Worm:Win32/Conficker.A


Worm:Win32/Conficker.A is a worm that infects other computers across a network by exploiting a vulnerability in the Windows Server service (SVCHOST.EXE). If the vulnerability is successfully exploited, it could allow remote code execution when file sharing is enabled.
 
Microsoft strongly recommends that users apply the update referred to in Security Bulletin MS08-067 immediately.
 
Microsoft also recommends that users ensure that their network passwords are strong to prevent this worm from spreading via weak administrator passwords. More information is available here.
 
Microsoft also recommends that users apply an update that changes the AutoPlay functionality in Windows to prevent this worm from spreading via USB drives. More information is available in Microsoft Knowledge Base article KB971029.


What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an up-to-date antivirus product such as the following:
 
 
For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.
 
Note: Computers infected by Conficker may be unable to connect to web sites related to security applications and services that may otherwise assist in the removal of this worm (for example, downloading antivirus updates may fail). In this case users will need to use an uninfected computer in order to download any appropriate updates or tools and then transfer these to the infected computer.
 
Microsoft Help and Support have provided a detailed guide to removing Win32/Conficker infection from an affected computer, either manually or by using the MSRT (Malicious Software Removal Tool).
 
For detailed instructions on how to manually remove Win32/Conficker, view the following article using an uninfected computer:
http://support.microsoft.com/kb/962007 - Virus alert for Win32/Conficker and manual removal instructions
 
Additional information on deploying MSRT in an enterprise environment can be found here:
http://support.microsoft.com/kb/891716 - Deployment of MSRT in an enterprise environment

Threat behavior

Installation
This worm searches for the Windows executable 'services.exe' and will inject itself into it.
This worm copies itself to the Windows system folder as <random>.dll where <random> is a 5-8 character lowercase alphabetic name such as 'nxyme.dll'.
 
The worm adjusts the file time of the dropped DLL worm copy to the same as the system's kernel32.dll file time to mask forensic evidence of infection time. The registry is modified to execute the dropped DLL worm copy as a service.
 
Adds value: "DisplayName"
With data: "0"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\vcdrlxeu
 
Adds value: "ServiceDll"
With data: "<system folder>\nxyme.dll"
To subkey: HKLM\SYSTEM\ControlSet001\Services\vcdrlxeu\Parameters
 
Once a machine has been infected, the worm patches the exploited function via a simple code hook to prevent re-infecting a machine it has already compromised. The worm opens and listens for connection attempts on a randomly chosen port between 1024 and 10000 and bypasses the Windows Firewall using APIs. The worm also stops the Internet Connection Sharing service.
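The installation traits described above (a 5-8 letter lowercase DLL in the system folder, its timestamp copied from kernel32.dll, a random service key name, a DisplayName of "0") can be turned into a host-triage heuristic. This is an added example, not part of the Microsoft description; the ServiceRecord shape, the three-trait threshold and the sample records are constructed assumptions, and the records would in practice be exported from the Services registry hive of the machine being examined.

```python
import re
from dataclasses import dataclass
from datetime import datetime

SYSTEM_DIR = r"C:\Windows\System32"
# 5-8 lowercase letters plus ".dll", the naming pattern described for the dropped copy
RANDOM_NAME = re.compile(r"^[a-z]{5,8}\.dll$")

@dataclass
class ServiceRecord:
    # Hypothetical export of one Services\<name> key: key name, DisplayName,
    # Parameters\ServiceDll, and the last-write time of that DLL on disk.
    name: str
    display_name: str
    service_dll: str
    dll_mtime: datetime

def conficker_traits(rec: ServiceRecord, kernel32_mtime: datetime) -> list:
    """List the Conficker.A installation traits a single service record exhibits."""
    folder, _, filename = rec.service_dll.rpartition("\\")
    traits = []
    if folder.lower() == SYSTEM_DIR.lower() and RANDOM_NAME.match(filename):
        traits.append("ServiceDll is a random 5-8 letter DLL in the system folder")
    if rec.dll_mtime == kernel32_mtime:
        traits.append("DLL last-write time identical to kernel32.dll (timestomping)")
    if rec.display_name.strip() == "0":
        traits.append("DisplayName is the literal string '0'")
    if RANDOM_NAME.match(rec.name.lower() + ".dll"):
        traits.append("service key name is itself 5-8 random letters")
    return traits

def suspicious_services(records, kernel32_mtime, min_traits=3):
    """Services showing at least min_traits indicators. One or two traits are common
    on clean hosts: many Windows DLLs have short lowercase names or share kernel32's build time."""
    hits = {}
    for rec in records:
        traits = conficker_traits(rec, kernel32_mtime)
        if len(traits) >= min_traits:
            hits[rec.name] = traits
    return hits

# Constructed sample data: two legitimate services (each showing two traits, which
# is why the threshold is three) and one modelled on the vcdrlxeu / nxyme.dll example.
K32_MTIME = datetime(2008, 4, 14, 12, 0, 0)
SAMPLE = [
    ServiceRecord("wuauserv", "Automatic Updates",
                  SYSTEM_DIR + r"\wuaueng.dll", datetime(2008, 9, 3, 8, 15)),
    ServiceRecord("lanmanserver", "Server", SYSTEM_DIR + r"\srvsvc.dll", K32_MTIME),
    ServiceRecord("vcdrlxeu", "0", SYSTEM_DIR + r"\nxyme.dll", K32_MTIME),
]
```

With the default threshold only the vcdrlxeu record is reported; lowering min_traits to 2 also flags both legitimate services, which illustrates why the name pattern and the timestamp are weak on their own.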
 
Spreads Via…
Networked Computers
Win32/Conficker.A copies itself into memory and begins propagating to random IP addresses across a network by exploiting a vulnerability in the Windows Server service (SVCHOST.EXE). If the vulnerability is successfully exploited, the worm instructs the target computer to download a copy of the worm from the host computer over HTTP, using the random port opened by the worm.
 
The worm uses the following URLs to determine the computer's geographic location:
 
getmyip.org
getmyip.co.uk
checkip.dyndns.org
 
Win32/Conficker.A avoids infecting computers located in Ukraine.
 
Payload
Creates HTTP Server
The worm opens a random port between 1024 and 10000 and acts as a web server (HTTP server). If the remote machine is exploited successfully, the victim connects back to this HTTP server and downloads a copy of the worm.
 
Resets System Restore Point
The worm may call an API function to reset the computer's system restore point, potentially defeating recovery using system restore.
 
Downloads Files
If the date is after November 25, 2008, this worm will build a URL in the following format and attempt to download a file from it:
 
<random ip?>/search?q=%d&aq=7
 
If the date is after December 1, 2008 Win32/Conficker.A will attempt to download a file 'loadadv.exe' from the domain 'trafficconverter.biz'.
 
Additional Information
The name of this threat was derived by selecting fragments of the domain 'trafficconverter.biz', a string found in Worm:Win32/Conficker.A:
 
(fic)(con)(er) => (con)(fic)(+k)(er) => conficker
 
Analysis by Joshua Phillips

Symptoms

There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptom(s).

Prevention


Alert level: Severe
First detected by definition: 1.47.667.0
Latest detected by definition: 1.173.2181.0 and higher
First detected on: Nov 22, 2008
This entry was first published on: Nov 24, 2008
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • TA08-297A (other)
  • CVE-2008-4250 (other)
  • VU827267 (other)
  • Win32/Conficker.worm.62976 (AhnLab)
  • Trojan.Downloader.JLIW (BitDefender)
  • Win32/Conficker.A (CA)
  • Win32/Conficker.A (ESET)
  • Trojan-Downloader.Win32.Agent.aqfw (Kaspersky)
  • W32/Conficker.worm (McAfee)
  • W32/Conficker.E (Norman)
  • W32/Confick-A (Sophos)
  • W32.Downadup (Symantec)
  • Trojan.Disken.B (VirusBuster)