Conficker (All Variants)
Information provided by DragonMaster Jay, malware researcher
Introduction
Conficker is a computer worm and trojan horse (sometimes also classed as a virus) that surfaced around November 21st, 2008 as Conficker.A. The worm exploits a known vulnerability (Microsoft Security Bulletin MS08-067) in the Windows Server Service used by Windows 2000, Windows XP, Windows Vista, Windows Server 2003, Windows Server 2008, and Windows 7 Beta.
How does it operate?
The Conficker worm spreads primarily through a buffer overflow vulnerability in the Server Service on Windows computers, using a specially crafted RPC request to execute code on the target machine. Once running, Conficker disables a number of system services such as Windows Automatic Update, Windows Security Center, Windows Defender and Windows Error Reporting. The worm also attaches itself to certain Windows processes such as svchost.exe, explorer.exe and services.exe, then resets System Restore points so that the system cannot be rolled back to a previous state. It then dials in to its server or to a peer to request an update and to download more malicious software onto the victim's machine. According to the Conficker Working Group, the worm appears to implement some of the ideas presented by Fucs, Paes de Barros and Pereira at the Black Hat Briefings Europe 2007, specifically: a digitally signed additional payload, use of a PRNG for communication, and P2P communication.
Payload
Most variants of Conficker start an HTTP server on a random port between 1024 and 10000. If the exploit succeeds, that server is used to deliver a copy of the worm to the victim's computer. The infected machine is then used to launch attacks as part of a botnet.
What do people call it?
Common detection names (click each link to learn about the detection or prevention):
Win32/Conficker.A
Mal/Conficker-A
Trojan.Win32.Agent.bccs (Kaspersky detection, Dec 2008)
W32.Downadup.B
Trojan-Downloader.Win32.Agent.aqfw (Kaspersky detection, Nov 2008)
W32/Conficker.worm
Win32/Conficker (Microsoft Encyclopedia)
Informational links
REMOVAL
Most computer users should do the following:
Get help in our malware removal forums. This infection is so advanced that it is rather difficult for a normal user to remove it on their own. Please read this over and click here to open a new topic. Note: you must be registered on this site to post for help. Help to remove this infection, and registration for this site, is FREE!
More advanced computer users should do the following:
Removal instructions:
To remove Win32.Worm.Downadup.Gen:
* disable System Restore
* unplug the network cable from the infected machine
* download the MS08-067 vulnerability fix for your operating system version from the following URL: http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
* run the BitDefender removal tool: http://www.bitdefender.com/VIRUS-1000462-en--Win32.Worm.Downadup.Gen.html
* restart the computer
* plug your network cable back in
* do a full virus scan
Because the malware blocks the removal tool by name, simply renaming the removal tool to anything other than bd_rem_tool bypasses its blocking logic.
(Source: http://www.bitdefender.com/VIRUS-1000462-en--Win32.Worm.Downadup.Gen.html)
Other Technical Information:
Domains
Most variants use the following hashes for the core file included in every infection (per my test):
MD5: d9cb288f317124a0e63e3405ed290765
SHA1: 5815b13044fc9248bf7c2dba771f0e6496d9e536
MD5: a246aee33809bc7e73fa68ba7d66dcab
SHA1: c41f62f35e080c30b28597f046c92f6403bdb2b5
MD5: dceedf7e7299acc12c54efbb0dd6ff08
SHA1: 784388776edeed5c270a849a175760318c7d7971
MD5: f0f2d2f95f7cd6784765c237373e6623
SHA1: 40643d71eeaf63932361bb88e9ca3ed510d46c2d
MD5: 58031b1981fa25d1ff7448253e5a82aa
SHA1: a3bbd73f65e91718ad09a09e7f5cd48ecea08e23
MD5: 0da938c05bdda22ccbbd16f4ad2bbf69
SHA1: 0e01e490fedfe115861631a5c761890c5179706a
MD5: adcde9d4a4e2135871b11c1dc9e1ad0e
SHA1: 19db0519a1df601939028c2f0e8d886069d8a332
MD5: 7699743e66a7260166a5249b84af49ff
SHA1: f3f938abdbb3aa28f9ad4338a8e3a6a8ee40ab98
MD5: a84ab64899e079b534c93642f61ba6b7
SHA1: afdfb3a2e806836a3f50b39a7a3941421a110b94
MD5: 8594d08a67bd1e9490783e8aa0b63c8d
SHA1: 98adde47df304156f1a080aa7973e00fb443fa31
MD5: 4cb5d06de37a5e7b36806cae197907ca
SHA1: eec3216243b69d6b2ab2e1d6bfa840b9b13352e1
MD5: 6ec01d8c5bd7092d30a4d245163c1436
SHA1: f228d88b8fd3fa5e225828a123ca16546f5fbd38
MD5: 4dd32a7ad031fa6398618271bb6e3bba
SHA1: 021ffe96adc8092eb157555deee90c955afa6442
MD5: ef87b673c8e3b77bdf2342e42e1b5f0c
SHA1: 417935c909a38d65b28c39f5e5455852ab739c2c
MD5: 677daa8bf951ecce8eae7d7ee0301780
SHA1: 879e553b472242f3ec5a7f9698bb44cad472ff3b
MD5: b0a258511e6afcf4587845745c65bf9d
SHA1: 8e1f19efac3c22a3d23c77f5e51388be13b66273
MD5: 87136c488903474630369e232704fa4d
SHA1: c2a8998f34fb6fe505635e0ac352ce2838a3aca6
MD5: 060dc978741e7ff27686ca8885802623
SHA1: 4e32ff1cf3243ce56ff278cc0924b601784463d1
MD5: 2acd071d5adbec652e71254f5e02c337
SHA1: 0adb220805f2a5e41c5c69f164f66defa891f05e
MD5: 7d9542ef7c46ed5e80c23153dd5319f2
SHA1: f49fa573a973500d37df219d6055fd4a50f7931f
MD5: c3852074ee50da92c2857d24471747d9
SHA1: 7910076ec1e60326409408fc042c89e96aefefa1
MD5: 3291e1603715c47a23b60a8bf2ca73db
SHA1: 41531fa6b5086e9150b57256efbcd47d7c05cd53
MD5: 73f207fac756536ba54325a14ecef9af
SHA1: ba231122e4ae036846eb7f47a9d77434b99b8f26
MD5: 1118b1907c7e460e689b61b6f5d05905
SHA1: 92bafcf16afe5b42afdd0f29ad369c9f7f239d26
MD5: 8c9367b7dc43dadaa3ec9da767c586cf
SHA1: 5fd0af3aac0c54d4858a50f0e62d6b5a2035d97a
MD5: 4fbcfb9557656c96edb479e30eef2fb3
SHA1: 907b36f59ca2b0eef3244ed230620c4dcf094d8e
Note: there are over 500 more hashes, but the ones above are considered the most commonly detected. Search for any of them in a search engine to find detection and prevention information for Conficker.
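The hash list above is only useful if it can be matched against files on a suspect machine. The following Python script is an added example (not part of the original post and not a vendor tool): it parses a text block in the page's own "MD5: ... / SHA1: ..." layout into an IOC set, hashes files with both algorithms, and reports which algorithm matched. The IOC_TEXT block embeds only four of the pairs listed above; the file paths and the sample bytes used for the self-check are constructed.

```python
import hashlib
import os
import re

# Four of the MD5/SHA1 pairs listed on the page, in the page's own layout.
# Paste the full list here when using this for real.
IOC_TEXT = """
MD5: d9cb288f317124a0e63e3405ed290765
SHA1: 5815b13044fc9248bf7c2dba771f0e6496d9e536
MD5: a246aee33809bc7e73fa68ba7d66dcab
SHA1: c41f62f35e080c30b28597f046c92f6403bdb2b5
MD5: dceedf7e7299acc12c54efbb0dd6ff08
SHA1: 784388776edeed5c270a849a175760318c7d7971
MD5: ef87b673c8e3b77bdf2342e42e1b5f0c
SHA1: 417935c909a38d65b28c39f5e5455852ab739c2c
"""

HASH_LINE = re.compile(r"^\s*(MD5|SHA1)\s*:\s*([0-9a-fA-F]+)\s*$", re.IGNORECASE)
EXPECTED_LEN = {"md5": 32, "sha1": 40}


def load_iocs(text):
    """Parse 'MD5: x' / 'SHA1: y' lines into {"md5": set(), "sha1": set()}.
    Digests of the wrong length or with non-hex characters are dropped
    rather than silently added as IOCs that could never match."""
    iocs = {"md5": set(), "sha1": set()}
    for line in text.splitlines():
        m = HASH_LINE.match(line)
        if not m:
            continue
        algo, digest = m.group(1).lower(), m.group(2).lower()
        if len(digest) == EXPECTED_LEN[algo]:
            iocs[algo].add(digest)
    return iocs


def digest_bytes(data):
    """Both digests of an in-memory blob (used for the self-check below)."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest()}


def digest_file(path, chunk=1 << 20):
    """Both digests of a file, streamed so large binaries do not load into RAM."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            md5.update(block)
            sha1.update(block)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def match_iocs(digests, iocs):
    """Return the algorithms whose digest is in the IOC set (empty list = no hit)."""
    return [algo for algo in ("md5", "sha1") if digests[algo] in iocs[algo]]


def scan_tree(root, iocs):
    """Walk a directory and return [(path, [matched algos])] for every hit.
    Unreadable files (locked by the worm, permissions) are skipped, not fatal."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                matched = match_iocs(digest_file(path), iocs)
            except OSError:
                continue
            if matched:
                hits.append((path, matched))
    return hits


if __name__ == "__main__":
    iocs = load_iocs(IOC_TEXT)
    print(f"loaded {len(iocs['md5'])} MD5 and {len(iocs['sha1'])} SHA1 IOCs")
    # Constructed benign bytes: should not match anything in the list.
    print("benign sample matches:", match_iocs(digest_bytes(b"constructed benign sample"), iocs))
    # Hypothetical directory to sweep; change to the drive or folder under investigation.
    for path, algos in scan_tree(".", iocs):
        print("HIT", path, algos)
```

Matching on both digests independently matters here: a file that matches only one of the two is still reported, which catches list entries where one digest was mistyped or truncated when the list was copied around.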
Technical security descriptors:
- TA08-297A
- CVE-2008-4250
- VU827267
Informational links
- Original Security Bulletin - Basic Bulletin about the threat and the Security update(s) used to address this worm.
- Critical Alert - Also symptom information - You may check your symptoms here
- Threat Information - Advanced information
- Conficker Eye Chart
- Scan now for Conficker - Instant Results
Other Technical Information:
- Port activity
- Port 445/TCP scanning (A/
- High-port TCP and UDP P2P Activity
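The two network symptoms listed above (445/TCP scanning and high-port P2P traffic) show up as fan-out: one source reaching many distinct destinations. The Python script below is an added example, not from the original post, of how a defender would spot that in a connection log. It assumes a simple constructed log format of "timestamp src dst proto dport" per line; the sample lines are constructed, and the 1024-10000 high-port window is taken from the page's description of the worm's random listening port.

```python
from collections import defaultdict

# Constructed sample flow log (not from the page), one "timestamp src dst proto dport" per line:
#   10.0.0.5 probes 445/TCP on 50 distinct hosts        -> worm-like scanning fan-out
#   10.0.0.7 talks to one file server on 445/TCP 40x    -> ordinary SMB use, one peer
#   10.0.0.9 exchanges UDP with 30 distinct high-port peers -> P2P-like activity
SAMPLE_LOG = (
    [f"2009-01-15T10:00:{i % 60:02d} 10.0.0.5 10.0.0.{i} TCP 445" for i in range(10, 60)]
    + [f"2009-01-15T10:01:{i:02d} 10.0.0.7 10.0.0.2 TCP 445" for i in range(0, 40)]
    + [f"2009-01-15T10:02:{i % 60:02d} 10.0.0.9 10.0.1.{i} UDP {1024 + 37 * i}" for i in range(1, 31)]
)


def parse_line(line):
    """Return (ts, src, dst, proto, dport) or None for a malformed line."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, proto, dport = parts
    try:
        return ts, src, dst, proto.upper(), int(dport)
    except ValueError:
        return None


def fan_out(lines, select):
    """Map src -> set of distinct (dst, dport) peers for records accepted by select(proto, dport).
    Counting distinct peers rather than raw connections is what separates a scanner
    from a host that simply uses one server heavily."""
    peers = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        _, src, dst, proto, dport = rec
        if select(proto, dport):
            peers[src].add((dst, dport))
    return peers


def find_445_scanners(lines, threshold=20):
    """Sources that touched 445/TCP on at least `threshold` distinct hosts."""
    peers = fan_out(lines, lambda proto, dport: proto == "TCP" and dport == 445)
    return sorted((src, len(p)) for src, p in peers.items() if len(p) >= threshold)


def find_high_port_p2p(lines, threshold=20, low=1024, high=10000):
    """Sources with at least `threshold` distinct TCP/UDP peers in the high-port window."""
    peers = fan_out(lines, lambda proto, dport: proto in ("TCP", "UDP") and low <= dport <= high)
    return sorted((src, len(p)) for src, p in peers.items() if len(p) >= threshold)


if __name__ == "__main__":
    for src, n in find_445_scanners(SAMPLE_LOG):
        print(f"445/TCP scanning: {src} reached {n} distinct hosts")
    for src, n in find_high_port_p2p(SAMPLE_LOG):
        print(f"high-port P2P: {src} exchanged traffic with {n} distinct peers")
```

The threshold is the tuning knob: on a flat office LAN a workstation rarely needs SMB on more than a handful of hosts, so 20 distinct 445/TCP destinations within a short window is a strong signal, while backup servers, vulnerability scanners and domain controllers need to be whitelisted before the output is acted on.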