ClickBank Money

Conficker worm info and Conficker removal instructions

Written by CB Money   
Friday, 03 April 2009 20:33

Conficker worm info, description and Conficker removal instructions. The latest Conficker is known to generate 50,000 domain names using its own generator algorithm.



Conficker info

Conficker, also known as Downup, Downadup and Kido, is a computer worm targeting the Microsoft Windows operating system that was first detected in October 2008. An early variant of the worm propagated through the Internet by exploiting a vulnerability in the network stack of Windows 2000, Windows XP, Windows Vista, Windows Server 2003, Windows Server 2008, Windows 7 Beta, and Windows Server 2008 R2 Beta that was discovered earlier that month. The worm has been unusually difficult for network operators and law enforcement to counter because of its combined use of advanced malware techniques.

Conficker aliases

Worm:Win32/Conficker.A (Microsoft)
Crypt.AVL (AVG)
Mal/Conficker-A (Sophos)
Trojan.Win32.Pakes.lxf (F-Secure)
Trojan.Win32.Pakes.lxf (Kaspersky)
W32.Downadup (Symantec)
Worm:Win32/Conficker.B (Microsoft)
WORM_DOWNAD.A (Trend Micro)


How to remove Conficker worm

Several Win32 Conficker removal tools are now available, but because the Conficker worm also spreads through portable storage devices such as USB drives, disabling your PC's autorun feature for external media is recommended. Here is how to remove Conficker with a Conficker remover.

Conficker Removal Tool


Conficker characteristics and removal instructions

The risk assessment of this threat has been updated to Low-Profiled due to media attention at

A new variant of W32/Conficker.worm has been seen spreading. It copies itself to the following paths:

    * %Sysdir%\[Random].dll
    * %Program Files%\Internet Explorer\[Random].dll
    * %Program Files%\Movie Maker\[Random].dll
    * %Program Files%\Windows Media Player\[Random].dll
    * %Program Files%\Windows NT\[Random].dll

Conficker disables the following services:

    * WerSvc
    * ERSvc
    * BITS
    * wuauserv
    * WinDefend
    * wscsvc

It hooks the following functions in dnsapi.dll:

    * Query_Main
    * DnsQuery_W
    * DnsQuery_UTF8
    * DnsQuery_A

It hooks the following functions in ws2_32.dll:

    * sendto

The worm deletes the following registry key to disable restarting in safe mode:

    * HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot

It deletes the following registry keys:

    * HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjects\{FD6905CE-952F-41F1-9A6F-135D9C6622CC}
    * HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender

Conficker terminates any process whose name contains one of the following strings:

    * wireshark
    * unlocker
    * tcpview
    * sysclean
    * scct_
    * regmon
    * procmon
    * procexp
    * ms08-06
    * mrtstub
    * mrt.
    * mbsa.
    * klwk
    * kido
    * kb958
    * kb890
    * hotfix
    * gmer
    * filemon
    * downad
    * confick
    * avenger
    * autoruns

To block users' access to security-related sites, it prevents network access to any domain whose name contains one of the following strings:

    * windowsupdate
    * wilderssecurity
    * virus
    * virscan
    * trojan
    * trendmicro
    * threatexpert
    * threat
    * technet
    * symantec
    * sunbelt
    * spyware
    * spamhaus
    * sophos
    * secureworks
    * securecomputing
    * safety.live
    * rootkit
    * rising
    * removal
    * quickheal
    * ptsecurity
    * prevx
    * pctools
    * panda
    * onecare
    * norton
    * norman
    * nod32
    * networkassociates
    * mtc.sri
    * msmvps
    * msftncsi
    * mirage
    * microsoft
    * mcafee
    * malware
    * kaspersky
    * k7computing
    * jotti
    * ikarus
    * hauri
    * hacksoft
    * hackerwatch
    * grisoft
    * gdata
    * freeav
    * free-av
    * fortinet
    * f-secure
    * f-prot
    * ewido
    * etrust
    * eset
    * esafe
    * emsisoft
    * dslreports
    * drweb
    * defender
    * cyber-ta
    * cpsecure
    * conficker
    * computerassociates
    * comodo
    * clamav
    * centralcommand
    * ccollomb
    * castlecops
    * bothunter
    * avira
    * avgate
    * avast
    * arcabit
    * antivir
    * anti-
    * ahnlab
    * agnitum

The latest Conficker is known to generate 50,000 domain names using its own generator algorithm.

One of the following suffixes is appended to each generated domain name. It uses 116 different suffixes; for example:

    * com.ve
    * com.uy
    * com.ua
    * com.tw
    * com.tt
    * com.tr
    * com.sv
    * com.py
    * com.pt
    * com.pr
    * com.pe
    * com.pa
    * com.ni
    * com.ng
    * com.mx
    * com.mt
    * com.lc
    * com.ki
    * com.jm
    * com.hn
    * com.gt
    * com.gl
    * com.gh
    * com.fj
    * com.do
    * com.co
    * com.bs
    * com.br
    * com.bo
    * com.ar
    * com.ai
    * com.ag
    * co.za
    * co.vi
    * co.uk
    * co.ug
    * co.nz
    * co.kr
    * co.ke
    * co.il
    * co.id
    * co.cr

----------------

When executed, the worm copies itself using a random name to the %Sysdir% folder.

(Where %Sysdir% is the Windows system folder; e.g. C:\Windows\System32)

It modifies the following registry keys to create a randomly named service on the affected system:

    * HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random}\Parameters\"ServiceDll" = "Path to worm"
    * HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random}\"ImagePath" = %SystemRoot%\system32\svchost.exe -k netsvcs
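The registry keys above, together with the drop paths listed earlier on this page, give a concrete hunt: a service hosted by svchost.exe -k netsvcs whose ServiceDll sits in one of those directories and is not part of the machine's baseline. The Python below is an added example, not code from the original post; it parses a constructed reg-export-style text (values written as plain strings) and the known_good baseline set is assumed to come from a clean reference build.

```python
import re
from collections import defaultdict

# Drop directories listed in the write-up above (%Program Files% expanded).
SUSPECT_DIRS = {r"c:\windows\system32", r"c:\program files\internet explorer",
                r"c:\program files\movie maker", r"c:\program files\windows media player",
                r"c:\program files\windows nt"}

# Constructed sample in `reg export` style. Values are written as plain strings;
# a real export stores REG_EXPAND_SZ as hex(2):... and would need decoding first.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS]
"ImagePath"="%SystemRoot%\\system32\\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Parameters]
"ServiceDll"="%SystemRoot%\\system32\\qmgr.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xkqpwd]
"ImagePath"="%SystemRoot%\\system32\\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xkqpwd\Parameters]
"ServiceDll"="C:\\Program Files\\Movie Maker\\jfhdyt.dll"
"""

_KEY = re.compile(r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"
                  r"([^\\\]]+)(\\Parameters)?\]$", re.I)
_VAL = re.compile(r'^"(ImagePath|ServiceDll)"="(.*)"$', re.I)

def _norm(path):
    # .reg exports escape backslashes; unescape, lowercase, expand %SystemRoot%.
    return path.replace("\\\\", "\\").lower().replace("%systemroot%", r"c:\windows")

def find_suspect_services(reg_text, known_good):
    """(service, dll) pairs for 'svchost.exe -k netsvcs' services whose ServiceDll
    sits in a drop directory but is not in known_good (DLL names from a clean build)."""
    services, current = defaultdict(dict), None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):            # new key: a service or its Parameters subkey?
            m = _KEY.match(line)
            current = m.group(1).lower() if m else None
            continue
        m = _VAL.match(line)
        if m and current:
            services[current][m.group(1).lower()] = _norm(m.group(2))
    hits = []
    for name, vals in services.items():
        if "svchost.exe -k netsvcs" not in vals.get("imagepath", ""):
            continue
        dll = vals.get("servicedll", "")
        directory, _, filename = dll.rpartition("\\")
        if directory in SUSPECT_DIRS and filename not in known_good:
            hits.append((name, dll))
    return hits
```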

It attempts to connect to one or more of the following websites to obtain the public IP address of the affected computer:

    * hxxp://www.getmyip.org
    * hxxp://getmyip.co.uk
    * hxxp://checkip.dyndns.org
    * hxxp://whatsmyipaddress.com

It attempts to download a malware file from the following remote website (the rogue Russian site is still up but no longer serves the file):

    * hxxp://trafficconverter.biz/[Removed]antispyware/[Removed].exe

It starts an HTTP server on a random port on the infected machine to host a copy of the worm.

It continuously scans the subnet of the infected host for vulnerable machines and executes the exploit. If the exploit succeeds, the remote computer connects back to that HTTP server and downloads a copy of the worm.

Later variants of W32/Conficker.worm use scheduled tasks and an Autorun.inf file to replicate to non-vulnerable systems, or to reinfect previously infected systems after they have been cleaned.

Comments (3)
Dissent
written by Jaylee, August 17, 2010
With the help of http://www.filecatch.com/trends/rs/16-08-2010.html you can search all rapid share files easily
Conficker
written by Lis, May 28, 2009
Thanks for the help!
Conficker
written by Miro, April 04, 2009
Thank you very much for the info.
