Immediate Protection Info
| Signature | Product | Removal Instructions |
|---|---|---|
| 31.6.6225 | CA Antivirus 2007 | |
| 31.6.6225 | eTrust Antivirus v7/8* | |
| 7.x/6225 | eTrust EZ Antivirus 7.x | |
| 31.6.6225 | Vet 7 | |
Description
Win32/Conficker.A is a worm that spreads by exploiting the MS08-067 vulnerability (CVE-2008-4250) in the Windows Server service. It may also download and execute various files.
Method of Infection
When executed, Win32/Conficker.A creates a copy of itself in the %System% directory with a random filename.
The worm injects its code into the "services.exe" process so that it stays memory resident and is harder to clean up.

Win32/Conficker.A also registers itself as a service DLL hosted by the shared "netsvcs" svchost.exe instance, so that it is loaded automatically at system start:
Service name: netsvcs
Path to executable: %System%\svchost.exe -k netsvcs
and adds the following registry entry so that svchost.exe loads the dropped file:
HKLM\SYSTEM\CurrentControlSet\Services\<random filename>\Parameters\ServiceDll = "%System%\<random filename>"
Note: %System% is a variable location. The malware determines the location of the current System folder by querying the operating system. The default location of the System directory is C:\Winnt\System32 on Windows 2000 and NT; C:\Windows\System on Windows 95, 98 and ME; and C:\Windows\System32 on Windows XP and Vista.
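A triage check for the persistence mechanism described above, added here as an example (it is not part of the original advisory): it walks every service whose ImagePath is "svchost.exe -k netsvcs", reads its Parameters\ServiceDll, and reports the DLL's Authenticode status so that an unsigned DLL with a random-looking name in the System directory stands out for review. The output layout and the "Suspicious" heuristic are this example's own choices.

```powershell
# Added example: enumerate netsvcs-hosted service DLLs (the persistence pattern
# described in the advisory) and surface unsigned or missing ones for review.
# Run from an elevated prompt. Get-AuthenticodeSignature is not available on
# XP/2003; use Sysinternals "sigcheck -c" there instead.
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

$findings = foreach ($svc in Get-ChildItem $servicesKey -ErrorAction SilentlyContinue) {
    $props = Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue
    # Keep only services loaded into the shared "netsvcs" svchost instance
    if (-not $props -or $props.ImagePath -notmatch 'svchost\.exe\s+-k\s+netsvcs') { continue }

    $params = Get-ItemProperty -Path "$($svc.PSPath)\Parameters" -ErrorAction SilentlyContinue
    if (-not $params -or -not $params.ServiceDll) { continue }

    # ServiceDll is usually stored as %SystemRoot%\System32\<name>.dll; expand it
    $dll = [Environment]::ExpandEnvironmentVariables($params.ServiceDll)
    $status = if (Test-Path -LiteralPath $dll) {
        (Get-AuthenticodeSignature -FilePath $dll).Status
    } else {
        'FileMissing'
    }

    [pscustomobject]@{
        Service    = $svc.PSChildName
        ServiceDll = $dll
        Signature  = $status
        # Heuristic (this example's own): a netsvcs DLL that is not validly signed
        # deserves a look; Conficker.A's dropped file has a random name and no signature.
        Suspicious = ($status -ne 'Valid')
    }
}

$findings | Sort-Object Suspicious, Service -Descending | Format-Table -AutoSize
```

Treat the Signature column as a triage hint rather than a verdict: on hosts where Get-AuthenticodeSignature does not consult the system catalogs, many legitimate Windows DLLs report NotSigned, so confirm with "sigcheck -c" or by hashing the file before acting on it.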
Payload
Downloads and Executes Arbitrary Files
Win32/Conficker.A checks the system date before attempting to download and execute any files.
If it is on or after 1 December 2008, the worm connects to the domain trafficconverter.biz and attempts to download and execute a file from this location:
http://trafficconverter.biz/<censored>/loadadv.exe
If it is on or after 25 November 2008, the worm attempts to access pre-computed domain names like the following:
ahayw.info
ajcminmqpeu.com
anosb.biz
aqgcurmt.net
bdfbobhuls.com
bjmqxoxbmyq.org
bszeu.info
cfcpreiwtgx.net
cpfgbuwqv.biz
cukpubgb.net
dconkp.com
dpxzsrjhsn.org
dtyqryfi.biz
dviwvh.net
dwmpveim.info
dxnlypjjxp.biz
eaguzulxdr.org
ekrohmqa.info
eoblibwqaig.info
epvzvuah.info
ethogxkt.net
euwqeixq.biz
exxcpxm.net
eyjayqmwxxo.org
ezhvnjlvuk.org
fdzwsak.net
gatkcy.org
gceqy.info
ggcnqnr.info
gkmdbporqmp.biz
gmtgpb.org
guiahproe.info
gxepchol.net
gztql.net
haqrcz.com
hkqrhqev.com
hndrijmu.org
hvxmlcc.org
idahdfyojhz.com
ipbdwihw.info
iquvtfhm.net
irhtphctgn.com
ivouyvxaf.net
jfvyipo.info
jhhwydtk.com
jjbuafs.info
jptplynb.org
jutsyu.com
kagvjo.com
kfzksydrct.org
khvdkdjnrhr.biz
ktivtbse.net
lbori.com
ltxbrwfosrg.net
mhjhb.com
mtqcpiwod.biz
nsjmewgdb.com
ntshnjyxfh.net
nxphotp.com
ocykqj.biz
oenjrcaly.net
oororgpkbp.com
ozlqvnkiq.net
palrw.org
pmotqmf.com
pvuxb.info
qffszcfgyzn.org
qfoilcqp.com
qjafgfp.net
rfduzjbztg.biz
riuvunis.info
rlbidexd.org
rntbogfz.biz
rtkrhxsp.biz
ruolomicarp.org
rxytvgkapvw.biz
safxg.net
sdxkcnzcvhd.org
shbyxebiec.biz
srsoeggve.org
tbkmloh.net
tezjm.net
tilazlfn.com
tqlxquy.org
trxho.org
uiiwmmgr.com
upyuqxpmlxt.net
vdunf.net
vtewiyny.info
vuahzmvf.biz
vweoof.org
wkjhjr.com
xehlydgan.net
xmmzcsqm.biz
xtjejduc.org
xxwoteojg.biz
xytbvkrqhu.info
ybhufq.net
yenhbrt.biz
yfczve.info
ylfamhcgn.net
ylzbgyorfy.org
ysxbkquj.info
ythekdrar.net
yudxsol.org
yzbvrteij.biz
yzpjvpkdtq.biz
zjxuw.org
zpqhr.biz
zuuroktw.biz
zzkjecmf.com
[Screenshot: Win32/Conficker.A attempting to contact particular URLs]
Conficker also downloads a reference file from the following URL:
http://www.maxmind.com/<censored>/GeoIP.dat.gz
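The domain list above is most useful as a detection feed. The following added example (not code from the original advisory) matches DNS query logs against those indicators. It pulls every host-name-looking token out of each log line, reduces it to its registrable domain, and checks it against a lookup table, so it works on any text-based DNS or proxy log. The indicator list is a subset of the domains above plus the hard-coded download host; the sample log lines are constructed for the example.

```powershell
# Added example: match DNS query logs against the Conficker.A domain indicators.
# Extend $indicators with the full list from the advisory before a real run.
$indicators = @(
    'trafficconverter.biz',
    'ahayw.info', 'ajcminmqpeu.com', 'anosb.biz', 'aqgcurmt.net',
    'zjxuw.org', 'zpqhr.biz', 'zuuroktw.biz', 'zzkjecmf.com'
)
$indicatorTable = @{}
foreach ($d in $indicators) { $indicatorTable[$d.ToLowerInvariant()] = $true }

# Reduce "www.example.com." to "example.com" so sub-domain queries still match.
# Assumes single-label TLDs, which holds for every indicator on this page.
function Get-RegistrableDomain([string]$Name) {
    $labels = $Name.TrimEnd('.').ToLowerInvariant().Split('.')
    if ($labels.Count -lt 2) { return $labels[0] }
    return ($labels[-2..-1] -join '.')
}

function Find-IndicatorHits {
    param([string[]]$Lines, [hashtable]$Indicators)
    foreach ($line in $Lines) {
        # Every host-name-looking token in the line, whatever the log format
        foreach ($m in [regex]::Matches($line, '(?i)\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b')) {
            $dom = Get-RegistrableDomain $m.Value
            if ($Indicators.ContainsKey($dom)) {
                [pscustomobject]@{ Indicator = $dom; Query = $m.Value; Line = $line }
            }
        }
    }
}

# Constructed sample log lines (timestamp, client, record type, query name)
$sampleLog = @(
    '2008-11-26T09:14:02Z 10.0.0.23 A ahayw.info',
    '2008-11-26T09:14:05Z 10.0.0.23 A www.microsoft.com',
    '2008-12-01T00:00:07Z 10.0.0.23 A trafficconverter.biz',
    '2008-12-01T00:00:09Z 10.0.0.41 A www.maxmind.com'
)

Find-IndicatorHits -Lines $sampleLog -Indicators $indicatorTable | Format-Table -AutoSize
# Real run, e.g. against an exported DNS server log:
# Find-IndicatorHits -Lines (Get-Content C:\Logs\dns-queries.log) -Indicators $indicatorTable
```

The sample run flags the ahayw.info and trafficconverter.biz queries and nothing else. www.maxmind.com and the IP-lookup sites listed later on this page are legitimate services with many benign users, so they are deliberately left out of the indicator table; use them only to corroborate a hit from the pre-computed domain list.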
Backdoor Functionality
Win32/Conficker.A starts an HTTP server on the affected system, listening on a random port. Target systems download a copy of the worm from this server.

Additional Information
Win32/Conficker.A tries to obtain the public IP address of the affected system by querying the following websites:
www.getmyip.org
getmyip.co.uk
checkip.dyndns.org
So that only one copy of the malware runs on the system, the worm also creates a mutex in the format "Global\<random numbers>-<random numbers>". For example, "Global\19048-69485".
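Two volatile indicators follow from the HTTP server and mutex behaviour described above: the listening socket lives inside services.exe (where the worm injects itself), and services.exe normally owns no listening TCP sockets; and the "Global\<digits>-<digits>" mutex is visible as a mutant object in the session-0 BaseNamedObjects directory. The following added example (not part of the original advisory) checks both. It assumes Sysinternals handle.exe is on the PATH and that Get-NetTCPConnection is available (Windows 8 / Server 2012 or later).

```powershell
# Added example: volatile checks for the Conficker.A backdoor socket and mutex.
# Run elevated. On older hosts replace Get-NetTCPConnection with "netstat -ano"
# and map the PID column against "tasklist" output.

function Get-ServicesExeListeners {
    # Any listening TCP socket owned by services.exe is anomalous on a healthy host
    Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        if ($proc -and $proc.ProcessName -ieq 'services') {
            [pscustomobject]@{
                LocalPort = $_.LocalPort
                Pid       = $_.OwningProcess
                Process   = $proc.ProcessName
            }
        }
    }
}

# Pure pattern check for the mutex naming scheme quoted in the advisory,
# e.g. "Global\19048-69485" or the kernel object name "19048-69485".
function Test-ConfickerMutexName([string]$Name) {
    return $Name -match '^(Global\\)?\d+-\d+$'
}

function Get-SuspectMutants {
    # "handle.exe -a" lists every handle type; Global\ objects opened from a
    # session-0 process appear as \BaseNamedObjects\<name>.
    & handle.exe -accepteula -a 2>$null |
        Select-String -Pattern 'Mutant\s+\\(?:Sessions\\\d+\\)?BaseNamedObjects\\(\S+)\s*$' |
        ForEach-Object { $_.Matches[0].Groups[1].Value } |
        Where-Object { Test-ConfickerMutexName $_ } |
        Sort-Object -Unique
}

'Listening TCP sockets owned by services.exe:'
Get-ServicesExeListeners | Format-Table -AutoSize
'Mutants named <digits>-<digits>:'
Get-SuspectMutants
```

A hit on either check is a reason to pull the netsvcs ServiceDll entries and memory of services.exe for analysis; neither on its own proves infection, since any injected code could open a socket from services.exe and the mutex pattern is only as specific as two random numbers.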
Analysis by Zarestel Ferrer