The Conficker worm has caused trouble for months, ever since it appeared in November 2008. Security researchers have sent out notice about Conficker.C, the latest variant of the notorious worm, which will be significantly harder to track and remove. The worm is set to be launched on April 1, threatening to make the situation on Fool's Day not funny at all.
Researchers compare this variant of the Conficker worm to HIV in humans: it attacks a computer's immune system, leaving it unable to defend itself.
What makes it particularly nasty is the fact that it blocks security-related websites, especially Microsoft's. It also terminates system security services and copies itself into various Windows folders. All this makes it hard to find and remove from an infected PC.
Some will say – all malware does that.
But what makes the new Conficker much more dangerous than its predecessors? Conficker.C tampers with system attributes, restricting access and privileges to prevent its removal from the system.
These are some of the things the Conficker worm does when executed.
Copying Hidden Files
When executed, Win32/Conficker.C (also known as Worm:Win32/Conficker.D, W32/Confick-G or Trojan.Win32.Pakes.ngs) places a copy of itself under a random filename in the %System% directory. It may also leave copies of itself in the following directories:
%Program Files%\Windows NT
%Program Files%\Windows Media Player
%Program Files%\Internet Explorer
%Program Files%\Movie Maker
For these files, the Conficker.C worm:
- Sets Read Only, Hidden and System file attributes
- Generates a file creation/access time-stamp based on that of "kernel32.dll"
- Creates access control entries
- Exclusively locks the file, restricting access and privileges and thereby preventing its removal from the system
Registering a Service
The Conficker worm also registers a service with a random name created by combining one word from this list:
App, Audio, DMER, Event, help, Ias, Ir, Lanman, Net, Ntms, Ras, Remote, Sec, SR, Tapi, Trk, W32, win, Wmdm, Wmi, wsc, wuau, xml
with one of the words from this list:
access, agent, auto, logon, man, mgmt, mon, prov, serv, Server, Service, Srv, srv, svc, Svc, System, Time
or by combining two of the following words:
Audit, Backup, Boot, Browser, Center, Component, Config, Control, Discovery, Driver, Framework, Hardware, Helper, Image, Installer, Logon, Machine, Management, Manager, Microsoft, Monitor, Network, Notify, Policy, Power, Security, Shell, Storage, Support, System, Task, Time, Trusted, Universal, Update, Windows
Example: the Conficker worm may register a service with registry entries like these:
HKLM\SYSTEM\CurrentControlSet\Services\IrSvc\DisplayName = "Component Task"
HKLM\SYSTEM\CurrentControlSet\Services\IrSvc\Type = 00000020
HKLM\SYSTEM\CurrentControlSet\Services\IrSvc\Start = 00000002
HKLM\SYSTEM\CurrentControlSet\Services\IrSvc\ErrorControl = 00000000
HKLM\SYSTEM\CurrentControlSet\Services\IrSvc\ImagePath = "%Root%\system32\svchost.exe -k netsvcs"
HKLM\SYSTEM\CurrentControlSet\Services\IrSvc\ObjectName = "LocalSystem"
HKLM\SYSTEM\CurrentControlSet\Services\IrSvc\Description = "<randomly copied from an existing service with a Startup Type of 2>"
HKLM\SYSTEM\CurrentControlSet\Services\IrSvc\Parameters\ServiceDll = "%System%\<worm executable>"
Additionally, Win32/Conficker.C checks for and tries to inject code into any process executed with the command line parameters "svchost.exe -k NetworkService".
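The naming scheme above deliberately imitates real Windows service names (Netlogon and wuauserv both fit it), so a name match on its own is a weak signal. The following added example, which is not part of the original write-up or any vendor tool, scores each service in a constructed registry snapshot on the combination of traits described above: a generated-looking key name and display name, a description copied verbatim from another service, and hosting under svchost.exe -k netsvcs. The sample services, their descriptions and the threshold of three indicators are assumptions made for the demonstration.

```python
import re
from collections import Counter
# Word lists transcribed from the write-up above.
PREFIXES = ("App Audio DMER Event help Ias Ir Lanman Net Ntms Ras Remote Sec SR Tapi "
            "Trk W32 win Wmdm Wmi wsc wuau xml").split()
SUFFIXES = ("access agent auto logon man mgmt mon prov serv Server Service Srv srv "
            "svc Svc System Time").split()
WORDS = ("Audit Backup Boot Browser Center Component Config Control Discovery Driver "
         "Framework Hardware Helper Image Installer Logon Machine Management Manager "
         "Microsoft Monitor Network Notify Policy Power Security Shell Storage Support "
         "System Task Time Trusted Universal Update Windows").split()
_P, _S, _W = ("|".join(map(re.escape, lst)) for lst in (PREFIXES, SUFFIXES, WORDS))

# Whole-string, case-insensitive match for "prefix+suffix" or "word word"
# (display names such as "Component Task" carry a space, key names do not).
NAME_PATTERN = re.compile(r"^(?:(?:%s)(?:%s)|(?:%s) ?(?:%s))$" % (_P, _S, _W, _W),
                          re.IGNORECASE)

def looks_generated(name):
    return bool(NAME_PATTERN.match(name))

def service_indicators(svc, desc_counts):
    # The name scheme alone is weak (Netlogon and wuauserv fit it), so it is counted with the other traits.
    checks = [
        ("service name fits the word-list scheme", looks_generated(svc["name"])),
        ("display name fits the word-list scheme", looks_generated(svc["display"])),
        ("description copied from another service", desc_counts[svc["description"]] > 1),
        ("hosted as svchost.exe -k netsvcs", "svchost.exe -k netsvcs" in svc["image_path"].lower()),
    ]
    return [text for text, hit in checks if hit]

def suspicious_services(services, min_indicators=3):
    desc_counts = Counter(s["description"] for s in services if s["description"])
    hits = []
    for s in services:
        reasons = service_indicators(s, desc_counts)
        if len(reasons) >= min_indicators:
            hits.append((s["name"], reasons))
    return hits

# Constructed sample snapshot: one entry modelled on the worm's example above
# and three legitimate services that each share part of the pattern.
NETSVCS = r"%SystemRoot%\system32\svchost.exe -k netsvcs"
BROWSER_DESC = "Maintains an updated list of computers on the network."
SAMPLE_SERVICES = [
    {"name": "IrSvc", "display": "Component Task", "description": BROWSER_DESC, "image_path": NETSVCS},
    {"name": "Browser", "display": "Computer Browser", "description": BROWSER_DESC, "image_path": NETSVCS},
    {"name": "wuauserv", "display": "Automatic Updates", "description": "Downloads Windows updates.", "image_path": NETSVCS},
    {"name": "Netlogon", "display": "Net Logon", "description": "Domain authentication.", "image_path": r"%SystemRoot%\system32\lsass.exe"},
]
```

Run against this snapshot, only IrSvc reaches three indicators; Browser (shared description, netsvcs host) and wuauserv (generated-looking name, netsvcs host) each score two, which is why the traits are combined rather than used singly.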
Modifying the Registry and Lowering Security Settings
Next, Conficker.C deletes the following registry entry to deactivate Windows Security Center notifications:
HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjects\{FD6905CE-952F-41F1-9A6F-135D9C6622CC}
It then deletes the registry entry below to prevent the operating system from starting in Safe Mode:
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot
Additionally, the Conficker worm deletes the following registry entry to prevent Windows Defender from executing at system start:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender
Deleting Restore Points
Conficker also resets all system restore points and deletes any saved system restore points on the affected system.
Disabling Services
The Conficker.C worm disables the following services if they are running:
wscsvc - Security Center
WinDefend - Windows Defender (in Vista)
wuauserv - Automatic Updates
BITS - Background Intelligent Transfer Service
ERSvc - Error Reporting Service
WerSvc - Windows Error Reporting Service (in Vista)
Disables Security Updates
As mentioned above, Conficker terminates security-related processes and hooks the following APIs to monitor and restrict access to security websites:
Query_Main
DnsQuery_W
DnsQuery_UTF8
DnsQuery_A
sendto
In its attempt to prevent access to security-related sites, the worm blocks running applications from accessing URLs containing any of the strings that AV software programs use.
Downloads and Executes Arbitrary Files
Finally, the Conficker worm attempts to access pre-computed domain names, either to download an updated copy of itself or to download other malware.
A full list of the URL extensions used for the pre-computed/generated URLs, as well as detailed information on the Conficker worm, can be found here:
http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=77976
You know you already have the Conficker worm on your PC if your computer suddenly accesses one of several popular sites such as Ask.com, Baidu, Facebook.com, Google, Imageshack.us, rapidshare.com, W3.org or Yahoo. This is how the Conficker worm tests Internet connectivity.
As you can see, these are the real horrors of the new Conficker worm variant. If it spreads nearly as widely as its predecessors, it will be fatal for many PCs.
So keep your eyes open, stay safe and don’t get fooled on April Fool’s Day.