is a trojan component of Worm:Win32/Conficker
that aids in restarting the TCP/IP service.
This trojan component is dropped by Worm:Win32/Conficker
, a fast-spreading worm that infects other computers across a network by exploiting a vulnerability in the Windows Server service (SVCHOST.EXE). If the vulnerability is successfully exploited, it could allow remote code execution when file sharing is enabled. It may also spread via removable drives and weak administrator passwords. It disables several important system services and security products.
Worm:Win32/Conficker modifies the system's TCP settings to allow a large number of simultaneous connections, where 0x00FFFFFE is hexadecimal and equals 16,777,214 decimal value:
Adds value: "TcpNumConnections"
With data: "0x00FFFFFE"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
The worm drops a temp file to aid restarting the TCP/IP service for the modification to take effect. The dropped file is detected as Trojan:WinNT/Conficker.B.
For more information about Worm:Win32/Conficker
, please see our description elsewhere in the encyclopedia.
Analysis by Shali Hsieh
Presence of WinNT/Conficker is a good indication that the computer is infected with Worm:Win32/Conficker. The following system changes may indicate the presence of this malware:
The following services are disabled or fail to run:
Windows Update Service
Background Intelligent Transfer Service
Windows Error Reporting Services
Some accounts may be locked out due to the following registry modification, which may flood the network with connections:
"TcpNumConnections" = "0x00FFFFFE"
Users may not be able to connect to websites or online services that contain the following strings: