
Worm:Win32/Conficker.E


First posted on 16 April 2009.
Source: SecurityHome

Aliases :

Worm:Win32/Conficker.E is also known as Win32/Conficker.worm.119296 (AhnLab), Win32.Worm.Downadup.A (BitDefender), Win32/Conficker.A (CA), W32/Conficker.G (Authentium (Command)), Win32/Conficker.AQ (ESET), Trojan-Dropper.Win32.Kido.o (Kaspersky), Net-Worm.Win32.Kido.js (Kaspersky), W32/Conficker.worm.gen.d (McAfee), W32/Confick-D (Sophos), W32.Downadup (Symantec), Trojan.DR.Kido.CE (VirusBuster), Worm:Win32/Conficker.gen!A (Microsoft).

Explanation :

Worm:Win32/Conficker.E is a member of the Win32/Conficker family and was proactively detected when first discovered as Worm:Win32/Conficker.gen!A. Conficker.E infects other computers across a network by exploiting a vulnerability in the Windows Server service (srvsvc). If the vulnerability is successfully exploited, it could allow remote code execution when file sharing is enabled. Conficker.E may be installed by previous variants of Win32/Conficker. This variant deletes its own executable on May 3 2009; its DLL payload component remains on the system after that date. Microsoft strongly recommends that users apply the update referred to in Security Bulletin MS08-067 immediately. Microsoft also recommends that users ensure that their network passwords are strong to prevent this worm from spreading via weak administrator passwords.

Symptoms
System Changes
The following system changes may indicate the presence of this malware:

  • The lack of response from, or the termination of, the following services:

    Windows Security Center Service (wscsvc) – notifies users of security settings (e.g. Windows Update, Firewall and Antivirus)
    Windows Update Auto Update Service (wuauserv)
    Background Intelligent Transfer Service (BITS) – used by Windows Update to download updates using idle network bandwidth
    Windows Defender (WinDefend)
    Error Reporting Service (ersvc) – sends error reports to Microsoft to help improve user experience
    Windows Error Reporting Service (wersvc)
  • Users may not be able to run applications whose process names contain the following strings:

    autoruns
    avenger
    bd_rem
    cfremo
    confick
    downad
    dwndp
    filemon
    gmer
    hotfix
    kb890
    kb958
    kido
    kill
    klwk
    mbsa.
    mrt.
    mrtstub
    ms08
    ms09
    procexp
    procmon
    regmon
    scct_
    stinger
    sysclean
    tcpview
    unlocker
    wireshark
  • Users may not be able to browse certain security-related Web sites with URLs that contain any of the following strings:

    activescan
    adware
    agnitum
    ahnlab
    anti-
    antivir
    arcabit
    av-sc
    avast
    avgate
    avira
    bdtools
    bothunter
    castlecops
    ccollomb
    centralcommand
    clamav
    comodo
    computerassociates
    confick
    coresecur
    cpsecure
    cyber-ta
    defender
    downad
    doxpara
    drweb
    dslreports
    emsisoft
    enigma
    esafe
    eset
    etrust
    ewido
    f-prot
    f-secure
    fortinet
    free-av
    freeav
    fsecure
    gdata
    grisoft
    hackerwatch
    hacksoft
    hauri
    honey
    ikarus
    insecure.
    iv.cs.uni
    jotti
    k7computing
    kaspersky
    kido
    malware
    mcafee
    microsoft
    mirage
    mitre.
    ms-mvp
    msftncsi
    msmvps
    mtc.sri
    ncircle
    networkassociates
    nmap.
    nod32
    norman
    norton
    onecare
    panda
    pctools
    precisesecurity
    prevx
    ptsecurity
    qualys
    quickheal
    removal
    rising
    rootkit
    safety.live
    secunia
    securecomputing
    secureworks
    snort
    sophos
    spamhaus
    spyware
    staysafe
    sunbelt
    symantec
    technet
    tenablese
    threat
    threatexpert
    trendmicro
    trojan
    virscan
    virus
    wilderssecurity
    windowsupdate
  • Users may experience a Web browser time-out error when attempting to access URLs containing the following strings:

    avg.
    avp.
    bit9.
    ca.
    cert.
    gmer.
    kav.
    llnw.
    llnwd.
    msdn.
    msft.
    nai.
    sans.
    vet.



    Installation
    Worm:Win32/Conficker.E consists of three components:
  • .EXE executable (detected as Worm:Win32/Conficker.E) - contains exploit code and spreading mechanism
  • .DLL dropper (detected as Worm:Win32/Conficker.E) - loaded and decrypted by the .EXE, drops another .DLL
  • .DLL component (detected as Worm:Win32/Conficker.E.dll) - .DLL dropped by the aforementioned .DLL. This component contains the worm's payload (see below for additional detail).

    When Conficker.E's executable is run, it drops and runs a .DLL that drops a further .DLL. The registry is not modified to execute the main executable component, and the main EXE does not execute at each Windows start.

    Spreads Via...

    Network Shares with Weak Passwords
    Worm:Win32/Conficker.E attempts to infect machines within the network. It attempts to drop a copy of itself in a target machine's ADMIN$ share using the credentials of the currently logged-on user.

    Exploit - MS08-067
    Win32/Conficker.E spreads to systems that are not yet patched against a vulnerability in the Windows Server service (srvsvc). The vulnerability is documented in Microsoft Security Bulletin MS08-067. If the vulnerability is successfully exploited, the worm instructs the target computer to download a copy of the worm from the host computer over HTTP, using a TCP port (between 1024 and 9999) opened by the worm. The DLL component, Win32/Conficker.E.dll, patches the API NetpwPathCanonicalize in NETAPI32.DLL to prevent the vulnerability from being further exploited by other remote agents. Because this patch is applied in memory on the infected host, a network check that works by probing the MS08-067 vulnerability may report such a host as not vulnerable; confirm patch state from the installed updates on the host rather than from a remote probe.
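The two spreading behaviours just described leave a recognisable trail in Windows Security logs: a burst of failed network logons from one source against many hosts, followed by a connection to a target's ADMIN$ share. The following Python is an added detection example, not code from the original analysis. It runs over a constructed event export (not real telemetry); event IDs 4625 (an account failed to log on) and 5140 (a network share object was accessed), both with logon type 3 (network), are the real Vista/Server 2008-era IDs, while the pipe-separated export format, the host names, addresses, accounts, look-back window and threshold are assumptions made for the example.

```python
"""Flag hosts that spread the way the write-up describes: many failed network
logons against other machines, then access to a target's ADMIN$ share.

Added example; not part of the original analysis. Runs over a constructed
Windows Security event export (not real telemetry). Event IDs 4625 (failed
logon) and 5140 (network share object accessed) and logon type 3 (network)
are real; the export format, names, addresses, accounts, WINDOW and
MIN_TARGETS are assumptions for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=30)  # assumed: look-back for "recent" failures
MIN_TARGETS = 3                 # assumed: distinct hosts failed against in WINDOW

# Constructed sample. Fields:
# timestamp|event_id|source_ip|target_host|account|logon_type|share
SAMPLE_EVENTS = r"""
2009-04-16T10:00:01|4625|10.0.0.25|FILESRV01|Administrator|3|
2009-04-16T10:00:02|4625|10.0.0.25|FILESRV01|Administrator|3|
2009-04-16T10:00:02|4625|10.0.0.25|FILESRV02|Administrator|3|
2009-04-16T10:00:03|4625|10.0.0.25|WKS-HR-07|Administrator|3|
2009-04-16T10:00:03|4625|10.0.0.25|WKS-HR-08|Administrator|3|
2009-04-16T10:00:04|4625|10.0.0.25|WKS-HR-09|Administrator|3|
2009-04-16T10:00:05|5140|10.0.0.25|WKS-HR-09|Administrator|3|\\*\ADMIN$
2009-04-16T10:00:09|4625|10.0.0.40|FILESRV01|jsmith|3|
2009-04-16T10:30:00|4625|10.0.0.40|FILESRV01|jsmith|3|
2009-04-16T10:31:00|5140|10.0.0.40|FILESRV01|jsmith|3|\\*\Projects
"""


def parse_events(text):
    """Parse the pipe-separated export into dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, src, tgt, acct, ltype, share = line.split("|")
        events.append({
            "ts": datetime.fromisoformat(ts), "id": int(eid), "src": src,
            "tgt": tgt, "acct": acct.lower(), "ltype": int(ltype), "share": share,
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_spreaders(events):
    """Return {source_ip: finding} for sources showing the spread pattern.

    A finding records the distinct hosts a source failed against inside one
    WINDOW (password guessing over the network) and any ADMIN$ access that
    followed at least two recent failures from the same source.
    """
    failures = defaultdict(list)  # source_ip -> [(timestamp, target_host)]
    findings = {}

    def finding_for(src):
        return findings.setdefault(
            src, {"spray_targets": set(), "admin_share_after_failures": []})

    for e in events:
        if e["ltype"] != 3:       # only network logons matter here
            continue
        src = e["src"]
        recent = [(ts, tgt) for ts, tgt in failures[src] if e["ts"] - ts <= WINDOW]
        if e["id"] == 4625:
            failures[src].append((e["ts"], e["tgt"]))
            targets = {tgt for _, tgt in recent} | {e["tgt"]}
            if len(targets) >= MIN_TARGETS:
                finding_for(src)["spray_targets"] |= targets
        elif e["id"] == 5140 and e["share"].upper().endswith("ADMIN$"):
            if len(recent) >= 2:
                finding_for(src)["admin_share_after_failures"].append(
                    (e["tgt"], e["acct"]))
    return findings


if __name__ == "__main__":
    for src, f in detect_spreaders(parse_events(SAMPLE_EVENTS)).items():
        print(src, sorted(f["spray_targets"]), f["admin_share_after_failures"])
```

On the sample, 10.0.0.25 is reported (five hosts failed against within seconds, then ADMIN$ on WKS-HR-09), while 10.0.0.40's two isolated failures and a later ordinary share access are ignored. Note that 5140 is only logged when file-share auditing is enabled on the target, so a quiet ADMIN$ field is not proof of absence.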

    Payload
    Worm:Win32/Conficker.E drops and executes an embedded DLL component (detected as Worm:Win32/Conficker.E.dll) that performs several of the following actions.

    Modifies System Settings - Patches TCP/IP Driver
    Win32/Conficker.E patches the TCP/IP driver 'tcpip.sys' in memory to increase and maximize the number of connections allowed (connection limit) on the infected computer. The worm patches in memory rather than on disk to bypass Windows File Protection.

    Terminates Services
    Win32/Conficker.E.dll terminates several important system services, such as the following:
  • Windows Security Center Service (wscsvc) – notifies users of security settings (e.g. Windows Update, Firewall and Antivirus)
  • Windows Update Auto Update Service (wuauserv)
  • Background Intelligent Transfer Service (BITS) – used by Windows Update to download updates using idle network bandwidth
  • Windows Defender (WinDefend)
  • Error Reporting Service (ersvc) – sends error reports to Microsoft to help improve user experience
  • Windows Error Reporting Service (wersvc)
    Terminates Processes
    Win32/Conficker.E.dll polls the process list every second for the following strings and, if found, terminates the matching processes:

    autoruns - "Autoruns" program
    avenger - kernel-mode security program
    bd_rem - "bd_rem_tool_console.exe" & "bd_rem_tool_gui.exe" programs
    cfremo - Enigma Software "cfremover.exe" program
    confick - presumably targeting Conficker removal tools
    downad - presumably targeting Conficker removal tools
    dwndp - Symantec tool "fixdwndp.exe"
    filemon - "File Monitor" program
    gmer - rootkit detection program
    hotfix - security update
    kb890 - Microsoft KB article, includes MSRT
    kb958 - Microsoft KB article, includes MS08-067
    kido - taken from the name 'Kido', another 'Conficker' alias
    kill - utility used to terminate other processes
    klwk - Kaspersky program
    mbsa. - "Microsoft Baseline Security Analyzer" program
    mrt. - "Microsoft Malicious Software Removal Tool" program
    mrtstub - "Microsoft Malicious Software Removal Tool" program
    ms08 - Microsoft Security Updates released in 2008
    ms09 - Microsoft Security Updates released in 2009
    procexp - "Process Explorer" program
    procmon - "Process Monitor" program
    regmon - "Registry Monitor" program
    scct_ - Sophos Conficker Cleanup tool
    stinger - McAfee tool
    sysclean - Trend Micro tool
    tcpview - tool used to view TCP connections and traffic
    unlocker - tool used to unlock locked files or folders
    wireshark - network protocol analyzer tool

    Blocks Access to Particular Websites/IP Ranges
    Win32/Conficker.E blocks access to domains in certain IP ranges. In addition, the worm hooks DNSAPI.DLL to prevent access to Web sites containing the following strings in the URL:

    activescan
    adware
    agnitum
    ahnlab
    anti-
    antivir
    arcabit
    av-sc
    avast
    avgate
    avira
    bdtools
    bothunter
    castlecops
    ccollomb
    centralcommand
    clamav
    comodo
    computerassociates
    confick
    coresecur
    cpsecure
    cyber-ta
    defender
    downad
    doxpara
    drweb
    dslreports
    emsisoft
    enigma
    esafe
    eset
    etrust
    ewido
    f-prot
    f-secure
    fortinet
    free-av
    freeav
    fsecure
    gdata
    grisoft
    hackerwatch
    hacksoft
    hauri
    honey
    ikarus
    insecure.
    iv.cs.uni
    jotti
    k7computing
    kaspersky
    kido
    malware
    mcafee
    microsoft
    mirage
    mitre.
    ms-mvp
    msftncsi
    msmvps
    mtc.sri
    ncircle
    networkassociates
    nmap.
    nod32
    norman
    norton
    onecare
    panda
    pctools
    precisesecurity
    prevx
    ptsecurity
    qualys
    quickheal
    removal
    rising
    rootkit
    safety.live
    secunia
    securecomputing
    secureworks
    snort
    sophos
    spamhaus
    spyware
    staysafe
    sunbelt
    symantec
    technet
    tenablese
    threat
    threatexpert
    trendmicro
    trojan
    virscan
    virus
    wilderssecurity
    windowsupdate

    Worm:Win32/Conficker.E.dll may cause browser time-outs when a user attempts to access Web sites with URLs containing any of the following strings:

    avg.
    avp.
    bit9.
    ca.
    cert.
    gmer.
    kav.
    llnw.
    llnwd.
    msdn.
    msft.
    nai.
    sans.
    vet.

    Distributes and Receives Remote Commands Via Distributed P2P Network
    Worm:Win32/Conficker.E can distribute and receive commands from other computers infected by particular Win32/Conficker variants via a built-in peer-to-peer (P2P) network. This mechanism could be used to distribute additional malware to and from infected machines.

    To connect to other infected computers, Win32/Conficker.E opens four ports on each available network interface: two TCP and two UDP ports. The port numbers of the first TCP and UDP ports are calculated from the IP address of the network interface. The second TCP and UDP ports are calculated from the IP address of the network interface and the current week, so this second set of ports changes on a weekly basis. In short, the first set of ports is constant and remains open week after week, while the second set changes weekly. When computing the current week, Win32/Conficker.E attempts to determine the time in GMT so that all port changes occur at the same time on every infected host. Both TCP listening ports behave in an identical fashion, as do both UDP listening ports. These ports are used by an infected computer to communicate with other computers also infected with Win32/Conficker.

    Additional Information
    Win32/Conficker.E executes a self-termination routine when the date is May 3 2009. The worm deletes its main executable component on this date; however, the DLL payload component (detected as Worm:Win32/Conficker.E.dll) remains to continue participating in P2P communication among infected peers.

    Win32/Conficker.E periodically checks for Internet connectivity by connecting to the following websites:

    www.aol.com
    www.cnn.com
    www.ebay.com
    www.msn.com
    www.myspace.com

    Win32/Conficker.E also periodically connects to one of the following sites (at random) to determine its external IP address:

    checkip.dyndns.org
    checkip.dyndns.com
    www.myipaddress.com
    www.findmyipaddress.com
    www.ipaddressworld.com
    www.findmyip.com
    www.ipdragon.com
    www.whatsmyipaddress.com
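Both the Symptoms section and the Terminates Processes / Blocks Access payload sections above describe the same mechanism: a substring test against a fixed list of strings, applied to process names and to URLs. The following Python is an added example, not code from the original analysis, that models those two checks so a responder can predict which tools will be killed and which sites will be unreachable before touching an infected host. The kill-list and time-out strings are copied in full from the write-up; the DNS-hook list is a representative subset of the longer list above; the case-insensitive substring rule is inferred from the write-up's wording, and the sample process names and URLs are constructed.

```python
"""Model the name-based blocking described in the write-up (added example;
not code from the original analysis).

Two rules are taken from the text:
  * a process is terminated when its name contains one of KILL_STRINGS;
  * a URL is blocked (DNS hook) or times out when it contains one of the
    listed strings.

KILL_STRINGS and TIMEOUT_STRINGS are the full lists from the write-up;
URL_BLOCK_STRINGS is a representative subset of the longer DNS-hook list.
Assumed for the example: matching is a case-insensitive substring test.
The sample process names and URLs are constructed.
"""

KILL_STRINGS = [
    "autoruns", "avenger", "bd_rem", "cfremo", "confick", "downad", "dwndp",
    "filemon", "gmer", "hotfix", "kb890", "kb958", "kido", "kill", "klwk",
    "mbsa.", "mrt.", "mrtstub", "ms08", "ms09", "procexp", "procmon",
    "regmon", "scct_", "stinger", "sysclean", "tcpview", "unlocker",
    "wireshark",
]

URL_BLOCK_STRINGS = [  # subset of the DNS-hook list in the write-up
    "activescan", "ahnlab", "anti-", "avira", "confick", "defender", "downad",
    "eset", "kaspersky", "kido", "malware", "mcafee", "microsoft", "msftncsi",
    "removal", "rootkit", "safety.live", "sophos", "spyware", "symantec",
    "technet", "trojan", "virus", "windowsupdate",
]

TIMEOUT_STRINGS = [
    "avg.", "avp.", "bit9.", "ca.", "cert.", "gmer.", "kav.", "llnw.",
    "llnwd.", "msdn.", "msft.", "nai.", "sans.", "vet.",
]


def _first_match(text, needles):
    """Return the first needle contained in text (case-insensitive), else None."""
    lowered = text.lower()
    for needle in needles:
        if needle in lowered:
            return needle
    return None


def kill_match(process_name):
    """The kill-list string a process with this image name would match, or None."""
    return _first_match(process_name, KILL_STRINGS)


def url_match(url):
    """("blocked", s) if the DNS hook would refuse the URL, ("timeout", s) if
    it would stall, or None if the URL is unaffected."""
    s = _first_match(url, URL_BLOCK_STRINGS)
    if s:
        return ("blocked", s)
    s = _first_match(url, TIMEOUT_STRINGS)
    if s:
        return ("timeout", s)
    return None


def pick_safe_name(candidates):
    """First candidate file name that no kill string matches, else None.

    Because the check is a plain substring test on the process name, renaming
    a tool or a patch installer to a neutral name is enough to get past this
    particular check; this picks such a name from a list of proposals.
    """
    for name in candidates:
        if kill_match(name) is None:
            return name
    return None


if __name__ == "__main__":
    # Constructed inputs
    for proc in ["procexp.exe", "Windows-KB958644-x86-ENU.exe", "pe.exe"]:
        print(proc, "->", kill_match(proc))
    for url in ["http://www.microsoft.com/", "http://www.america.com/",
                "http://www.example.org/"]:
        print(url, "->", url_match(url))
    print(pick_safe_name(["procexp.exe", "ms08-067.exe", "ps_explorer.exe"]))
```

Two practical consequences fall out of the model. First, the MS08-067 installer itself (its file name carries the KB number that "kb958" matches) will be killed on an infected host unless it is renamed before it is run. Second, the match is a raw substring test, so short strings such as "ca." catch unrelated hosts (www.america.com times out just as ca.com does), which is worth knowing when users report odd browsing failures.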

    Analysis by Aaron Putnam

    Last update 16 April 2009
