Need help? Ask the community or hire an expert.
Go to Avira Answers
Nume:Worm/Confic.1269760
Descoperit pe data de:12/02/2010
Tip:Vierme
ITW:Da
Numar infectii raportate:Scazut spre mediu
Potential de raspandire:Mediu
Potential de distrugere:Scazut spre mediu
Fisier static:Da
Marime:1.269.760 Bytes
MD5:6ce65eea05ae7fc659a455b5e1589ab0
Versiune IVDF:7.10.04.44 - vineri, 12 februarie 2010

 General Metode de raspandire:
   • Functia autorun
   • Reteaua locala


Alias:
   •  Sophos: Mal/Conficker-A
   •  Panda: W32/Conficker.C.worm
   •  Eset: Win32/Conficker.X


Sistem de operare:
   • Windows 2000
   • Windows XP
   • Windows 2003


Efecte secundare:
   • Creeaza fisiere malware
   • Reduce setarile de securitate
   • Modificari in registri
   • Profita de vulnerabilitatile softului
      •  CVE-2007-1204
      •  MS07-019

 Fisiere Se copiaza in urmatoarele locatii:
   • %SYSDIR%\qepdjla.dll
   • %unitate disc%\RECYCLER\%CLSID%\jwgkvsq.vmx



Sterge copia initiala a virusului.



Este creat fisierul:

%unitate disc%\autorun.inf Acesta este un fisier text care nu prezinta pericol si are urmatorul continut:
   • %cod care ruleaza fisierul malitios%




Incearca se execute urmatorul fisier:

– Numele fisierului:
   • explorer C:

 Registrii sistemului Urmatoarele chei sunt adaugate in registri pentru a incarca serviciul la repornirea sistemului:

– [HKLM\SYSTEM\CurrentControlSet\Services\
   %combinatie de caractere aleatoare%]
   • "Description"="Enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service will result in system instability."
   • "DisplayName"="Driver Shell"
   • "ErrorControl"=dword:0x00000000
   • "ImagePath"="%SystemRoot%\system32\svchost.exe -k netsvcs"
   • "ObjectName"="LocalSystem"
   • "Start"=dword:0x00000002
   • "Type"=dword:0x00000020



Valoarea urmatoarei chei este stearsa din registri:

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • Windows Defender



Creeaza urmatoarea valoare, pentru a trece de Windows XP firewall:

– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
   FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
   • "8182:TCP"="8182:TCP:*:Enabled:opijcn"



Se adauga in registrii sistemului:

– [HKLM\SYSTEM\CurrentControlSet\Services\
   %combinatie de caractere aleatoare%\Parameters]
   • "ServiceDll"="%SYSDIR%\qepdjla.dll"



Urmatoarele chei din registri sunt modificate:

– [HKCU\Software\Microsoft\Internet Explorer\Toolbar]
   Noua valoare:
   • "Locked"=dword:0x00000001

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
   Noua valoare:
   • "DontPrettyPath"=dword:0x00000000
   • "Filter"=dword:0x00000000
   • "Hidden"=dword:0x00000002
   • "HideFileExt"=dword:0x00000000
   • "HideIcons"=dword:0x00000000
   • "MapNetDrvBtn"=dword:0x00000001
   • "SeparateProcess"=dword:0x00000001
   • "ShowCompColor"=dword:0x00000001
   • "ShowInfoTip"=dword:0x00000000
   • "SuperHidden"=dword:0x00000000
   • "WebView"=dword:0x00000000

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
   Folder\Hidden\SHOWALL]
   Noua valoare:
   • "CheckedValue"=dword:0x00000000

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
   Noua valoare:
   • "netsvcs"="6to4"

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer]
   Noua valoare:
   • "ShellState"=hex:24,00,00,00,32,04,00,00,00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,0D,00,00,00,00,00,00,00,01,00,00,00

– [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\
   Winlogon]
   Noua valoare:
   • "ParseAutoexec"="1"

 Reţea Pentru a-si asigura raspandirea, programul malware incearca sa contacteze alte sisteme, asa cum este descris in continuare:
– Lista de parole:
   • 99999999; 9999999; 999999; 99999; 9999; 999; 99; 88888888; 8888888;
      888888; 88888; 8888; 888; 88; 77777777; 7777777; 777777; 77777; 7777;
      777; 77; 66666666; 6666666; 666666; 66666; 6666; 666; 66; 55555555;
      5555555; 555555; 55555; 5555; 555; 55; 44444444; 4444444; 444444;
      44444; 4444; 444; 44; 33333333; 3333333; 333333; 33333; 3333; 333; 33;
      22222222; 2222222; 222222; 22222; 2222; 222; 22; 11111111; 1111111;
      111111; 11111; 1111; 111; 11; 00000000; 0000000; 00000; 0000; 000; 00;
      0987654321; 987654321; 87654321; 7654321; 654321; 54321; 4321; 321;
      21; 12; fuck; zzzzz; zzzz; zzz; xxxxx; xxxx; xxx; qqqqq; qqqq; qqq;
      aaaaa; aaaa; aaa; sql; file; web; foo; job; home; work; intranet;
      controller; killer; games; private; market; coffee; cookie; forever;
      freedom; student; account; academia; files; windows; monitor; unknown;
      anything; letitbe; letmein; domain; access; money; campus; explorer;
      exchange; customer; cluster; nobody; codeword; codename; changeme;
      desktop; security; secure; public; system; shadow; office; supervisor;
      superuser; share; super; secret; server; computer; owner; backup;
      database; lotus; oracle; business; manager; temporary; ihavenopass;
      nothing; nopassword; nopass; Internet; internet; example; sample;
      love123; boss123; work123; home123; mypc123; temp123; test123; qwe123;
      abc123; pw123; root123; pass123; pass12; pass1; admin123; admin12;
      admin1; password123; password12; password1; default; foobar; foofoo;
      temptemp; temp; testtest; test; rootroot; root; adminadmin;
      mypassword; mypass; pass; Login; login; Password; password; passwd;
      zxcvbn; zxcvb; zxccxz; zxcxz; qazwsxedc; qazwsx; q1w2e3; qweasdzxc;
      asdfgh; asdzxc; asddsa; asdsa; qweasd; qwerty; qweewq; qwewq; nimda;
      administrator; Admin; admin; a1b2c3; 1q2w3e; 1234qwer; 1234abcd;
      123asd; 123qwe; 123abc; 123321; 12321; 123123; 1234567890; 123456789;
      12345678; 1234567; 123456; 12345; 1234; 123



Exploit:
Foloseste urmatoarele vulnerabilitati:
– MS04-007 (ASN.1 Vulnerability)
– MS06-040 (Vulnerability in Server Service)


Activare de la distanta:
–Incearca sa activeze de la distanta malware-ul pe sistemul recent infectat. Pentru aceasta, apeleaza functia NetScheduleJobAdd.

 Injectarea codului malware in alte procese – Injecteaza o rutina backdoor intr-un proces.

    Numele procesului:
   • svchost.exe


 Alte informatii  Cauta o conexiune Internet, contactand urmatorul website:
   • http://checkip.dyndns.org


Mutex:
Creeaza urmatorii mutecsi:
   • vcxhnoiftekm
   • dvkwjdesgb
   • gjhwvfiuyabd

 Detaliile fisierului Compresia fisierului:
Pentru a ingreuna detectia si a reduce marimea fisierului, este folosit un program de compresie runtime.

Description inserted by Petre Galan on Wednesday, December 8, 2010
Description updated by Andrei Ivanes on Thursday, December 9, 2010

Back . . . .