| Aliases: | Trojan-Dropper.Win32.Kido.o (Kaspersky), W32/Conficker.worm.dr (McAfee), WORM_DOWNAD.E (TrendMicro) |
| Type of infiltration: | Worm |
| Size: | 119296 B |
| Affected platforms: | Microsoft Windows |
| Signature database version: | 3997 (20090409) |
You can download the removal tool here.
Short description
Win32/Conficker.AQ is a worm that spreads over the network by exploiting a vulnerability in the operating system: it connects to remote machines and attempts to exploit the Server Service vulnerability. The file is run-time compressed with UPX.
Installation
When executed, the worm drops the following file into the %system% folder:
A string with variable content is used instead of %variable%.
It installs the following system drivers:
The following Registry entries are created:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets]
"ds" = %value%
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets]
"ds" = %value%
If the current system date and time match certain conditions, the worm deactivates some of its features.
Spreading
The worm starts an HTTP server on a random port. It then connects to TCP ports 139 and 445 on remote machines in an attempt to exploit the Server Service vulnerability.
This vulnerability is described in Microsoft Security Bulletin MS08-067.
If the exploit succeeds, the remote computer connects back to the infected computer's HTTP server and downloads a malware component.
It is a DLL library with the following extension:
When executed on the remote computer, the worm copies itself to one of the following locations:
- %system%\%variable%.dll
- %program files%\Internet Explorer\%variable%.dll
- %program files%\Movie Maker\%variable%.dll
- %program files%\Windows NT\%variable%.dll
- %appdata%\%variable%.dll
- %temp%\%variable%.dll
A string with variable content is used instead of %variable%.
The worm loads and injects the library into the following processes:
- explorer.exe
- services.exe
- svchost.exe
The worm registers itself as a system service. The service name is built by joining one string from the first group below with one string from the second group:
- App
Audio
DM
ER
Event
help
Ias
Ir
Lanman
Net
Ntms
Ras
Remote
Sec
SR
Tapi
Trk
W32
win
Wmdm
Wmi
wsc
wuau
xml
- access
agent
auto
logon
man
mgmt
mon
prov
serv
Server
Service
Srv
srv
Svc
svc
System
Time
The service Display Name consists of some of the following strings:
- Boot
- Center
- Config
- Driver
- Helper
- Image
- Installer
- Manager
- Microsoft
- Monitor
- Network
- Security
- Server
- Shell
- Support
- System
- Task
- Time
- Universal
- Update
- Windows
- Hardware
- Control
- Audit
- Event
- Notify
- Backup
- Trusted
- Component
- Framework
- Management
- Browser
- Machine
- Logon
- Power
- Storage
- Discovery
- Policy
In order to be executed on every system start, the worm sets the following Registry entries:
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run]
"%random1%" = "rundll32.exe "%variable%.dll",%random2%"
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
Run]
"%random1%" = "rundll32.exe "%variable%.dll",%random2%"
%random1% and %random2% stand for random text.
The following Registry entries are set:
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%random service name%\Parameters]
"ServiceDll" = "%system%\%variable%.dll"
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%random service name%]
"ImagePath" = "%SystemRoot%\system32\svchost.exe -k netsvcs"
"DisplayName" = "%random service name%"
"Type" = 32 (SERVICE_WIN32_SHARE_PROCESS: the DLL runs inside a shared svchost.exe)
"Start" = 2 (SERVICE_AUTO_START)
"ErrorControl" = 0
"ObjectName" = "LocalSystem"
"Description" = "%variable_name%"
The following Registry entries are deleted (without the SafeBoot key the system can no longer be started in Safe Mode):
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjects\{FD6905CE-952F-41F1-9A6F-135D9C6622CC}]
"wscsvc" = "%filepath%"
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender" = "%filepath%"
Other information
The worm terminates any process whose name contains one of the following strings (the match is on the process name only, so a renamed copy of one of these tools is not terminated):
- autoruns
- avenger
- bd_rem
- cfremo
- confick
- downad
- dwndp
- filemon
- gmer
- hotfix
- kb890
- kb958
- kido
- kill
- klwk
- mbsa.
- mrt.
- mrtstub
- ms08
- ms09
- procexp
- procmon
- regmon
- scct_
- stinger
- sysclean
- tcpview
- unlocker
- wireshark
The following services are disabled:
- Windows Security Center Service (wscsvc)
- Windows Automatic Update Service (wuauserv)
- Background Intelligent Transfer Service (BITS)
- Windows Defender Service (WinDefend)
- Windows Error Reporting Service (ERSvc)
- Windows Error Reporting Service (WerSvc)
The worm connects to the following addresses:
- aol.com
cnn.com
ebay.com
msn.com
myspace.com
- 2ch.net
4shared.com
56.com
adobe.com
adsrevenue.net
adultadworld.com
adultfriendfinder.com
aim.com
alice.it
allegro.pl
ameba.jp
ameblo.jp
answers.com
apple.com
ask.com
aweber.com
awempire.com
badongo.com
badoo.com
baidu.com
bbc.co.uk
bebo.com
biglobe.ne.jp
bigpoint.com
blogfa.com
clicksor.com
co.cc
comcast.net
conduit.com
craigslist.org
cricinfo.com
dell.com
depositfiles.com
digg.com
disney.go.com
doubleclick.com
download.com
ebay.co.uk
ebay.com
ebay.de
ebay.it
espn.go.com
facebook.com
fastclick.com
fc2.com
files.wordpress.com
flickr.com
fotolog.net
foxnews.com
friendster.com
geocities.com
go.com
goo.ne.jp
google.com
googlesyndication.com
gougou.com
hi5.com
hyves.nl
icq.com
imageshack.us
imagevenue.com
imdb.com
imeem.com
kaixin001.com
kooora.com
linkbucks.com
linkedin.com
live.com
livedoor.com
livejasmin.com
livejournal.com
mail.ru
mapquest.com
mediafire.com
megaclick.com
megaporn.com
megaupload.com
metacafe.com
metroflog.com
miniclip.com
mininova.org
mixi.jp
msn.com
multiply.com
myspace.com
mywebsearch.com
narod.ru
naver.com
nba.com
netflix.com
netlog.com
nicovideo.jp
ning.com
odnoklassniki.ru
orange.fr
partypoker.com
paypopup.com
pconline.com.cn
pcpop.com
perfspot.com
photobucket.com
pogo.com
pornhub.com
rambler.ru
rapidshare.com
rediff.com
reference.com
sakura.ne.jp
seesaa.net
seznam.cz
skyrock.com
sonico.com
soso.com
sourceforge.net
studiverzeichnis.com
tagged.com
taringa.net
terra.com.br
thepiratebay.org
tianya.cn
tinypic.com
torrentz.com
tribalfusion.com
tube8.com
tudou.com
tuenti.com
typepad.com
ucoz.ru
veoh.com
verizon.net
vkontakte.ru
vnexpress.net
wikimedia.org
wikipedia.org
wordpress.com
xhamster.com
xiaonei.com
xnxx.com
xvideos.com
yahoo.co.jp
yahoo.com
yandex.ru
youporn.com
youtube.com
zedo.com
ziddu.com
zshare.net
- http://checkip.dyndns.org
http://checkip.dyndns.com
http://www.myipaddress.com
http://www.findmyipaddress.com
http://www.ipaddressworld.com
http://www.findmyip.com
http://www.ipdragon.com
http://www.whatsmyipaddress.com
The worm blocks access to any domains that contain any of the following strings in their name:
- activescan
- adware
- agnitum
- ahnlab
- anti-
The worm contains a list of blacklisted IP addresses.
The worm opens a random TCP port and a random UDP port.
The worm receives data and instructions for further action from the Internet or from another infected computer within its own network (botnet), using its own P2P protocol for this communication.