Discovered: November 21, 2008
Updated: November 24, 2008 9:37:07 AM
Also Known As: Win32/Conficker.A [Computer Associates], W32/Downadup.A [F-Secure], Conficker.A [Panda Software], Net-Worm.Win32.Kido.bt [Kaspersky]
Type: Worm
Infection Length: 62,976 bytes
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP
Once executed, the worm copies itself as the following file: %System%\[RANDOM FILE NAME].dll
Next, the worm deletes any user-created System Restore points.
It creates the following service:
Name: netsvcs
ImagePath: %SystemRoot%\\system32\\svchost.exe -k netsvcs
Then the worm creates the following registry entry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netsvcs\Parameters\"ServiceDll" = "[PathToWorm]"
The worm connects to the following URLs to obtain IP address of the compromised computer:
http://www.getmyip.org
http://getmyip.co.uk
http://checkip.dyndns.org
Next, the worm downloads a file from the following URL and executes it:
[http://]trafficconverter.biz/4vir/antispyware/loada[REMOVED]
The worm then creates a http server on the compromised computer on a random port, for example:
http://[EXTERNAL IP ADDRESS OF INFECTED MACHINE]:[RANDOM PORT]
The worm then sends this URL as part of its payload to remote computers.
Upon successful exploitation, the remote computer will then connect back to this URL and download the worm.
In this way, each exploited computer can spread the worm itself, as opposed to downloading from a predetermined location.
Next, the worm connects to a UPnP router and opens the http port.
It then attempts to locate the network device registered as the Internet gateway on the network and opens the previously mentioned [RANDOM PORT] in order to allow access to the compromised computer from external networks.
The worm then attempts to download a data file from the following URL:
[http://]www.maxmind.com/download/geoip/database/GeoIP.[REMOVED]
The worm spreads by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (BID 31874).
Next, the worm attempts to contact the following sites to obtain the current date:
http://www.w3.org
http://www.ask.com
http://www.msn.com
http://www.yahoo.com
http://www.google.com
http://www.baidu.com
It uses the date information to generate a list of domain names.
The worm then contacts these domains in an attempt to download additional files onto the compromised computer.
Once executed, the worm copies itself as the following file: %System%\[RANDOM FILE NAME].dll
Next, the worm deletes any user-created System Restore points.
It creates the following service:
Name: netsvcs
ImagePath: %SystemRoot%\\system32\\svchost.exe -k netsvcs
Then the worm creates the following registry entry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netsvcs\Parameters\"ServiceDll" = "[PathToWorm]"
The worm connects to the following URLs to obtain IP address of the compromised computer:
http://www.getmyip.org
http://getmyip.co.uk
http://checkip.dyndns.org
Next, the worm downloads a file from the following URL and executes it:
[http://]trafficconverter.biz/4vir/antispyware/loada[REMOVED]
The worm then creates a http server on the compromised computer on a random port, for example:
http://[EXTERNAL IP ADDRESS OF INFECTED MACHINE]:[RANDOM PORT]
The worm then sends this URL as part of its payload to remote computers.
Upon successful exploitation, the remote computer will then connect back to this URL and download the worm.
In this way, each exploited computer can spread the worm itself, as opposed to downloading from a predetermined location.
Next, the worm connects to a UPnP router and opens the http port.
It then attempts to locate the network device registered as the Internet gateway on the network and opens the previously mentioned [RANDOM PORT] in order to allow access to the compromised computer from external networks.
The worm then attempts to download a data file from the following URL:
[http://]www.maxmind.com/download/geoip/database/GeoIP.[REMOVED]
The worm spreads by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (BID 31874).
Next, the worm attempts to contact the following sites to obtain the current date:
http://www.w3.org
http://www.ask.com
http://www.msn.com
http://www.yahoo.com
http://www.google.com
http://www.baidu.com
It uses the date information to generate a list of domain names.
The worm then contacts these domains in an attempt to download additional files onto the compromised computer.
No hay comentarios:
Publicar un comentario