Worm:Win32/Conficker

Win32/Confickeris a worm that spreads by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability ( CVE-2008-4250 / CIVN-2008-170 ). If the vulnerability is successfully exploited, it could allow remote code execution when file sharing is enabled.
Once installed and active, the worm opens and listens for connection attempts on a randomly chosen port between 1024 and 10000 and bypasses Windows firewall using APIs. The worm instructs the target computer to download a copy of the worm from the host computer via HTTP protocol using the random port opened by the worm. Once a machine has been infected the worm will patch the exploited function via a simple code hook in order to prevent re-infecting a machine it has already compromised.

Win32/Conficker disables a number of system services such as Windows Automatic Update, Windows Security Center, Windows Defender and Windows Error Reporting and Internet connection sharing service.

Some of the variants can also spread through corporate networks by infecting USB sticks and accessing weak passwords.

It propogates by creating an autorun.inf file on all mapped drives so that it automatically executed as soon as the drive becomes accessible.

The first part, "Install or run program" is there because the autorun.inf file containing the shellexecute keyword. However, the text comes from the Action keyword and the icon is extracted from shell32.dll (the 4th icon in the file) which is the standard folder icon which will run the worm

The worm also monitors DNS requests to domains containing certain strings and blocks access to those domains so that it will appear that the network request timed out thereby restricting users from updating their security software from those websites.

Aliases
W32.Downadup (Symantec)
W32/Downadup.A (F-Secure)
Conficker.A (Panda Software)
I-Worm.Kido(quick heal)

Upon execution the Worm :

• Copies itself as the following file:  %System%\[RANDOM FILE NAME].dll
• Deletes any user-created System Restore points
• Searches for the Windows executable 'services.exe' and will inject itself into it
• Creates the service “netsvcs “ with ImagePath: %SystemRoot%\\system32\\svchost.exe -k netsvcs
• Adjusts the file time of the dropped DLL worm copy to the same as the system's kernel32.dll file time to mask forensic evidence of infection time
• Modify the registry to execute the dropped DLL worm copy as a service 
  • HKLM\SYSTEM\CurrentControlSet\Services\vcdrlxeu\

• HKLM\SYSTEM\ControlSet001\Services\vcdrlxeu\

• Downloads a file from the following URL and executes it:  [http://]trafficconverter.biz/4vir/antispyware/loada
  [REMOVED]
• Queries following URLs to determine the computer's geographic location: 
  • getmyip.org
    
  • getmyip.co.uk 
  • checkip.dyndns.org
• Connects to a UPnP router and opens the http port and attempts to locate the network device registered as the Internet gateway on the network and opens the previously mentioned [RANDOM PORT] in order to allow access to the compromised computer from external networks.
• Attempts to download a data file from the following URL: [http://]www.maxmind.com/download/geoip/database/GeoIP.[REMOVED]
• Attempts to contact the following sites to obtain the current date:
  
  •  http://www.w3.org 
  •  http://www.ask.com 
  •  http://www.msn.com 
  •  http://www.yahoo.com 
  •  http://www.google.com
    
  •  http://www.baidu.com
• It uses the date information to generate a list of domain names and contacts these domains in an attempt to download additional files onto the compromised computer.
  

• Block access to the sites mentioned here at the perimeter
• Block ports 139 and 445 at the perimeter. 
• Install and maintain updated anti-virus software at gateway and desktop level 
• Install and maintain Desktop Firewall and block the ports which are not required 
• Use caution when opening attachments and accepting file transfers 
• Use caution when clicking on links to web pages
  

Free Removal Tools:

http://support.microsoft.com/kb/962007
ftp://ftp.f-secure.com/anti-virus/tools/beta/f-downadup.zip
http://www.symantec.com/security_response/writeup.jsp?
docid=2009-011316-0247-99

References

http://www.microsoft.com/security/portal/Entry.aspx?
Name=Worm%3aWin32%2fConficker.A
http://www.threatexpert.com/reports.aspx?find=W32.
Downadup+&x=0&y=0
http://blogs.technet.com/mmpc/archive/2008/11/25/
more-ms08-067-exploits.aspx
http://www.cert-in.org.in/vulnerability/civn-2008-170.htm
http://www.cert-in.org.in/currentacts/currentact07.htm#TGAM
http://www.ca.com/securityadvisor/virusinfo/virus.aspx?id=75911
http://www.microsoft.com/technet/security/bulletin/ms08-067.mspx
http://www.f-secure.com/weblog/archives/00001574.html
http://www.f-secure.com/v-descs/worm_w32_downadup_al.shtml
https://forums.symantec.com/t5/blogs/blogarticlepage/blog-id/
malicious_code/article-id/224
https://forums.symantec.com/t5/blogs/blogarticlepage/blog-id/
malicious_code/article-id/225
http://www.quickheal.co.in/alerts-I-Worm-Kido.asp
http://www.winvistaclub.com/s26.html
http://isc.sans.org/diary.html?storyid=5695
http://www.cnn.com/2009/TECH/ptech/01/16/virus.downadup/
index.html
http://support.microsoft.com/kb/962007

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information

Email: info@cert-in.org.in
Phone: +91-11-24368572

Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003