| Field | Value |
|---|---|
| Aliases | Net-Worm.Win32.Kido.t (Kaspersky), W32.Downadup (Symantec), W32/Conficker.worm (McAfee) |
| Type of infiltration | Worm |
| Size | 62976 B |
| Affected platforms | Microsoft Windows |
| Signature database version | 3654 (20081201) |
You can download the removal tool here.
Short description
Win32/Conficker.A is a worm that spreads by exploiting a vulnerability in the Windows Server Service. The file is run-time compressed using UPX.
Installation
When executed, the worm copies itself to the %system% folder using the following name:
A string with variable content is used instead of %variable%.
The library %variable%.dll is loaded and injected into the following process:
The worm registers itself as a system service using the following filename:
In order to be executed on every system start, the worm sets the following Registry entries:
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%random service name%\Parameters]
  "ServiceDll" = "%system%\%variable%.dll"
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%random service name%]
  "Image Path" = "%System Root%\system32\svchost.exe -k netsvcs"
A string with variable content is used instead of %random service name%.
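The persistence above (a randomly named service hosted by `svchost.exe -k netsvcs`, pointing at a randomly named DLL in %system%) is easiest to spot by comparing the netsvcs ServiceDll entries against a baseline from a clean machine. The following is an added defender-side example, not part of the ESET entry: it parses a simplified .reg-style export of the Services hive (values assumed already decoded from REG_EXPAND_SZ to plain strings, using the registry's actual value name `ImagePath`, which the entry above writes as "Image Path") and flags any netsvcs service whose DLL name is not in the baseline. The service names, DLL names and baseline set in the sample are constructed.

```python
import re

# Constructed sample: a simplified .reg-style export of the Services hive.
# Real `reg export` writes REG_EXPAND_SZ values as hex(2):...; this example
# assumes they have already been decoded to plain strings.
SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS]
"ImagePath"="%SystemRoot%\system32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Parameters]
"ServiceDll"="%SystemRoot%\system32\qmgr.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"ImagePath"="%SystemRoot%\system32\spoolsv.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\qwzvhr]
"ImagePath"="%SystemRoot%\system32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\qwzvhr\Parameters]
"ServiceDll"="%SystemRoot%\system32\ohkslv.dll"
'''

# Baseline of netsvcs ServiceDll file names recorded from a clean reference
# build (constructed for this example; record your own from a known-good host).
BASELINE_NETSVCS_DLLS = {"qmgr.dll", "wuaueng.dll", "schedsvc.dll"}

def parse_reg_export(text: str) -> dict:
    """Parse [key] headers and "name"="value" lines into {key: {name: value}}."""
    keys: dict = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
        elif current and (m := re.fullmatch(r'"([^"]+)"="(.*)"', line)):
            keys[current][m.group(1)] = m.group(2)
    return keys

def find_suspicious_netsvcs(keys: dict, baseline=BASELINE_NETSVCS_DLLS) -> list:
    """Flag services hosted by 'svchost.exe -k netsvcs' whose ServiceDll is off-baseline."""
    findings = []
    for key, values in keys.items():
        image = values.get("ImagePath", "")
        if not re.search(r"svchost\.exe\s+-k\s+netsvcs", image, re.I):
            continue
        dll = keys.get(key + r"\Parameters", {}).get("ServiceDll", "")
        name = dll.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if name not in baseline:  # unknown DLL, or no ServiceDll at all: both worth a look
            findings.append({"service": key.rsplit("\\", 1)[-1], "service_dll": dll})
    return findings
```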
Spreading
The worm starts an HTTP server on a random port.
It connects to remote machines on TCP port 445 in an attempt to exploit the Server Service vulnerability.
If successful, the remote computer may connect back to the infected computer and download a copy of the worm.
This vulnerability is described in Microsoft Security Bulletin MS08-067.
Other information
If the current system date and time match a condition, the worm attempts to download several files from the Internet.
The files are then executed. The worm contains a list of URLs (1 entry).
The following services are disabled: