Worm:Win32/Conficker.E.dll


Worm:Win32/Conficker.E.dll is a component of the Win32/Conficker family. It is installed on machines already infected with the Conficker.B, .C, or .D variants, as an update delivered by Worm:Win32/Conficker.E's payload.
 
Microsoft strongly recommends that users apply the update referred to in Security Bulletin MS08-067 immediately.
 
Microsoft also recommends that users ensure that their network passwords are strong to prevent this worm from spreading via weak administrator passwords. More information is available here.
 
Microsoft also recommends that users apply an update that changes the AutoPlay functionality in Windows to prevent this worm from spreading via USB drives. More information is available in Microsoft Knowledge Base article KB971029.


What to do now

 
To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as Microsoft Security Essentials, or the Microsoft Safety Scanner. For more information about using antivirus software, see http://www.microsoft.com/security/antivirus/av.aspx.
 
Note: Computers infected by Conficker may be unable to connect to Web sites related to security applications and services that may otherwise assist in the removal of this worm (for example, downloading antivirus updates may fail). In this case users will need to use an uninfected computer to download any appropriate updates or tools and then transfer these to the infected computer.
 
Microsoft Help and Support have provided a detailed guide to removing a Win32/Conficker infection from an affected computer.
For detailed instructions on how to manually remove Win32/Conficker, view the following article using an uninfected computer:
http://support.microsoft.com/kb/962007 - Virus alert for Win32/Conficker and manual removal instructions
 

Threat behavior

Installation
Win32/Conficker.E.dll is delivered by Worm:Win32/Conficker.E to systems that are already infected by Conficker and as yet unpatched against a vulnerability in the Windows Server service (srvsvc). The vulnerability is documented in Microsoft Security Bulletin MS08-067.
 
Worm:Win32/Conficker.E checks whether a target is already infected by the .B, .C or .D Conficker variants by first checking the result returned by the NetpwPathCanonicalize API in 'netapi32.dll'. If the target is already infected and the vulnerability is successfully exploited, Worm:Win32/Conficker.E instructs the target computer to download a dropper DLL (also detected as Worm:Win32/Conficker.E.dll) from the host computer over HTTP, on a TCP port (between 1024 and 9999) opened by the worm.
 
The dropper DLL then drops and loads the second DLL (detected as Worm:Win32/Conficker.E.dll).
 
When this second DLL is loaded, it attempts to copy itself to the local machine using a file name that is constructed from a hash of the affected machine's computer name. The file name appears as a string of 5-9 lowercase letters, with a .dll file extension - for example 'xhyngr.dll'.
 
The DLL attempts to copy itself to the following locations, in the following order:
  1. System folder (typical path: C:\Windows\System32)
  2. One of the following 4 folders under the %ProgramFiles% folder:
    "Movie Maker"
    "Internet Explorer"
    "Windows Media Player"
    "Windows NT"
  3. %Application Data% folder (typical path: C:\Documents and Settings\Username\Application Data\)
  4. The %temp% folder
 
Once successfully copied to one of these locations, Worm:Win32/Conficker.E.dll does not attempt to copy itself further to the other locations.
 
Worm:Win32/Conficker.E.dll then modifies the following registry entries to ensure that it is loaded at each Windows start (for example):
Adds value: "<random alphabetic string>"
With data: "rundll32 "<malware file name>.dll",<random alphabetic string>"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
 
Adds value: "<random alphabetic string>"
With data: "rundll32 "<malware file name>.dll",<random alphabetic string>"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
 
Win32/Conficker.E.dll also patches the NetpwPathCanonicalize API in the file 'netapi32.dll' to prevent the vulnerability from being further exploited by other remote agents.
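As an added triage example (not code from this write-up or from Microsoft), the following Python script checks Run-key values for the persistence pattern described above: a rundll32 command that loads a DLL whose name is 5-9 lowercase letters, placed in one of the listed drop locations, with an alphabetic export name and an alphabetic value name. The sample entries are constructed for the example; on a Windows host, the added helper read_live_run_keys() reads the real HKLM and HKCU Run keys instead.

```python
"""Added triage example (not Microsoft's tooling): flag Run-key values that
match the persistence pattern described for Worm:Win32/Conficker.E.dll."""
import ntpath
import re
import sys

# Drop locations from the write-up, lower-cased and without a drive letter.
# The last two are matched as path suffixes (%Application Data%, %temp%).
DROP_DIRS = (
    r"\windows\system32",
    r"\program files\movie maker",
    r"\program files\internet explorer",
    r"\program files\windows media player",
    r"\program files\windows nt",
    r"\application data",
    r"\temp",
)

# rundll32 "<path>\<5-9 lowercase letters>.dll",<alphabetic export name>
RUN_VALUE_RE = re.compile(
    r'^(?i:rundll32)(?:\.exe)?\s+"?'
    r'(?P<path>[^",]+?\\(?P<name>[a-z]{5,9})\.dll)"?'
    r'\s*,\s*(?P<export>[A-Za-z]+)\s*$'
)


def classify_run_value(data):
    """Return details if a Run value matches the pattern, else None."""
    m = RUN_VALUE_RE.match(data.strip())
    if m is None:
        return None
    directory = ntpath.dirname(m.group("path")).lower()
    if len(directory) >= 2 and directory[1] == ":":
        directory = directory[2:]          # drop the drive letter
    return {
        "path": m.group("path"),
        "dll_name": m.group("name"),
        "export": m.group("export"),
        "in_drop_dir": any(directory.endswith(d) for d in DROP_DIRS),
    }


def scan_run_entries(entries):
    """entries: iterable of (hive, value_name, data). Returns the matches,
    each tagged with whether the value name is purely alphabetic too."""
    findings = []
    for hive, value_name, data in entries:
        hit = classify_run_value(data)
        if hit is None:
            continue
        hit.update(hive=hive, value_name=value_name,
                   value_name_alphabetic=value_name.isalpha())
        findings.append(hit)
    return findings


def read_live_run_keys():
    """Read both Run keys on a live Windows host; returns [] elsewhere."""
    if sys.platform != "win32":
        return []
    import winreg
    subkey = r"Software\Microsoft\Windows\CurrentVersion\Run"
    entries = []
    for hive_name, hive in (("HKLM", winreg.HKEY_LOCAL_MACHINE),
                            ("HKCU", winreg.HKEY_CURRENT_USER)):
        try:
            key = winreg.OpenKey(hive, subkey)
        except OSError:
            continue
        with key:
            index = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, index)
                except OSError:          # no more values
                    break
                entries.append((hive_name, name, str(data)))
                index += 1
    return entries


# Constructed sample entries (not taken from a real infection).
SAMPLE_ENTRIES = [
    ("HKLM", "qxtrbn", 'rundll32 "C:\\Windows\\System32\\xhyngr.dll",qxtrbn'),
    ("HKCU", "jklmop", 'rundll32 "C:\\Program Files\\Movie Maker\\abcdefg.dll",jklmop'),
    ("HKLM", "SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
    ("HKCU", "Updater", 'rundll32 "C:\\Users\\alice\\AppData\\Local\\Vendor\\Updater.dll",Run'),
]

if __name__ == "__main__":
    for f in scan_run_entries(read_live_run_keys() or SAMPLE_ENTRIES):
        print(f["hive"], f["value_name"], "->", f["path"],
              "(drop dir)" if f["in_drop_dir"] else "", f["export"])
```

The file-name heuristic on its own is weak, since a legitimate DLL with a short all-lowercase name in System32 would also match it; the combination of a drop directory, a random alphabetic export and a random alphabetic value name is the signal to act on, and any hit should be confirmed with a scan from an up-to-date product as the "What to do now" section describes.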
Payload
Terminates Services
Win32/Conficker.E.dll terminates several important system services, such as the following:
  • Windows Security Center Service (wscsvc) – notifies users of security settings (e.g. Windows update, Firewall and Antivirus)
  • Windows Update Auto Update Service (wuauserv)
  • Background Intelligence Transfer Service (BITS) – used by Windows Update to download updates using idle network bandwidth
  • Windows Defender (WinDefend)
  • Error Reporting Service (ersvc) – sends error reports to Microsoft to help improve user experience
  • Windows Error Reporting Service (wersvc)
Terminates Processes
Win32/Conficker.E.dll polls the process list once per second for the following strings and terminates any process whose name contains one of them:
 
autoruns - "Autoruns" program
avenger - kernel-mode security program
bd_rem - "bd_rem_tool_console.exe" & "bd_rem_tool_gui.exe" programs
cfremo - Enigma Software "cfremover.exe" program
confick - Presumably targeting Conficker removal tools
downad - Presumably targeting Conficker removal tools
dwndp - Symantec tool "fixdwndp.exe"
filemon - "File Monitor" program
gmer - rootkit detection program
hotfix - security update
kb890 - Microsoft KB article, includes MSRT
kb958 - Microsoft KB article, includes MS08-067
kido - taken from the name 'Kido', another 'Conficker' alias
kill - utility used to terminate other processes
klwk - Kaspersky program
mbsa. - "Microsoft Baseline Security Analyzer" program
mrt. - "Microsoft Malicious Software Removal Tool" program
mrtstub - "Microsoft Malicious Software Removal Tool" program
ms08 - Microsoft Security Updates released in 2008
ms09 - Microsoft Security Updates released in 2009
procexp - "Process Explorer" program
procmon - "Process Monitor" program
regmon - "Registry Monitor" program
scct_ - Sophos Conficker Cleanup tool
stinger - McAfee tool
sysclean - Trend Micro tool
tcpview - tool used to view TCP connection and traffic
unlocker - tool used to unlock locked files or folders
wireshark - network protocol analyzer tool
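As an added example covering both the service list and the process kill list above (not code from this write-up or from Microsoft), the following Python script reads `sc query`-style output to report which of the targeted services are not running, and checks a tool's file name against the kill-list substrings before it is launched on a suspect host. The `sc query` text is constructed for the example; the assumption that the worm's substring comparison is case-insensitive is marked in the code.

```python
"""Added triage example (not Microsoft's tooling): from `sc query` style
output, list which of the services Conficker.E.dll stops are not running,
and check a tool's file name against the process-name kill list."""
import re

# Short names of the services the write-up says the worm terminates.
TARGETED_SERVICES = ("wscsvc", "wuauserv", "bits", "windefend", "ersvc", "wersvc")

# Substrings the worm polls the process list for, once per second.
KILL_LIST = (
    "autoruns", "avenger", "bd_rem", "cfremo", "confick", "downad", "dwndp",
    "filemon", "gmer", "hotfix", "kb890", "kb958", "kido", "kill", "klwk",
    "mbsa.", "mrt.", "mrtstub", "ms08", "ms09", "procexp", "procmon",
    "regmon", "scct_", "stinger", "sysclean", "tcpview", "unlocker",
    "wireshark",
)

SERVICE_RE = re.compile(r"^\s*SERVICE_NAME:\s*(\S+)", re.MULTILINE)
STATE_RE = re.compile(r"^\s*STATE\s*:\s*\d+\s+(\w+)", re.MULTILINE)


def parse_sc_query(text):
    """Map lower-cased service name -> state word (RUNNING, STOPPED, ...)
    from the one-block-per-service text printed by `sc query state= all`."""
    states = {}
    matches = list(SERVICE_RE.finditer(text))
    for i, m in enumerate(matches):
        # Only look for the STATE line inside this service's own block.
        end = matches[i + 1].start() if i + 1 < len(matches) else len(text)
        state = STATE_RE.search(text, m.end(), end)
        if state:
            states[m.group(1).lower()] = state.group(1).upper()
    return states


def targeted_services_not_running(states):
    """Targeted services whose state is anything but RUNNING, or that are
    absent from the listing, as {name: state}."""
    return {svc: states.get(svc, "NOT LISTED") for svc in TARGETED_SERVICES
            if states.get(svc) != "RUNNING"}


def kill_list_matches(filename):
    """Kill-list substrings found in a file or process name. Assumption:
    the worm's comparison is case-insensitive, so the name is lower-cased."""
    lowered = filename.lower()
    return [s for s in KILL_LIST if s in lowered]


# Constructed sample in the shape of `sc query state= all` output.
SAMPLE_SC_QUERY = """\
SERVICE_NAME: wscsvc
DISPLAY_NAME: Security Center
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 0  (0x0)

SERVICE_NAME: wuauserv
DISPLAY_NAME: Automatic Updates
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 0  (0x0)

SERVICE_NAME: BITS
DISPLAY_NAME: Background Intelligent Transfer Service
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
        WIN32_EXIT_CODE    : 0  (0x0)

SERVICE_NAME: Spooler
DISPLAY_NAME: Print Spooler
        TYPE               : 110  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
        WIN32_EXIT_CODE    : 0  (0x0)
"""

if __name__ == "__main__":
    down = targeted_services_not_running(parse_sc_query(SAMPLE_SC_QUERY))
    for svc, state in down.items():
        print(f"{svc}: {state}")
    for tool in ("mrt.exe", "Procmon.exe", "KB958644.exe", "pm_x.exe"):
        print(tool, "->", kill_list_matches(tool) or "not on kill list")
```

A service reported as NOT LISTED is not necessarily a symptom (Windows Defender, for instance, is not present on every Windows version), so compare against a known-good host of the same build. The kill-list check explains why the write-up advises using an uninfected computer to obtain tools: a removal tool whose file name matches one of these strings is terminated within a second of starting on an infected host.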
 
Blocks Access to Particular Web sites/IP Ranges
Win32/Conficker.E.dll blocks access to domains in certain IP ranges. In addition, the worm hooks 'dnsapi.dll' to prevent access to Web sites containing the following strings in the URL:
 
activescan
adware
agnitum
ahnlab
anti-
antivir
arcabit
av-sc
avast
avgate
avira
bdtools
bothunter
castlecops
ccollomb
centralcommand
clamav
comodo
computerassociates
confick
coresecur
cpsecure
cyber-ta
defender
downad
doxpara
drweb
dslreports
emsisoft
enigma
esafe
eset
etrust
ewido
f-prot
f-secure
fortinet
free-av
freeav
fsecure
gdata
grisoft
hackerwatch
hacksoft
hauri
honey
ikarus
insecure.
iv.cs.uni
jotti
k7computing
kaspersky
kido
malware
mcafee
microsoft
mirage
mitre.
ms-mvp
msftncsi
msmvps
mtc.sri
ncircle
networkassociates
nmap.
nod32
norman
norton
onecare
panda
pctools
precisesecurity
prevx
ptsecurity
qualys
quickheal
removal
rising
rootkit
safety.live
secunia
securecomputing
secureworks
snort
sophos
spamhaus
spyware
staysafe
sunbelt
symantec
technet
tenablese
threat
threatexpert
trendmicro
trojan
virscan
virus
wilderssecurity
windowsupdate
 
Worm:Win32/Conficker.E.dll may cause browser time-outs when a user attempts to access Web sites with URLs containing any of the following strings:
 
avg.
avp.
bit9.
ca.
cert.
gmer.
kav.
llnw.
llnwd.
msdn.
msft.
nai.
sans.
vet.
 
Distributes and Receives Remote Commands Via Distributed P2P Network
Worm:Win32/Conficker.E.dll can distribute and receive commands from other computers infected by particular Win32/Conficker variants via a built-in peer-to-peer (P2P) network. This mechanism could be used to distribute additional malware to and from infected machines.
 
To connect to other infected computers, Win32/Conficker.E.dll opens four ports on each available network interface: two TCP and two UDP. The port numbers of the first TCP and UDP ports are calculated from the IP address of the network interface. The second TCP and UDP ports are calculated from the IP address of the network interface and the current week, so this second pair of ports changes weekly. In short, the first pair of ports is constant and remains open week after week, while the second pair changes every week.
 
When computing the current week, Win32/Conficker.E.dll attempts to determine the time in GMT so that all infected computers change ports at the same time.
 
Both TCP listening ports behave in an identical fashion, as do both UDP listening ports. These ports are used by an infected computer to communicate with other computers also infected with Win32/Conficker.
 
Analysis by Aaron Putnam

Symptoms

System Changes
The following system changes may indicate the presence of this malware:
  • The lack of response from, or the termination of, the following services:
    • Windows Security Center Service (wscsvc) – notifies users of security settings (e.g. Windows update, Firewall and Antivirus)
    • Windows Update Auto Update Service (wuauserv)
    • Background Intelligence Transfer Service (BITS) – used by Windows Update to download updates using idle network bandwidth
    • Windows Defender (WinDefend)
    • Error Reporting Service (ersvc) – sends error reports to Microsoft to help improve user experience
    • Windows Error Reporting Service (wersvc)
  • Users may not be able to run applications whose names contain the following strings:

    autoruns
    avenger
    bd_rem
    cfremo
    confick
    downad
    dwndp
    filemon
    gmer
    hotfix
    kb890
    kb958
    kido
    kill
    klwk
    mbsa.
    mrt.
    mrtstub
    ms08
    ms09
    procexp
    procmon
    regmon
    scct_
    stinger
    sysclean
    tcpview
    unlocker
    wireshark
  • Users may not be able to browse certain security-related Web sites with URLs that contain any of the following strings:

    activescan
    adware
    agnitum
    ahnlab
    anti-
    antivir
    arcabit
    av-sc
    avast
    avgate
    avira
    bdtools
    bothunter
    castlecops
    ccollomb
    centralcommand
    clamav
    comodo
    computerassociates
    confick
    coresecur
    cpsecure
    cyber-ta
    defender
    downad
    doxpara
    drweb
    dslreports
    emsisoft
    enigma
    esafe
    eset
    etrust
    ewido
    f-prot
    f-secure
    fortinet
    free-av
    freeav
    fsecure
    gdata
    grisoft
    hackerwatch
    hacksoft
    hauri
    honey
    ikarus
    insecure.
    iv.cs.uni
    jotti
    k7computing
    kaspersky
    kido
    malware
    mcafee
    microsoft
    mirage
    mitre.
    ms-mvp
    msftncsi
    msmvps
    mtc.sri
    ncircle
    networkassociates
    nmap.
    nod32
    norman
    norton
    onecare
    panda
    pctools
    precisesecurity
    prevx
    ptsecurity
    qualys
    quickheal
    removal
    rising
    rootkit
    safety.live
    secunia
    securecomputing
    secureworks
    snort
    sophos
    spamhaus
    spyware
    staysafe
    sunbelt
    symantec
    technet
    tenablese
    threat
    threatexpert
    trendmicro
    trojan
    virscan
    virus
    wilderssecurity
    windowsupdate
  • Users may experience a Web browser time-out error when attempting to access URLs containing the following strings:

    avg.
    avp.
    bit9.
    ca.
    cert.
    gmer.
    kav.
    llnw.
    llnwd.
    msdn.
    msft.
    nai.
    sans.
    vet.

Prevention


Alert level: Severe
First detected by definition: 1.55.1418.0
Latest detected by definition: 1.173.2181.0 and higher
First detected on: Apr 10, 2009
This entry was first published on: May 12, 2009
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • Win32/Downadup.worm.87040 (AhnLab)
  • Trojan-Downloader.Win32.Kido.ab (Kaspersky)
  • W32/Malware.GFFJ (Norman)
  • Troj/ConfDr-C (Sophos)
  • Win32/Conficer.AQ (ESET)
  • Win32/Conficker.D (other)
  • W32.Downadup.C (Symantec)