Worm:Win32/Conficker.D


Microsoft security software detects and removes this threat.

This worm can stop some security products from working properly, such as your antivirus software.

It spreads using peer-to-peer (P2P) connections to infect any PC on your network. It can also infect removable drives (such as USB flash drives), and exploit weak passwords.



What to do now

The following free Microsoft software detects and removes this threat:

Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC.

Important recovery steps

Microsoft Help and Support has a detailed guide to removing a Conficker infection from an affected computer, either manually or by using the Malicious Software Removal Tool (MSRT).

For detailed instructions on how to manually remove Conficker, view the following article using an uninfected PC:

If your computer is infected by Conficker, it might not be able to connect to websites related to security applications and services that can help remove it (for example, downloading antivirus updates may fail). In this case you will need to use an uninfected computer to download any appropriate updates or tools and then transfer them to the infected computer. You should also:

More information about deploying MSRT in an enterprise environment can be found in the following article:

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.


Threat behavior

This is a worm that infects other computers across a network by exploiting a vulnerability in the Windows Server service (svchost.exe). If the vulnerability is successfully exploited, it could allow remote code execution when file sharing is enabled. It may also spread via removable drives and weak administrator passwords. It disables several important system services and security products.

Installation

This threat attempts to copy itself in the Windows system folder as a hidden DLL file using a random name. If the attempt fails, it may then attempt to copy itself into the following folders:

It creates the following registry entry to ensure that it is run whenever you start your PC:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<random string>"
With data: "rundll32.exe <system folder>\<malware file name>.dll,<malware parameters>"

It may also load itself as a service that is launched when the netsvcs group is loaded by the system file svchost.exe by adding the generated service to the default list of services found in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\netsvcs.

The service name it uses under the netsvcs group is generated by randomly picking and combining two phrases from each of the following lists:

List 1:
  • App
  • Audio
  • DM
  • ER
  • Event
  • help
  • Ias
  • Ir
  • Lanman
  • Net
  • Ntms
  • Ras
  • Remote
  • Sec
  • SR
  • Tapi
  • Trk
  • W32
  • win
  • Wmdm
  • Wmi
  • wsc
  • wuau
  • xml
List 2:
  • access
  • agent
  • auto
  • logon
  • man
  • mgmt
  • mon
  • prov
  • serv
  • Server
  • Service
  • Srv
  • srv
  • Svc
  • svc
  • System
  • Time

It can also load itself as a fake service by registering itself under the registry key HKLM\SYSTEM\CurrentControlSet\Services.

It can use a display name that is created by combining two of the following strings:

  • Boot
  • Center
  • Config
  • Driver
  • Helper
  • Image
  • Installer
  • Manager
  • Microsoft
  • Monitor
  • Network
  • Security
  • Server
  • Shell
  • Support
  • System
  • Task
  • Time
  • Universal
  • Update
  • Windows

It may also combine random characters to create the display name.
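As an added hunting aid (not part of Microsoft's write-up), the Python below reconstructs the name space that the two generator schemes above can produce and flags service entries that fall inside it. The baseline of legitimate netsvcs entries is illustrative only, and the sample service data is constructed.

```python
"""Hunt for Conficker.D-style generated service names in exported service data."""
from itertools import permutations

# Word lists documented for the netsvcs service name (List 1 + List 2).
LIST1 = ("App", "Audio", "DM", "ER", "Event", "help", "Ias", "Ir", "Lanman", "Net",
         "Ntms", "Ras", "Remote", "Sec", "SR", "Tapi", "Trk", "W32", "win", "Wmdm",
         "Wmi", "wsc", "wuau", "xml")
LIST2 = ("access", "agent", "auto", "logon", "man", "mgmt", "mon", "prov", "serv",
         "Server", "Service", "Srv", "srv", "Svc", "svc", "System", "Time")
# Word list documented for the fake service's display name (two strings combined).
DISPLAY_WORDS = ("Boot", "Center", "Config", "Driver", "Helper", "Image", "Installer",
                 "Manager", "Microsoft", "Monitor", "Network", "Security", "Server",
                 "Shell", "Support", "System", "Task", "Time", "Universal", "Update",
                 "Windows")
GENERATED_NAMES = {a + b for a in LIST1 for b in LIST2}
GENERATED_DISPLAY = {a + b for a, b in permutations(DISPLAY_WORDS, 2)}

# Illustrative baseline of legitimate netsvcs entries (assumption: a real hunt uses
# a baseline exported from a known-clean machine of the same build, not this list).
BASELINE = {"AppMgmt", "AudioSrv", "EventSystem", "helpsvc", "Netman", "Ntmssvc",
            "Rasauto", "Rasman", "Remoteaccess", "Seclogon", "SRService", "Tapisrv",
            "W32Time", "winmgmt", "wscsvc", "wuauserv", "xmlprov"}

def suspicious_services(services, baseline=BASELINE):
    """Return (service_name, reason) pairs for entries whose name or display name
    matches the worm's generator output. `services` is an iterable of
    (service_name, display_name) pairs, e.g. exported from a suspect machine's
    HKLM\\SYSTEM\\CurrentControlSet\\Services key."""
    findings = []
    for name, display in services:
        if name in GENERATED_NAMES and name not in baseline:
            findings.append((name, "netsvcs-style generated name not in baseline"))
        elif display in GENERATED_DISPLAY:
            findings.append((name, "display name built from two generator words"))
    return findings


# Constructed sample: legitimate entries plus two planted look-alikes.
SAMPLE = [
    ("wuauserv", "Automatic Updates"),
    ("Netman", "Network Connections"),
    ("Wmisvc", "Windows Management Instrumentation"),  # planted: Wmi + svc
    ("Browser", "Computer Browser"),
    ("hjkqw", "SecurityHelper"),  # planted: random name, generated display name
]

if __name__ == "__main__":
    for name, reason in suspicious_services(SAMPLE):
        print(f"{name}: {reason}")
```

Because many legitimate netsvcs names (wuauserv, Netman, AppMgmt) are themselves combinations from the two lists, the pattern match is only meaningful against a clean baseline.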

Payload

Ends services

This worm ends several important system services, such as the following:

  • Windows Security Center Service (wscsvc) – notifies you of security settings (for example, Windows update, Firewall and Antivirus)
  • Windows Update Auto Update Service (wuauserv)
  • Background Intelligence Transfer Service (BITS) – used by Windows Update to download updates using idle network bandwidth
  • Windows Defender (WinDefend)
  • Error Reporting Service (ersvc) – sends error reports to Microsoft to help improve user experience
  • Windows Error Reporting Service (wersvc)

Deletes registry values

Win32/Conficker.D deletes registry values for Windows Defender, Windows Security Center (WSC) and the Windows safe mode services list.

  • Deleting this value prevents Windows Defender from launching at Windows start:
    Deletes value: "Windows Defender"
    In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  • Deleting this value prevents WSC notifications or alerts from being displayed if the firewall or security programs are disabled (by the worm):
    Deletes value: {FD6905CE-952F-41F1-9A6F-135D9C6622CC}
    In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjects
  • Deleting this value removes the list of services that execute if Windows is started in safe mode:
    Deletes value: SafeBoot
    In subkey: HKLM\SYSTEM\CurrentControlSet\Control

Terminates processes

Win32/Conficker.D polls the process list once a second for process names containing the following strings and ends any that match:

  • autoruns - "Autoruns" program
  • avenger - kernel-mode security program
  • bd_rem - "bd_rem_tool_console.exe" & "bd_rem_tool_gui.exe" programs
  • cfremo - Enigma Software "cfremover.exe" program
  • confick - taken from the name "Conficker"
  • downad - taken from the "Downadup" alias of Conficker
  • filemon - "File Monitor" program
  • gmer - rootkit detection program
  • hotfix - security update
  • kb890 - Microsoft KB article, includes MSRT
  • kb958 - Microsoft KB article, includes MS08-067
  • kido - taken from the name "Kido", another "Conficker" alias
  • kill - utility used to end other processes
  • klwk - Kaspersky program
  • mbsa. - "Microsoft Baseline Security Analyzer" program
  • mrt. - "Microsoft Malicious Software Removal Tool" program
  • mrtstub - "Microsoft Malicious Software Removal Tool" program
  • ms08-06 - Microsoft Security Update MS08-067
  • procexp - "Process Explorer" program
  • procmon - "Process Monitor" program
  • regmon - "Registry Monitor" program
  • scct_ - Sophos Conficker Cleanup tool
  • stinger - McAfee tool
  • sysclean - Trend Micro tool
  • tcpview - tool used to view TCP connections and traffic
  • unlocker - tool used to unlock locked files or folders
  • wireshark - network protocol analyzer tool

Blocks access to web sites

Win32/Conficker.D hooks DNSAPI.DLL to prevent access to websites containing the following strings in the URL:

  • activescan
  • adware
  • agnitum
  • ahnlab
  • anti-
  • antivir
  • arcabit
  • avast
  • avgate
  • avira
  • av-sc*
  • bdtools*
  • bothunter
  • castlecops
  • ccollomb
  • centralcommand
  • clamav
  • comodo
  • computerassociates
  • conficker
  • cpsecure
  • cyber-ta
  • defender
  • downad
  • drweb
  • dslreports
  • emsisoft
  • esafe
  • eset
  • etrust
  • ewido
  • fortinet
  • f-prot
  • freeav
  • free-av
  • f-secure
  • gdata
  • grisoft
  • hackerwatch
  • hacksoft
  • hauri
  • ikarus
  • jotti
  • k7computing
  • kaspersky
  • kido
  • malware
  • mcafee
  • microsoft
  • mirage
  • mitre*
  • msftncsi
  • ms-mvp*
  • msmvps
  • mtc.sri
  • networkassociates
  • nod32
  • norman
  • norton
  • onecare
  • panda
  • pctools
  • precisesecurity
  • prevx
  • ptsecurity
  • quickheal
  • removal
  • rising
  • rootkit
  • safety.live
  • securecomputing
  • secureworks
  • sophos
  • spamhaus
  • spyware
  • sunbelt
  • symantec
  • technet
  • threat
  • threatexpert
  • trendmicro
  • trojan
  • virscan
  • virus
  • wilderssecurity
  • windowsupdate

Win32/Conficker.D may cause browser time-outs when you try to access websites with URLs containing any of the following strings:

  • avg.
  • avp.
  • bit9.
  • ca.
  • cert.
  • gmer.
  • kav.
  • llnw.
  • llnwd.
  • msdn.
  • msft.
  • nai.
  • sans.
  • vet.

Downloads files

Win32/Conficker.D obtains the current date/time from the following Web servers:

  • ask.com
  • baidu.com
  • facebook.com
  • google.com
  • imageshack.us
  • rapidshare.com
  • w3.org
  • yahoo.com

Starting on April 1, 2009, Win32/Conficker.D may once a day generate a set of 50,000 URLs from which to download files. The generated domains use one of the following top-level domains, spanning over 100 different countries, and the worm visits only 500 of the generated URLs within any 24-hour period:

  • .ac
  • .ae
  • .ag
  • .am
  • .as
  • .at
  • .be
  • .bo
  • .bz
  • .ca
  • .cd
  • .ch
  • .cl
  • .cn
  • .co.cr
  • .co.id
  • .co.il
  • .co.ke
  • .co.kr
  • .co.nz
  • .co.ug
  • .co.uk
  • .co.vi
  • .co.za
  • .com.ag
  • .com.ai
  • .com.ar
  • .com.bo
  • .com.br
  • .com.bs
  • .com.co
  • .com.do
  • .com.fj
  • .com.gh
  • .com.gl
  • .com.gt
  • .com.hn
  • .com.jm
  • .com.ki
  • .com.lc
  • .com.mt
  • .com.mx
  • .com.ng
  • .com.ni
  • .com.pa
  • .com.pe
  • .com.pr
  • .com.pt
  • .com.py
  • .com.sv
  • .com.tr
  • .com.tt
  • .com.tw
  • .com.ua
  • .com.uy
  • .com.ve
  • .cx
  • .cz
  • .dj
  • .dk
  • .dm
  • .ec
  • .es
  • .fm
  • .fr
  • .gd
  • .gr
  • .gs
  • .gy
  • .hk
  • .hn
  • .ht
  • .hu
  • .ie
  • .im
  • .in
  • .ir
  • .is
  • .kn
  • .kz
  • .la
  • .lc
  • .li
  • .lu
  • .lv
  • .ly
  • .md
  • .me
  • .mn
  • .ms
  • .mu
  • .mw
  • .my
  • .nf
  • .nl
  • .no
  • .pe
  • .pk
  • .pl
  • .ps
  • .ro
  • .ru
  • .sc
  • .sg
  • .sh
  • .sk
  • .su
  • .tc
  • .tj
  • .tl
  • .tn
  • .to
  • .tw
  • .us
  • .vc
  • .vn

Each generated domain name is first resolved to an IP address in dotted-decimal notation; for example, aaovt.com might resolve to 192.168.16.0.

After a successful download from a generated URL, Win32/Conficker.D lies dormant for four days before resuming its URL checks.
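As an added detection example (not part of this write-up), the Python below applies the figures given above to DNS query logs: a host that contacts a large number of distinct, mostly unregistered domains spread across the listed TLDs within a day stands out from normal browsing. The TLD set is a subset of the list above, the log line format and sample data are constructed, and the thresholds are assumptions to tune per environment.

```python
"""Hunt for Conficker.D-style domain-generation beaconing in DNS query logs."""
import random
from collections import defaultdict
# Subset of the TLDs documented for the worm (assumption: a real deployment loads
# the full list from the write-up; the subset keeps this example short).
CONFICKER_TLDS = (".ac", ".ae", ".at", ".be", ".ca", ".ch", ".cn", ".co.id", ".co.kr",
                  ".co.uk", ".co.za", ".com.ar", ".com.br", ".com.mx", ".cz", ".dk",
                  ".fr", ".hk", ".hu", ".in", ".kz", ".la", ".lv", ".ly", ".me", ".mn",
                  ".my", ".nl", ".no", ".pl", ".ru", ".sg", ".tw", ".us", ".vn")
TLDS_LONGEST_FIRST = sorted(CONFICKER_TLDS, key=len, reverse=True)


def listed_tld(qname):
    """Matching worm TLD for qname or None; longest suffix wins (.co.uk over .uk)."""
    q = qname.lower().rstrip(".")
    return next((t for t in TLDS_LONGEST_FIRST if q.endswith(t)), None)


def detect_dga_hosts(log_lines, min_domains=20, min_tlds=5, min_nx_ratio=0.8):
    """Client IPs that queried >= min_domains distinct names under >= min_tlds worm TLDs,
    mostly failing (NXDOMAIN). The worm tries up to 500 unregistered domains a day."""
    stats = defaultdict(lambda: {"names": set(), "tlds": set(), "nx": 0, "n": 0})
    for line in log_lines:
        parts = line.split()  # constructed line format: "<ts> <client> <qname> <rcode>"
        if len(parts) != 4 or (tld := listed_tld(parts[2])) is None:
            continue
        s = stats[parts[1]]
        s["names"].add(parts[2].lower())
        s["tlds"].add(tld)
        s["n"] += 1
        s["nx"] += parts[3] == "NXDOMAIN"
    return sorted(c for c, s in stats.items()
                  if len(s["names"]) >= min_domains and len(s["tlds"]) >= min_tlds
                  and s["nx"] / s["n"] >= min_nx_ratio)


def constructed_log():
    """Constructed sample: 30 failed lookups from one host, normal traffic from another."""
    rng = random.Random(2009)
    lines = []
    for i in range(30):
        label = "".join(rng.choice("abcdefghijklmnopqrstuvwxyz") for _ in range(7))
        lines.append(f"00:{i:02d} 10.0.0.7 {label}{rng.choice(CONFICKER_TLDS)} NXDOMAIN")
    lines += ["00:00 10.0.0.8 www.w3.org NOERROR", "00:01 10.0.0.8 mail.example.co.uk NOERROR"]
    return lines


if __name__ == "__main__":
    print("suspect hosts:", detect_dga_hosts(constructed_log()))  # ['10.0.0.7']
```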

Connects to other infected PCs via P2P network

Win32/Conficker.D can distribute and receive commands from other computers infected with Conficker.D via a built-in peer-to-peer (P2P) network. This mechanism could be used to distribute additional malware to and from infected machines.

To connect to other infected computers, Win32/Conficker.D opens four ports on each available network interface: two TCP and two UDP. The first TCP and UDP port numbers are calculated from the IP address of the network interface. The second TCP and UDP port numbers are calculated from the interface's IP address together with the current week, so this second pair of ports changes every week.

When calculating a port for the current week, Win32/Conficker.D attempts to determine the time in GMT so that all port changes occur at the same time.

Additional Information

The following are example SHA1 hash details for known Win32/Conficker.D versions:

  • 97256A110C2D1910278F057034B5716448DC04E8
  • 76B9A3D03A095B7841A0317FE8A6EAF74472E195

Analysis by Vincent Tiu, Aaron Putnam, and Jireh Sanico


Symptoms

The following could indicate that you have this threat on your PC:

  • The following services are disabled or don't work:
    • Windows Security Center Service (wscsvc) – notifies users of security settings (for example, Windows update, Firewall and Antivirus)
    • Windows Update Auto Update Service (wuauserv)
    • Background Intelligence Transfer Service (BITS) – used by Windows Update to download updates using idle network bandwidth
    • Windows Defender (WinDefend)
    • Error Reporting Service (ersvc) – sends error reports to Microsoft to help improve user experience
    • Windows Error Reporting Service (wersvc)
  • You may have trouble visiting some websites related to antivirus software, security software, and updates

Prevention


Alert level: Severe
First detected by definition: 1.53.197.0
Latest detected by definition: 1.173.2181.0 and higher
First detected on: Mar 07, 2009
This entry was first published on: Mar 07, 2009
This entry was updated on: Jun 30, 2014

This threat is also detected as:
  • Win32/Conficker.worm.88064 (AhnLab)
  • Win32.Worm.Downadup.Gen (BitDefender)
  • Win32/Conficker.C (CA)
  • Win32/Conficker.X (ESET)
  • Trojan.Win32.Pakes.ngs (Kaspersky)
  • W32/Conficker.worm.gen.c (McAfee)
  • W32/Conficker.D.worm (Panda)
  • W32/Confick-G (Sophos)
  • W32.Downadup.C (Symantec)