cod-E-mphasis

Conficker Worm: Characteristics

Posted in Technological Updates, Win32 Conficker, Worms by Arnab Guha on April 2, 2009

It copies itself to the following paths:

  • %Sysdir%\[Random].dll
  • %Program Files%\Internet Explorer\[Random].dll
  • %Program Files%\Movie Maker\[Random].dll
  • %Program Files%\Windows Media Player\[Random].dll
  • %Program Files%\Windows NT\[Random].dll

It disables the following services:

  • WerSvc, ERSvc, BITS, wuauserv, WinDefend, wscsvc

It hooks the following functions in dnsapi.dll:

  • Query_Main, DnsQuery_W, DnsQuery_UTF8, DnsQuery_A

It hooks the following functions in ws2_32.dll:

  • sendto

The worm deletes the following registry key to disable restarting in safe mode:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot

It deletes the following registry keys:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjects\{FD6905CE-952F-41F1-9A6F-135D9C6622CC}
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender

It terminates any process whose name contains one of the following strings:

  • wireshark / unlocker / tcpview / sysclean / scct_ / regmon / procmon / procexp / ms08-06 / mrtstub / mrt. / mbsa. / klwk / kido / kb958 / kb890 / hotfix / gmer / filemon / downad / confick / avenger / autoruns

To block users' access to security-related sites, it prevents network access to any domain whose name contains one of the following strings:

  • windowsupdate / wilderssecurity / virus / virscan / trojan / trendmicro / threatexpert / threat / technet / symantec / sunbelt / spyware / spamhaus / sophos / secureworks / securecomputing / safety.live / rootkit / rising / removal / quickheal / ptsecurity / prevx / pctools / panda / onecare / norton / norman / nod32 / networkassociates / mtc.sri / msmvps / msftncsi / mirage / microsoft / mcafee / malware / kaspersky / k7computing / jotti / ikarus / hauri / hacksoft / hackerwatch / grisoft / gdata / freeav / free-av / fortinet / f-secure / f-prot / ewido / etrust / eset / esafe / emsisoft / dslreports / drweb / defender / cyber-ta / cpsecure / conficker / computerassociates / comodo / clamav / centralcommand / ccollomb / castlecops / bothunter / avira / avgate / avast / arcabit / antivir / anti- / ahnlab / agnitum
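The two string lists above (killed process names and blocked domain substrings) are what an analyst needs to know which tools and vendor sites an infected host can still use. The following is an added example, not code from the original post: a small triage helper that applies the same case-insensitive substring matching to hostnames taken from a DNS log and to process image names, reporting which would be blocked or killed. The sample inputs at the bottom are constructed.

```python
"""Conficker blocklist triage helper (added example, not from the original post)."""

# Substrings the worm matches against queried domain names (from the post).
BLOCKED_DOMAIN_STRINGS = """
windowsupdate wilderssecurity virus virscan trojan trendmicro threatexpert threat
technet symantec sunbelt spyware spamhaus sophos secureworks securecomputing
safety.live rootkit rising removal quickheal ptsecurity prevx pctools panda onecare
norton norman nod32 networkassociates mtc.sri msmvps msftncsi mirage microsoft
mcafee malware kaspersky k7computing jotti ikarus hauri hacksoft hackerwatch grisoft
gdata freeav free-av fortinet f-secure f-prot ewido etrust eset esafe emsisoft
dslreports drweb defender cyber-ta cpsecure conficker computerassociates comodo
clamav centralcommand ccollomb castlecops bothunter avira avgate avast arcabit
antivir anti- ahnlab agnitum
""".split()

# Substrings the worm matches against running process names (from the post).
KILLED_PROCESS_STRINGS = """
wireshark unlocker tcpview sysclean scct_ regmon procmon procexp ms08-06 mrtstub
mrt. mbsa. klwk kido kb958 kb890 hotfix gmer filemon downad confick avenger autoruns
""".split()


def first_match(name, patterns):
    """Case-insensitive substring check; returns the first matching pattern or None."""
    lowered = name.lower()
    for pattern in patterns:
        if pattern in lowered:
            return pattern
    return None


def blocked_domain(hostname):
    """Which blocklist entry (if any) would stop this hostname from resolving."""
    return first_match(hostname, BLOCKED_DOMAIN_STRINGS)


def killed_process(image_name):
    """Which kill-list entry (if any) would get this process terminated."""
    return first_match(image_name, KILLED_PROCESS_STRINGS)


def triage(hostnames, image_names):
    """Split hostnames into reachable/unreachable and flag tools that would be killed."""
    result = {"unreachable": {}, "reachable": [], "killed_tools": {}}
    for host in hostnames:
        hit = blocked_domain(host)
        if hit is None:
            result["reachable"].append(host)
        else:
            result["unreachable"][host] = hit
    for image in image_names:
        hit = killed_process(image)
        if hit is not None:
            result["killed_tools"][image] = hit
    return result


if __name__ == "__main__":
    # Constructed sample input: hostnames from a DNS log and a process listing.
    print(triage(["update.microsoft.com", "virustotal.com", "example.com"],
                 ["Procmon.exe", "notepad.exe"]))
```

Note that the match is a bare substring test, so a hostname such as virustotal.com is blocked by the "virus" entry even though it is not named in the list.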
