself under the following key:
HKLM\SYSTEM\CurrentControlSet\Services
It may use a display name that is created by combining two of the following strings:
- Boot
- Center
- Config
- Driver
- Helper
- Image
- Installer
- Manager
- Microsoft
- Monitor
- Network
- Security
- Server
- Shell
- Support
- System
- Task
- Time
- Universal
- Update
- Windows
It may also combine random characters to create the display name.
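As an added illustration (not part of the original analysis), the following Python snippet enumerates every display name the two-fragment scheme above can produce and flags services in a constructed registry export whose display name matches. The service names and image paths in the sample are made up.

```python
from itertools import product

# The 21 fragments the analysis lists for fake service display names.
CONFICKER_NAME_PARTS = [
    "Boot", "Center", "Config", "Driver", "Helper", "Image", "Installer",
    "Manager", "Microsoft", "Monitor", "Network", "Security", "Server",
    "Shell", "Support", "System", "Task", "Time", "Universal", "Update",
    "Windows",
]

# Every ordered pairing of two fragments joined without a space, a fragment
# paired with itself included: 21 * 21 = 441 candidate display names.
SUSPICIOUS_DISPLAY_NAMES = frozenset(
    a + b for a, b in product(CONFICKER_NAME_PARTS, repeat=2)
)


def is_conficker_style_name(display_name: str) -> bool:
    """True if the display name is exactly two fragments run together.
    Genuine Microsoft services use spaces ("Security Center"), so they do
    not match; the worm's purely random names are not covered here."""
    return display_name in SUSPICIOUS_DISPLAY_NAMES


def flag_services(services):
    """services: (service_name, display_name, image_path) tuples, e.g. taken
    from an export of HKLM\\SYSTEM\\CurrentControlSet\\Services.
    Returns the service names whose display name follows the worm's scheme."""
    return [name for name, display, _image in services
            if is_conficker_style_name(display)]


# Constructed sample export (hypothetical service names and paths, not
# indicators from a real infection). Entries 2 and 4 mimic the scheme.
SAMPLE_SERVICES = [
    ("wuauserv", "Automatic Updates", r"C:\WINDOWS\system32\svchost.exe -k netsvcs"),
    ("gkfwqz", "SecurityHelper", r"C:\WINDOWS\system32\svchost.exe -k netsvcs"),
    ("wscsvc", "Security Center", r"C:\WINDOWS\system32\svchost.exe -k netsvcs"),
    ("lsdhxa", "WindowsUpdate", r"C:\WINDOWS\system32\svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    print(flag_services(SAMPLE_SERVICES))  # ['gkfwqz', 'lsdhxa']
```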
Spreads via...
Network shares with weak passwords
Worm:Win32/Conficker.gen!E attempts to infect computers within the network.
It first attempts to drop a copy of itself in a target computer's ADMIN share using the credentials of the currently logged-on user.
If this method is unsuccessful, for example, if the current user does not have the necessary rights, then instead the worm obtains a list of user accounts on the target computer. It then attempts to connect to the target computer using each user name and the following weak passwords:
0 00 000 0000 00000 00000 0000000 00000000 0987654321 1 11 111 1111 11111 111111 1111111 11111111 12 123 123123 12321 123321 1234 12345 123456 1234567 12345678 123456789 1234567890 1234abcd 1234qwer 123abc 123asd 123qwe 1q2w3e 2 21 22 222 2222 22222 222222 2222222 22222222 3 321 33 333 3333 33333 333333 3333333 33333333 4 4321 44 444 4444 44444 444444 4444444 44444444 5 54321 55 555 5555 55555 555555 5555555 55555555 6 654321 66 666 6666 66666 666666 6666666 66666666 7 7654321 77
777 7777 77777 777777 7777777 77777777 8 87654321 88 888 8888 88888 888888 8888888 88888888 9 987654321 99 999 9999 99999 999999 9999999 99999999 a1b2c3 aaa aaaa aaaaa abc123 academia access account admin Admin admin1 admin12 admin123 adminadmin administrator anything asddsa asdfgh asdsa asdzxc backup boss123 business campus changeme cluster codename codeword coffee computer controller cookie customer database default desktop domain example exchange explorer file files foo foobar foofoo forever freedom fuck games home home123 ihavenopass internet Internet intranet job killer letitbe
letmein login Login lotus love123 manager market money monitor mypass mypassword mypc123 nimda nobody nopass nopassword nothing office oracle owner pass pass1 pass12 pass123 passwd Password password password1 password12 password123 private public pw123 q1w2e3 qazwsx qazwsxedc qqq qqqq qqqqq qwe123 qweasd qweasdzxc qweewq qwerty qwewq root root123 rootroot sample secret secure security server shadow share sql student super superuser supervisor system temp temp123 temporary temptemp test test123 testtest unknown web windows work work123 xxx xxxx xxxxx zxccxz zxcvb zxcvbn zxcxz zzz zzzz zzzzz
If Win32/Conficker.gen!E successfully accesses the target computer, for example, if a combination of any of the obtained user names and one of the above passwords allows write privileges to the machine, then it copies itself to an accessible admin share as ADMIN$\System32\<random letters>.dll.
Creates remote scheduled job
After compromising a computer remotely, Win32/Conficker.gen!E creates a remote scheduled job with the command "rundll32.exe <malware file name>.dll,<malware parameters>" to activate the copy, as shown in the images below.
Mapped and removable drives
Worm:Win32/Conficker.gen!E may drop a copy of itself on all mapped and removable drives using a random file name. The worm creates a folder named 'RECYCLER' in the root of these drives (on Windows XP and earlier, the 'RECYCLER' folder is the Recycle Bin). Next, the worm copies itself as the following:
<drive:>\RECYCLER\S-%d-%d-%d-%d%d%d-%d%d%d-%d%d%d-%d\<random letters>.dll
Where %d is a randomly chosen letter. The worm also drops a corresponding autorun.inf file, which causes the worm copy to execute when the drive is accessed and Autorun is enabled. This autorun.inf file is detected as Worm:Win32/Conficker.B!inf.
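As an added example (not from the original analysis), this Python snippet turns the drop path above into a check that can be run over a directory listing of a removable drive and reports whether the drive root also carries the autorun.inf. The regular expression follows the page's template literally, and the sample paths are constructed.

```python
import re

# The copy path given in the analysis, taken literally: one character in each
# of the first three and the last SID-like groups, three in each middle group.
# \w accepts a digit or a letter, so it covers the page's description of %d
# either way. Real Recycle Bin folders (S-1-5-21-<long numbers>-500) do not fit.
CONFICKER_DROP_RE = re.compile(
    r"^[A-Za-z]:\\RECYCLER\\S-\w-\w-\w-\w{3}-\w{3}-\w{3}-\w\\[A-Za-z]+\.dll$",
    re.IGNORECASE,
)
AUTORUN_ROOT_RE = re.compile(r"^[A-Za-z]:\\autorun\.inf$", re.IGNORECASE)


def find_drop_points(paths):
    """paths: full paths enumerated from mapped or removable drives.
    Returns (dll_path, autorun_in_root) pairs for every path that matches
    the worm's drop location; autorun_in_root tells whether that drive
    also carries the autorun.inf the analysis says is dropped beside it."""
    roots_with_autorun = {p[:2].upper() for p in paths if AUTORUN_ROOT_RE.match(p)}
    return [(p, p[:2].upper() in roots_with_autorun)
            for p in paths if CONFICKER_DROP_RE.match(p)]


# Constructed directory listing (hypothetical names, not real indicators).
SAMPLE_PATHS = [
    r"E:\autorun.inf",
    r"E:\RECYCLER\S-5-3-4-281-824-879-3\jwgkvsq.dll",
    r"E:\RECYCLER\S-1-5-21-1234567890-123456789-1234567890-500\INFO2",
    r"E:\photos\holiday.jpg",
    r"F:\RECYCLER\S-1-5-21-1234567890-123456789-1234567890-500\INFO2",
    r"F:\RECYCLER\S-7-2-9-104-553-610-8\abc.dll",
]

if __name__ == "__main__":
    for dll, autorun in find_drop_points(SAMPLE_PATHS):
        print(dll, "autorun.inf present" if autorun else "no autorun.inf")
```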
The image below shows an infected folder that could potentially launch the worm when an infected share is accessed:
Note that the wording of the first option suggests the user could 'open folder to view files'; however, that option sits under 'Install or run program', an indication that choosing it will actually execute an application. Another hint that the action would execute the worm is the text 'Publisher not specified'. The highlighted choice under 'General options' in the image above lets a user view the share without executing the worm copy.
MS08-067 HTTP 'call back'
Worm:Win32/Conficker.gen!E spreads to computers that are not yet patched against a vulnerability in the Windows Server service (SVCHOST.EXE). If the vulnerability is successfully exploited, the worm instructs the target computer to download a copy of the worm from the host computer over HTTP, using a random port between 1024 and 10000 that the worm opens. The vulnerability is documented in Microsoft Security Bulletin MS08-067.
Payload
Modifies system files
Win32/Conficker modifies the file 'NETAPI32.DLL' in memory to prevent re-infection and further exploitation of the vulnerability addressed by Microsoft Security Bulletin MS08-067.
Modifies system settings
Worm:Win32/Conficker.gen!E changes your computer's settings so that you cannot view hidden files. It does this by modifying the following registry entry:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL
Sets value: "CheckedValue"
With data: "0"
It also modifies your computer's TCP settings to allow a large number of simultaneous connections (0x00FFFFFE in hexadecimal, 16,777,214 in decimal):
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Sets value: "TcpNumConnections"
With data: "0x00FFFFFE"
The worm drops a .TMP file to aid restarting the TCP/IP service for the modification to take effect. The dropped file is detected as Trojan:WinNT/Conficker.B.
Disables TCP/IP Tuning
Win32/Conficker.gen!E disables TCP/IP auto-tuning on Windows Vista, which may make it easier for the malware to open a channel on your computer, by running the following command:
netsh interface tcp set global auto-tuning=disabled
Stops services
This worm stops several important system services, such as the following:
- Windows Security Center Service (wscsvc) – this notifies you of your security settings (for example, Windows Update, Firewall and antivirus settings)
- Windows Update Auto Update Service (wuauserv)
- Background Intelligent Transfer Service (BITS) – used by Windows Update to download updates using idle network bandwidth
- Windows Defender (WinDefend)
- Error Reporting Service (ersvc) – sends error reports to Microsoft to help improve user experience
- Windows Error Reporting Service (wersvc)
Win32/Conficker.gen!E deletes the following registry key for Windows Defender, disabling it from running when the computer starts:
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Deletes value: "Windows Defender"
Blocks access to security websites
Win32/Conficker prevents any process whose module name contains one of the following strings from sending network traffic or data. Most of these strings belong to antivirus and security software, so the affected products are effectively stopped from fetching signature updates, and users may also be prevented from accessing websites that contain these strings in the URL:
- ahnlab
- arcabit
- avast
- avira
- castlecops
- centralcommand
- clamav
- comodo
- computerassociates
- cpsecure
- defender
- drweb
- emsisoft
- esafe
- eset
- etrust
- ewido
- f-prot
- f-secure
- fortinet
- gdata
- grisoft
- hacksoft
- hauri
- ikarus
- jotti
- k7computing
- kaspersky
- malware
- mcafee
- microsoft
- networkassociates
- nod32
- norman
- norton
- panda
- pctools
- prevx
- quickheal
- rising
- rootkit
- securecomputing
- sophos
- spamhaus
- spyware
- sunbelt
- symantec
- threatexpert
- trendmicro
- virus
- wilderssecurity
- windowsupdate
The worm also hooks DNSAPI.DLL to prevent access to security-related websites.
Resets system restore point
Win32/Conficker.gen!E may reset the computer's system restore point, potentially preventing recovery using System Restore.
Checks for Internet connectivity
Win32/Conficker.gen!E checks whether the computer is connected to the Internet by attempting to connect to the following websites:
- aol.com
- cnn.com
- ebay.com
- msn.com
- myspace.com
Downloads arbitrary files
Depending on the date set on your computer, Win32/Conficker.gen!E may build a URL to download files, starting on January 1, 2009. The generated URL has a domain name that is based on the current computer date. It uses one of the following top-level domains:
- .biz
- .cc
- .cn
- .com
- .info
- .net
- .org
- .ws
The generated domain name, for example 'aaovt.com', is first resolved to an IP address such as '192.168.16.0'. That IP address is then used to build the URL, according to the following pattern:
http://<pseudo-random generated IP>/search?q=%d
Some examples of the constructed URLs are as follows:
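As an added example (not from the original analysis), the Python snippet below looks for the URL shape given above, a raw IP address followed by /search?q=<number>, in proxy access log lines. The log format is assumed to be Squid's native format, and the log lines, client addresses and hosts are constructed.

```python
import re
from ipaddress import ip_address

# Request shape from the analysis: http://<IP address>/search?q=<number>.
# The host must be a dotted-quad literal (optional port), and q= digits only.
CONFICKER_URL_RE = re.compile(
    r"^http://(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d{1,5})?/search\?q=\d+$"
)

# Squid native access log: <ts> <elapsed> <client> <code/status> <bytes> <method> <url> ...
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)


def is_conficker_search_url(url: str) -> bool:
    """True when the URL matches the worm's pattern and the host is a valid
    IPv4 literal (octets such as 999 are rejected)."""
    m = CONFICKER_URL_RE.match(url)
    if not m:
        return False
    try:
        ip_address(m.group("ip"))
    except ValueError:
        return False
    return True


def scan_proxy_log(lines):
    """Returns (client, url) for each request that follows the pattern.
    An ordinary search against a domain name does not match: the host must
    be a raw IP, which is what makes the worm's request stand out."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_conficker_search_url(m.group("url")):
            hits.append((m.group("client"), m.group("url")))
    return hits


# Constructed log lines (clients, hosts and timestamps are made up).
SAMPLE_LOG = [
    "1230768001.123 45 10.0.0.12 TCP_MISS/200 1520 GET http://192.168.16.0/search?q=5 - DIRECT/192.168.16.0 text/html",
    "1230768002.456 12 10.0.0.12 TCP_MISS/200 812 GET http://www.google.com/search?q=5 - DIRECT/203.0.113.1 text/html",
    "1230768003.789 30 10.0.0.15 TCP_MISS/200 600 GET http://203.0.113.7/search?q=12345 - DIRECT/203.0.113.7 text/html",
    "1230768004.000 30 10.0.0.15 TCP_MISS/404 600 GET http://203.0.113.7/index.html - DIRECT/203.0.113.7 text/html",
]

if __name__ == "__main__":
    for client, url in scan_proxy_log(SAMPLE_LOG):
        print(client, url)
```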
It checks your computer's date to see if it is January 1, 2009 or later, and also checks the following websites for the date, presumably for verification; if it determines that the date is later than January 1, 2009, the malware downloads arbitrary files:
- baidu.com
- google.com
- msn.com
- w3.org
- yahoo.com
Additional information
The name of this threat was derived by selecting fragments of the domain 'trafficconverter.biz', a string found in Worm:Win32/Conficker.A:
(fic)(con)(er) => (con)(fic)(+k)(er) => conficker
Analysis by Tim Liu & Jireh Sanico