Posts Tagged ‘Worm’

Conficker Worm: Removal

April 3, 2009

On 15 October 2008, Microsoft released an emergency out-of-band patch for vulnerability MS08-067, which the worm exploits to spread. The patch applies only to Windows XP SP 2, Windows XP SP 3, Windows 2000 SP4 and Windows Vista; Windows XP SP 1 and earlier are no longer supported.

Microsoft has since released a removal guide for the worm, and recommends using the current release of its Malicious Software Removal Tool to remove the worm, then applying the patch to prevent re-infection.

For Manual Removal of the worm, please follow this link:

I found this link quite useful…

Hope these updates on the Win32 Conficker worm will help you. I will try to add more posts as soon as I get other useful information.

Thank You

Conficker Worm: Characteristics(contd.)

April 2, 2009

When executed, the worm copies itself under a random name to the %Sysdir% folder
(where %Sysdir% is the Windows system folder, e.g. C:\Windows\System32).
It then modifies the following registry keys to create a randomly-named service on the affected system:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random}\Parameters\"ServiceDll" = "Path to worm"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random}\"ImagePath" = %SystemRoot%\system32\svchost.exe -k netsvcs

It attempts connections to one or more of the following websites to obtain the public IP address of the affected computer.

It starts an HTTP server on a random port on the infected machine to host a copy of the worm.
It continuously scans the subnet of the infected host for vulnerable machines and executes the exploit against them. If the exploit is successful, the remote computer connects back to that HTTP server and downloads a copy of the worm.
Later variants of W32/Conficker.worm use scheduled tasks and Autorun.inf files to replicate onto non-vulnerable systems, or to reinfect previously infected systems after they have been cleaned.

Conficker Worm: Characteristics

April 2, 2009

It copies itself to the following paths:

  • %Sysdir%\[Random].dll
  • %Program Files%\Internet Explorer\[Random].dll
  • %Program Files%\Movie Maker\[Random].dll
  • %Program Files%\Windows Media Player\[Random].dll
  • %Program Files%\Windows NT\[Random].dll

It disables the following services:

  • WerSvc , ERSvc , BITS , wuauserv , WinDefend , wscsvc

It hooks the following functions in dnsapi.dll :

  • Query_Main , DnsQuery_W , DnsQuery_UTF8 , DnsQuery_A

It hooks the following functions in ws2_32.dll:

  • sendto

The worm deletes the following registry key to disable restarting in safe mode:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot

It deletes the following registry keys:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjects\{FD6905CE-952F-41F1-9A6F-135D9C6622CC}
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender

It terminates any process whose name contains one of the following strings:

  • wireshark / unlocker / tcpview / sysclean / scct_ / regmon / procmon / procexp / ms08-06 / mrtstub / mrt. / mbsa. / klwk / kido / kb958 / kb890 / hotfix / gmer / filemon / downad / confick / avenger / autoruns

To block users' access to security-related domains, it prevents network access to any domain whose name contains one of the following strings:

  • windowsupdate / wilderssecurity / virus / virscan / trojan / trendmicro / threatexpert / threat / technet / symantec / sunbelt / spyware / spamhaus / sophos / secureworks / securecomputing / safety.live / rootkit / rising / removal / quickheal / ptsecurity / prevx / pctools / panda / onecare / norton / norman / nod32 / networkassociates / mtc.sri / msmvps / msftncsi / mirage / microsoft / mcafee / malware / kaspersky / k7computing / jotti / ikarus / hauri / hacksoft / hackerwatch / grisoft / gdata / freeav / free-av / fortinet / f-secure / f-prot / ewido / etrust / eset / esafe / emsisoft / dslreports / drweb / defender / cyber-ta / cpsecure / conficker / computerassociates / comodo / clamav / centralcommand / ccollomb / castlecops / bothunter / avira / avgate / avast / arcabit / antivir / anti- / ahnlab / agnitum
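The registry and service indicators described in the two characteristics posts above (the randomly-named netsvcs service whose ServiceDll points at a DLL in one of the drop directories, the six disabled services, and the deleted SafeBoot key) can be checked offline against a regedit export. The following triage script is an added example, not code from the original posts; the .reg excerpt it runs on is constructed, and the service name bqdcoix and its DLL path are hypothetical.

```python
import re
# Indicators from the post: services the worm disables, the key it deletes, its drop dirs.
DISABLED_BY_WORM = ["WerSvc", "ERSvc", "BITS", "wuauserv", "WinDefend", "wscsvc"]
SERVICES_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
SAFEBOOT_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot"
DROP_DIRS = ("internet explorer", "movie maker", "windows media player", "windows nt")
def reg_hex2(text):  # regedit's export form for REG_EXPAND_SZ: hex(2), UTF-16LE, NUL-ended
    return "hex(2):" + ",".join(f"{b:02x}" for b in (text + "\0").encode("utf-16-le"))
# Constructed .reg excerpt (not a real export; service and DLL names are hypothetical):
# BITS disabled, wuauserv untouched, a random netsvcs service loading a DLL from Movie Maker.
DLL_VALUE = reg_hex2(r"C:\Program Files\Movie Maker\bqdcoix.dll")
SAMPLE_REG = "\n".join([
    "Windows Registry Editor Version 5.00", "",
    "[" + SERVICES_KEY + r"\BITS]", '"Start"=dword:00000004', "",
    "[" + SERVICES_KEY + r"\wuauserv]", '"Start"=dword:00000002', "",
    "[" + SERVICES_KEY + r"\bqdcoix]",
    r'"ImagePath"="%SystemRoot%\\system32\\svchost.exe -k netsvcs"', "",
    "[" + SERVICES_KEY + r"\bqdcoix\Parameters]",
    '"ServiceDll"=' + DLL_VALUE[:60] + "\\\n  " + DLL_VALUE[60:],  # regedit wraps long hex
])

def parse_reg(export):  # -> {key: {name: value}}; handles dword, hex(2) and quoted strings
    keys, current = {}, None
    for line in re.sub(r"\\\r?\n\s*", "", export).splitlines():  # rejoin wrapped lines
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif (m := re.match(r'"([^"]+)"=(.*)$', line)) and current is not None:
            name, raw = m.groups()
            if raw.startswith("dword:"):
                current[name] = int(raw[6:], 16)
            elif raw.startswith("hex(2):"):
                current[name] = bytes.fromhex(raw[7:].replace(",", "")).decode("utf-16-le").rstrip("\0")
            else:  # quoted REG_SZ with doubled backslashes
                current[name] = raw.strip('"').replace("\\\\", "\\")
    return keys

def triage(export):  # list the Conficker persistence indicators present in a .reg export
    reg, findings = parse_reg(export), []
    if SAFEBOOT_KEY not in reg:
        findings.append("SafeBoot key missing: safe-mode boot disabled")
    for svc in DISABLED_BY_WORM:
        if reg.get(SERVICES_KEY + "\\" + svc, {}).get("Start") == 4:
            findings.append(f"{svc} disabled")
    for key, vals in reg.items():  # svchost netsvcs services loading a DLL from a drop dir
        parent, _, name = key.rpartition("\\")
        dll = str(reg.get(key + r"\Parameters", {}).get("ServiceDll", "")).lower()
        if parent == SERVICES_KEY and "-k netsvcs" in str(vals.get("ImagePath", "")).lower() \
                and any(d in dll for d in DROP_DIRS):
            findings.append(f"netsvcs service {name} loads {dll}")
    return findings
```

On a real host, export HKLM\SYSTEM with regedit (or `reg export`) and pass the file's text to `triage`; a full export will also contain the SafeBoot key's subkeys, which the parser records as separate keys.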

Conficker Worm: A new threat to computer

April 2, 2009

Conficker, also known as Downup, Downadup and Kido, is a computer worm targeting the Microsoft Windows operating system that was first detected in October 2008.
An early variant of the worm propagated through the Internet by exploiting a vulnerability in the network stack of Windows 2000, Windows XP, Windows Vista, Windows Server 2003, Windows Server 2008, Windows 7 Beta, and Windows Server 2008 R2 Beta that was discovered earlier that month. The worm has been unusually difficult for network operators and law enforcement to counter because of its combined use of advanced malware techniques.

Method of Infection:

This worm exploits the MS08-067 Microsoft Windows Server Service vulnerability in order to propagate.
Machines should be patched and rebooted to protect against this worm re-infecting the system after cleaning.
Upon detection of this worm, the system should be rebooted to clean memory correctly. This may require more than one reboot.
Scheduled tasks have been seen to be created on the system to re-activate the worm.

Autorun.inf files have been seen to be used to re-activate the worm.

Symptoms:

If your computer is infected with this worm, you may not experience any symptoms, or you may experience any of the following symptoms:

  • Account lockout policies are being tripped.
  • Automatic Updates, Background Intelligent Transfer Service (BITS), Windows Defender, and Error Reporting Services are disabled.
  • Domain controllers respond slowly to client requests.
  • The network is congested.
  • Various security-related Web sites cannot be accessed.

For more information about Win32/Conficker.b, visit the following Web pages: