Saturday, March 14, 2009

Conficker - The worst ever Virus to affect !

INTRODUCTION : By the end of the third week of January 2009, more than 9 million PCs around the world had been infected by a single virus named CONFICKER, also known as DOWNADUP, DOWNUP or KIDO.
It surfaced in October 2008 and targets the Microsoft Windows operating system. The worm exploits a known vulnerability in the Windows Server service used by Windows 2000, Windows XP, Windows Vista, Windows Server 2003, Windows Server 2008, and the Windows 7 Beta. Older PCs running Windows 98 are not affected.
McAfee detects it as Conficker; AVG detects it as Downadup.

MODUS OPERANDI :

When executed, the worm copies itself using a random name to the %Sysdir% folder.
(Where %Sysdir% is the Windows system folder; e.g. C:\Windows\System32)
It modifies the following registry keys to create a randomly-named service on the affected system:
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random}\Parameters\"ServiceDll" = "Path to worm"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random}\"ImagePath" = %SystemRoot%\system32\svchost.exe -k netsvcs
Attempts connections to one or more of the following websites to obtain the public IP address of the affected computer:
  • hxxp://www.getmyip.org
  • hxxp://getmyip.co.uk
  • hxxp://checkip.dyndns.org
  • hxxp://whatsmyipaddress.com
Attempts to download a malware file from the following remote website (the rogue Russian site is still up but no longer serves the file):
  • hxxp://trafficconverter.biz/[Removed]antispyware/[Removed].exe
Starts an HTTP server on a random port on the infected machine to host a copy of the worm.
Continuously scans the subnet of the infected host for vulnerable machines and executes the exploit. If the exploit is successful, the remote computer connects back to the HTTP server and downloads a copy of the worm.
Later variants of W32/Conficker.worm use scheduled tasks and an Autorun.inf file to replicate onto non-vulnerable systems or to reinfect previously infected systems after they have been cleaned.
OPERATION :
The worm infects other computers across a network by exploiting a vulnerability in the Windows Server service (hosted in SVCHOST.EXE). If the vulnerability is successfully exploited, it can allow remote code execution when file sharing is enabled. Conficker spreads primarily through a buffer overflow vulnerability in the Server service on Windows computers, using a specially crafted RPC request to execute code on the target computer.
When executed on a computer, Conficker disables a number of system services such as Windows Automatic Update, Windows Security Center, Windows Defender and Windows Error Reporting.
It receives further instructions by connecting to a server; these may tell it to propagate, gather personal information, or download and install additional malware onto the victim's computer. The worm also attaches itself to certain Windows processes such as svchost.exe, explorer.exe and services.exe.

The Conficker.A variant creates an HTTP server and opens a random port between 1024 and 10000. If the remote machine is exploited successfully, the victim connects back to the HTTP server and downloads a copy of the worm. It also resets System Restore points and downloads files to the target computer.
SYMPTOMS :
  • Account lockout policies being reset automatically.
  • Certain Microsoft Windows services such as Automatic Updates, Background Intelligent Transfer Service (BITS), Windows Defender and Error Reporting Services are automatically disabled.
  • Domain controllers respond slowly to client requests.
  • The system's network becomes unusually congested; this can be checked on the network traffic chart in Windows Task Manager.
  • Websites related to antivirus software and Windows system updates cannot be accessed.
  • Launches a brute-force dictionary attack against administrator passwords to help it spread through ADMIN$ shares, making the choice of strong passwords advisable.
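As an added example (not code from the original post), here is a small Python check over a constructed, simplified registry export that looks for the two host-side indicators described above: a service in the "svchost.exe -k netsvcs" group whose ServiceDll is not in a known baseline (the randomly-named service under MODUS OPERANDI), and security services such as Automatic Updates, BITS, Windows Defender and Error Reporting set to disabled (the SYMPTOMS list). The sample export, the DLL baseline and the service-name mapping are assumptions, and the service name xkdqwe is made up to stand in for the worm's {random} name.

```python
import re
from collections import defaultdict
# Constructed .reg-style export of HKLM\SYSTEM\CurrentControlSet\Services (simplified:
# REG_EXPAND_SZ shown as plain strings). "xkdqwe" stands in for the worm's {random} name.
REG_SAMPLE = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"ImagePath"="%SystemRoot%\\system32\\svchost.exe -k netsvcs"
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters]
"ServiceDll"="%SystemRoot%\\system32\\wuauserv.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xkdqwe]
"ImagePath"="%SystemRoot%\\system32\\svchost.exe -k netsvcs"
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xkdqwe\Parameters]
"ServiceDll"="C:\\Windows\\System32\\xkdqwe.dll"
'''
KEY_RE = re.compile(r'^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\'
                    r'([^\\\]]+)(\\Parameters)?\]$')
VAL_RE = re.compile(r'^"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$')
# Partial, assumed baseline of DLLs legitimately hosted by "svchost -k netsvcs"; on a
# real system build this from an export taken from a known-clean machine.
KNOWN_NETSVCS_DLLS = {'wuauserv.dll', 'qmgr.dll', 'schedsvc.dll', 'browser.dll'}
# Services the post says the worm disables; Start = 4 means SERVICE_DISABLED.
SECURITY_SERVICES = {'wuauserv': 'Automatic Updates', 'BITS': 'BITS', 'WinDefend':
                     'Windows Defender', 'ERSvc': 'Error Reporting', 'wscsvc': 'Security Center'}

def parse_services(reg_text):
    """Fold each service key and its Parameters subkey into one dict of values."""
    services, current = defaultdict(dict), None
    for line in reg_text.splitlines():
        key, val = KEY_RE.match(line.strip()), VAL_RE.match(line.strip())
        if key:
            current = key.group(1)
        elif val and current:
            name, text, dword = val.groups()
            services[current][name] = (int(dword, 16) if text is None
                                       else text.replace('\\\\', '\\'))
    return services

def find_indicators(services):
    """Flag unknown netsvcs ServiceDlls and disabled security services."""
    findings = []
    for name, vals in services.items():
        image, dll = str(vals.get('ImagePath', '')).lower(), str(vals.get('ServiceDll', ''))
        if 'svchost.exe -k netsvcs' in image and dll and \
                dll.rsplit('\\', 1)[-1].lower() not in KNOWN_NETSVCS_DLLS:
            findings.append(('unknown-netsvcs-dll', name, dll))
        if name in SECURITY_SERVICES and vals.get('Start') == 4:
            findings.append(('security-service-disabled', name, SECURITY_SERVICES[name]))
    return findings
```

A real export from `reg export HKLM\SYSTEM\CurrentControlSet\Services` encodes REG_EXPAND_SZ values as hex(2) byte strings, so the value parser would need to decode those before the same checks apply.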
METHOD OF INFECTION :
Win32/Conficker is a worm that propagates via removable drives, via network shares, and by exploiting a vulnerability in the Windows Server service known as MS08-067. The worm disables security services, blocks access to security-related websites and opens the affected system to outside attacks. It also attempts to prevent its removal by using an access control list to lock its executable on the compromised system.

REMOVAL METHOD :
Several Win32/Conficker removal tools are now available, but because the worm also spreads through portable storage devices such as USB drives, disabling your PC’s autorun feature for external media is recommended. The following removers can be used to clean Conficker:

1. Symantec's Downadup remover
2. F-Secure Malware removal tool
3. Microsoft Windows Malicious Software Removal Tool
4. Conficker Removal Tool