Conficker

Analysis

The Conficker worm exploits the Microsoft Windows Server Service Vulnerability.

It disables several Windows NT services, terminates other security and monitoring programs, and blocks access to security-related websites.

It performs one or more of the following actions:

Creates randomly named mutexes to make sure that only one instance of itself is running. The mutex name has the following format:

Global\%u-%u

where %u is a value formed from calling the GetComputerNameA(), QueryPerformanceCounter(), and srand() functions.

It may drop a copy of itself, using a random filename with a .DLL extension, into one or more of the following folders:

  • %System%
  • %Program Files%\Windows NT
  • %Program Files%\Windows Media Player
  • %Program Files%\Internet Explorer
  • %Program Files%\Movie Maker
  • %Documents and Settings%\<UserName>\Application Data
  • %Temporary%

Note: The dropped copies have the same time stamp as KERNEL32.DLL.

It injects its main code into explorer.exe, services.exe, and all processes started with the following command line: svchost.exe -k NetworkService.
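The time-stamp detail above gives a defender a triage heuristic: a randomly named DLL in one of the listed folders whose last-write time exactly matches KERNEL32.DLL is worth a closer look. The following PowerShell script is an added example, not code from the original analysis or from the vendor; it assumes a default Windows layout and expands the placeholder folders from the usual environment variables (%System% to $env:SystemRoot\System32, %Documents and Settings%\<UserName>\Application Data to $env:APPDATA, %Temporary% to $env:TEMP).

```powershell
# Added example (not part of the original analysis): list DLLs in the folders the
# write-up names whose last-write time equals that of KERNEL32.DLL.
# Assumption: default Windows install; folder placeholders map to these variables.
$kernel32 = Get-Item (Join-Path $env:SystemRoot 'System32\kernel32.dll')
$refTime  = $kernel32.LastWriteTime

$folders = @(
    (Join-Path $env:SystemRoot   'System32'),             # %System%
    (Join-Path $env:ProgramFiles 'Windows NT'),
    (Join-Path $env:ProgramFiles 'Windows Media Player'),
    (Join-Path $env:ProgramFiles 'Internet Explorer'),
    (Join-Path $env:ProgramFiles 'Movie Maker'),
    $env:APPDATA,                                         # per-user Application Data
    $env:TEMP                                             # %Temporary%
)

foreach ($folder in $folders) {
    if (-not (Test-Path $folder)) { continue }
    Get-ChildItem -Path $folder -Filter '*.dll' -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -eq $refTime -and $_.FullName -ne $kernel32.FullName } |
        ForEach-Object {
            # Many genuine Microsoft DLLs in System32 share kernel32's time stamp after a
            # service pack or update, so the Authenticode status is included for triage:
            # an unsigned hit outside System32 is the interesting case.
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path      = $_.FullName
                Size      = $_.Length
                Timestamp = $_.LastWriteTime
                Signature = $sig.Status
            }
        }
}
```

Run it from an elevated prompt so System32 and the Program Files subfolders are readable. Because the dropped file name is random, matching on the time stamp plus the signature status is more useful than any filename list; expect some signed matches in System32 and treat only unsigned or unexpected ones as candidates for further analysis.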

If found, it disables the following Windows NT services:

  • Windows Security Center (wscsvc)
  • Windows Defender (WinDefend)
  • Automatic Updates (wuauserv)
  • Background Intelligent Transfer Service (BITS)
  • Error Reporting Service (ERSvc)
  • Windows Error Reporting Service (WerSvc)
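A quick way to check a host for this behaviour is to read the start mode and state of exactly those six services. The script below is an added example, not part of the original analysis; it uses the Win32_Service WMI class, and it assumes that a service whose start mode has been switched to Disabled is the indicator to report (the short service names are the ones listed above).

```powershell
# Added example (not part of the original analysis): report the state and start mode
# of the services the write-up says Conficker disables. Not every service exists on
# every Windows version (ERSvc is XP/2003, WerSvc is Vista and later), so a missing
# service is reported as 'not present' rather than treated as an error.
$watched = [ordered]@{
    'wscsvc'    = 'Windows Security Center'
    'WinDefend' = 'Windows Defender'
    'wuauserv'  = 'Automatic Updates'
    'BITS'      = 'Background Intelligent Transfer Service'
    'ERSvc'     = 'Error Reporting Service'
    'WerSvc'    = 'Windows Error Reporting Service'
}

foreach ($name in $watched.Keys) {
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'" -ErrorAction SilentlyContinue
    if (-not $svc) {
        [pscustomobject]@{
            Service = $name; Description = $watched[$name]
            State = 'not present'; StartMode = $null; Suspicious = $false
        }
        continue
    }
    # Assumption: a start mode of Disabled on one of these services is the signal;
    # a stopped-but-Manual service (BITS is often Manual) is not flagged by itself.
    [pscustomobject]@{
        Service     = $name
        Description = $watched[$name]
        State       = $svc.State
        StartMode   = $svc.StartMode
        Suspicious  = ($svc.StartMode -eq 'Disabled')
    }
}
```

Get-CimInstance needs PowerShell 3.0 or later; on older hosts replace it with Get-WmiObject -Class Win32_Service, which exposes the same State and StartMode properties. Pipe the output to Format-Table for a one-screen summary, or to Export-Csv when checking many machines.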

More details can be found in our write-up "The Art of Unpacking Conficker Worm".
