W32/Conficker.E!worm

Alias/esNet-Worm.Win32.Kido.js(KAV), W32/Conficker.worm.dr(McAfee), Worm:W32/Downadup.GQ(F-Secure), W32/Conficker.E.worm(Panda)
Release DateApr 08, 2009
Detection Availability
Active DatabaseExtended Database
FortiGatelowhigh
FortiClient
FortiMailN/A
Current Antivirus Definition Database Version: 12.308
CVE2008-4250
Description

Visible Symptoms

  • Deletes itself from the current folder when system restarts on or after May 3, 2009.

    • Detailed Analysis
  • Creates randomly named mutexes to make sure that only one instance of itself is running.The mutex name has the following format:
    • Global\%08x%08x (eg:Global\ea7c48fabe0e0e89)
    It also creates events whose names have the following format:
    • %08x%08x%08x%08x
    Note: %08x is a value formed from the system information, such as the OS, computer name, IP address etc...

  • If the current date is May 3, 2009 or after, it deletes itself when the system restarts. This behavior is unlike previous variants, which may indicate that it is done with its infection period before this date.

  • Queries the following registry:
    • Key: HKEY_CURRENT_USER or HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets
    • Value: xl or ds
    • Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • Value: TcpNumConnections
  • Sets the following registry:
    • Key: HKEY_CURRENT_USER or HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets
    • Value: ds
  • Checks the following registry to see if the OS version is prior to Windows XP Service Pack 2:
    • Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • Value: TcpNumConnections
    • Data: 0xFFFFFE
  • Drops a DLL file named 000[Random].tmp  (eg: 0002A.tmp) under the System or Temorary folder and executes it.

  • Drops a SYS file disguised as %System%\drivers\tcpip.sys, named 0[Random].tmp  (eg: 02B.tmp), under the System or Temporary folder and executes it. The symbolic name of this file is \\.\TcpIp_Perf.

  • Attempts ten times to bind a port to address 0.0.0.0, where the port number is selected from the range 1024 to 10000, depending on the system volume serial number.

  • Waits for remote HTTP connections and responses. Its response header looks like the following:
    HTTP/1.0 200 OK,0Dh,0Ah
    Pragma: no-cache,0Dh,0Ah
    Content-Length: %u,0Dh,0Ah
    Content-Type: image/{bmp gif jpeg png},0Dh,0Ah
    0Dh,0Ah
  • Broadcasts the following SNMP message on the network:
    • M-SEARCH * HTTP/1.1
    HOST: 239.255.255.250:1900
    ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1
    MAN: "ssdp:discover"
    MX: 3
    Any device (router, modem, switch, etc...) with UPNP enabled and the “urn:schemas-upnp-org:device:InternetGatewayDevice:1” service, will respond to the SNMP message.

  • It checks the received response's header if it includes the following strings:
    • "://"
    • "http:/"
  • It then sends the following message to close the connection:
    • GET %s HTTP/1.1,0Dh,0Ah
    Host: %s:%d,0Dh,0Ah
    Connection: Close,0Dh,0Ah
    0Dh,0Ah
  • The worm retrieves the following information from the response message:
    • URLBase
    • serviceType
    • controlURL
    • eventSubURL
    • SCPDURL
  • It then tries to find the following service types:
    • urn:schemas-upnp-org:service:WANPPPConnection:1
    • urn:schemas-upnp-org:service:WANIPConnection:1
    • urn:schemas-upnp-org:service:WANCommonInterfaceConfig:1
    • upnp:rootdevice
  • Once the above information is obtained, control of the UPNP device is taken. The following control message is sent to the UPNP device:
    • GetStatusInfo NetUptime,NetConnectionStatus,NetLastConnectionError
    • GetExternalIPAddress NewExternalIPAddress
    • GetGenericPortMappingEntry NewRemoteHost,NewExternalPort,NewProtocol
    • GetSpecificPortMappingEntry NewRemoteHost,NewExternalPort,NewProtocol
    • AddPortMapping NewRemoteHost,NewExternalPort,NewProtocol,NewInternalPort,NewInternalClient,NewEnable,NewPortMappingDescription
    • DeletePortMapping NewRemoteHost,NewExternalPort,NewProtocol
  • Queries the following websites to get the external IP Address of the machine it currently sits in:
    • http://www.whatsmyipaddress.com
    • http://www.ipdragon.com
    • http://www.findmyip.com
    • http://www.ipaddressworld.com
    • http://www.findmyipaddress.com
    • http://www.myipaddress.com
    • http://checkip.dyndns.com
    • http://checkip.dyndns.org
  • It also tries to access the following websites:
    • myspace.com
    • msn.com
    • ebay.com
    • cnn.com
    • aol.com
  • Constructs some shell code, which has the following format: http://%d.%d.%d.%d:%d/{4-8 random characters} ... .

  • Checks the following OS information:
    • vista
    • service pack 1
    • service pack
    • windows server 2003
    • service pack 2
    • windows 5.1
    • windows 5.0
    • windows 4.0
    • unix
  • It selects the proper system to be connected through RPC:
    • Connection: \\{Hostname}\\IPC$
    • Binding: use ncacn_np protocol and pipe name \\pipe\\browser
    • Remote call parameters: HHDHH aaa\\bbb\\ccc\\..\\ddd {1000 bytes} 31F \\ 101
    This effectively maps the external port 80 on the UPNP device to the "random" port of the HTTP server that sends a copy of the worm to the infected machine.
    Description Last Updated Date: Apr 13, 2009
    Reference: ID - 817999