Home / malware Worm:Win32/Conficker.E.dll
First posted on 24 April 2009.
Source: SecurityHomeAliases :
Worm:Win32/Conficker.E.dll is also known as Also Known As:Win32/Downadup.worm.87040 (AhnLab), Trojan-Downloader.Win32.Kido.ab (Kaspersky), W32/Malware.GFFJ (Norman), Troj/ConfDr-C (Sophos), Win32/Conficker.AQ (ESET), Win32/Conficker.D (), W32.Downadup.C (Symantec).
Explanation :
Worm:Win32/Conficker.E.dll is a component of the Win32/Conficker family. It is installed to machines already infected with Conficker.B, .C, or .D variants as an update via Worm:Win32/Conficker.E’s payload. Microsoft strongly recommends that users apply the update referred to in Security Bulletin MS08-067 immediately.
Symptoms
System ChangesThe following system changes may indicate the presence of this malware:The lack of response from, or the termination of, the following services: Windows Security Center Service (wscsvc) – notifies users of security settings (e.g. Windows update, Firewall and Antivirus) Windows Update Auto Update Service (wuauserv) Background Intelligence Transfer Service (BITS) – used by Windows Update to download updates using idle network bandwidth Windows Defender (WinDefend) Error Reporting Service (ersvc) – sends error reports to Microsoft to help improve user experience Windows Error Reporting Service (wersvc) Users may not be able to run applications containing the following strings:
autoruns
avenger
bd_rem
cfremo
confick
downad
dwndp
filemon
gmer
hotfix
kb890
kb958
kido
kill
klwk
mbsa.
mrt.
mrtstub
ms08
ms09
procexp
procmon
regmon
scct_
stinger
sysclean
tcpview
unlocker
wiresharkUsers may not be able to browse certain security-related Web sites with URLs that contain any of the following strings:
activescan
adware
agnitum
ahnlab
anti-
antivir
arcabit
av-sc
avast
avgate
avira
bdtools
bothunter
castlecops
ccollomb
centralcommand
clamav
comodo
computerassociates
confick
coresecur
cpsecure
cyber-ta
defender
downad
doxpara
drweb
dslreports
emsisoft
enigma
esafe
eset
etrust
ewido
f-prot
f-secure
fortinet
free-av
freeav
fsecure
gdata
grisoft
hackerwatch
hacksoft
hauri
honey
ikarus
insecure.
iv.cs.uni
jotti
k7computing
kaspersky
kido
malware
mcafee
microsoft
mirage
mitre.
ms-mvp
msftncsi
msmvps
mtc.sri
ncircle
networkassociates
nmap.
nod32
norman
norton
onecare
panda
pctools
precisesecurity
prevx
ptsecurity
qualys
quickheal
removal
rising
rootkit
safety.live
secunia
securecomputing
secureworks
snort
sophos
spamhaus
spyware
staysafe
sunbelt
symantec
technet
tenablese
threat
threatexpert
trendmicro
trojan
virscan
virus
wilderssecurity
windowsupdateUsers may experience a Web browser time-out error when attempting to access URLs containing the following strings:
avg.
avp.
bit9.
ca.
cert.
gmer.
kav.
llnw.
llnwd.
msdn.
msft.
nai.
sans.
vet.
Worm:Win32/Conficker.E.dll is a component of the Win32/Conficker family. It is installed to machines already infected with Conficker.B, .C, or .D variants as an update via Worm:Win32/Conficker.E’s payload.
Installation
Win32/Conficker.E.dll is delivered by Worm:Win32/Conficker.E to systems that are already infected by Conficker and as yet unpatched against a vulnerability in the Windows Server service (srvsvc). The vulnerability is documented in Microsoft Security Bulletin MS08-067. Worm:Win32/Conficker.E checks if targets are already infected by the .B, .C or .D Conficker variants by first checking the result from the API NetpwPathCanonicalize in 'netapi32.dll'. If the target is already infected, and the vulnerability is successfully exploited, Worm:Win32/Conficker.E instructs the target computer to download a dropper DLL (also detected as Worm:Win32/Conficker.E.dll) from the host computer via HTTP protocol using a TCP port (between 1024 and 9999) opened by the worm. The dropper DLL then drops and loads the second DLL (detected as Worm:Win32/Conficker.E.dll). When this second DLL is loaded, it attempts to copy itself to the local machine using a file name that is constructed from a hash of the affected machine's computer name. The file name appears as a string of 5-9 lowercase letters, with a .dll file extension - for example 'xhyngr.dll'. The DLL attempts to copy itself to the following locations, in the following order:System folder (typical path: C:WindowsSystem32) One of the following 4 folders under the %ProgramFiles% folder:
"Movie Maker"
"Internet Explorer"
"Windows Media Player"
"Windows NT"%Application Data% folder (typical path: C:Documents and SettingsUsernameApplication Data ) The %temp% folder Once successfully copied to one of these locations, Worm:Win32/Conficker.E.dll does not attempt to copy itself further to the other locations. Worm:Win32/Conficker.E.dll then modifies the following registry entries to ensure that it is loaded at each Windows start (for example):
Adds value: "<random alphabetic string>"
With data: "rundll32 "<malware file name> .dll",<random alphabetic string>"
To subkey: HKLMSoftwareMicrosoftWindowsCurrentVersionRun Adds value: "<random alphabetic string>"
With data: "rundll32 "<malware file name> .dll",<random alphabetic string>"
To subkey:HKCUSoftwareMicrosoftWindowsCurrentVersionRun Win32/Conficker.E.dll also patches the NetpwPathCanonicalize API in the file 'netapi32.dll' to prevent the vulnerability from being further exploited by other remote agents.
Payload
Terminates ServicesWin32/Conficker.E.dll terminates several important system services, such as the following:Windows Security Center Service (wscsvc) – notifies users of security settings (e.g. Windows update, Firewall and Antivirus) Windows Update Auto Update Service (wuauserv) Background Intelligence Transfer Service (BITS) – used by Windows Update to download updates using idle network bandwidth Windows Defender (WinDefend) Error Reporting Service (ersvc) – sends error reports to Microsoft to help improve user experience Windows Error Reporting Service (wersvc) Terminates ProcessesWin32/Conficker.E.dll polls the process list every one second for these strings and, if found, terminates them: autoruns - "Autoruns" program
avenger - kernel-mode security program
bd_rem - "bd_rem_tool_console.exe" & "bd_rem_tool_gui.exe" programs
cfremo - Enigma Software "cfremover.exe" program
confick - Presumably targeting Conficker removal tools
downad - Presumably targeting Conficker removal tools
dwndp - Symantec tool "fixdwndp.exe"
filemon - "File Monitor" program
gmer - rootkit detection program
hotfix - security update
kb890 - Microsoft KB article, includes MSRT
kb958 - Microsoft KB article, includes MS08-067
kido - taken from the name 'Kido', another 'Conficker' alias
kill - utility used to terminate other processes
klwk - Kaspersky program
mbsa. - "Microsoft Baseline Security Analyzer" program
mrt. - "Microsoft Malicious Software Removal Tool" program
mrtstub - "Microsoft Malicious Software Removal Tool" program
ms08 - Microsoft Security Updates released in 2008
ms09 - Microsoft Security Updates released in 2009
procexp - "Process Explorer" program
procmon - "Process Monitor" program
regmon - "Registry Monitor" program
scct_ - Sophos Conficker Cleanup tool
stinger - McAfee tool
sysclean - Trend Micro tool
tcpview - tool used to view TCP connection and traffic
unlocker - tool used to unlock locked files or folders
wireshark - network protocol analyzer tool Blocks Access to Particular Web sites/IP RangesWin32/Conficker.E.dll blocks access to domains in certain IP ranges. In addition, the worm hooks 'dnsapi.dll' to prevent access to Web sites containing the following strings in the URL: activescan
adware
agnitum
ahnlab
anti-
antivir
arcabit
av-sc
avast
avgate
avira
bdtools
bothunter
castlecops
ccollomb
centralcommand
clamav
comodo
computerassociates
confick
coresecur
cpsecure
cyber-ta
defender
downad
doxpara
drweb
dslreports
emsisoft
enigma
esafe
eset
etrust
ewido
f-prot
f-secure
fortinet
free-av
freeav
fsecure
gdata
grisoft
hackerwatch
hacksoft
hauri
honey
ikarus
insecure.
iv.cs.uni
jotti
k7computing
kaspersky
kido
malware
mcafee
microsoft
mirage
mitre.
ms-mvp
msftncsi
msmvps
mtc.sri
ncircle
networkassociates
nmap.
nod32
norman
norton
onecare
panda
pctools
precisesecurity
prevx
ptsecurity
qualys
quickheal
removal
rising
rootkit
safety.live
secunia
securecomputing
secureworks
snort
sophos
spamhaus
spyware
staysafe
sunbelt
symantec
technet
tenablese
threat
threatexpert
trendmicro
trojan
virscan
virus
wilderssecurity
windowsupdate Worm:Win32/Conficker.E.dll may cause browser time-outs when a user attempts to access Web sites with URLs containing any of the following strings: avg.
avp.
bit9.
ca.
cert.
gmer.
kav.
llnw.
llnwd.
msdn.
msft.
nai.
sans.
vet. Distributes and Receives Remote Commands Via Distributed P2P NetworkWorm:Win32/Conficker.E.dll can distribute and receive commands from other computers infected by particular Win32/Conficker variants via a built-in peer-to-peer (P2P) network. This mechanism could be used to distribute additional malware to and from infected machines. To connect to other infected computers, Win32/Conficker.E.dll opens four ports on each available network interface. It opens two TCP and two UDP ports. The port numbers of the first TCP and UDP ports are calculated based on the IP address of the network interface. The second TCP and UDP ports are calculated based on the IP address of the network interface as well as the current week, leading to this second set of ports to change on a weekly basis. In short, while the first set of ports is constant and remain open week after week, the second set changes weekly. When computing for the current week, Win32/Conficker.E.dll attempts to determine the time in GMT so that all port changes occur at the same time. Both TCP listening ports behave in an identical fashion, as do both UDP listening ports. These ports are used by an infected computer to communicate with other computers also infected with Win32/Conficker.
Analysis by Aaron PutnamLast update 24 April 2009
