Follow:

 

Worm:Win32/Conficker.E


Worm:Win32/Conficker.E is a member of the Win32/Conficker family and was proactively detected when first discovered as Worm:Win32/Conficker.gen!A. Conficker.E acts as an update mechansim for previous variants of Win32/Conficker. This variant deletes its own executable on May 3 2009.
 
Microsoft strongly recommends that users apply the update referred to in  Security Bulletin MS08-067 immediately.
 
Microsoft also recommends that users ensure that their network passwords are strong to prevent this worm from spreading via weak administrator passwords. More information is available here.
 
Microsoft also recommends that users apply an update that changes the AutoPlay functionality in Windows to prevent this worm from spreading via USB drives. More information is available in the Microsoft Knowledgebase Article KB971029 .


What to do now

Microsoft strongly recommends that users apply the update referred to in  Security Bulletin MS08-067 immediately.
 
Microsoft also recommends that users ensure that their network passwords are strong to prevent this worm from spreading via weak administrator passwords. More information is available here .
 
Microsoft also recommends that users apply an update that changes the AutoPlay functionality in Windows to prevent this worm from spreading via USB drives. More information is available in the Microsoft Knowledgebase Article KB971029 .
 
Use the Microsoft Malicious Software Removal Tool, Microsoft Security Essentials, Microsoft Safety Scanner, or another up-to-date scanning and removal tool to detect and remove this threat and other unwanted software from your computer. For more information on Microsoft security products, see http://www.microsoft.com/protect/products/computer/default.mspx.
 
Note: Computers infected by Conficker may be unable to connect to Web sites related to security applications and services that may otherwise assist in the removal of this worm (for example, downloading antivirus updates may fail). In this case users will need to use an uninfected computer to download any appropriate updates or tools and then transfer these to the infected computer.
 
Microsoft Help and Support have provided a detailed guide to removing a Win32/Conficker infection from an affected computer:
For detailed instructions on how to manually remove Win32/Conficker, view the following article using an uninfected computer:
http://support.microsoft.com/kb/962007 - Virus alert for Win32/Conficker and manual removal instructions

Threat behavior

Worm:Win32/Conficker.E is a member of the Win32/Conficker family and was proactively detected when first discovered as Worm:Win32/Conficker.gen!A. Conficker.E acts as an update mechansim for previous variants of Win32/Conficker. This variant deletes its own executable on May 3 2009.
Installation
Worm:Win32/Conficker.E consists of the following components:
  • .EXE executable component (detected as Worm:Win32/Conficker.E) - used to install the dropper DLL to other remote machines already infected with the .B, .C or .D Conficker variants.
  • .DLL dropper component (detected as Worm:Win32/Conficker.E.dll) - used to drop the Payload DLL
  • .DLL payload component (detected as Worm:Win32/Conficker.E.dll) - used to perform most of the worm's payload (see Payload section below for additional detail).
Payload
Utilizes exploit (MS08-067) to install update on Conficker-infected machines
Win32/Conficker.E updates systems that are already infected by Conficker and as yet unpatched against a vulnerability in the Windows Server service (srvsvc). The vulnerability is documented in Microsoft Security Bulletin MS08-067. It checks if targets are already infected by the .B, .C, or .D Conficker variants by first checking the result from the NetpwPathCanonicalize API in 'netapi32.dll'. This variant only infects hosts that are already infected with one of these previous variants.
 
If the vulnerability is successfully exploited, the Conficker.E instructs the target computer to download the dropper DLL from the host computer via HTTP protocol using a TCP port (between 1024 and 9999) opened by the worm.
 
The dropper DLL then drops and loads the payload DLL. When the payload DLL (detected as Worm:Win32/Conficker.E.dll) is loaded, it attempts to copy itself to the local machine using a filename that is constructed from a hash of the affected machine's computer name. The filename will appear as a string of 5-9 lowercase letters, with a .dll file extension - for example 'xhyngr.dll'.
 
The DLL attempts to copy itself to the following locations, in the following order:
  1. System folder (typical path: C:\Windows\System32)
  2. One of the following 4 folders under the %ProgramFiles% folder:
    "Movie Maker"
    "Internet Explorer"
    "Windows Media Player"
    "Windows NT"
  3. %Application Data% folder (typical path: C:\Documents and Settings\Username\Application Data\ )
  4. The %temp% folder
Once successfully copied to one of these locations, Worm:Win32/Conficker.E.dll does not attempt to copy itself further to the other locations.
 
Worm:Win32/Conficker.E.dll then modifies the following registry entries to ensure that it is loaded at each Windows start (for example):
Adds value: "<random alphabetic string>"
With data: "rundll32 "<malware file name> .dll",<random alphabetic string>"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
 
Adds value: "<random alphabetic string>"
With data: "rundll32 "<malware file name> .dll",<random alphabetic string>"
To subkey:HKCU\Software\Microsoft\Windows\CurrentVersion\Run
 
The DLL component - Win32/Conficker.E.dll - patches the NetpwPathCanonicalize API in the DLL NETAPI32.DLL to prevent the vulnerability from being further exploited by other remote agents.
 
Modifies System Settings - Patches TCP/IP Driver
Win32/Conficker.E patches the TCP/IP driver 'tcpip.sys' in memory to increase and maximize the number of connections allowed (connection limit) on the infected computer. The worm uses this method of patching to bypass Windows File Protection.
 
Terminates Services
Win32/Conficker.E.dll terminates several important system services, such as the following:
  • Windows Security Center Service (wscsvc) – notifies users of security settings (e.g. Windows update, Firewall and Antivirus)
  • Windows Update Auto Update Service (wuauserv)
  • Background Intelligence Transfer Service (BITS) – used by Windows Update to download updates using idle network bandwidth
  • Windows Defender (WinDefend)
  • Error Reporting Service (ersvc) – sends error reports to Microsoft to help improve user experience
  • Windows Error Reporting Service (wersvc)
 
Terminates Processes
Win32/Conficker.E.dll polls the process list every one second for these strings and, if found, terminates the process:
 
autoruns - "Autoruns" program
avenger - kernel-mode security program
bd_rem - "bd_rem_tool_console.exe" & "bd_rem_tool_gui.exe" programs
cfremo - Enigma Software "cfremover.exe" program
confick - Presumably targeting Conficker removal tools
downad - Presumably targeting Conficker removal tools
dwndp - Symantec tool "fixdwndp.exe"
filemon - "File Monitor" program
gmer - rootkit detection program
hotfix - security update
kb890 - Microsoft KB article, includes MSRT
kb958 - Microsoft KB article, includes MS08-067
kido - taken from the name 'Kido', another 'Conficker' alias
kill - utility used to terminate other processes
klwk - Kaspersky program
mbsa. - "Microsoft Baseline Security Analyzer" program
mrt. - "Microsoft Malicious Software Removal Tool" program
mrtstub - "Microsoft Malicious Software Removal Tool" program
ms08 - Microsoft Security Updates released in 2008
ms09 - Microsoft Security Updates released in 2009
procexp - "Process Explorer" program
procmon - "Process Monitor" program
regmon - "Registry Monitor" program
scct_ - Sophos Conficker Cleanup tool
stinger - McAfee tool
sysclean - Trend Micro tool
tcpview - tool used to view TCP connection and traffic
unlocker - tool used to unlock locked files or folders
wireshark - network protocol analyzer tool
 
Blocks Access to Particular Web sites/IP Ranges
Win32/Conficker.E blocks access to domains in certain IP ranges. In addition, the worm hooks 'dnsapi.dll' to prevent access to Web sites containing the following strings in the URL:
 
activescan
adware
agnitum
ahnlab
anti-
antivir
arcabit
av-sc
avast
avgate
avira
bdtools
bothunter
castlecops
ccollomb
centralcommand
clamav
comodo
computerassociates
confick
coresecur
cpsecure
cyber-ta
defender
downad
doxpara
drweb
dslreports
emsisoft
enigma
esafe
eset
etrust
ewido
f-prot
f-secure
fortinet
free-av
freeav
fsecure
gdata
grisoft
hackerwatch
hacksoft
hauri
honey
ikarus
insecure.
iv.cs.uni
jotti
k7computing
kaspersky
kido
malware
mcafee
microsoft
mirage
mitre.
ms-mvp
msftncsi
msmvps
mtc.sri
ncircle
networkassociates
nmap.
nod32
norman
norton
onecare
panda
pctools
precisesecurity
prevx
ptsecurity
qualys
quickheal
removal
rising
rootkit
safety.live
secunia
securecomputing
secureworks
snort
sophos
spamhaus
spyware
staysafe
sunbelt
symantec
technet
tenablese
threat
threatexpert
trendmicro
trojan
virscan
virus
wilderssecurity
windowsupdate
 
Worm:Win32/Conficker.E.dll may cause browser time-outs when a user attempts to access Web sites with URLs containing any of the following strings:
 
avg.
avp.
bit9.
ca.
cert.
gmer.
kav.
llnw.
llnwd.
msdn.
msft.
nai.
sans.
vet.
 
Distributes and Receives Remote Commands Via Distributed P2P Network
Worm:Win32/Conficker.E can distribute and receive commands from other computers infected by particular Win32/Conficker variants via a built-in peer-to-peer (P2P) network. This mechanism could be used to distribute additional malware to and from infected machines.
 
To connect to other infected computers, Win32/Conficker.E opens four ports on each available network interface. It opens two TCP and two UDP ports. The port numbers of the first TCP and UDP ports are calculated based on the IP address of the network interface. The second TCP and UDP ports are calculated based on the IP address of the network interface as well as the current week, leading to this second set of ports to change on a weekly basis. In short, while the first set of ports is constant and remain open week after week, the second set changes weekly.
 
When computing for the current week, Win32/Conficker.E attempts to determine the time in GMT so that all port changes occur at the same time.
 
Both TCP listening ports behave in an identical fashion, as do both UDP listening ports. These ports are used by an infected computer to communicate with other computers also infected with Win32/Conficker.
Additional Information
Win32/Conficker.E executes a self-termination routine when the date is May 3 2009. The worm deletes its main executable component on this date. However the DLL payload component (detected as Worm:Win32/Conficker.E.dll) remains to continue participating in P2P communication among infected peers.
 
Win32/Conficker.E periodically checks for Internet connectivity by connecting to the following Web sites:
 
www.aol.com
www.cnn.com
www.ebay.com
www.msn.com
www.myspace.com
 
Win32/Conficker.E also periodically connects to one of the following sites (at random) to determine its external IP address:
 
checkip.dyndns.org
checkip.dyndns.com
www.myipaddress.com
www.findmyipaddress.com
www.ipaddressworld.com
www.findmyip.com
www.ipdragon.com
www.whatsmyipaddress.com
 
Analysis by Aaron Putnam

Symptoms

System Changes
The following system changes may indicate the presence of this malware:
  • The lack of response from, or the termination of, the following services:
    • Windows Security Center Service (wscsvc) – notifies users of security settings (e.g. Windows update, Firewall and Antivirus)
    • Windows Update Auto Update Service (wuauserv)
    • Background Intelligence Transfer Service (BITS) – used by Windows Update to download updates using idle network bandwidth
    • Windows Defender (WinDefend)
    • Error Reporting Service (ersvc) – sends error reports to Microsoft to help improve user experience
    • Windows Error Reporting Service (wersvc)
  • Users may not be able to run applications with names containing the following strings:

    autoruns
    avenger
    bd_rem
    cfremo
    confick
    downad
    dwndp
    filemon
    gmer
    hotfix
    kb890
    kb958
    kido
    kill
    klwk
    mbsa.
    mrt.
    mrtstub
    ms08
    ms09
    procexp
    procmon
    regmon
    scct_
    stinger
    sysclean
    tcpview
    unlocker
    wireshark
  • Users may not be able to browse certain security-related Web sites with URLs that contain any of the following strings:
 
    activescan
    adware
    agnitum
    ahnlab
    anti-
    antivir
    arcabit
    av-sc
    avast
    avgate
    avira
    bdtools
    bothunter
    castlecops
    ccollomb
    centralcommand
    clamav
    comodo
    computerassociates
    confick
    coresecur
    cpsecure
    cyber-ta
    defender
    downad
    doxpara
    drweb
    dslreports
    emsisoft
    enigma
    esafe
    eset
    etrust
    ewido
    f-prot
    f-secure
    fortinet
    free-av
    freeav
    fsecure
    gdata
    grisoft
    hackerwatch
    hacksoft
    hauri
    honey
    ikarus
    insecure.
    iv.cs.uni
    jotti
    k7computing
    kaspersky
    kido
    malware
    mcafee
    microsoft
    mirage
    mitre.
    ms-mvp
    msftncsi
    msmvps
    mtc.sri
    ncircle
    networkassociates
    nmap.
    nod32
    norman
    norton
    onecare
    panda
    pctools
    precisesecurity
    prevx
    ptsecurity
    qualys
    quickheal
    removal
    rising
    rootkit
    safety.live
    secunia
    securecomputing
    secureworks
    snort
    sophos
    spamhaus
    spyware
    staysafe
    sunbelt
    symantec
    technet
    tenablese
    threat
    threatexpert
    trendmicro
    trojan
    virscan
    virus
    wilderssecurity
    windowsupdate
     
  • Users may experience a Web browser time-out error when attempting to access URLs containing the following strings:

    avg.
    avp.
    bit9.
    ca.
    cert.
    gmer.
    kav.
    llnw.
    llnwd.
    msdn.
    msft.
    nai.
    sans.
    vet.

Prevention


Alert level: Severe
First detected by definition: 1.55.1418.0
Latest detected by definition: 1.173.2181.0 and higher
First detected on: Apr 10, 2009
This entry was first published on: Apr 09, 2009
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • Win32/Conficker.worm.119296 (AhnLab)
  • Win32.Worm.Downadup.A (BitDefender)
  • Win32/Conficker.A (CA)
  • W32/Conficker.G (Command)
  • Win32/Conficker.AQ (ESET)
  • Trojan-Dropper.Win32.Kido.o (Kaspersky)
  • Net-Worm.Win32.Kido.js (Kaspersky)
  • W32/Conficker.worm.gen.d (McAfee)
  • W32/Confick-D (Sophos)
  • W32.Downadup (Symantec)
  • Trojan.DR.Kido.CE (VirusBuster)
  • Worm:Win32/Conficker.gen!A (Microsoft)
  • Worm:Win32/Conficker.E.dll (Microsoft)