
Virus Detail

Win32/Conficker.B

Date Published:
5 Jan 2009

Last Updated:
21 Jan 2009

Threat Assessment

Overall Risk:   Medium
Wild:  Medium
Destructiveness:  Medium
Pervasiveness:  High

Characteristics

Type : Worm

Category : Win32

Also known as:  Troj/Agent-IMK (Sophos), INF/Conficker, Worm:Win32/Conficker.B (MS OneCare), W32.Downadup.B (Symantec)

Immediate Protection Info

 
Signature      Product                    Removal Instructions
31.6.6288      CA Antivirus 2007
31.6.6288      eTrust Antivirus v7/8*
7.x/6288       eTrust EZ Antivirus 7.x
31.6.6288      Vet 7

Description

Win32/Conficker.B is a worm that propagates via removable drives, via network shares, and by exploiting a vulnerability in Windows Server Service, known as MS08-067. The worm disables security services, blocks access to security related websites and opens the affected system to outside attacks. It also attempts to prevent its removal by utilizing the access control list to lock its executable on the compromised system.


Method of Infection

When executed, Win32/Conficker.B drops copies of itself in the following locations:


%Program Files%\Movie Maker\<random filename>.dll
%Program Files%\Internet Explorer\<random filename>.dll
%System%\<random filename>.dll
%Documents and Settings%\<username>\Application Data\<random filename>.dll
%Temp%\<random filename>.dll


An example random filename might be "vpsqqhaf.dll":


Example of files dropped by Win32/Conficker.B


Note: %System%, %Program Files%, %Documents and Settings% and %Temp% are variable locations. The malware determines the locations of these folders by querying the operating system. The default installation location for the System directory for Windows 2000 and NT is C:\Winnt\System32; for 95, 98 and ME it is C:\Windows\System; for XP and Vista it is C:\Windows\System32. A typical location for the Program Files folder would be C:\Program Files. A typical location for the Documents and Settings folder is C:\Documents and Settings. A typical path for the Temp folder is C:\Documents and Settings\<username>\Local Settings\Temp, or C:\WINDOWS\TEMP.


Conficker.B drops the file "<random number>.tmp" (technically a SYS file) in the %System% directory. For example, the filename might be "04.tmp" or "06.tmp". After using the file, Conficker deletes it.


Win32/Conficker.B also creates a service with the following characteristics, to automatically execute on system start:


Service name: "<random filename>"
Path to executable: %System%\svchost.exe -k netsvcs


and adds the following registry entry:


HKLM\SYSTEM\CurrentControlSet\Services\<random filename>\Parameters\ServiceDll = "%System%\<random filename>"


Example of Win32/Conficker.B running as a service on a compromised system




It may also use a combination of the following strings as device description of the service:


Center
Config
Driver
Helper
Image
Installer
Manager
Microsoft
Monitor
Network
Security
Server
Shell
Support
System
Universal
Update
Windows



Method of Distribution

Via Removable Drives

Win32/Conficker.B spreads via removable drives and network-mapped drives. It saves a hidden copy of its executable to "<drive>\RECYCLER\S-%d-%d-%d-%d%d%d-%d%d%d-%d%d%d-%d\<random filename and extension>" in the root directory of the located drive, where %d is a decimal number. For example, the worm may copy itself to "F:\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx":


Example of worm executable dropped in removable drive by Win32/Conficker.B


It also creates the file "autorun.inf" which automatically runs the worm executable when the drive is next accessed:


Example of 'autorun.inf' file dropped in removable drive by Win32/Conficker.B
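The script below is an added example, not a CA tool, that audits a drive root for the two artefacts just described: a RECYCLER subfolder whose name has the shape of a SID but lacks the S-1-5-21- prefix that real user SIDs carry on Windows 2000/XP, and an autorun.inf whose launch entry points into that folder. The INF keys it looks for (open, shellexecute, shell\open\command), the fake-SID rule and the constructed drive layout are assumptions made for the example.

```python
"""Audit a drive root for the hidden RECYCLER\\S-... copy and the autorun.inf
that Conficker.B leaves on removable drives (added example, not CA's tool)."""
import os
import re
import tempfile

# Real recycle-bin subfolders on Windows 2000/XP are named after the owning
# user's SID, which begins with S-1-5-21-.  The worm's folder name only mimics
# the shape of a SID (assumption: any other prefix is suspect).
FAKE_SID_RE = re.compile(r"^S-\d+-\d+-\d+-\d+-\d+-\d+-\d+$")
LEGIT_SID_PREFIX = "S-1-5-21-"
AUTORUN_LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")

def suspicious_recycler_dirs(drive_root):
    """Return (folder name, files inside) for RECYCLER subfolders whose name
    looks like a SID but is not a local/domain account SID."""
    findings = []
    recycler = os.path.join(drive_root, "RECYCLER")
    if not os.path.isdir(recycler):
        return findings
    for name in os.listdir(recycler):
        path = os.path.join(recycler, name)
        if (os.path.isdir(path) and FAKE_SID_RE.match(name)
                and not name.startswith(LEGIT_SID_PREFIX)):
            findings.append((name, sorted(os.listdir(path))))
    return findings

def autorun_references(drive_root):
    """Return what autorun.inf on the drive would launch, if anything.  The INF
    is parsed loosely (key=value per line) because the worm pads its file."""
    inf = os.path.join(drive_root, "autorun.inf")
    if not os.path.isfile(inf):
        return []
    refs = []
    with open(inf, "r", encoding="latin-1", errors="replace") as fh:
        for line in fh:
            key, sep, value = line.strip().partition("=")
            if sep and key.strip().lower() in AUTORUN_LAUNCH_KEYS:
                refs.append(value.strip())
    return refs

def audit_drive(drive_root):
    """A fake-SID RECYCLER folder plus an autorun.inf pointing into it is the
    pattern described for this worm."""
    dirs = suspicious_recycler_dirs(drive_root)
    refs = autorun_references(drive_root)
    hit = bool(dirs) and any("recycler" in r.lower() for r in refs)
    return {"recycler_dirs": dirs, "autorun_targets": refs, "matches_pattern": hit}

def build_constructed_drive():
    """Lay out a constructed drive image in a temp dir mirroring the page's
    example.  File contents are placeholders, not the worm."""
    root = tempfile.mkdtemp(prefix="drive_")
    bad = os.path.join(root, "RECYCLER", "S-5-3-42-2819952290-8240758988-879315005-3665")
    good = os.path.join(root, "RECYCLER", "S-1-5-21-1004336348-1177238915-682003330-1003")
    os.makedirs(bad)
    os.makedirs(good)
    with open(os.path.join(bad, "jwgkvsq.vmx"), "wb") as fh:
        fh.write(b"placeholder")
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write("[autorun]\nshellexecute=RECYCLER\\S-5-3-42-2819952290-"
                 "8240758988-879315005-3665\\jwgkvsq.vmx\n")
    return root

if __name__ == "__main__":
    print(audit_drive(build_constructed_drive()))
```

Point audit_drive() at a mounted drive letter (for example "F:\\") to run it against a real stick; the constructed layout only exists so the check can be exercised offline.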


Via Network Shares

Win32/Conficker.B also attempts to propagate via Windows file sharing.


It tries to gain access to the administrative share of any reachable host (\\<IP>\ADMIN$\system32) by guessing the administrator's password, using a dictionary attack with the following strings:


00000
0000000
00000000
0987654321
11111
111111
1111111
11111111
123123
12321
123321
12345
123456
1234567
12345678
123456789
1234567890
1234abcd
1234qwer
123abc
123asd
123qwe
1q2w3e
22222
222222
2222222
22222222
33333
333333
3333333
33333333
44444
444444
4444444
44444444
54321
55555
555555
5555555
55555555
654321
66666
666666
6666666
66666666
7654321
77777
777777
7777777
77777777
87654321
88888
888888
8888888
88888888
987654321
99999
999999
9999999
99999999
Admin
Internet
Login
Password
a1b2c3
aaaaa
abc123
academia
access
account
admin
admin1
admin12
admin123
adminadmin
administrator
anything
asddsa
asdfgh
asdsa
asdzxc
backup
boss123
business
campus
changeme
cluster
codename
codeword
coffee
computer
controller
cookie
customer
database
default
desktop
domain
example
exchange
explorer
files
foobar
foofoo
forever
freedom
games
home123
ihavenopass
internet
intranet
killer
letitbe
letmein
login
lotus
love123
manager
market
money
monitor
mypass
mypassword
mypc123
nimda
nobody
nopass
nopassword
nothing
office
oracle
owner
pass1
pass12
pass123
passwd
password
password1
password12
password123
private
public
pw123
q1w2e3
qazwsx
qazwsxedc
qqqqq
qwe123
qweasd
qweasdzxc
qweewq
qwerty
qwewq
root123
rootroot
sample
secret
secure
security
server
shadow
share
student
super
superuser
supervisor
system
temp123
temporary
temptemp
test123
testtest
unknown
windows
work123
xxxxx
zxccxz
zxcvb
zxcvbn
zxcxz
zzzzz
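Guessing its way through a list like this leaves a burst of failed logons from one source against the administrator account, sometimes ending in a success. The detector below is an added example, not part of the CA write-up; the log lines it runs over are constructed in a simple key=value form rather than any real Windows event format, and the threshold of five failures within sixty seconds is an assumed starting point to tune per environment.

```python
"""Sliding-window detector for a password-guessing burst against the ADMIN$
share.  Added example, not part of the CA write-up; the log lines are
constructed in a key=value form, not a real Windows event format, and the
five-failures-in-sixty-seconds threshold is an assumed starting point."""
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: one source guessing the administrator password on ADMIN$
# six times before it succeeds, and one user who mistypes once.
SAMPLE_LOG = """\
2009-01-05 10:02:11 src=192.0.2.15 user=administrator share=ADMIN$ result=FAILURE
2009-01-05 10:02:11 src=192.0.2.15 user=administrator share=ADMIN$ result=FAILURE
2009-01-05 10:02:12 src=192.0.2.15 user=administrator share=ADMIN$ result=FAILURE
2009-01-05 10:02:12 src=192.0.2.15 user=administrator share=ADMIN$ result=FAILURE
2009-01-05 10:02:13 src=192.0.2.15 user=administrator share=ADMIN$ result=FAILURE
2009-01-05 10:02:13 src=192.0.2.15 user=administrator share=ADMIN$ result=FAILURE
2009-01-05 10:02:14 src=192.0.2.15 user=administrator share=ADMIN$ result=SUCCESS
2009-01-05 10:05:00 src=192.0.2.77 user=jsmith share=ADMIN$ result=FAILURE
2009-01-05 10:05:09 src=192.0.2.77 user=jsmith share=ADMIN$ result=SUCCESS
"""

def parse_line(line):
    """Split 'YYYY-MM-DD HH:MM:SS k=v k=v ...' into a dict with a datetime 'ts'."""
    date, clock, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"] = datetime.strptime(date + " " + clock, "%Y-%m-%d %H:%M:%S")
    return event

def detect_guessing(log_text, threshold=5, window_seconds=60, share="ADMIN$"):
    """Return {(source, user): info} for every source that produced at least
    `threshold` failures against `share` inside `window_seconds`.  info holds
    the peak failure count and whether a later SUCCESS from that source followed
    the burst (the sign that one of the guesses worked)."""
    recent = defaultdict(deque)   # (src, user) -> timestamps of recent failures
    peak = defaultdict(int)
    alerts = {}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev.get("share") != share:
            continue
        key = (ev["src"], ev["user"])
        if ev["result"] == "FAILURE":
            q = recent[key]
            q.append(ev["ts"])
            # Drop failures that fell out of the window before counting.
            while (ev["ts"] - q[0]).total_seconds() > window_seconds:
                q.popleft()
            peak[key] = max(peak[key], len(q))
            if len(q) >= threshold:
                alerts.setdefault(key, {"peak_failures": 0, "success_after_burst": False})
        elif ev["result"] == "SUCCESS" and key in alerts:
            alerts[key]["success_after_burst"] = True
    for key, info in alerts.items():
        info["peak_failures"] = peak[key]
    return alerts

if __name__ == "__main__":
    for (src, user), info in detect_guessing(SAMPLE_LOG).items():
        print(f"{src} -> {user}: {info}")
```

A success immediately after a burst is the case worth paging on: it means the account password was one of the guesses, and the host that succeeded is now a candidate for the file drop and scheduled job described next.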


If successful, the worm drops a copy of itself in the shared directory using a variable filename. It then tries to add a scheduled job to run this copy on the newly compromised system:


Example of Win32/Conficker.B creating a scheduled job to run the worm copy


The image below shows the properties of a scheduled job created by Win32/Conficker.B. The worm creates a file with a random filename, and uses the executable "rundll32.exe" to execute the file with the run command "rundll32.exe <random filename and extension>,<random characters>" - for example, "rundll32.exe yruhz.jeo,goberhx".


Example of Win32/Conficker.B creating a scheduled job to run the worm copy
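Both persistence mechanisms the page describes leave a recognisable shape: the service under Method of Infection is an svchost netsvcs member whose ServiceDll is a random DLL in an unusual directory with a description assembled from the word list, and the scheduled job above runs rundll32 against a module that is not a .dll with a random export name. The heuristics below are an added example, not CA's code; the service records and command lines are constructed, the allowlist is an assumed baseline taken from a clean host, and the "all-lowercase export" rule is an assumed way to spot random names.

```python
"""Heuristics for the two persistence mechanisms described on this page: a fake
netsvcs service whose ServiceDll is a random DLL, and a scheduled job that runs
a non-DLL file through rundll32.  Added example; the records below are
constructed and the allowlist is an assumed clean-host baseline."""
import re

# Words the page says the worm combines into service descriptions.
DESC_WORDS = {"center", "config", "driver", "helper", "image", "installer",
              "manager", "microsoft", "monitor", "network", "security", "server",
              "shell", "support", "system", "universal", "update", "windows"}

# Directories (besides %System%) in which the page says the DLL is dropped.
NON_SYSTEM_DROP_DIRS = ("\\movie maker\\", "\\internet explorer\\",
                        "\\application data\\", "\\temp\\")

RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+(\S+),(\S+)", re.IGNORECASE)

def description_is_synthetic(description):
    """True when every word of the description comes from the worm's word list."""
    words = description.lower().split()
    return bool(words) and all(w in DESC_WORDS for w in words)

def audit_netsvcs_service(svc, baseline_dlls):
    """Return the reasons a svchost/netsvcs service looks like the worm's.
    svc: dict with name, image_path, service_dll, description."""
    reasons = []
    if "svchost.exe -k netsvcs" not in svc["image_path"].lower():
        return reasons  # only the netsvcs group is in scope here
    dll = svc["service_dll"].lower()
    basename = dll.rsplit("\\", 1)[-1]
    if basename not in baseline_dlls:
        reasons.append("ServiceDll not in clean-host baseline: " + basename)
    if any(d in dll for d in NON_SYSTEM_DROP_DIRS):
        reasons.append("ServiceDll lives outside the system directory")
    if description_is_synthetic(svc["description"]):
        reasons.append("description assembled from the worm's word list")
    return reasons

def audit_rundll32_job(command_line):
    """Return the reasons a job's command line looks like the worm's: rundll32
    loading a module without a .dll extension, or calling an export that is an
    unbroken run of lowercase letters (assumed heuristic for random names)."""
    m = RUNDLL_RE.search(command_line)
    if not m:
        return []
    module, export = m.group(1), m.group(2)
    reasons = []
    if not module.lower().endswith(".dll"):
        reasons.append("rundll32 module is not a .dll: " + module)
    if export.isalpha() and export.islower():
        reasons.append("export name is an unbroken lowercase string: " + export)
    return reasons

# Constructed records: one fake service modelled on the page, one genuine member.
BASELINE_DLLS = {"wuauserv.dll", "qmgr.dll", "browser.dll", "schedsvc.dll"}
SUSPECT = {"name": "zjcwhgeo",
           "image_path": r"%SystemRoot%\System32\svchost.exe -k netsvcs",
           "service_dll": r"C:\Program Files\Movie Maker\vpsqqhaf.dll",
           "description": "Windows Security Update Helper"}
GENUINE = {"name": "wuauserv",
           "image_path": r"%SystemRoot%\System32\svchost.exe -k netsvcs",
           "service_dll": r"C:\WINDOWS\System32\wuauserv.dll",
           "description": "Enables the download and installation of Windows updates"}

if __name__ == "__main__":
    for svc in (SUSPECT, GENUINE):
        print(svc["name"], audit_netsvcs_service(svc, BASELINE_DLLS))
    print(audit_rundll32_job("rundll32.exe yruhz.jeo,goberhx"))
    print(audit_rundll32_job("rundll32.exe shell32.dll,Control_RunDLL"))
```

Feed audit_netsvcs_service() the Parameters\ServiceDll and ImagePath values of every service under HKLM\SYSTEM\CurrentControlSet\Services, and audit_rundll32_job() the command line of every scheduled job; a hit on all three service reasons at once is the combination the page describes.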


Via Exploit

Win32/Conficker.B attempts to exploit MS08-067, the Microsoft Server Service vulnerability, in order to propagate. The screenshot below shows Conficker.B establishing a connection with a target system and then sending malformed RPC packets to it, in the hope that the target runs a vulnerable Windows Server Service. MS08-067 is a flaw in the Server Service's Remote Procedure Call (RPC) request handling: a stack-based buffer overflow can be triggered by sending a crafted request to the vulnerable function "NetPathCanonicalize()".


Example of Win32/Conficker.B attempting to establish a connection with a target system


For more information on the MS08-067 vulnerability, please see our Vulnerability Encyclopedia and the relevant Microsoft Security Bulletin:


http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=36809
http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx



Payload

Stops and Disables Services

Win32/Conficker.B disables the following services:


  • wscsvc - Security Center
  • wuauserv - Automatic updates
  • BITS - Background Intelligent Transfer Service
  • WinDefend - Windows Defender
  • ERSvc - Error Reporting Service
  • WerSvc - Windows Error Reporting Service

It does this by setting the following registry entries:


HKLM\SYSTEM\CurrentControlSet\Services\wscsvc\Start = "4"
HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\Start = "4"
HKLM\SYSTEM\CurrentControlSet\Services\BITS\Start = "4"
HKLM\SYSTEM\CurrentControlSet\Services\WinDefend\Start = "4"
HKLM\SYSTEM\CurrentControlSet\Services\ERSvc\Start = "4"
HKLM\SYSTEM\CurrentControlSet\Services\WerSvc\Start = "4"


Example of services disabled by Win32/Conficker.B


Disables Security Notifications

The worm deletes the following registry entry, which deactivates Windows Security Center notifications:


HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjects\{FD6905CE-952F-41F1-9A6F-135D9C6622CC}


Blocks Access to Websites

Win32/Conficker.B attempts to block running applications from accessing websites that contain any of the following strings in the URL:


cert.
sans.
bit9.
windowsupdate
wilderssecurity
threatexpert
castlecops
spamhaus
cpsecure
arcabit
emsisoft
sunbelt
securecomputing
rising
prevx
pctools
norman
k7computing
ikarus
hauri
hacksoft
gdata
fortinet
ewido
clamav
comodo
quickheal
avira
avast
esafe
ahnlab
centralcommand
drweb
grisoft
nod32
f-prot
jotti
kaspersky
f-secure
computerassociates
networkassociates
etrust
panda
sophos
trendmicro
mcafee
norton
symantec
microsoft
defender
rootkit
malware
spyware
virus


This prevents anti-malware programs from downloading vital signature updates, and the user from accessing security websites.


Modifies System Settings


Win32/Conficker.B executes the following command on the affected system if the operating system is Windows Vista or Windows Server 2008:


netsh interface tcp set global autotuning=disabled


This disables Windows auto-tuning.


Win32/Conficker.B sets the following registry entry to allow multiple simultaneous connections on the affected system:


HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpNumConnections = 0x00FFFFFE
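The registry changes under Stops and Disables Services, Disables Security Notifications and this section can all be checked from one exported .reg file. The parser and audit below are an added example, not CA's code; the export text is constructed and is assumed to cover the Services and ShellServiceObjects subtrees it names, so a key absent from it counts as deleted.

```python
"""Parse a .reg export and report the registry changes described on this page:
security services set to Disabled, the missing Security Center
ShellServiceObjects key, and the raised TcpNumConnections value.  Added
example, not CA's code; the export text is constructed."""

SECURITY_SERVICES = {
    "wscsvc": "Security Center",
    "wuauserv": "Automatic Updates",
    "BITS": "Background Intelligent Transfer Service",
    "WinDefend": "Windows Defender",
    "ERSvc": "Error Reporting Service",
    "WerSvc": "Windows Error Reporting Service",
}
SERVICES_ROOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
SSO_KEY = (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion"
           r"\explorer\ShellServiceObjects\{FD6905CE-952F-41F1-9A6F-135D9C6622CC}")
TCP_PARAMS = SERVICES_ROOT + r"\Tcpip\Parameters"
SERVICE_DISABLED = 4   # Start=4: the service cannot be started at all

def parse_reg_export(text):
    """Map each key path (lower-cased, key names are case-insensitive) to its
    values; dword values become ints, string values lose their quotes."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, value = line.partition("=")
            name = name.strip().strip('"')
            if value.startswith("dword:"):
                keys[current][name] = int(value[len("dword:"):], 16)
            else:
                keys[current][name] = value.strip().strip('"')
    return keys

def audit_registry(keys):
    """Return one finding per change matching the page's description."""
    findings = []
    for svc, label in SECURITY_SERVICES.items():
        values = keys.get((SERVICES_ROOT + "\\" + svc).lower(), {})
        if values.get("Start") == SERVICE_DISABLED:
            findings.append(f"{svc} ({label}) is disabled (Start=4)")
    if SSO_KEY.lower() not in keys:
        findings.append("Security Center ShellServiceObjects key is missing")
    if keys.get(TCP_PARAMS.lower(), {}).get("TcpNumConnections") == 0x00FFFFFE:
        findings.append("TcpNumConnections raised to 0x00FFFFFE")
    return findings

# Constructed export: four services disabled, two left alone, the Security
# Center object key gone from ShellServiceObjects, and the TCP value raised.
CONSTRUCTED_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ERSvc]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WerSvc]
"Start"=dword:00000003

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"TcpNumConnections"=dword:00fffffe

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjects]
"""

if __name__ == "__main__":
    for finding in audit_registry(parse_reg_export(CONSTRUCTED_EXPORT)):
        print(finding)
```

Export the two subtrees with reg export on the suspect host and run the audit on the resulting file; a service that is merely stopped (Start=2 or 3) does not count, only the Disabled value the worm writes.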


Downloads and Executes Arbitrary Files

Win32/Conficker.B checks the system date before attempting to download and execute any files.


If it is on or after 1 January 2009, the worm attempts to access pre-computed domain names like the following:

cbchyttgqay.biz
cqazvyszh.com
dicgdsp.org
dzxecapiw.info
epwqbyya.com
fogzchqe.org
gkenjj.biz
iwtrubh.biz
jvikldgo.net
kcgxgnny.net
lyhivgkd.org
mefenydz.com
mfqal.net
nprzq.biz
ojzarbw.net
rheni.org
syqxvsid.com
tyoxnaqjrlu.org
ukdikl.org
uqruninkqca.net
uzapl.com
vyuiwltf.com
xskeqrcl.net
xxhdy.net
xxztb.org
yeofa.org
yeynxe.net
yjodeikka.org
yprpg.biz
ytcqft.com


The screenshot below shows Win32/Conficker.B attempting to access various URLs:


Example of Win32/Conficker.B attempting to access pre-computed domain names


Deletes System Restore Points

Win32/Conficker.B resets all system restore points and deletes all saved system restore points on the compromised system.


Backdoor Functionality

Win32/Conficker.B starts an HTTP server on the affected system by opening a random port, shown below. This allows a copy of the worm to be downloaded by systems vulnerable to MS08-067.


Example of Win32/Conficker.B starting an HTTP server on a compromised system and opening a random port


The downloaded files usually have the following file extensions:


.BMP
.GIF
.PNG
.JPG


CA Anti-Virus solutions detect all files created by the worm:


CA Anti-Virus solutions detect all files created by Win32/Conficker.B


The worm also searches for an Internet Gateway device in the network and configures it to allow the malware-opened port to be accessed outside the network.


Example of Win32/Conficker.B configuring a gateway device



For additional information:

Win32/Conficker.B checks for Internet connectivity by accessing the URLs below:


www.aol.com
www.cnn.com
www.ebay.com
www.msn.com
www.myspace.com

The worm also tries to obtain the IP address of the affected system by accessing the following legitimate websites:


checkip.dyndns.org
www.getmyip.org
www.whatismyip.org
www.whatsmyipaddress.com
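The pre-computed domain names listed under Downloads and Executes Arbitrary Files and the IP-lookup sites above both show up in DNS query logs, and together they give a useful triage signal: one host querying several generated-looking names across different TLDs, and also asking an external service for its own address. The classifier below is an added example, not CA's code and not the worm's domain algorithm; the query log lines are constructed, the vowel-ratio and consonant-run scoring is a simple assumed heuristic, and the second-level label is taken as the last two labels of the name (a simplification that ignores public suffixes).

```python
"""Triage DNS query logs for external-IP lookups and bursts of generated-looking
names.  Added example; the log lines are constructed and the scoring is a
simple heuristic, not Conficker's own domain algorithm."""
from collections import defaultdict

# The legitimate address-lookup sites the page lists.
IP_ECHO_HOSTS = {"checkip.dyndns.org", "www.getmyip.org",
                 "www.whatismyip.org", "www.whatsmyipaddress.com"}
VOWELS = set("aeiou")

# Constructed sample: one host resolving a DGA-style fan of names plus an IP
# echo site, and one host doing ordinary browsing.
SAMPLE_DNS_LOG = """\
2009-01-05T10:00:01 192.0.2.15 A www.cnn.com
2009-01-05T10:00:02 192.0.2.15 A checkip.dyndns.org
2009-01-05T10:00:03 192.0.2.15 A cbchyttgqay.biz
2009-01-05T10:00:03 192.0.2.15 A cqazvyszh.com
2009-01-05T10:00:04 192.0.2.15 A dicgdsp.org
2009-01-05T10:00:04 192.0.2.15 A yeofa.org
2009-01-05T10:00:05 192.0.2.15 A syqxvsid.com
2009-01-05T10:01:00 192.0.2.77 A www.ebay.com
2009-01-05T10:01:02 192.0.2.77 A www.myspace.com
2009-01-05T10:01:05 192.0.2.77 A mail.example.org
"""

def registered_label(qname):
    """Second-level label, e.g. 'cbchyttgqay' for cbchyttgqay.biz (simplified:
    assumes the registered domain is the last two labels)."""
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def looks_generated(label):
    """Heuristic: a label of six or more letters with under 25% vowels or a run
    of five or more consonants.  Short pronounceable names (yeofa) slip through."""
    if len(label) < 6 or not label.isalpha():
        return False
    vowel_ratio = sum(c in VOWELS for c in label) / len(label)
    longest_run = run = 0
    for c in label:
        run = 0 if c in VOWELS else run + 1
        longest_run = max(longest_run, run)
    return vowel_ratio < 0.25 or longest_run >= 5

def triage(log_text, min_names=3, min_tlds=2):
    """Per source host: the IP-echo lookups and generated-looking names it
    queried.  A host is flagged when it queried at least min_names such names
    spread over at least min_tlds TLDs, the fan-out pattern of a DGA."""
    per_host = defaultdict(lambda: {"ip_echo": [], "generated": [], "flagged": False})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, src, _rtype, qname = line.split()
        qname = qname.lower().rstrip(".")
        record = per_host[src]
        if qname in IP_ECHO_HOSTS:
            record["ip_echo"].append(qname)
        elif looks_generated(registered_label(qname)):
            record["generated"].append(qname)
    for record in per_host.values():
        tlds = {q.rsplit(".", 1)[-1] for q in record["generated"]}
        record["flagged"] = len(record["generated"]) >= min_names and len(tlds) >= min_tlds
    return dict(per_host)

if __name__ == "__main__":
    for src, record in triage(SAMPLE_DNS_LOG).items():
        print(src, record)
```

The heuristic is deliberately conservative: yeofa.org is not scored as generated, and an allowlist of known-good domains would still be needed before running this over a real resolver log, but the combination of a flagged fan-out with an IP-echo lookup from the same host is a good place to start a hunt.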

Analysis by Zarestel Ferrer


