
Trojan:WinNT/Conficker.B


Trojan:WinNT/Conficker.B is a trojan component of Worm:Win32/Conficker that aids in restarting the TCP/IP service.
 
Microsoft strongly recommends that users apply the update referred to in  Security Bulletin MS08-067 immediately.
 
Microsoft also recommends that users ensure that their network passwords are strong to prevent this worm from spreading via weak administrator passwords. More information is available here.
 
Microsoft also recommends that users apply an update that changes the AutoPlay functionality in Windows to prevent this worm from spreading via USB drives. More information is available in the Microsoft Knowledgebase Article KB971029.


What to do now

To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as Microsoft Security Essentials, or the Microsoft Safety Scanner. For more information about using antivirus software, see http://www.microsoft.com/security/antivirus/av.aspx.
 
Computers infected by this worm may be unable to connect to Web sites that provide scan and removal support, security product updates or general support. From a non-infected computer, users should view the following two articles provided in Microsoft Help and Support to assist in removal of Win32/Conficker:
 
http://support.microsoft.com/kb/962007 - Virus alert for Win32/Conficker.B and manual removal instructions
http://support.microsoft.com/kb/891716 - Deployment of MSRT in an enterprise environment

Threat behavior

Installation
This trojan component is dropped by Worm:Win32/Conficker, a fast-spreading worm that infects other computers across a network by exploiting a vulnerability in the Windows Server service (hosted in SVCHOST.EXE). Successful exploitation allows remote code execution when file sharing is enabled. The worm may also spread via removable drives and weak administrator passwords, and it disables several important system services and security products.
 
Worm:Win32/Conficker modifies the system's TCP settings to allow a very large number of simultaneous connections (the data 0x00FFFFFE is hexadecimal and equals 16,777,214 in decimal):
 
Adds value: "TcpNumConnections"
With data: "0x00FFFFFE"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
 
The worm drops a temp file to aid restarting the TCP/IP service for the modification to take effect. The dropped file is detected as Trojan:WinNT/Conficker.B.
Additional Information
For more information about Worm:Win32/Conficker, please see our description elsewhere in the encyclopedia.
 
Analysis by Shali Hsieh

Symptoms

System Changes
Presence of WinNT/Conficker is a good indication that the computer is infected with Worm:Win32/Conficker. The following system changes may indicate the presence of this malware:
  • The following services are disabled or fail to run:
      • Windows Update Service
      • Background Intelligent Transfer Service
      • Windows Defender
      • Windows Error Reporting Services
  • Some accounts may be locked out due to the following registry modification, which may flood the network with connections:
      HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
      "TcpNumConnections" = "0x00FFFFFE"
  • Users may not be able to connect to websites or online services whose names contain the following strings:
      • virus
      • spyware
      • malware
      • rootkit
      • defender
      • microsoft
      • symantec
      • norton
      • mcafee
      • trendmicro
      • sophos
      • panda
      • etrust
      • networkassociates
      • computerassociates
      • f-secure
      • kaspersky
      • jotti
      • f-prot
      • nod32
      • eset
      • grisoft
      • drweb
      • centralcommand
      • ahnlab
      • esafe
      • avast
      • avira
      • quickheal
      • comodo
      • clamav
      • ewido
      • fortinet
      • gdata
      • hacksoft
      • hauri
      • ikarus
      • k7computing
      • norman
      • pctools
      • prevx
      • rising
      • securecomputing
      • sunbelt
      • emsisoft
      • arcabit
      • cpsecure
      • spamhaus
      • castlecops
      • threatexpert
      • wilderssecurity
      • windowsupdate
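The following triage script is an added example, not part of this encyclopedia entry or Microsoft's tooling. It checks a host for the symptoms listed above and in the Threat behavior section: the TcpNumConnections registry value the worm writes, the four services it disables, and whether update/security hostnames still resolve. It assumes PowerShell 5.1 or later (for the StartType property) and the service short names wuauserv, BITS, WinDefend and WerSvc, which are the usual names for the services listed but are an assumption here.

```powershell
# Added triage check for the Conficker symptoms described in this entry.
# Assumes an elevated PowerShell 5.1+ session on the host being examined.
$tcpKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
# Assumed short names: Windows Update, BITS, Windows Defender, Windows Error Reporting
$services = 'wuauserv', 'BITS', 'WinDefend', 'WerSvc'
# Hostnames containing two of the strings the worm blocks ("windowsupdate", "microsoft")
$probes   = 'www.windowsupdate.com', 'www.microsoft.com'

$findings = @()

# 1. The worm sets TcpNumConnections to 0x00FFFFFE (16,777,214)
$tcp = Get-ItemProperty -Path $tcpKey -Name TcpNumConnections -ErrorAction SilentlyContinue
if ($tcp -and $tcp.TcpNumConnections -eq 0x00FFFFFE) {
    $findings += ('TcpNumConnections = 0x{0:X8} under {1}' -f $tcp.TcpNumConnections, $tcpKey)
}

# 2. Services the worm disables: not running or start type set to Disabled
foreach ($name in $services) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { $findings += "Service $name not present on this host"; continue }
    if ($svc.Status -ne 'Running' -or $svc.StartType -eq 'Disabled') {
        $findings += "Service $name is $($svc.Status) (StartType: $($svc.StartType))"
    }
}

# 3. Name resolution for blocked hostnames; a failure matches the connectivity symptom.
#    This is a heuristic: an unrelated DNS outage produces the same result.
foreach ($probe in $probes) {
    try   { [System.Net.Dns]::GetHostAddresses($probe) | Out-Null }
    catch { $findings += "Cannot resolve ${probe}: $($_.Exception.Message)" }
}

if ($findings.Count -eq 0) {
    'None of the Conficker symptoms from this entry were observed.'
} else {
    'Possible Conficker symptoms observed:'
    $findings | ForEach-Object { " - $_" }
}
```

Any finding here is a reason to run the full-system scan and follow the KB962007 removal steps referenced in "What to do now", since the script only reports symptoms and changes nothing on the host.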

Prevention


Alert level: Severe
First detected by definition: 1.49.1183.0
Latest detected by definition: 1.59.982.0 and higher
First detected on: Dec 30, 2008
This entry was first published on: Feb 26, 2009
This entry was updated on: Apr 17, 2011

This threat is also detected as:
No known aliases