Undergoing MyBlogLog Verification

Wednesday, January 21, 2009

Conficker - Downadup

Conficker or Downadup : Removal Tool

Overview -

This detection is for a worm that exploits the MS08-067 vulnerability in order to spread. It may also download and execute various files onto the affected system.

Aliases

  • Worm:Win32/Conficker.A (Microsoft)
  • Crypt.AVL (AVG)
  • Mal/Conficker-A (Sophos)
  • Trojan.Win32.Pakes.lxf (F-Secure)
  • Trojan.Win32.Pakes.lxf (Kaspersky)
  • W32.Downadup (Symantec)
  • Worm:Win32/Conficker.B (Microsoft)
  • WORM_DOWNAD.A (Trend Micro)

Characteristics

Characteristics -

When executed, the worm copies itself using a random name to the %Sysdir% folder.

(Where %Sysdir% is the Windows system folder; e.g. C:\Windows\System32)

It modifies the following registry key to create a randomly-named service on the affected syetem:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random}\Parameters\"ServiceDll" = "Path to worm"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random}\"ImagePath" = %SystemRoot%\system32\svchost.exe -k netsvcs

Attempts connections to one or more of the following websites to obtain the public ip address of the affected computer.

  • hxxp://www.getmyip.org
  • hxxp://getmyip.co.uk
  • hxxp://checkip.dyndns.org
  • hxxp://whatsmyipaddress.com

Attempts to download a malware file from the remote website: (Rogue Russian site is up but not serving file anymore)

  • hxxp://trafficconverter.biz/[Removed]antispyware/[Removed].exe


Starts a HTTP server on a random port on the infected machine to host a copy of the worm.

Continuously scans the subnet of the infected host for vulnerable machines and executes the exploit. If the exploit is successful, the remote computer will then connect back to the http server and download a copy of the worm.

Later variants of w32/Conficker.worm are using scheduled tasks and Autorun.inf file to replicate on to non vulnerable systems or to reinfect previously infected systems after they have been cleaned.

Symptoms

Symptoms -

This symptoms of this detection are the files, registry, and network communication referenced in the characteristics section.

Users being locked out of directory

Access to admin shares denied

Scheduled tasks being created

Access to security related web sites is blocked.

Method of Infection

Method of Infection -

This worm exploits the MS08-067 Microsoft Windows Server Service vulnerability in order to propagate.

Machines should be patched and rebooted to protect against this worm re-infecting the system after cleaning.

Upon detection of this worm the system should be rebooted to clean memory correctly. May require more that one reboot.

Scheduled tasks have been seen to be created on the system to re-activate the worm.

Autorun.inf files have been seen to be used to re-activate the worm

Download Removal Tool

Posted by at
Labels: , ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)