Need help? Ask the community or hire an expert.
Go to Avira Answers
Nume:Worm/Conficker.Z.13
Descoperit pe data de:17/08/2009
Tip:Vierme
ITW:Da
Numar infectii raportate:Scazut spre mediu
Potential de raspandire:Mediu
Potential de distrugere:Scazut spre mediu
Fisier static:Da
Marime:163.902 Bytes
MD5:5142a66aaeb9423066e8d53dc5f78294
Versiune IVDF:7.01.05.119 - luni, 17 august 2009

 General Metode de raspandire:
    Functia autorun
   • Reteaua locala


Alias:
   •  Mcafee: W32/Conficker.worm
   •  Sophos: Mal/Conficker-A
   •  Panda: W32/Conficker.C.worm
   •  Eset: Win32/Conficker.AE


Sistem de operare:
   • Windows 2000
   • Windows XP
   • Windows 2003


Efecte secundare:
   • Creeaza fisiere malware
   • Reduce setarile de securitate
   • Modificari in registri
   • Profita de vulnerabilitatile softului
        CVE-2007-1204
        MS07-019

 Fisiere Se copiaza in urmatoarele locatii:
   • %SYSDIR%\qepdjla.dll
   • %unitate disc%\RECYCLER\%CLSID%\jwgkvsq.vmx



Sterge copia initiala a virusului.



Este creat fisierul:

%unitate disc%\autorun.inf Acesta este un fisier text care nu prezinta pericol si are urmatorul continut:
   • %cod care ruleaza fisierul malitios%




Incearca se execute urmatorul fisier:

Numele fisierului:
   • explorer C:

 Registrii sistemului Urmatoarele chei sunt adaugate in registri pentru a incarca serviciul la repornirea sistemului:

[HKLM\SYSTEM\CurrentControlSet\Services\
   %combinatie de caractere aleatoare%]
   • "Description"="Provides support for synchronizing objects between the host and guest operating systems."
   • "DisplayName"="Universal Time"
   • "ErrorControl"=dword:0x00000000
   • "ImagePath"="%SystemRoot%\system32\svchost.exe -k netsvcs"
   • "ObjectName"="LocalSystem"
   • "Start"=dword:0x00000002
   • "Type"=dword:0x00000020



Creeaza urmatoarea valoare, pentru a trece de Windows XP firewall:

[HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
   FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
   • "8182:TCP"="8182:TCP:*:Enabled:opijcn"



Se adauga in registrii sistemului:

[HKLM\SYSTEM\CurrentControlSet\Services\
   %combinatie de caractere aleatoare%\Parameters]
   • "ServiceDll"="%SYSDIR%\qepdjla.dll"



Urmatoarele chei din registri sunt modificate:

[HKCU\Software\Microsoft\Internet Explorer\Toolbar]
   Noua valoare:
   • "Locked"=dword:0x00000001

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
   Noua valoare:
   • "DontPrettyPath"=dword:0x00000000
   • "Filter"=dword:0x00000000
   • "Hidden"=dword:0x00000002
   • "HideFileExt"=dword:0x00000000
   • "HideIcons"=dword:0x00000000
   • "MapNetDrvBtn"=dword:0x00000001
   • "SeparateProcess"=dword:0x00000001
   • "ShowCompColor"=dword:0x00000001
   • "ShowInfoTip"=dword:0x00000000
   • "SuperHidden"=dword:0x00000000
   • "WebView"=dword:0x00000000

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
   Folder\Hidden\SHOWALL]
   Noua valoare:
   • "CheckedValue"=dword:0x00000000

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
   Noua valoare:
   • "netsvcs"="6to4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer]
   Noua valoare:
   • "ShellState"=hex:24,00,00,00,32,04,00,00,00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,0D,00,00,00,00,00,00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\
   Winlogon]
   Noua valoare:
   • "ParseAutoexec"="1"

 Reţea Pentru a-si asigura raspandirea, programul malware incearca sa contacteze alte sisteme, asa cum este descris in continuare:


Foloseste urmatoarele date de logare, pentru a controla sistemul la distanta:

Lista de parole:
   • 99999999; 9999999; 999999; 99999; 9999; 999; 99; 88888888; 8888888;
      888888; 88888; 8888; 888; 88; 77777777; 7777777; 777777; 77777; 7777;
      777; 77; 66666666; 6666666; 666666; 66666; 6666; 666; 66; 55555555;
      5555555; 555555; 55555; 5555; 555; 55; 44444444; 4444444; 444444;
      44444; 4444; 444; 44; 33333333; 3333333; 333333; 33333; 3333; 333; 33;
      22222222; 2222222; 222222; 22222; 2222; 222; 22; 11111111; 1111111;
      111111; 11111; 1111; 111; 11; 00000000; 0000000; 00000; 0000; 000; 00;
      0987654321; 987654321; 87654321; 7654321; 654321; 54321; 4321; 321;
      21; 12; fuck; zzzzz; zzzz; zzz; xxxxx; xxxx; xxx; qqqqq; qqqq; qqq;
      aaaaa; aaaa; aaa; sql; file; web; foo; job; home; work; intranet;
      controller; killer; games; private; market; coffee; cookie; forever;
      freedom; student; account; academia; files; windows; monitor; unknown;
      anything; letitbe; letmein; domain; access; money; campus; explorer;
      exchange; customer; cluster; nobody; codeword; codename; changeme;
      desktop; security; secure; public; system; shadow; office; supervisor;
      superuser; share; super; secret; server; computer; owner; backup;
      database; lotus; oracle; business; manager; temporary; ihavenopass;
      nothing; nopassword; nopass; Internet; internet; example; sample;
      love123; boss123; work123; home123; mypc123; temp123; test123; qwe123;
      abc123; pw123; root123; pass123; pass12; pass1; admin123; admin12;
      admin1; password123; password12; password1; default; foobar; foofoo;
      temptemp; temp; testtest; test; rootroot; root; adminadmin;
      mypassword; mypass; pass; Login; login; Password; password; passwd;
      zxcvbn; zxcvb; zxccxz; zxcxz; qazwsxedc; qazwsx; q1w2e3; qweasdzxc;
      asdfgh; asdzxc; asddsa; asdsa; qweasd; qwerty; qweewq; qwewq; nimda;
      administrator; Admin; admin; a1b2c3; 1q2w3e; 1234qwer; 1234abcd;
      123asd; 123qwe; 123abc; 123321; 12321; 123123; 1234567890; 123456789;
      12345678; 1234567; 123456; 12345; 1234; 123



Exploit:
Foloseste urmatoarele vulnerabilitati:
– MS04-007 (ASN.1 Vulnerability)
 MS06-040 (Vulnerability in Server Service)


Activare de la distanta:
Incearca sa activeze de la distanta malware-ul pe sistemul recent infectat. Pentru aceasta, apeleaza functia NetScheduleJobAdd.

 Injectarea codului malware in alte procese – Injecteaza o rutina backdoor intr-un proces.

    Numele procesului:
   • svchost.exe


 Alte informatii  Cauta o conexiune Internet, contactand urmatorul website:
   • http://checkip.dyndns.org


Mutex:
Creeaza urmatorii mutecsi:
   • vcxhnoiftekm
   • dvkwjdesgb
   • gemexfcjwfwwd

 Detaliile fisierului Compresia fisierului:
Pentru a ingreuna detectia si a reduce marimea fisierului, este folosit un program de compresie runtime.

Description inserted by Petre Galan on Thursday, December 9, 2010
Description updated by Petre Galan on Thursday, December 9, 2010

Back . . . .