Worm:Win32/Conficker.B
is a worm that infects other computers across a network by exploiting a vulnerability in the Windows Server service (SVCHOST.EXE). If the vulnerability is successfully exploited, it could allow remote code execution when file sharing is enabled. It may also spread via removable drives and weak administrator passwords. It disables several important system services and security products.
Installation
Worm:Win32/Conficker.B
attempts to copy itself in the Windows system folder as a hidden DLL file using a random name. If the attempt fails, it may then attempt to copy itself with the same parameters in the following folders:
-
%ProgramFiles%\Internet Explorer
-
%ProgramFiles%\Movie Maker
It creates the following registry entry to ensure that its dropped copy is run every time Windows starts:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<random string>"
With data: "rundll32.exe <system folder>\<malware file name>.dll,<malware parameters>"
It may also load itself as a service that is launched when the netsvcs group is loaded by the system file svchost.exe.
It may also load itself as a fake service by registering itself under the following key:
HKLM\SYSTEM\CurrentControlSet\Services
It may use a display name that is created by combining two of the following strings:
-
Boot
-
Center
-
Config
-
Driver
-
Helper
-
Image
-
Installer
-
Manager
-
Microsoft
-
Monitor
-
Network
-
Security
-
Server
-
Shell
-
Support
-
System
-
Task
-
Time
-
Universal
-
Update
-
Windows
It may also combine random characters to create the display name.
Spreads Via...
Network Shares with Weak Passwords
Worm:Win32/Conficker.B
attempts to infect machines within the network.
It first attempts to drop a copy of itself in a target machine's ADMIN$ share using the credentials of the currently logged-on user.
If this method is unsuccessful, for example, the current user does not have the necessary rights, then it instead obtains a list of user accounts on the target machine. It then attempts to connect to the target machine using each user name and the following weak passwords:
-
00000000
-
0000000
-
00000
-
0000
-
000
-
00
-
0987654321
-
0
-
11111111
-
1111111
-
111111
-
11111
-
1111
-
111
-
11
-
123123
-
12321
-
123321
-
1234567890
-
123456789
-
12345678
-
1234567
-
123456
-
12345
-
1234
-
1234abcd
-
1234qwer
-
123
-
123abc
-
123asd
-
123qwe
-
12
-
1
-
1q2w3e
-
21
-
22222222
-
2222222
-
222222
-
22222
-
2222
-
222
-
22
-
2
-
321
-
33333333
-
3333333
-
333333
-
33333
-
3333
-
333
-
33
-
3
-
4321
-
44444444
-
4444444
-
444444
-
44444
-
4444
-
444
-
44
-
4
-
54321
-
55555555
-
5555555
-
555555
-
55555
-
5555
-
555
-
55
-
5
-
654321
-
66666666
-
6666666
-
666666
-
66666
-
6666
-
666
-
66
-
6
-
7654321
-
77777777
-
7777777
-
777777
-
77777
-
7777
-
777
-
77
-
7
-
87654321
-
88888888
-
8888888
-
888888
-
88888
-
8888
-
888
-
88
-
8
-
987654321
-
99999999
-
9999999
-
999999
-
99999
-
9999
-
999
-
99
-
9
-
a1b2c3
-
aaa
-
aaaa
-
aaaaa
-
abc123
-
academia
-
access
-
account
-
admin123
-
admin12
-
admin1
-
Admin
-
adminadmin
-
administrator
-
anything
-
asddsa
-
asdfgh
-
asdsa
-
asdzxc
-
backup
-
boss123
-
business
-
campus
-
changeme
-
cluster
-
codename
-
codeword
-
coffee
-
computer
-
controller
-
cookie
-
customer
-
database
-
default
-
desktop
-
domain
-
example
-
exchange
-
explorer
-
file
-
files
-
foo
-
foobar
-
foofoo
-
forever
-
freedom
-
fuck
-
games
-
home123
-
home
-
ihavenopass
-
Internet
-
intranet
-
job
-
killer
-
letitbe
-
letmein
-
Login
-
lotus
-
love123
-
manager
-
market
-
money
-
monitor
-
mypass
-
mypassword
-
mypc123
-
nimda
-
nobody
-
nopass
-
nopassword
-
nothing
-
office
-
oracle
-
owner
-
pass123
-
pass12
-
pass1
-
pass
-
passwd
-
password123
-
password12
-
password1
-
Password
-
private
-
public
-
pw123
-
q1w2e3
-
qazwsx
-
qazwsxedc
-
qqq
-
qqqq
-
qqqqq
-
qwe123
-
qweasd
-
qweasdzxc
-
qweewq
-
qwerty
-
qwewq
-
root123
-
root
-
rootroot
-
sample
-
secret
-
secure
-
security
-
server
-
shadow
-
share
-
sql
-
student
-
super
-
superuser
-
supervisor
-
system
-
temp123
-
temp
-
temporary
-
temptemp
-
test123
-
test
-
testtest
-
unknown
-
web
-
windows
-
work123
-
work
-
xxx
-
xxxx
-
xxxxx
-
zxccxz
-
zxcvb
-
zxcvbn
-
zxcxz
-
zzz
-
zzzz
-
zzzzz
If Win32/Conficker.B successfully accesses the target machine, for example, if a combination of any of the obtained user names and one of the above passwords allows write privileges to the machine, then it copies itself to an accessible admin share as ADMIN$\System32\<random letters>.dll.
Remote scheduled job
After compromising a machine remotely, Win32/Conficker.B creates a remotely schedule job with the command “rundll32.exe <malware file name>.dll,<malware parameters>" to activate the copy, as shown in the images below:
Mapped and Removable Drives
Worm:Win32/Conficker.B
may drop a copy of itself in all mapped and removable drives using a random file name. The worm creates a folder in the root of these drives named "RECYCLER" (in Windows XP and previous versions, the folder "RECYCLER" references the "Recycle Bin"). Next, the worm copies itself as the following:
<drive:>\RECYCLER\S-%d-%d-%d-%d%d%d-%d%d%d-%d%d%d-%d\<random letters>.dll
Where %d is a randomly chosen letter. The worm also drops a corresponding autorun.inf file, which enables the worm copy to execute if the drive is accessed and Autoplay is enabled. This autorun.inf file is detected as Worm:Win32/Conficker.B!inf.
The image below illustrates how a user could potentially launch the worm when accessing an infected share:
Note that the language in the first option suggests the user could 'Open folder to view files' however the option is under 'Install or run program', an indication that opening the folder will actually execute an application. Another hint that the action is to execute the worm is the text 'Publisher not specified'. The highlighted choice under 'General options' in the image above would allow a user to view the share and not execute the worm copy.
MS08-067 HTTP 'call back'
Worm:Win32/Conficker.B
spreads to systems that are not yet patched against a vulnerability in the Windows Server service (SVCHOST.EXE). If the vulnerability is successfully exploited, the worm instructs the target computer to download a copy of the worm from the host computer via HTTP protocol using the random port between 1024 and 10000 opened by the worm. The vulnerability is documented in Microsoft Security Bulletin MS08-067.
Payload
Modifies system settings
Worm:Win32/Conficker.B
changes system settings so that the user cannot view hidden files. It does this by modifying the following registry entry:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL
Sets value: "CheckedValue"
With data: "0"
It also modifies the system's TCP settings to allow a large number of simultaneous connections, where 0x00FFFFFE is hexadecimal and equals 16,777,214 decimal value:
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Sets value: "TcpNumConnections"
With data: "0x00FFFFFE"
The worm drops a temp file to aid restarting the TCP/IP service for the modification to take effect. The dropped file is detected as Trojan:WinNT/Conficker.B.
Disables TCP/IP tuning, terminates and disables services
Win32/Conficker.B disables Windows Vista TCP/IP auto-tuning by executing the following command:
netsh interface tcp set global autotuning=disabled
This worm terminates several important system services, such as the following:
-
Windows Security Center Service (wscsvc) – notifies users of security settings (for example, Windows update, Firewall and AntiVirus)
-
Windows Update Auto Update Service (wuauserv)
-
Background Intelligence Transfer Service (BITS) – used by Windows Update to download updates using idle network bandwidth
-
Windows Defender (WinDefend)
-
Error Reporting Service (ersvc) – sends error reports to Microsoft to help improve user experience
-
Windows Error Reporting Service (wersvc)
Win32/Conficker.B deletes the registry key for Windows Defender, disabling it from running when the system starts.
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Deletes value: "Windows Defender"
It also disables any process that has a module name containing any of the following strings from sending network traffic or data (note that most of these strings are related to antivirus and security software, thus effectively disabling the products from acquiring signature updates, and possibly preventing users from accessing websites with these strings in the URL):
-
ahnlab
-
arcabit
-
avast
-
avira
-
castlecops
-
centralcommand
-
clamav
-
comodo
-
computerassociates
-
cpsecure
-
defender
-
drweb
-
emsisoft
-
esafe
-
eset
-
etrust
-
ewido
-
f-prot
-
f-secure
-
fortinet
-
gdata
-
grisoft
-
hacksoft
-
hauri
-
ikarus
-
jotti
-
k7computing
-
kaspersky
-
malware
-
mcafee
-
microsoft
-
networkassociates
-
nod32
-
norman
-
norton
-
panda
-
pctools
-
prevx
-
quickheal
-
rising
-
rootkit
-
securecomputing
-
sophos
-
spamhaus
-
spyware
-
sunbelt
-
symantec
-
threatexpert
-
trendmicro
-
virus
-
wilderssecurity
-
windowsupdate
Resets system restore point
Win32/Conficker.B may reset the computer's system restore point, potentially defeating recovery using System Restore.
Checks for Internet connectivity
Win32/Conficker.B checks if the system has an Internet connection by attempting to connect to the following websites:
-
aol.com
-
cnn.com
-
ebay.com
-
msn.com
-
myspace.com
Downloads arbitrary files
Depending on the system date, Win32/Conficker.B may build a URL to download files starting on January 1, 2009. The generated URL has a domain name that is based on the current system date. It uses one of the following top level domains:
-
.cc
-
.cn
-
.ws
-
.com
-
.net
-
.org
-
.info
-
.biz
For example, 'aaovt.com' or 'aasmlhzbpqe.com'.
The generated domain name is first converted to the dot notation, for example, 'aaovt.com' may be converted to '192.168.16.0'. This generated IP address is then used for the URL, according to the following pattern:
http://<pseudo-random
generated IP>/search?q=%d
Some examples of the constructed URLs are as follows:
-
aaovt.com
-
aasmlhzbpqe.com
-
addgv.com
-
ajsxarj.org
-
apwzjq.ws
-
aradfkyqv.org
-
arztiwbeh.cc
-
baixumxhmks.ws
-
bfwtjrto.org
-
bfwvzxd.info
-
bmaeqlhulq.cc
-
byiiureq.cn
-
cbizghsq.cc
-
cbkenfa.org
-
ciabjhmosz.cc
-
cruutiitz.com
-
ctnlczp.org
-
ctohyudfbm.cn
-
dcopyoojw.com
-
djdgnrbacwt.ws
-
dmwemynbrmz.org
-
dofmrfqvis.cn
-
doxkknuq.org
-
dozjritemv.info
-
dyjsialozl.ws
-
eaieijqcqlv.org
-
eewxsvtkyn.net
-
eidqdorgmbr.net
-
eiqzepxacyb.cn
-
ejdmzbzzaos.biz
-
ejmxd.com
-
ejzrcqqw.net
-
ekusgwp.cc
-
eprhdsudnnh.biz
-
evmwgi.ws
-
falru.net
-
fctkztzhyr.org
-
fdkjan.net
-
fhfntt.org
-
fhspuip.biz
-
fjpzgrf.net
-
fkzdr.cn
-
ftjggny.com
-
fuimrawg.info
-
ghdokt.cn
-
glbmkbmdax.biz
-
gmhkdp.org
-
gocpopuklm.org
-
grwemw.biz
-
gtzaick.cc
-
gxzlgsoa.info
-
gypqfjho.info
-
hduyjkrouop.info
-
hfgxlzjbfka.biz
-
hkgzoi.com
-
hliteqmjyb.net
-
hmdtv.ws
-
hoyolhmnzbs.net
-
hprfux.cc
-
hqbttlqr.org
-
hueminaii.org
-
hvogkfiq.info
-
ifylodtv.ws
-
iivsjpfumd.ws
-
ilksbuv.cn
-
imuez.biz
-
izxvu.biz
-
jaumgubte.biz
-
jhbeiiizlfk.cn
-
jrdzx.cc
-
jshkqnnkeao.biz
-
judhei.com
-
jxfiysai.cc
-
jzoowlbehqn.info
-
karhhse.com
-
kbyjkjkbb.info
-
kjsxokxg.org
-
krudjhvk.org
-
kuiwtbfa.org
-
lauowjef.cn
-
lhirjymcod.net
-
liugwg.net
-
lksvlouw.ws
-
llgkuclk.info
-
lnpsesbcm.cn
-
lssvxqkqfmf.org
-
lygskbx.cc
-
mafwkeat.cn
-
mgqrrsxhnj.com
-
mhklpsbuh.cc
-
mknuzwq.cc
-
mqjkzbov.net
-
myfhc.com
-
navjrj.org
-
nbpykcdsoms.com
-
ncbeaucjxd.org
-
npfxmztnaw.cn
-
nuiptipwjj.cc
-
nvpmfnlsh.ws
-
oagwongs.ws
-
odvsz.net
-
okkpuzqck.ws
-
oqolfrjq.cn
-
orduhippw.cn
-
orpngykld.com
-
orxfq.ws
-
othobnrx.org
-
otnqqaclsgx.info
-
otukeesevg.biz
-
pbfhhhvzkp.cc
-
pbpigz.cn
-
pcnpxbg.cc
-
pdfrbmxh.biz
-
pfdthjxs.cc
-
phaems.cc
-
phetxwmjqsj.cc
-
pmanbkyshj.ws
-
pnjlx.cc
-
ppzwqcdc.cc
-
psabcdq.cc
-
ptdlwsi.cn
-
pvowgkgjmu.biz
-
pwsjbdkdewv.info
-
qbuic.com
-
qdteltj.org
-
qeotxrp.com
-
qfeqsagbjs.biz
-
qfhqgciz.org
-
qfogch.com
-
qijztpxaxk.cn
-
qlqrgqordj.ws
-
qpiivu.cn
-
qpuowsw.cc
-
qqbbg.cc
-
qrrzna.net
-
qvrgznvvwz.ws
-
qwdervbq.org
-
qwnydyb.cc
-
qzbpqbhzmp.com
-
rkfdx.org
-
rpphv.org
-
rskvraofl.info
-
ryruatsot.biz
-
sdkhznqj.info
-
sezpo.org
-
sfozmwybm.com
-
skwmyjq.org
-
solmpem.com
-
sqmsrvnjits.cc
-
stlgegbye.net
-
syryb.org
-
tdwrkv.ws
-
tfpazwas.cc
-
tigeseo.org
-
tjyhrcfxuc.cn
-
tkbyxr.ws
-
tlmncy.cn
-
tmlwmvv.ws
-
tnerivsvs.net
-
tomxoa.org
-
trpkeyqapp.net
-
tyjtkayz.com
-
uazlwwiv.org
-
ucgqvyjgpk.cn
-
uixvflbyoyi.biz
-
ujawdcoqgs.org
-
upxva.net
-
uuvjh.biz
-
uzugvbnvs.cn
-
vgmkhtux.ws
-
vjllpcucnp.cn
-
vkgxgxto.com
-
vwiualt.com
-
waxggypgu.org
-
wccckyfrtf.net
-
wfdnvlrcb.org
-
whjworuc.com
-
wmiwxt.biz
-
wohms.biz
-
wqqfbutswyf.info
-
wsdlzmpbwhj.net
-
xiclytmeger.cc
-
xkjdzqbxg.cn
-
xldbmaztfu.biz
-
xlwcv.cn
-
xqbovbdzjz.info
-
xwbubjmhinr.info
-
yfpdcquil.info
-
yfybk.ws
-
yhrpqjhp.biz
-
yoblqeruib.org
-
yoyze.cc
-
yshpve.cc
-
ysrixiwyd.com
-
ytfvksowgul.org
-
ywsrtetv.org
-
yzymygez.biz
-
zcwjkxynr.com
-
zfgufbxi.net
-
zkimm.info
-
zmoeuxuh.ws
-
zokxy.net
-
zqrsbqzhh.cc
-
zttykt.info
-
zutykstmrxq.ws
It checks the system date if it is January 1, 2009 or later. It also checks the following websites for the date, presumably for verification:
-
baidu.com
-
google.com
-
yahoo.com
-
msn.com
-
ask.com
-
w3.org
Additional Information
The name of this threat was derived by selecting fragments of the domain 'trafficconverter.biz', a string found in Worm:Win32/Conficker.A:
(fic)(con)(er) => (con)(fic)(+k)(er) => conficker
Analysis by Jireh Sanico
