W32/Conficker.C!worm
Analysis
W32/Conficker.C!worm is the third variant of the Conficker worm family, which spreads through the Microsoft Windows Server Service vulnerability (MS08-067).
It disables several Windows services, terminates security and monitoring tools, and blocks access to security-related websites.
Starting April 1, 2009, it generates 50,000 candidate domain names per day across the 116 top-level domains listed below and attempts to contact 500 of them to download additional malware.
This variant is downloaded onto an already-compromised machine by the earlier Conficker variants. It performs one or more of the following actions:
Creates the following mutex so that only one instance runs:
Global\%u-%u
where %u is a value derived from the results of the GetComputerNameA(), QueryPerformanceCounter(), and srand() functions.
Drops copies of itself into the following folders:
- %System%
- %Program Files%\Windows NT
- %Program Files%\Windows Media Player
- %Program Files%\Internet Explorer
- %Program Files%\Movie Maker
- %Documents and Settings%\<UserName>\Application Data
- %Temporary%
Note: The dropped copies have the same time stamp as KERNEL32.DLL, so a file-time search for recently written DLLs will not find them.
Stops and disables the following services:
- Windows Security Center (wscsvc)
- Windows Defender (WinDefend)
- Automatic Updates (wuauserv)
- Background Intelligent Transfer Service (BITS)
- Error Reporting Service (ERSvc)
- Windows Error Reporting Service (WerSvc)
Registry Modifications
Removes the following entries, which disables the Windows Defender autostart, the Security Center shell notification, and booting into Safe Mode:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Defender
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjects\{FD6905CE-952F-41F1-9A6F-135D9C6622CC}
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot
Appends the name of its new service to the netsvcs group so that svchost.exe loads the malware DLL:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
netsvcs
Adds the following entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
[Random String] = "rundll32.exe [Malware Path], [Random String]"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\[Random Name]
Description = "[Random Description]"
DisplayName = [Random DisplayName]
ImagePath = "%SystemRoot%\system32\svchost.exe -k netsvcs"
Parameters\ServiceDll = "[Malware Path]"
where:
[Random Name] is formed by concatenating one randomly selected string from String List 1 with one randomly selected string from String List 2. Many of the possible results are names of genuine Windows services (wuau + serv = wuauserv, Remote + access = RemoteAccess, Event + System = EventSystem), which is what makes the entry easy to overlook.
String List 1:
- App
- Audio
- DM
- ER
- Event
- help
- Ias
- Ir
- Lanman
- Net
- Ntms
- Ras
- Remote
- Sec
- SR
- Tapi
- Trk
- W32
- win
- Wmdm
- Wmi
- wsc
- wuau
- xml
String List 2:
- access
- agent
- auto
- logon
- man
- mgmt
- mon
- prov
- serv
- Server
- Service
- Srv
- srv
- svc
- Svc
- System
- Time
[Malware Path] - path of the dropped copy of the malware
[Random DisplayName] is formed by randomly selecting two strings from the following string list:
- Audit
- Backup
- Boot
- Browser
- Center
- Component
- Config
- Control
- Discovery
- Driver
- Framework
- Hardware
- Helper
- Image
- Installer
- Logon
- Machine
- Management
- Manager
- Microsoft
- Monitor
- Network
- Notify
- Policy
- Power
- Security
- Shell
- Storage
- Support
- System
- Task
- Time
- Trusted
- Universal
- Update
- Windows
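The service entry described above can be checked mechanically. The following script is an added example, not Fortinet's or the page's own tooling: it rebuilds the worm's service-name space from the two string lists and triages exported service entries, treating a ServiceDll located in one of the drop folders as the decisive indicator and the name pattern only as corroboration. The sample entries and the DLL file names in them are constructed for the demonstration; it runs under Python 3 with no extra dependencies.

```python
"""Triage svchost 'netsvcs' services for the W32/Conficker.C!worm install pattern."""

# String lists copied from the page: a Conficker.C service name is one entry
# from STRING_LIST_1 immediately followed by one entry from STRING_LIST_2.
STRING_LIST_1 = ["App", "Audio", "DM", "ER", "Event", "help", "Ias", "Ir", "Lanman",
                 "Net", "Ntms", "Ras", "Remote", "Sec", "SR", "Tapi", "Trk", "W32",
                 "win", "Wmdm", "Wmi", "wsc", "wuau", "xml"]
STRING_LIST_2 = ["access", "agent", "auto", "logon", "man", "mgmt", "mon", "prov",
                 "serv", "Server", "Service", "Srv", "srv", "svc", "Svc", "System",
                 "Time"]

# Every name the worm can produce, case-folded because the Service Control
# Manager compares service names case-insensitively.
CONFICKER_NAME_SPACE = frozenset((a + b).lower() for a in STRING_LIST_1 for b in STRING_LIST_2)

# Drop folders from the page, as lower-cased path fragments. %System% is left
# out on purpose: a ServiceDll under system32 is the normal case for every
# genuine netsvcs member and would flag the whole machine.
SUSPECT_DLL_DIRS = (
    "\\program files\\windows nt\\",
    "\\program files\\windows media player\\",
    "\\program files\\internet explorer\\",
    "\\program files\\movie maker\\",
    "\\application data\\",   # %Documents and Settings%\<UserName>\Application Data
    "\\temp\\",               # %Temporary%
)


def triage_service(name, image_path, service_dll):
    """Return the list of Conficker.C indicators matched by one service entry.

    name, image_path and service_dll are the service key name, its ImagePath
    value and its Parameters\\ServiceDll value as read from the registry.
    """
    reasons = []
    if "svchost.exe -k netsvcs" not in image_path.lower():
        return reasons  # the worm always registers in the netsvcs group
    dll = service_dll.lower()
    if any(fragment in dll for fragment in SUSPECT_DLL_DIRS):
        reasons.append("ServiceDll is in a Conficker.C drop folder: " + service_dll)
    if name.lower() in CONFICKER_NAME_SPACE:
        reasons.append("name is a String List 1 + String List 2 concatenation: " + name)
    return reasons


def verdict(reasons):
    """Only the DLL location is decisive; the name pattern alone also matches
    genuine services, so it merely strengthens a DLL-path hit."""
    dll_hit = any(r.startswith("ServiceDll") for r in reasons)
    if dll_hit and len(reasons) == 2:
        return "likely Conficker.C"
    if dll_hit:
        return "suspicious"
    return "clean"


def scan_services(entries):
    """Map each (name, ImagePath, ServiceDll) tuple to a verdict string."""
    return {name: verdict(triage_service(name, image_path, service_dll))
            for name, image_path, service_dll in entries}


# Constructed sample entries standing in for an export of
# HKLM\System\CurrentControlSet\Services; the worm DLL names are invented.
SVCHOST = "%SystemRoot%\\system32\\svchost.exe -k netsvcs"
SAMPLE_SERVICES = [
    ("wuauserv",     SVCHOST, "C:\\WINDOWS\\system32\\wuauserv.dll"),        # genuine
    ("RemoteAccess", SVCHOST, "C:\\WINDOWS\\system32\\mprdim.dll"),          # genuine
    ("Wmisvc",       SVCHOST, "C:\\Program Files\\Windows NT\\abcdefg.dll"),  # worm pattern
    ("NetSystem",    SVCHOST, "C:\\Documents and Settings\\alice\\Application Data\\hijklmn.dll"),
    ("UpdateHelper", SVCHOST, "C:\\WINDOWS\\Temp\\opqrstu.dll"),              # odd name, wrong place
    ("FooAgent",     "C:\\Program Files\\Foo\\foo.exe", ""),                  # not svchost-hosted
]

if __name__ == "__main__":
    for svc_name, result in scan_services(SAMPLE_SERVICES).items():
        print(f"{svc_name:14} {result}")
```

Feed it the real export (for example the output of `reg export HKLM\System\CurrentControlSet\Services` parsed into tuples) rather than the constructed list; on a live host, also compare the ServiceDll's time stamp with KERNEL32.DLL, since the page notes the dropped copy deliberately clones it.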
Termination of Processes
Terminates any running process whose name contains one of the following strings (analysis tools, the MS08-067 hotfix installer, the Malicious Software Removal Tool, and other Conficker removal utilities):
- autoruns
- avenger
- confick
- downad
- filemon
- gmer
- hotfix
- kb890
- kb958
- kido
- klwk
- mbsa.
- mrt.
- mrtstub
- ms08-06
- procexp
- procmon
- regmon
- scct_
- sysclean
- tcpview
- unlocker
- wireshark
Prevention of Access to Websites
Hooks the following API functions in memory. The dnsapi.dll and ws2_32.dll hooks are used to fail lookups of the names listed below; the netapi32.dll hook closes the MS08-067 hole so that other malware cannot reinfect the host through it:
- From dnsapi.dll:
  - DNS_Query_A
  - DNS_Query_UTF8
  - DNS_Query_W
  - Query_Main
- From ws2_32.dll:
  - sendto
  - ioctlsocket
  - recvfrom
- From netapi32.dll:
  - NetpwPathCanonicalize
- From wininet.dll:
  - InternetGetConnectedState
Fails DNS lookups on the infected host for any host name containing one of the following strings:
- agnitum
- ahnlab
- anti-
- antivir
- arcabit
- avast
- avg.
- avgate
- avira
- avp.
- bit9.
- bothunter
- ca.
- castlecops
- ccollomb
- centralcommand
- cert.
- clamav
- comodo
- computerassociates
- conficker
- cpsecure
- cyber-ta
- db networkassociates
- defender
- drweb
- dslreports
- emsisoft
- esafe
- eset
- etrust
- ewido
- f-prot
- f-secure
- fortinet
- free-av
- freeav
- gdata
- gmer.
- grisoft
- hackerwatch
- hacksoft
- hauri
- ikarus
- jotti
- k7computing
- kaspersky
- kav.
- llnw.
- llnwd.
- malware
- mcafee
- microsoft
- mirage
- msdn.
- msft.
- msftncsi
- msmvps
- mtc.sri
- nai.
- nod32
- norman
- norton
- onecare
- panda
- pctools
- prevx
- ptsecurity
- quickheal
- removal
- rising
- rootkit
- safety.live
- sans.
- securecomputing
- secureworks
- sophos
- spamhaus
- spyware
- sunbelt
- symantec
- technet
- threat
- threatexpert
- trendmicro
- trojan
- vet.
- virscan
- virus
- wilderssecurity
- windowsupdate
The sample also embeds the following list of domain names:
- 2ch.net
- 4shared.com
- 56.com
- adsrevenue.net
- adultadworld.com
- adultfriendfinder.com
- aim.com
- alice.it
- allegro.pl
- ameba.jp
- ameblo.jp
- answers.com
- apple.com
- ask.com
- aweber.com
- awempire.com
- badongo.com
- badoo.com
- bbc.co.uk
- bebo.com
- biglobe.ne.jp
- bigpoint.com
- blogfa.com
- clicksor.com
- comcast.net
- conduit.com
- craigslist.org
- cricinfo.com
- dell.com
- depositfiles.com
- digg.com
- disney.go.com
- doubleclick.com
- download.com
- ebay.co.uk
- ebay.com
- ebay.de
- ebay.it
- espn.go.com
- facebook.com
- fastclick.com
- fc2.com
- files.wordpress.com
- flickr.com
- fotolog.net
- foxnews.com
- friendster.com
- geocities.com
- go.com
- goo.ne.jp
- google.com
- googlesyndication.com
- gougou.com
- hi5.com
- hyves.nl
- icq.com
- imageshack.us
- imagevenue.com
- imdb.com
- imeem.com
- kaixin001.com
- kooora.com
- linkbucks.com
- linkedin.com
- live.com
- livedoor.com
- livejasmin.com
- livejournal.com
- mail.ru
- mapquest.com
- mediafire.com
- megaclick.com
- megaporn.com
- megaupload.com
- metacafe.com
- metroflog.com
- miniclip.com
- mininova.org
- mixi.jp
- msn.com
- multiply.com
- myspace.com
- mywebsearch.com
- narod.ru
- naver.com
- nba.com
- netflix.com
- netlog.com
- nicovideo.jp
- ning.com
- odnoklassniki.ru
- orange.fr
- partypoker.com
- paypopup.com
- pconline.com.cn
- pcpop.com
- perfspot.com
- photobucket.com
- pogo.com
- pornhub.com
- rambler.ru
- rapidshare.com
- rediff.com
- reference.com
- sakura.ne.jp
- seesaa.net
- seznam.cz
- skyrock.com
- sonico.com
- soso.com
- sourceforge.net
- studiverzeichnis.com
- tagged.com
- taringa.net
- terra.com.br
- thepiratebay.org
- tianya.cn
- tinypic.com
- torrentz.com
- tribalfusion.com
- tube8.com
- tudou.com
- tuenti.com
- typepad.com
- ucoz.ru
- veoh.com
- verizon.net
- vkontakte.ru
- vnexpress.net
- wikimedia.org
- wordpress.com
- xhamster.com
- xiaonei.com
- xnxx.com
- xvideos.com
- yahoo.co.jp
- yahoo.com
- yandex.ru
- youporn.com
- youtube.com
- zedo.com
- ziddu.com
- zshare.net
Generation of Domain Names
Obtains the current date by connecting to one of the following sites; the date seeds the day's domain list:
- rapidshare.com
- imageshack.us
- facebook.com
- w3.org
- ask.com
- yahoo.com
- google.com
- baidu.com
Generated names are random strings under one of the following 116 top-level domains (note that plain com, net and org are not used):
- vn
- vc
- us
- tw
- to
- tn
- tl
- tj
- tc
- su
- sk
- sh
- sg
- sc
- ru
- ro
- ps
- pl
- pk
- pe
- no
- nl
- nf
- my
- mw
- mu
- ms
- mn
- me
- md
- ly
- lv
- lu
- li
- lc
- la
- kz
- kn
- is
- ir
- in
- im
- ie
- hu
- ht
- hn
- hk
- gy
- gs
- gr
- gd
- fr
- fm
- es
- ec
- dm
- dk
- dj
- cz
- cx
- com.ve
- com.uy
- com.ua
- com.tw
- com.tt
- com.tr
- com.sv
- com.py
- com.pt
- com.pr
- com.pe
- com.pa
- com.ni
- com.ng
- com.mx
- com.mt
- com.lc
- com.ki
- com.jm
- com.hn
- com.gt
- com.gl
- com.gh
- com.fj
- com.do
- com.co
- com.bs
- com.br
- com.bo
- com.ar
- com.ai
- com.ag
- co.za
- co.vi
- co.uk
- co.ug
- co.nz
- co.kr
- co.ke
- co.il
- co.id
- co.cr
- cn
- cl
- ch
- cd
- ca
- bz
- bo
- be
- at
- as
- am
- ag
- ae
- ac
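The two lists in this analysis that matter most for network detection are the blocked-substring list above and the 116-TLD list just shown. The following script is an added example, not the page's or Fortinet's own code: it triages DNS server log lines for a per-client burst of NXDOMAIN answers under the worm's TLDs (the domain-generation signal) and counts each client's lookups of names the worm's DNS hooks would have failed (an infected Windows host stops resolving microsoft.com and windowsupdate names entirely). The log line format and the sample lines are constructed; the page's entry "db networkassociates" is assumed to be "networkassociates". Python 3, standard library only.

```python
"""Triage DNS server logs for W32/Conficker.C!worm domain-generation bursts."""
import re
from collections import defaultdict

# The 116 top-level domains from the page. Plain com/net/org are absent, so a
# workstation resolving many fresh names under these suffixes stands out.
CONFICKER_TLDS = frozenset("""
vn vc us tw to tn tl tj tc su sk sh sg sc ru ro ps pl pk pe no nl nf my mw mu ms mn me md
ly lv lu li lc la kz kn is ir in im ie hu ht hn hk gy gs gr gd fr fm es ec dm dk dj cz cx
com.ve com.uy com.ua com.tw com.tt com.tr com.sv com.py com.pt com.pr com.pe com.pa
com.ni com.ng com.mx com.mt com.lc com.ki com.jm com.hn com.gt com.gl com.gh com.fj
com.do com.co com.bs com.br com.bo com.ar com.ai com.ag
co.za co.vi co.uk co.ug co.nz co.kr co.ke co.il co.id co.cr
cn cl ch cd ca bz bo be at as am ag ae ac
""".split())

# Substrings the worm's dnsapi.dll hooks fail on (from the page). The page's
# "db networkassociates" entry is assumed here to mean "networkassociates".
BLOCKED_SUBSTRINGS = tuple("""
agnitum ahnlab anti- antivir arcabit avast avg. avgate avira avp. bit9. bothunter ca.
castlecops ccollomb centralcommand cert. clamav comodo computerassociates conficker
cpsecure cyber-ta networkassociates defender drweb dslreports emsisoft esafe eset etrust
ewido f-prot f-secure fortinet free-av freeav gdata gmer. grisoft hackerwatch hacksoft
hauri ikarus jotti k7computing kaspersky kav. llnw. llnwd. malware mcafee microsoft
mirage msdn. msft. msftncsi msmvps mtc.sri nai. nod32 norman norton onecare panda
pctools prevx ptsecurity quickheal removal rising rootkit safety.live sans.
securecomputing secureworks sophos spamhaus spyware sunbelt symantec technet threat
threatexpert trendmicro trojan vet. virscan virus wilderssecurity windowsupdate
""".split())

# Constructed log format: "<date> <time> client=<ip> q=<name> rcode=<code>"
LOG_RE = re.compile(r"client=(\S+) q=(\S+) rcode=(\S+)")


def conficker_tld(qname):
    """Return the list TLD that qname falls under, or None.

    Two-label suffixes are tried first so that x.co.uk matches co.uk, while
    example.uk matches nothing (plain uk is not in the list).
    """
    labels = qname.lower().rstrip(".").split(".")
    for n in (2, 1):
        if len(labels) > n and ".".join(labels[-n:]) in CONFICKER_TLDS:
            return ".".join(labels[-n:])
    return None


def blocked_by_conficker(qname):
    """True if the worm's DNS hooks would fail this lookup on an infected host."""
    q = qname.lower()
    return any(s in q for s in BLOCKED_SUBSTRINGS)


def analyze_dns_log(lines, dga_threshold=20):
    """Per client: distinct NXDOMAIN names under list TLDs, and lookups of names
    the hooks would block. A burst of the former is the DGA signal; zero of the
    latter over a whole day corroborates it, since a clean Windows host resolves
    microsoft.com and windowsupdate names routinely."""
    dga_names = defaultdict(set)
    blocked_lookups = defaultdict(int)
    clients = set()
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        client, qname, rcode = m.groups()
        clients.add(client)
        if rcode == "NXDOMAIN" and conficker_tld(qname):
            dga_names[client].add(qname.lower())
        if blocked_by_conficker(qname):
            blocked_lookups[client] += 1
    return {c: {"dga_nxdomain": len(dga_names[c]),
                "security_lookups": blocked_lookups[c],
                "suspect": len(dga_names[c]) >= dga_threshold}
            for c in sorted(clients)}


# Constructed sample log: 10.0.0.7 plays the infected host, 10.0.0.8 a clean one.
SAMPLE_LOG = [
    f"2009-04-01 09:00:{i:02d} client=10.0.0.7 q=host{i}.{tld} rcode=NXDOMAIN"
    for i, tld in enumerate(sorted(CONFICKER_TLDS)[:25])
] + [
    "2009-04-01 09:01:00 client=10.0.0.7 q=time.windows.com rcode=NOERROR",
    "2009-04-01 09:01:02 client=10.0.0.8 q=www.microsoft.com rcode=NOERROR",
    "2009-04-01 09:01:05 client=10.0.0.8 q=update.symantec.com rcode=NOERROR",
    "2009-04-01 09:01:09 client=10.0.0.8 q=www.bbc.co.uk rcode=NOERROR",
    "2009-04-01 09:01:12 client=10.0.0.8 q=typo.co.uk rcode=NXDOMAIN",
]

if __name__ == "__main__":
    for client, stats in analyze_dns_log(SAMPLE_LOG).items():
        print(client, stats)
```

The threshold is deliberately low for the sample; against real logs, size it from the page's figures (500 contact attempts per day out of 50,000 generated names) and the normal NXDOMAIN rate of your clients. A resolver cache in front of the DNS server will hide repeated lookups of the same name, so count distinct names, as the script does, rather than query volume.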
Recommended Action
- Patch
- Download and install the patch for the Microsoft Windows Server Service Vulnerability (MS08-067) at http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx. Because the worm fails DNS lookups for microsoft, windowsupdate, fortinet and other security-vendor names on the infected host, obtain the patch and updated signatures from a clean machine.
- FortiGate Systems
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option.
- FortiClient Systems
- Quarantine/delete files that are detected and replace infected files with clean backup copies.