| Alias/es | W32.Downadup.C, Net-Worm.Win32.Kido, W32/Conficker.worm, Win32/Conficker.C |
| Release Date | Mar 10, 2009 |
| Detection Availability | Current Antivirus Definition Database Version: 12.202 |
| CVE | 2008-4250 |

Description

Visible Symptoms
Inability to connect to certain security-related websites.
Possible termination of security and monitoring applications.

Detailed Analysis
W32/Conficker.C!worm is the third variant of the Conficker worm exploiting the Microsoft Windows Server Service vulnerability (CVE-2008-4250).
It disables several Windows NT services, terminates other security and monitoring programs, and blocks access to security-related websites.
From April 1, 2009 onward, it generates thousands of malicious domain names from which it attempts to download further malware.
This particular threat is downloaded by the other Conficker variants to a compromised machine. It performs one or more of the following actions:
Creates randomly named mutexes to make sure that only one instance of itself is running. The mutex name has the following format:
Global\\%u-%u
where each %u is a value derived from the results of the GetComputerNameA(), QueryPerformanceCounter(), and srand() functions.
It may drop a copy of itself using a random filename with a .DLL extension in one or more of the following folders:
- %System%
- %Program Files%\Windows NT
- %Program Files%\Windows Media Player
- %Program Files%\Internet Explorer
- %Program Files%\Movie Maker
- %Documents and Settings%\<UserName>\Application Data
- %Temporary%
Note: The dropped copies have the same time stamp as KERNEL32.DLL.
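The copied KERNEL32.DLL time stamp is a usable check. As an added example (not from this write-up or its vendor), the following builds a constructed directory tree in the shape of the drop folders above and reports DLLs whose modification time matches the reference file exactly; `find_timestomped_dlls` and `build_sample_tree` are hypothetical helpers.

```python
import os
import tempfile

# Drop folders from the write-up, relative to a constructed root so this runs anywhere
DROP_SUBDIRS = [
    "Windows/system32",
    "Program Files/Windows NT",
    "Program Files/Windows Media Player",
    "Program Files/Internet Explorer",
    "Program Files/Movie Maker",
    "Documents and Settings/user/Application Data",
    "Temp",
]

def find_timestomped_dlls(root, reference):
    """Return DLLs in the drop folders whose modification time equals the
    reference file's (KERNEL32.DLL on a real host), excluding the reference."""
    ref_mtime = os.stat(reference).st_mtime_ns
    hits = []
    for sub in DROP_SUBDIRS:
        folder = os.path.join(root, sub)
        if not os.path.isdir(folder):
            continue
        for name in os.listdir(folder):
            path = os.path.join(folder, name)
            if not name.lower().endswith(".dll") or os.path.samefile(path, reference):
                continue
            # an exact match is what the copied stamp produces; genuine files differ
            if os.stat(path).st_mtime_ns == ref_mtime:
                hits.append(path)
    return sorted(hits)

def build_sample_tree():
    """Construct a throwaway tree: a stand-in kernel32.dll, a DLL that copied its
    stamp into the Movie Maker folder, and a benign DLL with its own stamp."""
    root = tempfile.mkdtemp()
    for sub in DROP_SUBDIRS:
        os.makedirs(os.path.join(root, sub))
    k32 = os.path.join(root, "Windows/system32/kernel32.dll")
    dropped = os.path.join(root, "Program Files/Movie Maker/qlzkfr.dll")
    benign = os.path.join(root, "Program Files/Internet Explorer/ieproxy.dll")
    for path in (k32, dropped, benign):
        with open(path, "wb") as f:
            f.write(b"MZ")  # placeholder bytes, not a real PE
    stamp = 1_233_446_400 * 10**9  # constructed: 2009-02-01 00:00:00 UTC
    os.utime(k32, ns=(stamp, stamp))
    os.utime(dropped, ns=(stamp, stamp))
    os.utime(benign, ns=(stamp + 86_400 * 10**9, stamp + 86_400 * 10**9))
    return root, k32
```

On a live host the access time is not worth comparing, since it changes on every read; the modification time is the one the copied stamp preserves.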
It injects its main code into explorer.exe, services.exe, and every process started with the command line svchost.exe -k NetworkService.
If found, it disables the following Windows NT services:
- Windows Security Center (wscsvc)
- Windows Defender (WinDefend)
- Automatic Updates (wuauserv)
- Background Intelligent Transfer Service (BITS)
- Error Reporting Service (ERSvc)
- Windows Error Reporting Service (WerSvc)
Registry Modifications
It then deletes the following registry value to disable the automatic startup of Windows Defender:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Defender
The malware also disables the Windows Security Center notification by deleting the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjects\{FD6905CE-952F-41F1-9A6F-135D9C6622CC}
The malware also deletes the registry key below to prevent the system from booting in Safe Mode:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot
The malware also adds itself to the Svchost group by appending its path to the following registry key value:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
netsvcs
To enable its automatic execution on every machine startup, it adds the following registry entry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
[Random String] = "rundll32.exe [Malware Path], [Random String]"
It then creates an NT system service that points to its binary path by creating the following registry entries:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\[Random Name]
Description = "[Random Description]"
DisplayName = [Random DisplayName]
ImagePath = "%SystemRoot%\system32\svchost.exe -k netsvcs"
Parameters\ServiceDll = "[Malware Path]"
where:
[Random Name] is formed by concatenating two randomly selected strings from the two lists below:
String List 1:
- App
- Audio
- DM
- ER
- Event
- help
- Ias
- Ir
- Lanman
- Net
- Ntms
- Ras
- Remote
- Sec
- SR
- Tapi
- Trk
- W32
- win
- Wmdm
- Wmi
- wsc
- wuau
- xml
String List 2:
- access
- agent
- auto
- logon
- man
- mgmt
- mon
- prov
- serv
- Server
- Service
- Srv
- srv
- svc
- Svc
- System
- Time
[Random DisplayName] is formed by randomly selecting two strings from the following string list:
- Audit
- Backup
- Boot
- Browser
- Center
- Component
- Config
- Control
- Discovery
- Driver
- Framework
- Hardware
- Helper
- Image
- Installer
- Logon
- Machine
- Management
- Manager
- Microsoft
- Monitor
- Network
- Notify
- Policy
- Power
- Security
- Shell
- Storage
- Support
- System
- Task
- Time
- Trusted
- Universal
- Update
- Windows
[Malware Path] - path of the dropped copy of the malware
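The generated names deliberately resemble genuine Windows services, so matching the name alone is not enough. As an added example (not from this write-up or its vendor), the following triages service entries against the scheme above using the three string lists and the ServiceDll location; the `triage` and `flagged_names` helpers and the sample entries are constructed assumptions.

```python
import re

# the three string lists from the write-up
LIST1 = ["App", "Audio", "DM", "ER", "Event", "help", "Ias", "Ir", "Lanman", "Net",
         "Ntms", "Ras", "Remote", "Sec", "SR", "Tapi", "Trk", "W32", "win", "Wmdm",
         "Wmi", "wsc", "wuau", "xml"]
LIST2 = ["access", "agent", "auto", "logon", "man", "mgmt", "mon", "prov", "serv",
         "Server", "Service", "Srv", "srv", "svc", "Svc", "System", "Time"]
DISPLAY = ["Audit", "Backup", "Boot", "Browser", "Center", "Component", "Config",
           "Control", "Discovery", "Driver", "Framework", "Hardware", "Helper",
           "Image", "Installer", "Logon", "Machine", "Management", "Manager",
           "Microsoft", "Monitor", "Network", "Notify", "Policy", "Power", "Security",
           "Shell", "Storage", "Support", "System", "Task", "Time", "Trusted",
           "Universal", "Update", "Windows"]

# Every name the scheme can produce (service names are case-insensitive). The lists
# mimic Windows: wscsvc, wuauserv and lanmanserver are all members, so a name
# match on its own is not evidence.
SCHEME_NAMES = {(a + b).lower() for a in LIST1 for b in LIST2}
WORDS = "|".join(DISPLAY)
DISPLAY_RE = re.compile(r"^(?:%s) ?(?:%s)$" % (WORDS, WORDS))  # separator unknown

def triage(svc):
    """Return (flagged, reasons) for an entry with keys name, display, imagepath, servicedll."""
    reasons = []
    if svc["name"].lower() in SCHEME_NAMES and DISPLAY_RE.match(svc["display"]):
        reasons.append("name and DisplayName both fit the generation scheme")
    hosted = svc["imagepath"].lower().endswith("svchost.exe -k netsvcs")
    dll = svc["servicedll"].lower().replace("/", "\\")
    # Genuine netsvcs members load from %SystemRoot%\system32, so a hosted ServiceDll
    # in Program Files, Application Data or Temp is decisive. A copy dropped into
    # %System% itself passes this rule and needs a baseline of known members instead.
    outside = hosted and not re.search(r"\\system32\\[^\\]+\.dll$", dll)
    if outside:
        reasons.append("netsvcs-hosted ServiceDll outside system32: " + svc["servicedll"])
    return outside, reasons

# constructed entries: the genuine Security Center service and one in the shape
# the write-up describes
SAMPLE_SERVICES = [
    {"name": "wscsvc", "display": "Security Center",
     "imagepath": r"%SystemRoot%\System32\svchost.exe -k netsvcs",
     "servicedll": r"%SystemRoot%\System32\wscsvc.dll"},
    {"name": "Netsvc", "display": "Network Management",
     "imagepath": r"%SystemRoot%\system32\svchost.exe -k netsvcs",
     "servicedll": r"C:\Program Files\Movie Maker\qlzkfr.dll"},
]

def flagged_names(services=SAMPLE_SERVICES):
    return [s["name"] for s in services if triage(s)[0]]
```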
Termination of Processes
It creates another thread that terminates processes, mostly security and monitoring tools, whose names contain strings such as the following:
- autoruns
- avenger
- confick
- downad
- filemon
- gmer
- hotfix
- kb890
- kb958
- kido
- klwk
- mbsa.
- mrt.
- mrtstub
- ms08-06
- procexp
- procmon
- regmon
- scct_
- sysclean
- tcpview
- unlocker
- wireshark
Prevention of Access to Websites
It hooks the following APIs to monitor internet access:
- From dnsapi.dll:
  - DNS_Query_A
  - DNS_Query_UTF8
  - DNS_Query_W
  - Query_Main
- From ws2_32.dll:
  - ioctlsocket
  - recvfrom
- From netapi32.dll:
- From wininet.dll:
  - InternetGetConnectedState
It also hooks the NtQueryInformationProcess API from ntdll.dll.
It prevents access to security-related websites, including websites that may contain information about Conficker, by monitoring the infected machine's DNS requests and blocking lookups of names containing the following substrings:
It may also check connectivity to the following websites:
Generation of Domain Names
It visits the following websites to obtain the current date and time, which it uses in its payload (domain generation):
- rapidshare.com
- imageshack.us
- facebook.com
- w3.org
- ask.com
- yahoo.com
- google.com
- baidu.com
It checks the current system date using the GetLocalTime() API. If the system date is April 1, 2009 or later, it generates up to 50,000 domain names that it can contact to download additional components or malware. To generate the random domain names, the malware uses CryptGenRandom from Microsoft's Cryptography API (CAPI), QueryPerformanceCounter, and the current system date and time.
It uses one of the following strings as the last part (the top-level or second-level suffix) of each generated domain name:
Description Last Updated Date: Mar 19, 2009
Reference: ID - 785963