Worm:Win32/Conficker.B


Microsoft security software detects and removes this threat.

This worm makes changes to your PC and can disable important system services and security products, like antimalware or antivirus software.

It spreads to other PCs on your network, both by exploiting an unpatched vulnerability in the Windows Server service and by guessing weak passwords for network shares, and through removable drives (like USB flash drives).

Find out ways that malware can get on your PC.



What to do now

The following free Microsoft software detects and removes this threat:

Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC.

You can also visit the Microsoft virus and malware community or our advanced troubleshooting page for more help.

If you’re using Windows XP, see our Windows XP end of support page.

If your PC is infected by Conficker, it might not be able to connect to websites related to security applications and services that could help remove it. For example, downloading antivirus updates may fail. In this case you will need to use an uninfected PC to download any appropriate updates or tools and then transfer them to the infected PC.

Microsoft Help and Support has provided a detailed guide to removing a Conficker infection from an affected PC, either manually or by using the Malicious Software Removal Tool (MSRT).

Read the following article using an uninfected PC:

More information about deploying MSRT in an enterprise environment can be found in the following article:

Threat behavior

Installation

Worm:Win32/Conficker.B tries to copy itself in the Windows system folder as a hidden DLL file using a random name. If it fails, it can then try to copy itself with the same parameters in the following folders:

It creates the following registry entry to ensure that its dropped copy is run every time Windows starts:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<random string>"
With data: "rundll32.exe <system folder>\<malware file name>.dll,<malware parameters>"

It can also load itself as a service that is launched when the netsvcs group is loaded by the system file svchost.exe.

It can also load itself as a fake service by registering itself under the following key:
HKLM\SYSTEM\CurrentControlSet\Services

It uses a display name that is created by combining two of the following strings:

  • Boot
  • Center
  • Config
  • Driver
  • Helper
  • Image
  • Installer
  • Manager
  • Microsoft
  • Monitor
  • Network
  • Security
  • Server
  • Shell
  • Support
  • System
  • Task
  • Time
  • Universal
  • Update
  • Windows

It can also combine random characters to create the display name.

Spreads Via...

Network shares with weak passwords

Worm:Win32/Conficker.B tries to infect PCs within the network.

It first tries to drop a copy of itself in a target PC's ADMIN$ share using the credentials of the currently logged-on user.

If this method is unsuccessful (for example, because the current user does not have the necessary rights), it instead obtains a list of user accounts on the target PC. It then tries to connect to the target PC using each user name together with each of the following weak passwords:

  • 00000000
  • 0000000
  • 00000
  • 0000
  • 000
  • 00
  • 0987654321
  • 0
  • 11111111
  • 1111111
  • 111111
  • 11111
  • 1111
  • 111
  • 11
  • 123123
  • 12321
  • 123321
  • 1234567890
  • 123456789
  • 12345678
  • 1234567
  • 123456
  • 12345
  • 1234
  • 1234abcd
  • 1234qwer
  • 123
  • 123abc
  • 123asd
  • 123qwe
  • 12
  • 1
  • 1q2w3e
  • 21
  • 22222222
  • 2222222
  • 222222
  • 22222
  • 2222
  • 222
  • 22
  • 2
  • 321
  • 33333333
  • 3333333
  • 333333
  • 33333
  • 3333
  • 333
  • 33
  • 3
  • 4321
  • 44444444
  • 4444444
  • 444444
  • 44444
  • 4444
  • 444
  • 44
  • 4
  • 54321
  • 55555555
  • 5555555
  • 555555
  • 55555
  • 5555
  • 555
  • 55
  • 5
  • 654321
  • 66666666
  • 6666666
  • 666666
  • 66666
  • 6666
  • 666
  • 66
  • 6
  • 7654321
  • 77777777
  • 7777777
  • 777777
  • 77777
  • 7777
  • 777
  • 77
  • 7
  • 87654321
  • 88888888
  • 8888888
  • 888888
  • 88888
  • 8888
  • 888
  • 88
  • 8
  • 987654321
  • 99999999
  • 9999999
  • 999999
  • 99999
  • 9999
  • 999
  • 99
  • 9
  • a1b2c3
  • aaa
  • aaaa
  • aaaaa
  • abc123
  • academia
  • access
  • account
  • admin123
  • admin12
  • admin1
  • Admin
  • adminadmin
  • administrator
  • anything
  • asddsa
  • asdfgh
  • asdsa
  • asdzxc
  • backup
  • boss123
  • business
  • campus
  • changeme
  • cluster
  • codename
  • codeword
  • coffee
  • computer
  • controller
  • cookie
  • customer
  • database
  • default
  • desktop
  • domain
  • example
  • exchange
  • explorer
  • file
  • files
  • foo
  • foobar
  • foofoo
  • forever
  • freedom
  • fuck
  • games
  • home123
  • home
  • ihavenopass
  • Internet
  • intranet
  • job
  • killer
  • letitbe
  • letmein
  • Login
  • lotus
  • love123
  • manager
  • market
  • money
  • monitor
  • mypass
  • mypassword
  • mypc123
  • nimda
  • nobody
  • nopass
  • nopassword
  • nothing
  • office
  • oracle
  • owner
  • pass123
  • pass12
  • pass1
  • pass
  • passwd
  • password123
  • password12
  • password1
  • Password
  • private
  • public
  • pw123
  • q1w2e3
  • qazwsx
  • qazwsxedc
  • qqq
  • qqqq
  • qqqqq
  • qwe123
  • qweasd
  • qweasdzxc
  • qweewq
  • qwerty
  • qwewq
  • root123
  • root
  • rootroot
  • sample
  • secret
  • secure
  • security
  • server
  • shadow
  • share
  • sql
  • student
  • super
  • superuser
  • supervisor
  • system
  • temp123
  • temp
  • temporary
  • temptemp
  • test123
  • test
  • testtest
  • unknown
  • web
  • windows
  • work123
  • work
  • xxx
  • xxxx
  • xxxxx
  • zxccxz
  • zxcvb
  • zxcvbn
  • zxcxz
  • zzz
  • zzzz
  • zzzzz

If Win32/Conficker.B successfully accesses the target PC, that is, if one of the user names combined with one of the above passwords gives the worm write access, it copies itself to the admin share as ADMIN$\System32\<random letters>.dll.

Remote scheduled job

After infecting a PC remotely, Win32/Conficker.B creates a scheduled job on the remote PC with the command rundll32.exe <malware file name>.dll,<malware parameters> to activate the copy (the original entry illustrates this with screenshots).
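
The two spreading steps above leave a recognisable trail in the target's Security log: one source address fails network logons against many different local accounts in a short burst and then, if a guess lands, logs on successfully with one of them. The following detection is an added example, not code from the original entry; the event lines are constructed to mimic the fields of Windows events 4625 (failed logon) and 4624 (successful logon) as a flat text export, and the source addresses, account names and times are made up.

```python
"""Spot the share-spreading behaviour described above in Windows Security events:
one source address failing network logons (logon type 3) against many different
accounts inside a short window, then possibly succeeding with one of them.

Added example, not code from the original entry. SAMPLE_EVENTS is constructed to
mimic the fields of event 4625 (failed logon) and 4624 (successful logon); the
field names match those events, the values do not come from a real incident."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed: 10.0.0.7 walks through local accounts and finally gets in as
# 'helpdesk'; 10.0.0.9 is a single ordinary mistyped password that must not fire.
SAMPLE_EVENTS = """\
2009-01-15T10:02:01Z EventID=4625 LogonType=3 TargetUserName=Administrator IpAddress=10.0.0.7 Status=0xc000006d
2009-01-15T10:02:01Z EventID=4625 LogonType=3 TargetUserName=Administrator IpAddress=10.0.0.7 Status=0xc000006d
2009-01-15T10:02:02Z EventID=4625 LogonType=3 TargetUserName=backup IpAddress=10.0.0.7 Status=0xc000006d
2009-01-15T10:02:02Z EventID=4625 LogonType=3 TargetUserName=sqlsvc IpAddress=10.0.0.7 Status=0xc000006d
2009-01-15T10:02:03Z EventID=4625 LogonType=3 TargetUserName=jsmith IpAddress=10.0.0.7 Status=0xc000006d
2009-01-15T10:02:03Z EventID=4625 LogonType=3 TargetUserName=helpdesk IpAddress=10.0.0.7 Status=0xc000006d
2009-01-15T10:02:04Z EventID=4624 LogonType=3 TargetUserName=helpdesk IpAddress=10.0.0.7
2009-01-15T10:05:00Z EventID=4625 LogonType=3 TargetUserName=jsmith IpAddress=10.0.0.9 Status=0xc000006a
"""


def parse_event(line):
    """Split 'timestamp key=value ...' into a dict with a datetime under 'ts'."""
    parts = line.split()
    if len(parts) < 2:
        return None
    event = dict(kv.split("=", 1) for kv in parts[1:])
    event["ts"] = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    return event


def _has_burst(fails, min_accounts, window):
    """True if some window-long slice of the sorted (ts, user) list covers >= min_accounts users."""
    start = 0
    for end in range(len(fails)):
        while fails[end][0] - fails[start][0] > window:
            start += 1
        if len({user for _, user in fails[start:end + 1]}) >= min_accounts:
            return True
    return False


def find_password_guessing(log_text, min_accounts=4, window=timedelta(seconds=60)):
    """Return {source_ip: report} for every source whose failed network logons span
    at least min_accounts distinct accounts within window. The report lists all
    accounts that source tried and the first account it later logged on with, if any."""
    failures, successes = defaultdict(list), defaultdict(list)
    for event in filter(None, map(parse_event, log_text.splitlines())):
        if event.get("LogonType") != "3":
            continue                      # interactive and service logons are out of scope here
        bucket = {"4625": failures, "4624": successes}.get(event.get("EventID"))
        if bucket is not None:
            bucket[event["IpAddress"]].append((event["ts"], event["TargetUserName"]))
    reports = {}
    for ip, fails in failures.items():
        fails.sort()
        if not _has_burst(fails, min_accounts, window):
            continue
        tried = {user for _, user in fails}
        later = sorted((ts, user) for ts, user in successes.get(ip, ())
                       if ts >= fails[0][0] and user in tried)
        reports[ip] = {
            "first_failure": fails[0][0].isoformat(),
            "accounts_tried": sorted(tried),
            "success_after": later[0][1] if later else None,
        }
    return reports


if __name__ == "__main__":
    for ip, report in find_password_guessing(SAMPLE_EVENTS).items():
        print(ip, report)
```

The event IDs are the Vista/Server 2008 ones; Windows XP and Server 2003 record the same pattern as 529 (failed logon) and 540 (successful network logon). Note what this does not catch: the worm's first attempt uses the logged-on user's own credentials, and when those work the target sees only a single successful network logon with no failures, so this detects the guessing stage described above, not the credential reuse that precedes it.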

Mapped and removable drives

Worm:Win32/Conficker.B can drop a copy of itself on all mapped and removable drives using a random file name. The worm creates a folder in the root of these drives named RECYCLER (in Windows XP and earlier versions, the RECYCLER folder holds the Recycle Bin, with one subfolder per user named after that user's security identifier, or SID). Next, the worm copies itself as the following:

<drive:>\RECYCLER\S-%d-%d-%d-%d%d%d-%d%d%d-%d%d%d-%d\<random letters>.dll

Where each %d is a randomly chosen number, so the folder name imitates a SID and blends in with genuine Recycle Bin subfolders. The worm also drops a corresponding autorun.inf file, which runs the worm copy when the drive is accessed and AutoPlay is enabled. This autorun.inf file is detected as Worm:Win32/Conficker.B!inf.

The AutoPlay dialog (shown as an image in the original entry) illustrates how a user could unwittingly launch the worm when accessing an infected drive: the first option reads 'Open folder to view files', yet it appears under 'Install or run program', which indicates that choosing it will actually run an application. Another hint that the action runs the worm is the text 'Publisher not specified'. The genuine choice under 'General options' lets the user browse the drive without running the worm copy.
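
The removable-drive footprint just described (a SID-shaped folder under RECYCLER holding a DLL, plus a root autorun.inf whose action text imitates the folder-browsing choice) can be checked on a mounted drive or disk image without executing anything on it. The scanner below is an added example, not code from the original entry; the directory layout and autorun.inf contents it builds are constructed for the demonstration, and the rule that genuine Recycle Bin subfolders are account SIDs beginning S-1-5-21- is an assumption used as a heuristic, not something the entry states.

```python
"""Check a drive root for the removable-media footprint described above: a
RECYCLER\\S-...\\<letters>.dll copy and a root autorun.inf that launches it.

Added example, not code from the original entry. The directory layout and the
autorun.inf contents are constructed for the demonstration; treating anything other
than an S-1-5-21- account SID under RECYCLER as suspicious is an assumption."""
import os
import re
import tempfile

# The format S-%d-%d-%d-%d%d%d-%d%d%d-%d%d%d-%d yields "S" plus seven numeric segments.
SID_LIKE = re.compile(r"^S-\d+-\d+-\d+-\d+-\d+-\d+-\d+$", re.IGNORECASE)
# Per-user Recycle Bin folders are named after account SIDs, which begin S-1-5-21-.
ACCOUNT_SID = re.compile(r"^S-1-5-21-", re.IGNORECASE)


def parse_autorun(text):
    """Return the [autorun] section as {lowercased key: value}. Lines that are not
    key=value pairs (junk bytes, comments) are ignored, as Windows ignores them."""
    values, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].lower() == "autorun"
        elif in_autorun and "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            values[key.strip().lower()] = value.strip()
    return values


def scan_drive(root):
    """Return a list of findings for one drive root (a drive letter or a mounted image)."""
    findings = []
    recycler = os.path.join(root, "RECYCLER")
    if os.path.isdir(recycler):
        for name in sorted(os.listdir(recycler)):
            sub = os.path.join(recycler, name)
            if not (os.path.isdir(sub) and SID_LIKE.match(name)):
                continue
            if not ACCOUNT_SID.match(name):
                findings.append("RECYCLER\\%s is SID-shaped but not an account SID" % name)
            for entry in sorted(os.listdir(sub)):
                if entry.lower().endswith(".dll"):
                    findings.append("DLL inside Recycle Bin folder: RECYCLER\\%s\\%s" % (name, entry))
    inf = os.path.join(root, "autorun.inf")
    if os.path.isfile(inf):
        with open(inf, "r", errors="ignore") as fh:   # junk bytes must not abort the scan
            keys = parse_autorun(fh.read())
        for key in ("open", "shellexecute"):
            cmd = keys.get(key, "")
            if "rundll32" in cmd.lower() or "recycler" in cmd.lower():
                findings.append("autorun.inf %s= runs: %s" % (key, cmd))
        if keys.get("action", "").lower().startswith("open folder"):
            findings.append("autorun.inf Action= imitates the 'Open folder to view files' choice")
    return findings


def build_sample(root):
    """Constructed layout: one worm-style folder and DLL, one genuine-looking Recycle Bin folder."""
    worm_dir = os.path.join(root, "RECYCLER", "S-7-2-61-1403255819-3177503210-598124733-2817")
    os.makedirs(worm_dir)
    with open(os.path.join(worm_dir, "qkxtzb.dll"), "wb") as fh:
        fh.write(b"MZ" + b"\0" * 62)          # placeholder bytes, not a real PE file
    os.makedirs(os.path.join(root, "RECYCLER", "S-1-5-21-1004336348-1177238915-682003330-1003"))
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write("[autorun]\n"
                 "Action=Open folder to view files\n"
                 "Icon=%systemroot%\\system32\\shell32.dll,4\n"
                 "shellexecute=RUNDLL32.EXE .\\RECYCLER\\S-7-2-61-1403255819-3177503210-598124733-2817\\qkxtzb.dll,vcqzxo\n"
                 "UseAutoPlay=1\n")


def demo():
    """Build the constructed drive in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        return scan_drive(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Treat the output as leads rather than verdicts: a DLL that a user deleted normally (stored as Dc<n>.dll next to the INFO2 index in a real S-1-5-21- folder) would also be reported, while the autorun.inf findings are specific to the mimicry this entry describes.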

MS08-067 HTTP 'call back'

Worm:Win32/Conficker.B spreads to PCs that are not yet patched against a vulnerability in the Windows Server service (which runs inside SVCHOST.EXE). If the vulnerability is successfully exploited, the worm instructs the target PC to download a copy of the worm from the infecting PC over HTTP, using a random port between 1024 and 10000 that the worm opens for this purpose. The vulnerability is documented in Microsoft Security Bulletin MS08-067.

Payload

Changes system settings

Worm:Win32/Conficker.B changes system settings so that the user cannot turn on the display of hidden files, which keeps its own hidden DLL out of sight. It does this by changing the following registry entry:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL
Sets value: "CheckedValue"
With data: "0"

It also changes the system's TCP settings to allow a very large number of simultaneous connections (the hexadecimal value 0x00FFFFFE equals 16,777,214 in decimal):

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Sets value: "TcpNumConnections"
With data: "0x00FFFFFE"

The worm drops a temporary file that helps it restart the TCP/IP service so that the change takes effect. This dropped file is detected as Trojan:WinNT/Conficker.B.

Disables TCP/IP tuning, stops and disables services

Win32/Conficker.B disables Windows Vista TCP/IP auto-tuning by running the following command:

netsh interface tcp set global autotuning=disabled

This worm stops several important services, including the following:

  • Windows Security Center Service (wscsvc) – notifies users about security settings (for example, Windows Update, Firewall and antivirus status)
  • Automatic Updates service (wuauserv)
  • Background Intelligent Transfer Service (BITS) – used by Windows Update to download updates using idle network bandwidth
  • Windows Defender (WinDefend)
  • Error Reporting Service (ersvc) – sends error reports to Microsoft to help improve the user experience
  • Windows Error Reporting Service (wersvc)

Win32/Conficker.B deletes the registry value that starts Windows Defender, so that it no longer runs when the system starts:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Deletes value: "Windows Defender"
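
The registry changes described in this entry (the rundll32 autostart value under Run, the fake service with a two-word display name, the deleted Windows Defender value, TcpNumConnections and the SHOWALL change) can be reviewed offline from a `reg export` taken on the suspect machine, which matters because the infected PC itself cannot be trusted to show hidden files or reach update sites. The script below is an added example, not code from the original entry: SAMPLE_REG is a constructed export in which the value name hqzmwt, the DLL bkxdoa.dll, the service key ptgrvx and its display name are made up, and the rundll32 and word-pair checks are heuristics that need manual confirmation.

```python
"""Review a `reg export` file (.reg) from a suspect machine, offline on a clean host,
for the registry footprint this entry describes. Added example, not code from the
original entry: SAMPLE_REG is constructed (hqzmwt, bkxdoa.dll, ptgrvx and its display
name are made up) and the rundll32 and word-pair checks are heuristics."""
import itertools
import re

SERVICE_WORDS = ["Boot", "Center", "Config", "Driver", "Helper", "Image", "Installer",
                 "Manager", "Microsoft", "Monitor", "Network", "Security", "Server",
                 "Shell", "Support", "System", "Task", "Time", "Universal", "Update", "Windows"]
WORD_PAIRS = {(a + b).lower() for a, b in itertools.permutations(SERVICE_WORDS, 2)}
RUN_KEYS = [r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
            r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"]
TCPIP_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
SHOWALL_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
               r"\Explorer\Advanced\Folder\Hidden\SHOWALL")
SERVICE_KEY = re.compile(r"^HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\\]+)$", re.I)


def reg_expand_sz(text):
    """Encode text as reg.exe exports REG_EXPAND_SZ: 'hex(2):' UTF-16LE bytes, wrapped with '\\'."""
    pairs = ["%02x" % b for b in (text + "\0").encode("utf-16-le")]
    return "hex(2):" + ",\\\n  ".join(",".join(pairs[i:i + 20]) for i in range(0, len(pairs), 20))


SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"hqzmwt"="rundll32.exe C:\\WINDOWS\\system32\\bkxdoa.dll,wqhcrzp"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre6\\bin\\jusched.exe\""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"TcpNumConnections"=dword:00fffffe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ptgrvx]
"DisplayName"="Security Helper"
"ImagePath"={image_path}

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ptgrvx\Parameters]
"ServiceDll"={service_dll}
""".format(image_path=reg_expand_sz(r"%SystemRoot%\system32\svchost.exe -k netsvcs"),
           service_dll=reg_expand_sz(r"%SystemRoot%\system32\bkxdoa.dll"))


def decode_value(data):
    """Decode one value: quoted REG_SZ, dword:, or hex(2): (REG_EXPAND_SZ) as text; other hex kept raw."""
    if data.startswith('"') and data.endswith('"'):
        return "REG_SZ", data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if data.startswith("dword:"):
        return "REG_DWORD", int(data[6:], 16)
    m = re.match(r"^hex(?:\((\w+)\))?:(.*)$", data)
    if not m:
        return "UNKNOWN", data
    raw = bytes.fromhex(m.group(2).replace(",", ""))
    if m.group(1) == "2":
        return "REG_EXPAND_SZ", raw.decode("utf-16-le").rstrip("\0")
    return "REG_HEX(%s)" % (m.group(1) or "3"), raw


def parse_reg(text):
    """Parse a .reg export into {key path: {value name: (type, data)}}; '\\'-wrapped lines are joined."""
    keys, current, lines, i = {}, None, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        while line.endswith("\\") and i + 1 < len(lines):   # hex data continues on the next line
            i += 1
            line = line[:-1] + lines[i].strip()
        i += 1
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and '"=' in line:
            name, data = line[1:].split('"=', 1)
            keys[current][name] = decode_value(data)
    return keys


def find_indicators(reg):
    """Return [(weight, description)] for the indicators this entry describes."""
    by_lower = {k.lower(): v for k, v in reg.items()}

    def value(key, name):
        return by_lower.get(key.lower(), {}).get(name)

    found = []
    for key in RUN_KEYS:                      # the worm's autostart: rundll32 <system folder>\<name>.dll,<params>
        for name, (_, data) in by_lower.get(key.lower(), {}).items():
            if isinstance(data, str) and data.lstrip().lower().startswith("rundll32"):
                dll = re.search(r"[^\s,]+\.dll", data, re.I)
                found.append(("review", "%s autostarts via rundll32 -> %s" % (name, dll.group(0) if dll else data)))
    hklm_run = by_lower.get(RUN_KEYS[1].lower())
    if hklm_run is not None and "Windows Defender" not in hklm_run:
        found.append(("weak", "no 'Windows Defender' value in HKLM Run (deleted by the worm; also absent if Defender was never installed)"))
    if value(TCPIP_KEY, "TcpNumConnections") == ("REG_DWORD", 0x00FFFFFE):
        found.append(("strong", "TcpNumConnections = 0x00FFFFFE"))
    if value(SHOWALL_KEY, "CheckedValue") == ("REG_DWORD", 0):
        found.append(("strong", "SHOWALL\\CheckedValue = 0 (hidden files cannot be shown)"))
    for key, values in reg.items():          # fake service: display name built from the word list
        m = SERVICE_KEY.match(key)
        if m and "DisplayName" in values and values["DisplayName"][1].replace(" ", "").lower() in WORD_PAIRS:
            dll = value(key + r"\Parameters", "ServiceDll")
            found.append(("review", "service %s: display name '%s' is two words from the worm's list%s"
                          % (m.group(1), values["DisplayName"][1], ", ServiceDll=%s" % dll[1] if dll else "")))
    return found
```

Open a real export with encoding="utf-16", since reg.exe writes UTF-16LE with a byte-order mark. The rundll32 and word-pair findings are marked "review" for a reason: legitimate autostart entries also use rundll32, and the genuine Windows Time service (W32Time) carries the display name "Windows Time", which is itself a pair from the list, so confirm a hit by checking where the service's ServiceDll actually points.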

It also prevents any process whose module name contains any of the following strings from sending network traffic or data. Most of these strings belong to antivirus and security vendors, so the affected products can no longer fetch signature updates, and users may be unable to reach websites whose addresses contain these strings:

  • ahnlab
  • arcabit
  • avast
  • avira
  • castlecops
  • centralcommand
  • clamav
  • comodo
  • computerassociates
  • cpsecure
  • defender
  • drweb
  • emsisoft
  • esafe
  • eset
  • etrust
  • ewido
  • f-prot
  • f-secure
  • fortinet
  • gdata
  • grisoft
  • hacksoft
  • hauri
  • ikarus
  • jotti
  • k7computing
  • kaspersky
  • malware
  • mcafee
  • microsoft
  • networkassociates
  • nod32
  • norman
  • norton
  • panda
  • pctools
  • prevx
  • quickheal
  • rising
  • rootkit
  • securecomputing
  • sophos
  • spamhaus
  • spyware
  • sunbelt
  • symantec
  • threatexpert
  • trendmicro
  • virus
  • wilderssecurity
  • windowsupdate

Resets system restore point

Win32/Conficker.B might reset the PC's system restore point, potentially preventing recovery using System Restore.

Checks for Internet connectivity

Win32/Conficker.B checks if the system has an Internet connection by trying to connect to the following websites:

  • aol.com
  • cnn.com
  • ebay.com
  • msn.com
  • myspace.com

Downloads files

Starting on January 1, 2009, Win32/Conficker.B builds URLs from which to download files. The domain name in each URL is derived from the current system date and uses one of the following top-level domains:

  • .cc
  • .cn
  • .ws
  • .com
  • .net
  • .org
  • .info
  • .biz

For example, aaovt.com or aasmlhzbpqe.com.

The generated domain name is first resolved to an IP address (for example, aaovt.com might resolve to 192.168.16.0), and it is that IP address, rather than the name, that appears in the URL, which follows this pattern:

http://<IP address resolved from the generated domain>/search?q=%d

Some examples of the generated domain names are as follows:

  • aaovt.com
  • aasmlhzbpqe.com
  • addgv.com
  • ajsxarj.org
  • apwzjq.ws
  • aradfkyqv.org
  • arztiwbeh.cc
  • baixumxhmks.ws
  • bfwtjrto.org
  • bfwvzxd.info
  • bmaeqlhulq.cc
  • byiiureq.cn
  • cbizghsq.cc
  • cbkenfa.org
  • ciabjhmosz.cc
  • cruutiitz.com
  • ctnlczp.org
  • ctohyudfbm.cn
  • dcopyoojw.com
  • djdgnrbacwt.ws
  • dmwemynbrmz.org
  • dofmrfqvis.cn
  • doxkknuq.org
  • dozjritemv.info
  • dyjsialozl.ws
  • eaieijqcqlv.org
  • eewxsvtkyn.net
  • eidqdorgmbr.net
  • eiqzepxacyb.cn
  • ejdmzbzzaos.biz
  • ejmxd.com
  • ejzrcqqw.net
  • ekusgwp.cc
  • eprhdsudnnh.biz
  • evmwgi.ws
  • falru.net
  • fctkztzhyr.org
  • fdkjan.net
  • fhfntt.org
  • fhspuip.biz
  • fjpzgrf.net
  • fkzdr.cn
  • ftjggny.com
  • fuimrawg.info
  • ghdokt.cn
  • glbmkbmdax.biz
  • gmhkdp.org
  • gocpopuklm.org
  • grwemw.biz
  • gtzaick.cc
  • gxzlgsoa.info
  • gypqfjho.info
  • hduyjkrouop.info
  • hfgxlzjbfka.biz
  • hkgzoi.com
  • hliteqmjyb.net
  • hmdtv.ws
  • hoyolhmnzbs.net
  • hprfux.cc
  • hqbttlqr.org
  • hueminaii.org
  • hvogkfiq.info
  • ifylodtv.ws
  • iivsjpfumd.ws
  • ilksbuv.cn
  • imuez.biz
  • izxvu.biz
  • jaumgubte.biz
  • jhbeiiizlfk.cn
  • jrdzx.cc
  • jshkqnnkeao.biz
  • judhei.com
  • jxfiysai.cc
  • jzoowlbehqn.info
  • karhhse.com
  • kbyjkjkbb.info
  • kjsxokxg.org
  • krudjhvk.org
  • kuiwtbfa.org
  • lauowjef.cn
  • lhirjymcod.net
  • liugwg.net
  • lksvlouw.ws
  • llgkuclk.info
  • lnpsesbcm.cn
  • lssvxqkqfmf.org
  • lygskbx.cc
  • mafwkeat.cn
  • mgqrrsxhnj.com
  • mhklpsbuh.cc
  • mknuzwq.cc
  • mqjkzbov.net
  • myfhc.com
  • navjrj.org
  • nbpykcdsoms.com
  • ncbeaucjxd.org
  • npfxmztnaw.cn
  • nuiptipwjj.cc
  • nvpmfnlsh.ws
  • oagwongs.ws
  • odvsz.net
  • okkpuzqck.ws
  • oqolfrjq.cn
  • orduhippw.cn
  • orpngykld.com
  • orxfq.ws
  • othobnrx.org
  • otnqqaclsgx.info
  • otukeesevg.biz
  • pbfhhhvzkp.cc
  • pbpigz.cn
  • pcnpxbg.cc
  • pdfrbmxh.biz
  • pfdthjxs.cc
  • phaems.cc
  • phetxwmjqsj.cc
  • pmanbkyshj.ws
  • pnjlx.cc
  • ppzwqcdc.cc
  • psabcdq.cc
  • ptdlwsi.cn
  • pvowgkgjmu.biz
  • pwsjbdkdewv.info
  • qbuic.com
  • qdteltj.org
  • qeotxrp.com
  • qfeqsagbjs.biz
  • qfhqgciz.org
  • qfogch.com
  • qijztpxaxk.cn
  • qlqrgqordj.ws
  • qpiivu.cn
  • qpuowsw.cc
  • qqbbg.cc
  • qrrzna.net
  • qvrgznvvwz.ws
  • qwdervbq.org
  • qwnydyb.cc
  • qzbpqbhzmp.com
  • rkfdx.org
  • rpphv.org
  • rskvraofl.info
  • ryruatsot.biz
  • sdkhznqj.info
  • sezpo.org
  • sfozmwybm.com
  • skwmyjq.org
  • solmpem.com
  • sqmsrvnjits.cc
  • stlgegbye.net
  • syryb.org
  • tdwrkv.ws
  • tfpazwas.cc
  • tigeseo.org
  • tjyhrcfxuc.cn
  • tkbyxr.ws
  • tlmncy.cn
  • tmlwmvv.ws
  • tnerivsvs.net
  • tomxoa.org
  • trpkeyqapp.net
  • tyjtkayz.com
  • uazlwwiv.org
  • ucgqvyjgpk.cn
  • uixvflbyoyi.biz
  • ujawdcoqgs.org
  • upxva.net
  • uuvjh.biz
  • uzugvbnvs.cn
  • vgmkhtux.ws
  • vjllpcucnp.cn
  • vkgxgxto.com
  • vwiualt.com
  • waxggypgu.org
  • wccckyfrtf.net
  • wfdnvlrcb.org
  • whjworuc.com
  • wmiwxt.biz
  • wohms.biz
  • wqqfbutswyf.info
  • wsdlzmpbwhj.net
  • xiclytmeger.cc
  • xkjdzqbxg.cn
  • xldbmaztfu.biz
  • xlwcv.cn
  • xqbovbdzjz.info
  • xwbubjmhinr.info
  • yfpdcquil.info
  • yfybk.ws
  • yhrpqjhp.biz
  • yoblqeruib.org
  • yoyze.cc
  • yshpve.cc
  • ysrixiwyd.com
  • ytfvksowgul.org
  • ywsrtetv.org
  • yzymygez.biz
  • zcwjkxynr.com
  • zfgufbxi.net
  • zkimm.info
  • zmoeuxuh.ws
  • zokxy.net
  • zqrsbqzhh.cc
  • zttykt.info
  • zutykstmrxq.ws

It checks whether the system date is January 1, 2009 or later, and also queries the following websites for the current date, presumably to verify the local clock before generating domains:

  • baidu.com
  • google.com
  • yahoo.com
  • msn.com
  • ask.com
  • w3.org
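
The download behaviour described in this section shows up in two places an administrator can already see: DNS logs, where an infected PC looks up many short, letter-only names on the eight TLDs above and most of them fail to resolve, and proxy logs, where the fetch goes to a bare IP address with the path /search?q=<number>. The detector below is an added example, not code from the original entry. Its log lines are constructed (the worm-style names are taken from the list above; the clients, times and response codes are made up), and the 5 to 11 letter shape is a heuristic read off that list, not the worm's real generation algorithm, which is why a single matching name is never enough to raise an alert.

```python
"""Flag the outbound pattern described above in DNS and web-proxy logs: bursts of
short all-letter hostnames on the eight TLDs that mostly fail to resolve, and HTTP
fetches of /search?q=<number> from a bare IP address.

Added example, not code from the original entry. SAMPLE_LOG is constructed (the
worm-style names come from the list in the entry; clients, times and codes are made
up). The 5-11 letter shape is a heuristic, not the worm's real algorithm, and on its
own it also matches many legitimate names, so it only counts in bulk with NXDOMAINs."""
import ipaddress
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

DGA_TLDS = {"cc", "cn", "ws", "com", "net", "org", "info", "biz"}
DGA_LABEL = re.compile(r"^[a-z]{5,11}$")
# Sites the worm contacts for its connectivity and date checks: expected, not flagged by themselves.
CHECK_SITES = {"aol.com", "cnn.com", "ebay.com", "msn.com", "myspace.com",
               "baidu.com", "google.com", "yahoo.com", "ask.com", "w3.org"}

SAMPLE_LOG = """\
2009-01-15T10:10:00Z dns client=10.0.0.7 query=msn.com rcode=NOERROR
2009-01-15T10:10:01Z dns client=10.0.0.7 query=aaovt.com rcode=NXDOMAIN
2009-01-15T10:10:01Z dns client=10.0.0.7 query=ejmxd.com rcode=NXDOMAIN
2009-01-15T10:10:02Z dns client=10.0.0.7 query=falru.net rcode=NXDOMAIN
2009-01-15T10:10:02Z dns client=10.0.0.7 query=hmdtv.ws rcode=NXDOMAIN
2009-01-15T10:10:03Z dns client=10.0.0.7 query=imuez.biz rcode=NXDOMAIN
2009-01-15T10:10:03Z dns client=10.0.0.7 query=jrdzx.cc rcode=NOERROR
2009-01-15T10:10:04Z http client=10.0.0.7 url=http://192.168.16.0/search?q=7 status=404
2009-01-15T10:11:00Z dns client=10.0.0.9 query=google.com rcode=NOERROR
2009-01-15T10:11:01Z dns client=10.0.0.9 query=example.org rcode=NOERROR
2009-01-15T10:11:02Z http client=10.0.0.9 url=http://www.example.org/search?q=conficker status=200
2009-01-15T10:12:00Z dns client=10.0.0.11 query=hkgzoi.com rcode=NOERROR
2009-01-15T10:12:00Z dns client=10.0.0.11 query=judhei.com rcode=NOERROR
2009-01-15T10:12:01Z dns client=10.0.0.11 query=myfhc.com rcode=NOERROR
2009-01-15T10:12:01Z dns client=10.0.0.11 query=qbuic.com rcode=NOERROR
2009-01-15T10:12:02Z dns client=10.0.0.11 query=rkfdx.org rcode=NOERROR
"""


def looks_like_dga(hostname):
    """Two labels, 5-11 lowercase letters, one of the worm's TLDs (e.g. aaovt.com)."""
    parts = hostname.lower().rstrip(".").split(".")
    return len(parts) == 2 and parts[1] in DGA_TLDS and bool(DGA_LABEL.match(parts[0]))


def is_callback_url(url):
    """True for http://<IPv4 literal>/search?q=<integer>, the download URL shape in this entry."""
    u = urlsplit(url)
    if u.scheme != "http" or u.path != "/search":
        return False
    try:
        ipaddress.IPv4Address(u.hostname or "")
    except ValueError:
        return False
    q = parse_qs(u.query).get("q", [])
    return len(q) == 1 and q[0].isdigit()


def parse_line(line):
    """'timestamp kind key=value ...' -> dict."""
    ts, kind, *pairs = line.split()
    record = dict(pair.split("=", 1) for pair in pairs)
    record.update(ts=ts, kind=kind)
    return record


def analyse(log_text, min_distinct=5, min_nx_ratio=0.5):
    """Return {client: [reasons]} for clients showing either indicator. DGA-shaped
    lookups only count when a client made >= min_distinct of them and at least
    min_nx_ratio of those names returned NXDOMAIN (generated names mostly do not
    exist), which keeps ordinary short domains from firing."""
    state = defaultdict(lambda: {"dga": set(), "nx": set(), "callbacks": [], "checks": set()})
    for line in filter(str.strip, log_text.splitlines()):
        rec = parse_line(line)
        c = state[rec["client"]]
        if rec["kind"] == "dns":
            name = rec["query"].lower().rstrip(".")
            if name in CHECK_SITES:
                c["checks"].add(name)
            elif looks_like_dga(name):
                c["dga"].add(name)
                if rec.get("rcode") == "NXDOMAIN":
                    c["nx"].add(name)
        elif rec["kind"] == "http" and is_callback_url(rec["url"]):
            c["callbacks"].append(rec["url"])
    alerts = {}
    for client, c in state.items():
        reasons = []
        if len(c["dga"]) >= min_distinct and len(c["nx"]) / len(c["dga"]) >= min_nx_ratio:
            reasons.append("%d DGA-shaped lookups, %d NXDOMAIN: %s"
                           % (len(c["dga"]), len(c["nx"]), ", ".join(sorted(c["dga"]))))
        if c["callbacks"]:
            reasons.append("download callback to " + ", ".join(c["callbacks"]))
        if reasons:
            alerts[client] = reasons
    return alerts


if __name__ == "__main__":
    for client, reasons in analyse(SAMPLE_LOG).items():
        print(client, *reasons, sep="\n  ")
```

In the constructed log only 10.0.0.7 is reported: 10.0.0.9 looks up one short name that exists, and 10.0.0.11 looks up five short names that all resolve (as registered or sinkholed domains would), which stays under the NXDOMAIN ratio unless you lower it. The connectivity-check and date-check sites are recorded but never raise an alert on their own, since every browser on the network visits them too.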

Additional Information

The name of this threat was derived by selecting fragments of the domain 'trafficconverter.biz', a string found in Worm:Win32/Conficker.A:

(fic)(con)(er) => (con)(fic)(+k)(er) => conficker

Analysis by Jireh Sanico


Symptoms

The following could indicate that you have this threat on your PC:

  • These services are disabled or fail to run on your PC:
    • Automatic Updates (the Windows Update service)
    • Background Intelligent Transfer Service
    • Windows Defender
    • Windows Error Reporting Service
  • You might not be able to log in, and the PC might flood the network with connections, because of the following registry change:
     
    In subkey: HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    Sets value: "TcpNumConnections"
    With data: "0x00FFFFFE"
     
  • You might not be able to connect to websites or online services that contain the following strings:
    • virus
    • spyware
    • malware
    • rootkit
    • defender
    • microsoft
    • symantec
    • norton
    • mcafee
    • trendmicro
    • sophos
    • panda
    • etrust
    • networkassociates
    • computerassociates
    • f-secure
    • kaspersky
    • jotti
    • f-prot
    • nod32
    • eset
    • grisoft
    • drweb
    • centralcommand
    • ahnlab
    • esafe
    • avast
    • avira
    • quickheal
    • comodo
    • clamav
    • ewido
    • fortinet
    • gdata
    • hacksoft
    • hauri
    • ikarus
    • k7computing
    • norman
    • pctools
    • prevx
    • rising
    • securecomputing
    • sunbelt
    • emsisoft
    • arcabit
    • cpsecure
    • spamhaus
    • castlecops
    • threatexpert
    • wilderssecurity
    • windowsupdate

Prevention


Alert level: Severe
First detected by definition: 1.49.1183.0
Latest detected by definition: 1.175.308.0 and higher
First detected on: Dec 30, 2008
This entry was first published on: Dec 30, 2008
This entry was updated on: Apr 14, 2014

This threat is also detected as:
  • TA08-297A (other)
  • CVE-2008-4250 (other)
  • VU827267 (other)
  • Win32/Conficker.A (CA)
  • Mal/Conficker-A (Sophos)
  • Trojan.Win32.Agent.bccs (Kaspersky)
  • W32.Downadup.B (Symantec)
  • Confickr (other)