W32/Conficker.worm

Wednesday, April 1, 2009 at 9:19 AM

Type: Virus
SubType: Worm
Discovery Date: 11/24/2008
Length: 58,368 bytes
Minimum DAT: 5444 (11/24/2008)
Updated DAT: 5570 (03/31/2009)
Minimum Engine: 5.2.00
Description Added: 11/24/2008
Description Modified: 03/11/2009 4:58 PM (PT)

Aliases

  • Worm:Win32/Conficker.A (Microsoft)
  • Crypt.AVL (AVG)
  • Mal/Conficker-A (Sophos)
  • Trojan.Win32.Pakes.lxf (F-Secure)
  • Trojan.Win32.Pakes.lxf (Kaspersky)
  • W32.Downadup (Symantec)
  • Worm:Win32/Conficker.B (Microsoft)
  • WORM_DOWNAD.A (Trend Micro)

A new variant of W32/Conficker.worm has been seen spreading. It copies itself to the following paths:

  • %Sysdir%\[Random].dll
  • %Program Files%\Internet Explorer\[Random].dll
  • %Program Files%\Movie Maker\[Random].dll
  • %Program Files%\Windows Media Player\[Random].dll
  • %Program Files%\Windows NT\[Random].dll

It disables the following services:

  • WerSvc
  • ERSvc
  • BITS
  • wuauserv
  • WinDefend
  • wscsvc

It hooks the following functions in dnsapi.dll:

  • Query_Main
  • DnsQuery_W
  • DnsQuery_UTF8
  • DnsQuery_A

It hooks the following functions in ws2_32.dll:

  • sendto

The worm deletes the following registry key to disable restarting in safe mode:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot

It deletes the following registry keys:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjects\{FD6905CE-952F-41F1-9A6F-135D9C6622CC}
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender

It terminates any process whose name contains one of the following strings:

  • wireshark
  • unlocker
  • tcpview
  • sysclean
  • scct_
  • regmon
  • procmon
  • procexp
  • ms08-06
  • mrtstub
  • mrt.
  • mbsa.
  • klwk
  • kido
  • kb958
  • kb890
  • hotfix
  • gmer
  • filemon
  • downad
  • confick
  • avenger
  • autoruns

To block users' access to security-related sites, it prevents network access to any domain whose name contains one of the following strings:

  • windowsupdate
  • wilderssecurity
  • virus
  • virscan
  • trojan
  • trendmicro
  • threatexpert
  • threat
  • technet
  • symantec
  • sunbelt
  • spyware
  • spamhaus
  • sophos
  • secureworks
  • securecomputing
  • safety.live
  • rootkit
  • rising
  • removal
  • quickheal
  • ptsecurity
  • prevx
  • pctools
  • panda
  • onecare
  • norton
  • norman
  • nod32
  • networkassociates
  • mtc.sri
  • msmvps
  • msftncsi
  • mirage
  • microsoft
  • mcafee
  • malware
  • kaspersky
  • k7computing
  • jotti
  • ikarus
  • hauri
  • hacksoft
  • hackerwatch
  • grisoft
  • gdata
  • freeav
  • free-av
  • fortinet
  • f-secure
  • f-prot
  • ewido
  • etrust
  • eset
  • esafe
  • emsisoft
  • dslreports
  • drweb
  • defender
  • cyber-ta
  • cpsecure
  • conficker
  • computerassociates
  • comodo
  • clamav
  • centralcommand
  • ccollomb
  • castlecops
  • bothunter
  • avira
  • avgate
  • avast
  • arcabit
  • antivir
  • anti-
  • ahnlab
  • agnitum
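The indicators above (stopped services, deleted registry keys, randomly named DLLs in fixed directories, and DNS lookups that fail only for names containing the blocked strings) can be checked on a suspect host with a short triage script. The script below is an added example and is not part of the McAfee description or any vendor tool; it assumes an elevated PowerShell session on the host being examined, only reports what it finds, and removes nothing. The DNS probe names (windowsupdate.microsoft.com, www.mcafee.com, www.example.com) and the "created after the discovery date" filter are choices made for this example, and whether the in-process DNS hook affects the PowerShell process itself is not stated on the page, so that part is indicative only.

```powershell
# Added triage example (not the page's own code). Run elevated on the suspect host.
$findings = @()

# 1. Services the description says the worm disables: report any that are
#    stopped or whose start mode has been set to Disabled.
$services = 'WerSvc','ERSvc','BITS','wuauserv','WinDefend','wscsvc'
foreach ($name in $services) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $svc) { continue }   # service does not exist on this Windows version
    $mode = (Get-WmiObject Win32_Service -Filter "Name='$name'").StartMode
    if ($svc.Status -ne 'Running' -or $mode -eq 'Disabled') {
        $findings += "Service $name is $($svc.Status), start mode $mode"
    }
}

# 2. Registry keys the worm deletes: their absence is the indicator.
#    (SafeBoot should exist on every installation; the Defender Run value
#    only exists where Windows Defender is installed, so weigh that one.)
$keys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjects\{FD6905CE-952F-41F1-9A6F-135D9C6622CC}'
)
foreach ($k in $keys) {
    if (-not (Test-Path $k)) { $findings += "Registry key missing: $k" }
}
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$defender = Get-ItemProperty -Path $runKey -Name 'Windows Defender' -ErrorAction SilentlyContinue
if ($null -eq $defender) { $findings += "Run value 'Windows Defender' missing under $runKey" }

# 3. Drop locations: list unsigned DLLs created after the discovery date
#    (11/24/2008) in the directories named in the description, for review.
$dirs = @(
    "$env:SystemRoot\System32",
    "$env:ProgramFiles\Internet Explorer",
    "$env:ProgramFiles\Movie Maker",
    "$env:ProgramFiles\Windows Media Player",
    "$env:ProgramFiles\Windows NT"
)
$since = Get-Date '2008-11-24'
foreach ($d in $dirs) {
    if (-not (Test-Path $d)) { continue }
    Get-ChildItem -Path $d -Filter *.dll -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -gt $since } |
        Where-Object { (Get-AuthenticodeSignature $_.FullName).Status -ne 'Valid' } |
        ForEach-Object { $findings += "Unsigned DLL created after $($since.ToShortDateString()): $($_.FullName)" }
}

# 4. DNS-filtering probe (needs network): names containing blocked substrings
#    should resolve as well as the control name does. A failure only for the
#    blocked names matches the behaviour described. Indicative only: the hook
#    is in-process and may not be present in this PowerShell process.
$probe = @{
    'windowsupdate.microsoft.com' = 'blocked'   # contains "windowsupdate", "microsoft"
    'www.mcafee.com'              = 'blocked'   # contains "mcafee"
    'www.example.com'             = 'control'
}
foreach ($name in $probe.Keys) {
    try   { [void][System.Net.Dns]::GetHostAddresses($name); $resolved = $true }
    catch { $resolved = $false }
    if (-not $resolved) { $findings += "DNS lookup failed for $name ($($probe[$name]) name)" }
}

if ($findings.Count -eq 0) { 'No indicators from the description found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

A stopped BITS or wuauserv on its own is weak evidence (administrators disable them too), but a missing SafeBoot key together with a fresh unsigned DLL in Movie Maker or Windows NT and DNS failures limited to security-vendor names is a strong match for this description; on a match, image the host and rebuild rather than trusting in-place cleanup, since the page also shows the worm hooks DNS and socket APIs and kills analysis tools.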
