GeekPolice

Conficker Worm [Removal Tutorial] [October 2009]


Post by DragonMaster Jay on Wed 07 Oct 2009, 6:10 pm

Conficker (All Variants)

Information provided by DragonMaster Jay, malware researcher

Introduction

Conficker is a computer worm and trojan horse (and sometimes considered a virus) that surfaced sometime around November 21st, 2008 with Conficker.A. The worm exploits a known vulnerability (Microsoft Bulletin MS08-067) in the Windows Server Service used by Windows 2000, Windows XP, Windows Vista, Windows Server 2003, Windows Server 2008, and Windows 7 Beta.

How does it operate?

The Conficker worm spreads itself primarily through a buffer overflow vulnerability in the Server Service on Windows computers. Conficker disables a number of system services such as Windows Automatic Update, Windows Security Center, Windows Defender and Windows Error Reporting. The worm uses a specially crafted RPC request to execute code on the target computer. The worm also attaches itself to certain Windows processes such as svchost.exe, explorer.exe and services.exe, then resets System Restore points to make it impossible to go back to a previous state. Then it dials in to its server or peer to request an update and to download more malicious software onto the victim's machine. According to the Conficker Working Group, the worm seems to implement some of the ideas presented by Fucs, Paes de Barros and Pereira at the Black Hat Briefings Europe 2007, specifically: a digitally signed additional payload, use of a PRNG for communication, and P2P communication.

Payload

Most variants of Conficker will create an HTTP server and then open a random port between 1024 and 10000. If the exploit is successful, the server will help download a copy of the worm to the victim's computer. Then an attack will be launched via botnets.

What do people call it?


Informational links


REMOVAL

Most computer users do the following:

Get help in our malware removal forums. This infection is so advanced that it is rather difficult for a normal user to remove on their own. Please read this over and click here to open a new topic. Note: you must be registered on this site to post for help. Help to remove this infection and registration for this site are FREE!

More advanced computer users do the following:

Removal instructions:

To remove Win32.Worm.Downadup.Gen:
* disable System Restore
* unplug network cable from infected machine
* download the MS08-067 vulnerability fix, according to your operating system version, from the following url: http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
* run BitDefender removal tool: http://www.bitdefender.com/VIRUS-1000462-en--Win32.Worm.Downadup.Gen.html
* restart computer
* plug in your network cable
* do a full virus scan

Given the fact that the malware blocks the removal tool by name, simply renaming our previous removal tool to anything else except bd_rem_tool would bypass the blocking algorithm.
(Source: http://www.bitdefender.com/VIRUS-1000462-en--Win32.Worm.Downadup.Gen.html)

Other Technical Information:

  • Port activity

    • Port 445/TCP scanning (A/B)
    • High-port TCP and UDP P2P Activity

  • Domains
  • Most variants are using these hash tags for the core file included in every infection (per my test):

    • Note: there are over 500 more hash tags, but the ones above are considered the most detected. Search for any one of them in a search engine to find out about the detection and prevention of Conficker.


DragonMaster Jay

Moderator | Tech Staff

Posts: 2174
Joined: 2009-09-06
Operating System: Windows 7 Ultimate 32-Bit
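The port 445/TCP scanning listed under "Other Technical Information" in the post above is the propagation pattern a network defender can watch for. The following is an added example, not code from the original post or from GeekPolice: a small Python check over constructed connection-log lines (the log format, IP addresses and timestamps are all assumed) that flags a host contacting many distinct neighbours on TCP/445 within a short window, while ordinary file-share traffic to a couple of servers stays unflagged.

```python
# Added example (not from the original post): flag hosts whose TCP/445
# connection pattern looks like Conficker's MS08-067 propagation scan, i.e.
# one source touching many distinct destinations on port 445 in a short window.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <src_ip> <dst_ip> <proto> <dst_port>"
# 10.0.0.15 sweeps six hosts in three seconds; 10.0.0.30 is ordinary file-share
# traffic to two servers; 10.0.0.40 is web traffic and must not match.
SAMPLE_LOG = """\
2009-10-07T18:00:01 10.0.0.15 10.0.0.20 TCP 445
2009-10-07T18:00:01 10.0.0.15 10.0.0.21 TCP 445
2009-10-07T18:00:02 10.0.0.15 10.0.0.22 TCP 445
2009-10-07T18:00:02 10.0.0.15 10.0.0.23 TCP 445
2009-10-07T18:00:03 10.0.0.15 10.0.0.24 TCP 445
2009-10-07T18:00:03 10.0.0.15 10.0.0.25 TCP 445
2009-10-07T18:00:05 10.0.0.30 10.0.0.5 TCP 445
2009-10-07T18:00:09 10.0.0.30 10.0.0.5 TCP 445
2009-10-07T18:00:10 10.0.0.30 10.0.0.6 TCP 445
2009-10-07T18:00:11 10.0.0.40 10.0.0.7 TCP 80
2009-10-07T18:10:00 10.0.0.15 10.0.0.99 TCP 445
"""

def parse_line(line):
    ts, src, dst, proto, port = line.split()
    return datetime.fromisoformat(ts), src, dst, proto, int(port)

def find_445_scanners(log_text, window_seconds=60, min_targets=5):
    """Return {src_ip: peak distinct TCP/445 targets} for every source that
    reaches at least min_targets distinct hosts inside one sliding window."""
    hits = defaultdict(list)                      # src -> [(timestamp, dst)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, port = parse_line(line)
        if proto == "TCP" and port == 445:
            hits[src].append((ts, dst))
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for src, events in hits.items():
        events.sort()                             # oldest first
        start, peak = 0, 0
        for end in range(len(events)):
            # slide the window start forward until it spans <= window_seconds
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, len({dst for _, dst in events[start:end + 1]}))
        if peak >= min_targets:
            flagged[src] = peak
    return flagged
```

The thresholds are deliberate knobs: a file server legitimately talks to many clients on 445, so tune `min_targets` and `window_seconds` to the segment, and treat a hit as a pointer to the host to isolate (as the removal steps above do by unplugging the cable), not as proof by itself.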

Re: Conficker Worm [Removal Tutorial] [October 2009]

Post by adrenaline on Sat 10 Oct 2009, 7:30 am

Is unplugging the network cable the same as disabling the internet?

adrenaline

Newbie Surfer

Posts: 5
Joined: 2009-10-10
Operating System: Windows XP SP3

Re: Conficker Worm [Removal Tutorial] [October 2009]

Post by DragonMaster Jay on Sat 10 Oct 2009, 7:26 pm

Hi adrenaline. Welcome to the forums.

Yes, it would be the same as disabling the Internet, but only for the infected computer.

DragonMaster Jay

Moderator | Tech Staff

Posts: 2174
Joined: 2009-09-06
Operating System: Windows 7 Ultimate 32-Bit