Worm:Win32/Conficker
Original issue date: November 28, 2008
Updated: January 07, 2009; January 12, 2009; January 21, 2009
Win32/Conficker is a worm that spreads by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (CVE-2008-4250 / CIVN-2008-170). If the vulnerability is successfully exploited, it could allow remote code execution when file sharing is enabled.
Once installed and active, the worm opens and listens for connection attempts on a randomly chosen port between 1024 and 10000 and bypasses the Windows firewall using APIs. The worm instructs the target computer to download a copy of the worm from the host computer over HTTP using the random port opened by the worm. Once a machine has been infected, the worm patches the exploited function via a simple code hook in order to prevent re-infecting a machine it has already compromised.
Win32/Conficker disables a number of system services such as Windows Automatic Update, Windows Security Center, Windows Defender, Windows Error Reporting and the Internet Connection Sharing service.
Some of the variants can also spread through corporate networks by infecting USB sticks and by exploiting weak passwords.
It propagates by creating an autorun.inf file on all mapped drives so that it is automatically executed as soon as the drive becomes accessible.
Screenshot of the autorun.inf file is pictured below (source: SANS)
Upon execution the AutoPlay window will pop up as given below:
The first part, "Install or run program", is there because the autorun.inf file contains the shellexecute keyword. However, the text comes from the Action keyword, and the icon is extracted from shell32.dll (the 4th icon in the file), which is the standard folder icon; choosing it will run the worm.
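To show how the AutoPlay disguise described above looks to a detector, here is an added Python example (not code from this advisory or from SANS) that parses an autorun.inf and flags the combination of a shellexecute launcher, an Action string that mimics Explorer's "Open folder" text, and the shell32.dll folder icon. Both sample files are constructed for illustration and are not the worm's actual autorun.inf; sample.dll is a placeholder name.

```python
"""Parse an autorun.inf and flag the AutoPlay disguise described above.
Added example, not code from the advisory; the sample files are constructed."""
import re

# Constructed sample in the style described above; sample.dll is a placeholder.
SUSPICIOUS_AUTORUN = r"""
[autorun]
Action=Open folder to view files
Icon=%SystemRoot%\system32\shell32.dll,4
shellexecute=rundll32.exe .\sample.dll,Install
UseAutoPlay=1
"""

# Constructed benign sample, e.g. a vendor CD that launches its own installer.
BENIGN_AUTORUN = r"""
[autorun]
open=setup.exe
icon=setup.exe
label=Product CD
"""

KEY_RE = re.compile(r"^([A-Za-z][A-Za-z0-9]*)\s*=\s*(.*?)\s*$")
LAUNCHER_RE = re.compile(r"\b(rundll32|regsvr32|cmd|wscript|cscript)(\.exe)?\b"
                         r"|\.(dll|exe|scr|bat|cmd|vbs|js)\b", re.I)
FOLDER_ICON_RE = re.compile(r"shell32\.dll\s*,\s*4\s*$", re.I)


def parse_autorun(text):
    """Return {key (lower-cased): value} from the [autorun] section.
    Lines that are not key=value (comments or junk padding) are skipped, so an
    obfuscated file still yields its keys."""
    keys, in_autorun = {}, False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            in_autorun = s[1:-1].strip().lower() == "autorun"
            continue
        m = KEY_RE.match(s) if in_autorun else None
        if m:
            keys[m.group(1).lower()] = m.group(2)
    return keys


def assess_autorun(text):
    """List the traits that make the AutoPlay prompt misleading."""
    keys = parse_autorun(text)
    findings = []
    launcher = keys.get("shellexecute") or keys.get("open")
    if "shellexecute" in keys:
        findings.append("shellexecute present: AutoPlay offers 'Install or run program'")
    if launcher and LAUNCHER_RE.search(launcher):
        findings.append("launcher runs executable content: " + launcher)
    if FOLDER_ICON_RE.search(keys.get("icon", "")):
        findings.append("icon is shell32.dll,4 (the standard folder icon)")
    if re.search(r"open\s+folder", keys.get("action", ""), re.I):
        findings.append("Action text mimics Explorer: " + keys["action"])
    return findings


def is_suspicious(text):
    """Two or more traits together form the disguise; one alone is common on real media."""
    return len(assess_autorun(text)) >= 2


if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_AUTORUN), ("benign", BENIGN_AUTORUN)):
        print(label, is_suspicious(sample), assess_autorun(sample))
```

The parser deliberately ignores lines that are not key=value pairs, so padding or garbage inserted to defeat naive signature matching does not prevent the keys from being read; the threshold of two traits keeps a plain vendor CD that runs its own setup.exe from being flagged.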
The worm also monitors DNS requests for domains containing certain strings and blocks access to those domains, so that the network request appears to have timed out, thereby preventing users from updating their security software from those websites.
Aliases:
- W32.Downadup (Symantec)
- W32/Downadup.A (F-Secure)
- Conficker.A (Panda Software)
- I-Worm.Kido (Quick Heal)
Upon execution the worm:
- Copies itself as the following file: %System%\[RANDOM FILE NAME].dll
- Deletes any user-created System Restore points
- Searches for the Windows executable 'services.exe' and will inject itself into it
- Creates the service "netsvcs" with ImagePath: %SystemRoot%\system32\svchost.exe -k netsvcs
- Adjusts the file time of the dropped DLL worm copy to the same as the system's kernel32.dll file time to mask forensic evidence of infection time
- Modifies the registry to execute the dropped DLL worm copy as a service:
HKLM\SYSTEM\CurrentControlSet\Services\vcdrlxeu\"DisplayName"=0
HKLM\SYSTEM\ControlSet001\Services\vcdrlxeu\Parameters\"ServiceDll"="<system folder>\nxyme.dll"
- Downloads a file from the following URL and executes it: [http://]trafficconverter.biz/4vir/antispyware/loada[REMOVED]
- Queries the following URLs to determine the computer's geographic location:
o getmyip.org
o getmyip.co.uk
o checkip.dyndns.org
- Connects to a UPnP router, opens the HTTP port, attempts to locate the network device registered as the Internet gateway on the network, and opens the previously mentioned [RANDOM PORT] in order to allow access to the compromised computer from external networks.
- Attempts to download a data file from the following URL: [http://]www.maxmind.com/download/geoip/database/GeoIP.[REMOVED]
- Attempts to contact the following sites to obtain the current date:
- It uses the date information to generate a list of domain names and contacts these domains in an attempt to download additional files onto the compromised computer.
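Two of the persistence traits in the list above can be checked offline against an exported inventory: a netsvcs-hosted service whose ServiceDll is a DLL not present on a clean build, and a DLL in the system folder whose last-write time has been set to match kernel32.dll. The following Python is an added example and not CERT-In's code; vcdrlxeu and nxyme.dll are the names from the registry entries above, while the baseline set, the timestamps and the BITS entry are constructed.

```python
"""Offline triage of a constructed service/DLL inventory for the two persistence
traits described above. Added example, not the advisory's code."""
import ntpath
import re
from datetime import datetime

# Constructed baseline: DLLs expected in the system folder on a clean build.
BASELINE_DLLS = {"kernel32.dll", "shell32.dll", "qmgr.dll"}

# Constructed inventory: file name -> last-write time, as an export script might
# collect it. nxyme.dll is the name from the advisory; the timestamps are made up.
DLL_INVENTORY = {
    "kernel32.dll": datetime(2008, 4, 14, 12, 0, 0),
    "shell32.dll":  datetime(2008, 4, 14, 12, 1, 30),
    "qmgr.dll":     datetime(2008, 4, 14, 12, 2, 0),
    "nxyme.dll":    datetime(2008, 4, 14, 12, 0, 0),  # same second as kernel32.dll
}

# Constructed service entries: name, DisplayName, ImagePath, Parameters\ServiceDll.
# vcdrlxeu is the service name from the advisory; BITS is a constructed legitimate entry.
SERVICES = [
    {"name": "vcdrlxeu", "display": "0",
     "image": r"%SystemRoot%\system32\svchost.exe -k netsvcs",
     "dll": r"C:\WINDOWS\system32\nxyme.dll"},
    {"name": "BITS", "display": "Background Intelligent Transfer Service",
     "image": r"%SystemRoot%\system32\svchost.exe -k netsvcs",
     "dll": r"C:\WINDOWS\system32\qmgr.dll"},
]

NETSVCS_RE = re.compile(r"svchost\.exe\s+-k\s+netsvcs\b", re.I)


def find_timestomped(inventory, baseline, reference="kernel32.dll"):
    """DLLs whose last-write time equals the reference file's, to the second, and
    that are not in the baseline. Files from one build legitimately share
    timestamps, so the baseline check is what turns a coincidence into a finding."""
    ref_time = inventory[reference]
    return sorted(name for name, mtime in inventory.items()
                  if name != reference and mtime == ref_time
                  and name.lower() not in baseline)


def find_suspicious_netsvcs(services, baseline):
    """netsvcs-hosted services whose ServiceDll is not a baseline DLL, or whose
    DisplayName is empty or just a number (the advisory shows DisplayName=0)."""
    hits = []
    for svc in services:
        if not NETSVCS_RE.search(svc["image"]):
            continue
        dll = ntpath.basename(svc["dll"]).lower()
        display = svc["display"].strip()
        odd_name = display == "" or display.isdigit()
        if dll not in baseline or odd_name:
            hits.append(svc["name"])
    return hits


def triage(inventory=DLL_INVENTORY, services=SERVICES, baseline=BASELINE_DLLS):
    """Run both checks and return the findings keyed by check name."""
    return {"timestomped": find_timestomped(inventory, baseline),
            "suspicious_services": find_suspicious_netsvcs(services, baseline)}


if __name__ == "__main__":
    for kind, names in triage().items():
        print(kind, names)
```

On a real host the inventory and service list would come from an export taken while the machine is offline or from a trusted boot environment, since the advisory notes the worm injects into services.exe and can interfere with tools run on the live system; the baseline should be built from an identical clean image rather than from the suspect machine.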
In view of the rapid propagation of the Conficker worm, users are advised to implement the following countermeasures:
- Delete the file created by the worm
- Delete the registry entries made by the worm mentioned above
- Apply appropriate patches as mentioned in CERT-In (CIVN-2008-170)
- Disable the AutoPlay/autorun features on all drives and devices. Refer to the following articles for relevant steps and patches:
http://support.microsoft.com/kb/953252
http://www.us-cert.gov/cas/techalerts/TA09-020A.html
- Block access to the sites mentioned here at the perimeter
- Block ports 139 and 445 at the perimeter.
- Install and maintain updated anti-virus software at gateway and desktop level
- Install and maintain a desktop firewall and block the ports which are not required
- Use caution when opening attachments and accepting file transfers
- Use caution when clicking on links to web pages
Free Removal Tools:
http://support.microsoft.com/kb/962007
ftp://ftp.f-secure.com/anti-virus/tools/beta/f-downadup.zip
http://www.symantec.com/security_response/writeup.jsp?docid=2009-011316-0247-99
References
http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A
http://www.threatexpert.com/reports.aspx?find=W32.Downadup+&x=0&y=0
http://blogs.technet.com/mmpc/archive/2008/11/25/more-ms08-067-exploits.aspx
http://www.cert-in.org.in/vulnerability/civn-2008-170.htm
http://www.cert-in.org.in/currentacts/currentact07.htm#TGAM
http://www.ca.com/securityadvisor/virusinfo/virus.aspx?id=75911
http://www.microsoft.com/technet/security/bulletin/ms08-067.mspx
http://www.f-secure.com/weblog/archives/00001574.html
http://www.f-secure.com/v-descs/worm_w32_downadup_al.shtml
https://forums.symantec.com/t5/blogs/blogarticlepage/blog-id/malicious_code/article-id/224
https://forums.symantec.com/t5/blogs/blogarticlepage/blog-id/malicious_code/article-id/225
http://www.quickheal.co.in/alerts-I-Worm-Kido.asp
http://www.winvistaclub.com/s26.html
http://isc.sans.org/diary.html?storyid=5695
http://www.cnn.com/2009/TECH/ptech/01/16/virus.downadup/index.html
http://support.microsoft.com/kb/962007
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Email: info@cert-in.org.in
Phone: +91-11-24368572
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003
