Once executed, the worm copies itself as the following file:
%System%\[RANDOM FILE NAME].dll

Next, the worm deletes any user-created System Restore points.

It creates the following service:
Name: netsvcs
ImagePath: %SystemRoot%\system32\svchost.exe -k netsvcs

Then the worm creates the following registry entry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netsvcs\Parameters\"ServiceDll" = "[PathToWorm]"

The worm connects to the following URLs to obtain the IP address of the compromised computer:

* http://www.getmyip.org
* http://getmyip.co.uk
* http://checkip.dyndns.org

Full writeup:
http://www.symantec.com/security_response/writeup.jsp?docid=2008-112203-2408-99&tabid=2
====

My worry here is that it creates that netsvcs service, but that's legit, so killing the service to (try) and stop the worm will more than likely kill the machine along with it.

............................................................................................

Site Admin / Security Administrator

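Since stopping the netsvcs group takes the machine down with it, a less destructive first step is to look at which DLLs the svchost groups are actually loading. The PowerShell below is an added example (not from the Symantec writeup or the poster): it walks the Services registry tree, picks every service whose ImagePath runs through svchost.exe, resolves its Parameters\ServiceDll value and reports entries whose DLL is missing or does not carry a valid Authenticode signature, which is exactly where a random-named %System% DLL registered the way the writeup describes would surface. It assumes PowerShell with read access to HKLM.

```powershell
# Added example: enumerate svchost-hosted services and their ServiceDll values,
# flagging DLLs that are missing or not validly signed. Nothing is stopped or
# deleted; this is read-only triage.
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

Get-ChildItem -Path $servicesKey | ForEach-Object {
    $svc = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
    # Only services hosted by svchost.exe (the "-k <group>" pattern in the writeup)
    if (-not $svc.ImagePath -or $svc.ImagePath -notmatch 'svchost\.exe') { return }

    $paramsPath = Join-Path $_.PSPath 'Parameters'
    $dll = (Get-ItemProperty -Path $paramsPath -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    if (-not $dll) { return }

    # ServiceDll is often REG_EXPAND_SZ (%SystemRoot%\...); expand before testing.
    $dllPath = [Environment]::ExpandEnvironmentVariables($dll)
    $sig = if (Test-Path -Path $dllPath) { Get-AuthenticodeSignature -FilePath $dllPath } else { $null }

    [pscustomobject]@{
        Service    = $_.PSChildName
        HostGroup  = ($svc.ImagePath -replace '.*-k\s+', '')   # e.g. netsvcs
        ServiceDll = $dllPath
        Signer     = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
        SigStatus  = if ($sig) { $sig.Status } else { 'FileNotFound' }
    }
} | Where-Object { $_.SigStatus -ne 'Valid' } | Format-Table -AutoSize
```

On the XP/2003-era systems this worm targets, many legitimate Microsoft DLLs are catalog-signed rather than embedded-signed and older PowerShell reports them as NotSigned, so treat the output as a triage list to compare against a known-good build, not as a verdict; a DLL with a random name in %System% that is registered as a ServiceDll and has no signature at all is the entry to investigate first.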