Win32/Conficker.D is a variant of Win32/Conficker. Conficker.D infects the local computer, terminates services, blocks access to numerous security-related Web sites and downloads arbitrary code. Conficker.D can relay command instructions to other Conficker.D-infected computers via built-in peer-to-peer (P2P) communication. Unlike previous variants, this variant does not spread to removable drives or shared folders across a network. Conficker.D is installed by previous variants of Win32/Conficker.
Installation
Win32/Conficker.D may be installed by other variants of Win32/Conficker into the Windows system folder as a hidden DLL file with a random name. If that attempt fails, it may then attempt to copy itself with the same parameters into the following folders:
%ProgramFiles%\Internet Explorer
%ProgramFiles%\Movie Maker
It creates the following registry entry to ensure that its dropped copy is run every time Windows starts:
Adds value: "<random string>"
With data: "rundll32.exe <system folder>\<malware file name>.dll,<malware parameters>"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Adds value: "<random string>"
With data: "rundll32.exe <system folder>\<malware file name>.dll,<malware parameters>"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
It may also load itself as a service that is launched when the netsvcs group is loaded by the system file svchost.exe, by adding the generated service name to the default list of services found in:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\netsvcs
The service name it uses under the netsvcs group is generated by randomly picking and concatenating an item from List1 and another from List2 below:
List1:
App
Audio
DM
ER
Event
help
Ias
Ir
Lanman
Net
Ntms
Ras
Remote
Sec
SR
Tapi
Trk
W32
win
Wmdm
Wmi
wsc
wuau
xml
List2:
access
agent
auto
logon
man
mgmt
mon
prov
serv
Server
Service
Srv
srv
Svc
svc
System
Time
It may also load itself as a fake service by registering itself under the following key:
HKLM\SYSTEM\CurrentControlSet\Services
It may use a display name that is created by combining any two of the following strings:
Boot
Center
Config
Driver
Helper
Image
Installer
Manager
Microsoft
Monitor
Network
Security
Server
Shell
Support
System
Task
Time
Universal
Update
Windows
It may also combine random characters to create the display name.
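As an added example (not from the Microsoft description), the following Python enumerates every name the List1 + List2 generator can produce and audits a netsvcs value against a baseline; it also counts how many legitimate Windows XP service names fit the same pattern, which is why the name alone is not evidence. Concatenation without a separator, the abbreviated baseline and the sample value are assumptions of this example.

```python
# Strings the description gives for the generated netsvcs service name.
LIST1 = ("App Audio DM ER Event help Ias Ir Lanman Net Ntms Ras Remote Sec SR "
         "Tapi Trk W32 win Wmdm Wmi wsc wuau xml").split()
LIST2 = ("access agent auto logon man mgmt mon prov serv Server Service Srv srv "
         "Svc svc System Time").split()
# Assumed: the two picks are concatenated with no separator. Service names are
# case-insensitive in Windows, so every comparison below is done in lower case.
GENERATED = {(a + b).lower() for a in LIST1 for b in LIST2}

# Abbreviated baseline modelled on the netsvcs group of Windows XP, constructed for
# this example. For a real audit, export the value from a known-clean machine of
# the same build instead of relying on this list.
BASELINE_NETSVCS = [
    "AppMgmt", "AudioSrv", "Browser", "CryptSvc", "DMServer", "EventSystem",
    "helpsvc", "Irmon", "lanmanserver", "Netman", "Nla", "Ntmssvc", "RasAuto",
    "RasMan", "Schedule", "seclogon", "SENS", "SharedAccess", "ShellHWDetection",
    "srservice", "TapiSrv", "Themes", "TrkWks", "W32Time", "winmgmt", "wscsvc",
    "wuauserv", "xmlprov",
]
# Constructed netsvcs value from a hypothetical infected host: the baseline plus a
# worm-style name ("Ias" + "agent") and an unrelated third-party service.
SAMPLE_NETSVCS = BASELINE_NETSVCS + ["Iasagent", "CustomBackupSvc"]

def looks_generated(name):
    """True if name is exactly one List1 item followed by one List2 item."""
    return name.lower() in GENERATED

def baseline_pattern_collisions(baseline=BASELINE_NETSVCS):
    """Legitimate names that also fit the pattern: why name matching alone is weak."""
    return [n for n in baseline if looks_generated(n)]

def audit_netsvcs(netsvcs, baseline=BASELINE_NETSVCS):
    """Flag netsvcs members missing from the baseline and note which fit the pattern.
    Every flagged name still needs its ServiceDll under HKLM\\SYSTEM\\...\\Services
    examined, because the name alone proves nothing either way."""
    known = {n.lower() for n in baseline}
    findings = []
    for name in netsvcs:
        if name.lower() in known:
            continue
        verdict = ("not in baseline, fits List1+List2 pattern" if looks_generated(name)
                   else "not in baseline")
        findings.append((name, verdict))
    return findings

if __name__ == "__main__":
    print(len(baseline_pattern_collisions()), "baseline names also fit the pattern")
    for name, verdict in audit_netsvcs(SAMPLE_NETSVCS):
        print(name + ": " + verdict)
```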
Payload
Terminates Services
This worm terminates several important system services, such as the following:
- Windows Update Auto Update Service (wuauserv)
- Background Intelligent Transfer Service (BITS), used by Windows Update to download updates using idle network bandwidth
- Windows Defender (WinDefend)
- Error Reporting Service (ersvc), which sends error reports to Microsoft to help improve the user experience
- Windows Error Reporting Service (wersvc)
Deletes Registry Values
Win32/Conficker.D deletes registry values for Windows Defender, Windows Security Center (WSC) and the Windows safe mode services list.
- Deleting this value prevents Windows Defender from launching at Windows start:
  Deletes value: "Windows Defender"
  In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
- Deleting this value prevents WSC notifications or alerts from being displayed when the firewall or security programs are disabled (by the worm):
  Deletes value: {FD6905CE-952F-41F1-9A6F-135D9C6622CC}
  In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjects
- Deleting this value removes the list of services that execute if Windows is started in safe mode:
  Deletes value: SafeBoot
  In subkey: HKLM\SYSTEM\CurrentControlSet\Control
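As an added example (not part of the Microsoft description), the following Python checks a .reg export for both registry effects described on this page: Run values that start a DLL with rundll32 from the drop folders named under Installation, and the three values deleted under Deletes Registry Values. The sample export is constructed, and matching the drop folders by folder name is an assumption of this example.

```python
import re
# Constructed .reg export excerpt (not a real machine); random-looking names are placeholders.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"qwxkzt"="rundll32.exe C:\\WINDOWS\\system32\\ffkewq.dll,xnqou"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"rkqmdf"="rundll32.exe C:\\Program Files\\Movie Maker\\pqlrm.dll,bwzd"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjects]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control]
'''
# Values the worm deletes; the Windows Defender one only exists where Defender is installed.
EXPECTED = [
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "Windows Defender"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjects", "{FD6905CE-952F-41F1-9A6F-135D9C6622CC}"),
    (r"HKLM\SYSTEM\CurrentControlSet\Control", "SafeBoot"),
]
RUN_KEYS = [h + r"\software\microsoft\windows\currentversion\run" for h in ("hklm", "hkcu")]
RUNDLL = re.compile(r'^rundll32(?:\.exe)?\s+"?([^",]+?\.dll)"?\s*,', re.I)
# Assumed drop folders: the system folder and the two %ProgramFiles% folders named above.
DROP_DIR = re.compile(r'\\(system32|internet explorer|movie maker)\\[^\\]+\.dll$', re.I)

def parse_reg(text):
    """Parse a .reg export into {lowercased key path: {value name: data}}."""
    keys, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        m = re.match(r'^\[(.+)\]$', line)
        if m:
            cur = m.group(1).replace("HKEY_LOCAL_MACHINE", "HKLM").replace("HKEY_CURRENT_USER", "HKCU").lower()
            keys[cur] = {}
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if m and cur is not None:
            data = m.group(2)
            if data.startswith('"') and data.endswith('"'):  # REG_SZ: strip quotes, unescape \\
                data = data[1:-1].replace('\\\\', '\\')
            keys[cur][m.group(1)] = data
    return keys

def suspicious_run_entries(keys):
    """Run values that start a DLL through rundll32 from one of the drop folders."""
    return [(key, name, m.group(1)) for key in RUN_KEYS
            for name, data in keys.get(key, {}).items()
            if (m := RUNDLL.match(data)) and DROP_DIR.search(m.group(1))]

def missing_values(keys):
    """Expected values (or same-named subkeys) that the export does not contain."""
    return [(key, val) for key, val in EXPECTED
            if val.lower() not in {n.lower() for n in keys.get(key.lower(), {})}
            and key.lower() + "\\" + val.lower() not in keys]
if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    print(suspicious_run_entries(parsed), missing_values(parsed), sep="\n")
```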
Terminates Processes
Win32/Conficker.D polls the process list every second for the following strings and terminates any process whose name contains one of them (entries marked "*" differ between minor revisions; see the Additional Information section):
autoruns - "Autoruns" program
avenger - kernel-mode security program
* bd_rem - "bd_rem_tool_console.exe" & "bd_rem_tool_gui.exe" programs
* cfremo - Enigma Software "cfremover.exe" program
confick - taken from the name 'Conficker'
downad - taken from the name 'Downadup' alias 'Conficker'
filemon - "File Monitor" program
gmer - rootkit detection program
hotfix - security update
kb890 - Microsoft KB article, includes MSRT
kb958 - Microsoft KB article, includes MS08-067
kido - taken from the name 'Kido', another 'Conficker' alias
* kill - utility used to terminate other processes
klwk - Kaspersky program
mbsa. - "Microsoft Baseline Security Analyzer" program
mrt. - "Microsoft Malicious Software Removal Tool" program
mrtstub - "Microsoft Malicious Software Removal Tool" program
ms08-06 - Microsoft Security Update MS08-067
procexp - "Process Explorer" program
procmon - "Process Monitor" program
regmon - "Registry Monitor" program
scct_ - Sophos Conficker Cleanup tool
* stinger - McAfee tool
sysclean - Trend Micro tool
tcpview - tool used to view TCP connection and traffic
unlocker - tool used to unlock locked files or folders
wireshark - network protocol analyzer tool
Blocks Access to Web Sites
Win32/Conficker.D hooks DNSAPI.DLL to prevent access to Web sites whose URL contains any of the following strings (entries marked "*" differ between minor revisions; see the Additional Information section):
* activescan
* adware
agnitum
ahnlab
anti-
antivir
arcabit
* av-sc
avast
avgate
avira
* bdtools
bothunter
castlecops
ccollomb
centralcommand
clamav
comodo
computerassociates
conficker
cpsecure
cyber-ta
defender
downad
drweb
dslreports
emsisoft
esafe
eset
etrust
ewido
f-prot
f-secure
fortinet
free-av
freeav
gdata
grisoft
hackerwatch
hacksoft
hauri
ikarus
jotti
k7computing
kaspersky
kido
malware
mcafee
microsoft
mirage
* mitre.
* ms-mvp
msftncsi
msmvps
mtc.sri
networkassociates
nod32
norman
norton
onecare
panda
pctools
* precisesecurity
prevx
ptsecurity
quickheal
removal
rising
rootkit
safety.live
securecomputing
secureworks
sophos
spamhaus
spyware
sunbelt
symantec
technet
threat
threatexpert
trendmicro
trojan
virscan
virus
wilderssecurity
windowsupdate
Win32/Conficker.D may cause browser time-outs when a user attempts to access Web sites with URLs containing any of the following strings:
avg.
avp.
bit9.
ca.
cert.
gmer.
kav.
llnw.
llnwd.
msdn.
msft.
nai.
sans.
vet.
Downloads Arbitrary Files
Win32/Conficker.D obtains the current date/time from the following Web servers:
baidu.com
google.com
yahoo.com
ask.com
w3.org
facebook.com
imageshack.us
rapidshare.com
Starting on April 1, 2009, Win32/Conficker.D generates 50,000 URLs a day from which it may download files. The worm uses one of the following top-level domains, spanning over 100 different countries, and visits only 500 of the generated URLs within a 24-hour period:
.ac
.ae
.ag
.am
.as
.at
.be
.bo
.bz
.ca
.cd
.ch
.cl
.cn
.co.cr
.co.id
.co.il
.co.ke
.co.kr
.co.nz
.co.ug
.co.uk
.co.vi
.co.za
.com.ag
.com.ai
.com.ar
.com.bo
.com.br
.com.bs
.com.co
.com.do
.com.fj
.com.gh
.com.gl
.com.gt
.com.hn
.com.jm
.com.ki
.com.lc
.com.mt
.com.mx
.com.ng
.com.ni
.com.pa
.com.pe
.com.pr
.com.pt
.com.py
.com.sv
.com.tr
.com.tt
.com.tw
.com.ua
.com.uy
.com.ve
.cx
.cz
.dj
.dk
.dm
.ec
.es
.fm
.fr
.gd
.gr
.gs
.gy
.hk
.hn
.ht
.hu
.ie
.im
.in
.ir
.is
.kn
.kz
.la
.lc
.li
.lu
.lv
.ly
.md
.me
.mn
.ms
.mu
.mw
.my
.nf
.nl
.no
.pe
.pk
.pl
.ps
.ro
.ru
.sc
.sg
.sh
.sk
.su
.tc
.tj
.tl
.tn
.to
.tw
.us
.vc
.vn
The generated domain name is first resolved to an IP address in dotted notation; for example, 'aaovt.com' may resolve to '192.168.16.0'. This IP address is then used in the URL, according to the following pattern:
http://<pseudo-random generated IP>
After a successful download and execution from a generated URL, Win32/Conficker.D lies dormant for four days before resuming URL monitoring.
Connects to Other Infected Computers via P2P Network
Win32/Conficker.D can distribute commands to, and receive commands from, other computers infected with Conficker.D via a built-in peer-to-peer (P2P) network. This mechanism could be used to distribute additional malware to and from infected machines.
To connect to other infected computers, Win32/Conficker.D opens four ports on each available network interface: two TCP and two UDP. The port numbers of the first TCP and UDP ports are calculated from the IP address of the network interface. The second TCP and UDP ports are calculated from the IP address of the interface together with the current week, so the second pair of ports changes weekly. In short, the first pair of ports is constant and remains open week after week, while the second pair changes every week.
When computing the current week, Win32/Conficker.D attempts to determine the time in GMT so that all infected computers change ports at the same time.
Both TCP listening ports behave in an identical fashion, as do both UDP listening ports. These ports are used by an infected computer to communicate with other computers also infected with Win32/Conficker.D.
Additional Information
While investigating this threat, minor revisions of this variant were identified. The differences are subtle and are marked with '*' in this description. Below are example SHA1 and MD5 hashes for known Win32/Conficker.D versions:
Example SHA1 / MD5 of an early Win32/Conficker.D version:
97256A110C2D1910278F057034B5716448DC04E8 / 5E279EF7FCB58F841199E0FF55CDEA8B
Example SHA1 / MD5 of the newer Win32/Conficker.D version:
76B9A3D03A095B7841A0317FE8A6EAF74472E195 / A54C1E15B91DDD22DD70E3AC38EECB15
Analysis by Vincent Tiu, Aaron Putnam, and Jireh Sanico
Take the following steps to help prevent infection on your system:
- Enable a firewall on your computer.
- Get the latest computer updates.
- Use up-to-date antivirus software.
- Use caution when opening attachments and accepting file transfers.
- Use caution when clicking on links to web pages.
- Protect yourself against social engineering attacks.
Enable a firewall on your computer
Use a third-party firewall product or turn on the Microsoft Windows Internet Connection Firewall.
To turn on the Windows Firewall in Windows Vista
- Click Start, and click Control Panel.
- Click Security.
- Click Turn Windows Firewall on or off.
- Select On.
- Click OK.
To turn on the Internet Connection Firewall in Windows XP
- Click Start, and click Control Panel.
- Click Network and Internet Connections. If you do not see Network and Internet Connections, click Switch to Category View.
- Click Change Windows Firewall Settings.
- Select On.
- Click OK.
Get the latest computer updates
Updates help protect your computer from viruses, worms, and other threats as they are discovered. It is important to install updates for all the software that is installed in your computer. These are usually available from vendor websites.
You can use the Automatic Updates feature in Windows to automatically download future Microsoft security updates while your computer is on and connected to the Internet.
To turn on Automatic Updates in Windows Vista
- Click Start, and click Control Panel.
- Click System and Maintenance.
- Click Windows Update.
- Select a setting. Microsoft recommends selecting Install updates automatically and choosing a time that is convenient for you. If you do not choose Automatic, but you choose to be notified when updates are ready, a notification balloon appears when new downloads are available to install. Click the notification balloon to review and install the updates.
To turn on Automatic Updates in Windows XP
- Click Start, and click Control Panel.
- Click System.
- Click Automatic Updates.
- Select a setting. Microsoft recommends selecting Automatic. If you do not choose Automatic, but you choose to be notified when updates are ready, a notification balloon appears when new downloads are available to install. Click the notification balloon to review and install the updates.
Use Strong Administrator Passwords
Microsoft also recommends that users ensure that their network passwords are strong, to prevent this worm from spreading via weak administrator passwords. More information is available here.
Use up-to-date antivirus software
Most antivirus software can detect and prevent infection by known malicious software. To help protect you from infection, you should always run antivirus software that is updated with the latest signature files. Antivirus software is available from several sources. For more information, see http://www.microsoft.com/protect/computer/viruses/vista.mspx.
Use caution when opening attachments and accepting file transfers
Exercise caution with e-mail and attachments received from unknown sources, or received unexpectedly from known sources. Use extreme caution when accepting file transfers from known or unknown sources.
Use caution when clicking on links to web pages
Exercise caution with links to web pages that you receive from unknown sources, especially if the links are to a web page that you are not familiar with or are suspicious of. Malicious software may be installed in your system simply by visiting a web page with harmful content.
Avoid downloading pirated software
Threats may also be bundled with software and files that are available for download on various torrent sites. Downloading "cracked" or "pirated" software from these sites carries not only the risk of being infected with malware, but is also illegal. For more information, please see our article 'The risks of obtaining and using pirated software'.
Protect yourself from social engineering attacks
While attackers may attempt to exploit vulnerabilities in hardware or software in order to compromise a system, they also attempt to exploit vulnerabilities in human behavior in order to do the same. When an attacker attempts to take advantage of human behavior in order to persuade the affected user to perform an action of the attacker's choice, it is known as 'social engineering'. Essentially, social engineering is an attack against the human interface of the targeted system. For more information, please see our article 'What is social engineering?'.
Use Strong Passwords
Attackers may try to gain access to your Windows account by guessing your password. It is therefore important that you use a strong password – one that cannot be easily guessed by an attacker. A strong password is one that has at least 8 characters, and combines letters, numbers, and symbols. For more information, see http://www.microsoft.com/protect/yourself/password/create.mspx.