Follow:

 

Worm:Win32/Conficker.C


Microsoft security software detects and removes this threat.

This worm spreads by infecting computers on your network, removable drives (such as USB flash drives), and weak passwords.

It disables important system services and security products, such as antimalware or antivirus software.



What to do now

You should:

To detect and remove this threat and other malicious software that may be installed in your computer, run a full-system scan with an up-to-date antivirus product such as the following:

If your computer is infected by Conficker, it might not be unable to connect to websites related to security applications and services that can help remove it (for example, downloading antivirus updates may fail). In this case you will need to use an uninfected computer to download any appropriate updates or tools and then transfer these to the infected computer.

Microsoft Help and Support has provided a detailed guide to removing a Conficker infection from an affected computer, either manually or by using the Malicious Software Removal Tool (MSRT).

For detailed instructions on how to manually remove Conficker, view the following article using an uninfected computer:

More information about deploying MSRT in an enterprise environment can be found in the following article:

Threat behavior

Win32/Conficker.C is a worm that infects other computers across a network by exploiting a vulnerability in the Windows Server service (svchost.exe). If the vulnerability is successfully exploited, it could allow remote code execution when file sharing is enabled. It may also spread via removable drives and weak administrator passwords. It disables several important system services and security products.
Installation
Win32/Conficker.C attempts to copy itself in the Windows system folder as a hidden DLL file using a random name. If the attempt fails, it may then attempt to copy itself into the following folders:

It creates the following registry entry to ensure that it is run whenever you start your computer:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<random string>"
With data: "rundll32.exe<system folder>\<malware file name>.dll,<malware parameters>"

It may also load itself as a service that is launched when the netsvcs group is loaded by the system file svchost.exe.

It may also load itself as a fake service by registering itself under the registry key HKLM\SYSTEM\CurrentControlSet\Services.

It may use a display name that is created by combining two of the following strings:

  • Boot
  • Center
  • Config
  • Driver
  • Helper
  • Image
  • Installer
  • Manager
  • Microsoft
  • Monitor
  • Network
  • Security
  • Server
  • Shell
  • Support
  • System
  • Task
  • Time
  • Universal
  • Update
  • Windows

It may also combine random characters to create the display name.

The worm patches NETAPI32.DLL in memory to prevent re-infection and further exploitation of the vulnerability addressed by Microsoft Security Bulletin MS08-067.
Spreads via...

Network shares with weak passwords

Worm:Win32/Conficker.C attempts to infect machines within the network.

It first attempts to drop a copy of itself in a computer's ADMIN$ share using the credentials of the currently logged-on user.

If this method is unsuccessful, for example, the current user does not have the necessary rights, it instead obtains a list of user accounts on the target machine. It then attempts to connect to the target machine using each user name and the following weak passwords:

  • 00000000
  • 0000000
  • 00000
  • 0000
  • 000
  • 00
  • 0987654321
  • 0
  • 11111111
  • 1111111
  • 111111
  • 11111
  • 1111
  • 111
  • 11
  • 123123
  • 12321
  • 123321
  • 1234567890
  • 123456789
  • 12345678
  • 1234567
  • 123456
  • 12345
  • 1234
  • 1234abcd
  • 1234qwer
  • 123
  • 123abc
  • 123asd
  • 123qwe
  • 12
  • 1
  • 1q2w3e
  • 21
  • 22222222
  • 2222222
  • 222222
  • 22222
  • 2222
  • 222
  • 22
  • 2
  • 321
  • 33333333
  • 3333333
  • 333333
  • 33333
  • 3333
  • 333
  • 33
  • 3
  • 4321
  • 44444444
  • 4444444
  • 444444
  • 44444
  • 4444
  • 444
  • 44
  • 4
  • 54321
  • 55555555
  • 5555555
  • 555555
  • 55555
  • 5555
  • 555
  • 55
  • 5
  • 654321
  • 66666666
  • 6666666
  • 666666
  • 66666
  • 6666
  • 666
  • 66
  • 6
  • 7654321
  • 77777777
  • 7777777
  • 777777
  • 77777
  • 7777
  • 777
  • 77
  • 7
  • 87654321
  • 88888888
  • 8888888
  • 888888
  • 88888
  • 8888
  • 888
  • 88
  • 8
  • 987654321
  • 99999999
  • 9999999
  • 999999
  • 99999
  • 9999
  • 999
  • 99
  • 9
  • a1b2c3
  • aaa
  • aaaa
  • aaaaa
  • abc123
  • academia
  • access
  • account
  • admin123
  • admin12
  • admin1
  • Admin
  • adminadmin
  • administrator
  • anything
  • asddsa
  • asdfgh
  • asdsa
  • asdzxc
  • backup
  • boss123
  • business
  • campus
  • changeme
  • cluster
  • codename
  • codeword
  • coffee
  • computer
  • controller
  • cookie
  • customer
  • database
  • default
  • desktop
  • domain
  • example
  • exchange
  • explorer
  • file
  • files
  • foo
  • foobar
  • foofoo
  • forever
  • freedom
  • fuck
  • games
  • home123
  • home
  • ihavenopass
  • Internet
  • intranet
  • job
  • killer
  • letitbe
  • letmein
  • Login
  • lotus
  • love123
  • manager
  • market
  • money
  • monitor
  • mypass
  • mypassword
  • mypc123
  • nimda
  • nobody
  • nopass
  • nopassword
  • nothing
  • office
  • oracle
  • owner
  • pass123
  • pass12
  • pass1
  • pass
  • passwd
  • password123
  • password12
  • password1
  • Password
  • private
  • public
  • pw123
  • q1w2e3
  • qazwsx
  • qazwsxedc
  • qqq
  • qqqq
  • qqqqq
  • qwe123
  • qweasd
  • qweasdzxc
  • qweewq
  • qwerty
  • qwewq
  • root123
  • root
  • rootroot
  • sample
  • secret
  • secure
  • security
  • server
  • shadow
  • share
  • sql
  • student
  • super
  • superuser
  • supervisor
  • system
  • temp123
  • temp
  • temporary
  • temptemp
  • test123
  • test
  • testtest
  • unknown
  • web
  • windows
  • work123
  • work
  • xxx
  • xxxx
  • xxxxx
  • zxccxz
  • zxcvb
  • zxcvbn
  • zxcxz
  • zzz
  • zzzz
  • zzzzz

If Win32/Conficker.C successfully accesses the target machine, for example, if a combination of any of the user names and one of the above passwords allows write privileges to the machine, it copies itself to an accessible admin share as ADMIN$\System32\<random letters>.dll.

Remote scheduled job

After remotely infecting a computer, Win32/Conficker.C creates a remotely scheduled job with the command“rundll32.exe <malware file name>.dll,<malware parameters>" to activate the copy, as shown in the images below:

Mapped and Removable Drives

Worm:Win32/Conficker.C may drop a copy of itself in all mapped and removable drives using a random file name. The worm creates a folder in the root of these drives named "RECYCLER" (in Windows XP and previous versions, the folder "RECYCLER" references the "Recycle Bin"). Next, the worm copies itself as the following:

<drive:>\RECYCLER\S-%d-%d-%d-%d%d%d-%d%d%d-%d%d%d-%d\<random letters>.dll

Where %d is a randomly chosen letter. The worm also drops a corresponding autorun.inf file, which enables the worm copy to execute if the drive is accessed and Autoplay is enabled. This autorun.inf file is detected as Worm:Win32/Conficker.B!inf.

The image below illustrates how a user could potentially launch the worm when accessing an infected share:

Note that the language in the first option suggests the user could "Open folder to view files" however the option is under "Install or run program", an indication that opening the folder will actually run an application. Another hint that the action is to run the worm is the text "Publisher not specified". The highlighted choice under "General options" in the image above would allow a user to view the share and not run the worm.

MS08-067 HTTP call back

Worm:Win32/Conficker.C spreads to systems that are not yet patched against a vulnerability in the Windows Server service (svchost.exe). If the vulnerability is successfully exploited, the worm instructs the target computer to download a copy of the worm from the host computer via HTTP using the random port between 1024 and 10000 opened by the worm. The vulnerability is documented in Microsoft Security Bulletin MS08-067.

Payload

Downloads and runs files

Win32/Conficker.C checks for a specific pattern in incoming shellcode (to identify if the origin is valid) and a URL to download an updated payload from. The payload only runs if it is successfully validated by the malware.

For non-Windows 2000 machines, the worm downloads the file and runs it if it passes authentication.

Win32/Conficker.C creates a named pipe with the following name on Windows 2000:

\\.\pipe\System_<computer name>7

The worm creates a thread that continuously accepts URLs from the pipe to download, authenticate, and run files.

Modifies system settings

Win32/Conficker.C changes system settings so you cannot view hidden files. It does this by modifying the following registry entry:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL
Sets value: "CheckedValue"
With data: "0"

It also modifies your computer's TCP settings to allow a large number of simultaneous connections:

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Sets value: "TcpNumConnections"
With data: "0x00FFFFFE"

The worm drops a temporary file to aid restarting the TCP/IP service for the modification to take effect. The dropped file is detected as Trojan:WinNT/Conficker.B.

Disables TCP/IP tuning, ends and disables services

Win32/Conficker.C disables Windows Vista TCP/IP auto-tuning by running the following command:

netsh interface tcp set global autotuning=disabled

This worm ends several important system services, such as the following:

  • Windows Security Center Service (wscsvc) – notifies users of security settings (for example, Windows update, Firewall and antivirus)
  • Windows Update Auto Update Service (wuauserv)
  • Background Intelligence Transfer Service (BITS) – used by Windows Update to download updates using idle network bandwidth
  • Windows Defender (WinDefend)
  • Error Reporting Service (ersvc) – sends error reports to Microsoft to help improve user experience
  • Windows Error Reporting Service (wersvc)

Win32/Conficker.C deletes the registry key for Windows Defender, disabling it from running when the system starts.

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Deletes value: "Windows Defender"

It also disables any process that has a module name containing any of the following strings from sending network traffic or data (it does this possibly to prevent updates to antivirus software to prevent you from accessing security-related websites):

  • ahnlab
  • arcabit
  • avast
  • avira
  • castlecops
  • centralcommand
  • clamav
  • comodo
  • computerassociates
  • cpsecure
  • defender
  • drweb
  • emsisoft
  • esafe
  • eset
  • etrust
  • ewido
  • f-prot
  • f-secure
  • fortinet
  • gdata
  • grisoft
  • hacksoft
  • hauri
  • ikarus
  • jotti
  • k7computing
  • kaspersky
  • malware
  • mcafee
  • microsoft
  • networkassociates
  • nod32
  • norman
  • norton
  • panda
  • pctools
  • prevx
  • quickheal
  • rising
  • rootkit
  • securecomputing
  • sophos
  • spamhaus
  • spyware
  • sunbelt
  • symantec
  • threatexpert
  • trendmicro
  • virus
  • wilderssecurity
  • windowsupdate

Resets system restore point

Win32/Conficker.C may reset your computer's system restore point, possibly in an attempt to preveng you from using System Restore.

Checks for Internet connectivity

Win32/Conficker.C checks if the system has an Internet connection by attempting to connect to the following websites:

  • aol.com
  • cnn.com
  • ebay.com
  • msn.com
  • myspace.com

Downloads arbitrary files

Depending on the system date, Win32/Conficker.C may build a URL to download files starting on January 1, 2009. The generated URL has a domain name that is based on the current system date. It uses one of the following top level domains:

  • .cc
  • .cn
  • .ws
  • .com
  • .net
  • .org
  • .info
  • .biz

For example, aaovt.com or aasmlhzbpqe.com.

It also checks the following websites for the date, presumably for verification:

  • baidu.com
  • google.com
  • yahoo.com
  • msn.com
  • ask.com
  • w3.org

The generated domain name is first converted to octets (dot notation). For example, aaovt.com may be converted to 192.168.16.0. This generated IP address is then used for the URL with the following pattern:

http://<pseudo-random generated IP>/search?q=%d

Some examples of the constructed URLs are:

  • aaovt.com
  • aasmlhzbpqe.com
  • addgv.com
  • ajsxarj.org
  • apwzjq.ws
  • aradfkyqv.org
  • arztiwbeh.cc
  • baixumxhmks.ws
  • bfwtjrto.org
  • bfwvzxd.info
  • bmaeqlhulq.cc
  • byiiureq.cn
  • cbizghsq.cc
  • cbkenfa.org
  • ciabjhmosz.cc
  • cruutiitz.com
  • ctnlczp.org
  • ctohyudfbm.cn
  • dcopyoojw.com
  • djdgnrbacwt.ws
  • dmwemynbrmz.org
  • dofmrfqvis.cn
  • doxkknuq.org
  • dozjritemv.info
  • dyjsialozl.ws
  • eaieijqcqlv.org
  • eewxsvtkyn.net
  • eidqdorgmbr.net
  • eiqzepxacyb.cn
  • ejdmzbzzaos.biz
  • ejmxd.com
  • ejzrcqqw.net
  • ekusgwp.cc
  • eprhdsudnnh.biz
  • evmwgi.ws
  • falru.net
  • fctkztzhyr.org
  • fdkjan.net
  • fhfntt.org
  • fhspuip.biz
  • fjpzgrf.net
  • fkzdr.cn
  • ftjggny.com
  • fuimrawg.info
  • ghdokt.cn
  • glbmkbmdax.biz
  • gmhkdp.org
  • gocpopuklm.org
  • grwemw.biz
  • gtzaick.cc
  • gxzlgsoa.info
  • gypqfjho.info
  • hduyjkrouop.info
  • hfgxlzjbfka.biz
  • hkgzoi.com
  • hliteqmjyb.net
  • hmdtv.ws
  • hoyolhmnzbs.net
  • hprfux.cc
  • hqbttlqr.org
  • hueminaii.org
  • hvogkfiq.info
  • ifylodtv.ws
  • iivsjpfumd.ws
  • ilksbuv.cn
  • imuez.biz
  • izxvu.biz
  • jaumgubte.biz
  • jhbeiiizlfk.cn
  • jrdzx.cc
  • jshkqnnkeao.biz
  • judhei.com
  • jxfiysai.cc
  • jzoowlbehqn.info
  • karhhse.com
  • kbyjkjkbb.info
  • kjsxokxg.org
  • krudjhvk.org
  • kuiwtbfa.org
  • lauowjef.cn
  • lhirjymcod.net
  • liugwg.net
  • lksvlouw.ws
  • llgkuclk.info
  • lnpsesbcm.cn
  • lssvxqkqfmf.org
  • lygskbx.cc
  • mafwkeat.cn
  • mgqrrsxhnj.com
  • mhklpsbuh.cc
  • mknuzwq.cc
  • mqjkzbov.net
  • myfhc.com
  • navjrj.org
  • nbpykcdsoms.com
  • ncbeaucjxd.org
  • npfxmztnaw.cn
  • nuiptipwjj.cc
  • nvpmfnlsh.ws
  • oagwongs.ws
  • odvsz.net
  • okkpuzqck.ws
  • oqolfrjq.cn
  • orduhippw.cn
  • orpngykld.com
  • orxfq.ws
  • othobnrx.org
  • otnqqaclsgx.info
  • otukeesevg.biz
  • pbfhhhvzkp.cc
  • pbpigz.cn
  • pcnpxbg.cc
  • pdfrbmxh.biz
  • pfdthjxs.cc
  • phaems.cc
  • phetxwmjqsj.cc
  • pmanbkyshj.ws
  • pnjlx.cc
  • ppzwqcdc.cc
  • psabcdq.cc
  • ptdlwsi.cn
  • pvowgkgjmu.biz
  • pwsjbdkdewv.info
  • qbuic.com
  • qdteltj.org
  • qeotxrp.com
  • qfeqsagbjs.biz
  • qfhqgciz.org
  • qfogch.com
  • qijztpxaxk.cn
  • qlqrgqordj.ws
  • qpiivu.cn
  • qpuowsw.cc
  • qqbbg.cc
  • qrrzna.net
  • qvrgznvvwz.ws
  • qwdervbq.org
  • qwnydyb.cc
  • qzbpqbhzmp.com
  • rkfdx.org
  • rpphv.org
  • rskvraofl.info
  • ryruatsot.biz
  • sdkhznqj.info
  • sezpo.org
  • sfozmwybm.com
  • skwmyjq.org
  • solmpem.com
  • sqmsrvnjits.cc
  • stlgegbye.net
  • syryb.org
  • tdwrkv.ws
  • tfpazwas.cc
  • tigeseo.org
  • tjyhrcfxuc.cn
  • tkbyxr.ws
  • tlmncy.cn
  • tmlwmvv.ws
  • tnerivsvs.net
  • tomxoa.org
  • trpkeyqapp.net
  • tyjtkayz.com
  • uazlwwiv.org
  • ucgqvyjgpk.cn
  • uixvflbyoyi.biz
  • ujawdcoqgs.org
  • upxva.net
  • uuvjh.biz
  • uzugvbnvs.cn
  • vgmkhtux.ws
  • vjllpcucnp.cn
  • vkgxgxto.com
  • vwiualt.com
  • waxggypgu.org
  • wccckyfrtf.net
  • wfdnvlrcb.org
  • whjworuc.com
  • wmiwxt.biz
  • wohms.biz
  • wqqfbutswyf.info
  • wsdlzmpbwhj.net
  • xiclytmeger.cc
  • xkjdzqbxg.cn
  • xldbmaztfu.biz
  • xlwcv.cn
  • xqbovbdzjz.info
  • xwbubjmhinr.info
  • yfpdcquil.info
  • yfybk.ws
  • yhrpqjhp.biz
  • yoblqeruib.org
  • yoyze.cc
  • yshpve.cc
  • ysrixiwyd.com
  • ytfvksowgul.org
  • ywsrtetv.org
  • yzymygez.biz
  • zcwjkxynr.com
  • zfgufbxi.net
  • zkimm.info
  • zmoeuxuh.ws
  • zokxy.net
  • zqrsbqzhh.cc
  • zttykt.info
  • zutykstmrxq.ws
Analysis by Jireh Sanico

Symptoms

System Changes

The following system changes may indicate the presence of this malware:

  • The following services are disabled or fail to run:
    • Windows Update Service
    • Background Intelligent Transfer Service
    • Windows Defender
    • Windows Error Reporting Services
  • Some accounts may be locked out due to the following registry modification, which may flood the network with connections:
     
    In subkey: HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    Sets value: "TcpNumConnections
    With data: "0x00FFFFFE"
     
  • You may not be able to connect to websites or online services that contain the following strings:
    • virus
    • spyware
    • malware
    • rootkit
    • defender
    • microsoft
    • symantec
    • norton
    • mcafee
    • trendmicro
    • sophos
    • panda
    • etrust
    • networkassociates
    • computerassociates
    • f-secure
    • kaspersky
    • jotti
    • f-prot
    • nod32
    • eset
    • grisoft
    • drweb
    • centralcommand
    • ahnlab
    • esafe
    • avast
    • avira
    • quickheal
    • comodo
    • clamav
    • ewido
    • fortinet
    • gdata
    • hacksoft
    • hauri
    • ikarus
    • k7computing
    • norman
    • pctools
    • prevx
    • rising
    • securecomputing
    • sunbelt
    • emsisoft
    • arcabit
    • cpsecure
    • spamhaus
    • castlecops
    • threatexpert
    • wilderssecurity
    • windowsupdate

Prevention


Alert level: Severe
First detected by definition: 1.51.859.0
Latest detected by definition: 1.175.904.0 and higher
First detected on: Feb 21, 2009
This entry was first published on: Feb 21, 2009
This entry was updated on: Oct 08, 2013

This threat is also detected as:
  • TA08-297A (other)
  • CVE-2008-4250 (other)
  • VU827267 (other)
  • Conficker B++ (other)