Need help? Ask the community or hire an expert.
Go to Avira Answers
Nume:Worm/Conficker.Z.38
Descoperit pe data de:17/08/2009
Tip:Vierme
ITW:Da
Numar infectii raportate:Scazut spre mediu
Potential de raspandire:Mediu
Potential de distrugere:Scazut spre mediu
Fisier static:Da
Marime:167.071 Bytes
MD5:2c8442c4a9328a5cf26650fa6fe743ef
Versiune IVDF:7.01.05.119 - luni, 17 august 2009

 General Metode de raspandire:
    Functia autorun
   • Reteaua locala


Alias:
   •  Mcafee: W32/Conficker.worm.gen.a
   •  Panda: W32/Conficker.C.worm
   •  Eset: Win32/Conficker.AE


Sistem de operare:
   • Windows 2000
   • Windows XP
   • Windows 2003


Efecte secundare:
   • Creeaza fisiere malware
   • Reduce setarile de securitate
   • Modificari in registri
   • Profita de vulnerabilitatile softului
        CVE-2007-1204
        MS07-019

 Fisiere Se copiaza in urmatoarele locatii:
   • %SYSDIR%\qepdjla.dll
   • %unitate disc%\RECYCLER\%CLSID%\jwgkvsq.vmx



Sterge copia initiala a virusului.



Este creat fisierul:

%unitate disc%\autorun.inf Acesta este un fisier text care nu prezinta pericol si are urmatorul continut:
   • %cod care ruleaza fisierul malitios%




Incearca se execute urmatorul fisier:

Numele fisierului:
   • explorer C:

 Registrii sistemului Urmatoarele chei sunt adaugate in registri pentru a incarca serviciul la repornirea sistemului:

[HKLM\SYSTEM\CurrentControlSet\Services\
   %combinatie de caractere aleatoare%]
   • "Description"="Provides a common interface and object model to access management information about operating system, devices, applications and services. If this service is stopped, most Windows-based software will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start."
   • "DisplayName"="Update Driver"
   • "ErrorControl"=dword:0x00000000
   • "ImagePath"="%SystemRoot%\system32\svchost.exe -k netsvcs"
   • "ObjectName"="LocalSystem"
   • "Start"=dword:0x00000002
   • "Type"=dword:0x00000020



Creeaza urmatoarea valoare, pentru a trece de Windows XP firewall:

[HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
   FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
   • "8182:TCP"="8182:TCP:*:Enabled:opijcn"



Se adauga in registrii sistemului:

[HKLM\SYSTEM\CurrentControlSet\Services\
   %combinatie de caractere aleatoare%\Parameters]
   • "ServiceDll"="%SYSDIR%\qepdjla.dll"



Urmatoarele chei din registri sunt modificate:

[HKCU\Software\Microsoft\Internet Explorer\Toolbar]
   Noua valoare:
   • "Locked"=dword:0x00000001

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
   Noua valoare:
   • "DontPrettyPath"=dword:0x00000000
   • "Filter"=dword:0x00000000
   • "Hidden"=dword:0x00000002
   • "HideFileExt"=dword:0x00000000
   • "HideIcons"=dword:0x00000000
   • "MapNetDrvBtn"=dword:0x00000001
   • "SeparateProcess"=dword:0x00000001
   • "ShowCompColor"=dword:0x00000001
   • "ShowInfoTip"=dword:0x00000000
   • "SuperHidden"=dword:0x00000000
   • "WebView"=dword:0x00000000

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
   Folder\Hidden\SHOWALL]
   Noua valoare:
   • "CheckedValue"=dword:0x00000000

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
   Noua valoare:
   • "netsvcs"="6to4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer]
   Noua valoare:
   • "ShellState"=hex:24,00,00,00,32,04,00,00,00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,0D,00,00,00,00,00,00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\
   Winlogon]
   Noua valoare:
   • "ParseAutoexec"="1"

[HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch]
   Noua valoare:
   • "Epoch"=dword:0x00000030

 Reţea Pentru a-si asigura raspandirea, programul malware incearca sa contacteze alte sisteme, asa cum este descris in continuare:


Foloseste urmatoarele date de logare, pentru a controla sistemul la distanta:

Lista de parole:
   • 99999999; 9999999; 999999; 99999; 9999; 999; 99; 88888888; 8888888;
      888888; 88888; 8888; 888; 88; 77777777; 7777777; 777777; 77777; 7777;
      777; 77; 66666666; 6666666; 666666; 66666; 6666; 666; 66; 55555555;
      5555555; 555555; 55555; 5555; 555; 55; 44444444; 4444444; 444444;
      44444; 4444; 444; 44; 33333333; 3333333; 333333; 33333; 3333; 333; 33;
      22222222; 2222222; 222222; 22222; 2222; 222; 22; 11111111; 1111111;
      111111; 11111; 1111; 111; 11; 00000000; 0000000; 00000; 0000; 000; 00;
      0987654321; 987654321; 87654321; 7654321; 654321; 54321; 4321; 321;
      21; 12; fuck; zzzzz; zzzz; zzz; xxxxx; xxxx; xxx; qqqqq; qqqq; qqq;
      aaaaa; aaaa; aaa; sql; file; web; foo; job; home; work; intranet;
      controller; killer; games; private; market; coffee; cookie; forever;
      freedom; student; account; academia; files; windows; monitor; unknown;
      anything; letitbe; letmein; domain; access; money; campus; explorer;
      exchange; customer; cluster; nobody; codeword; codename; changeme;
      desktop; security; secure; public; system; shadow; office; supervisor;
      superuser; share; super; secret; server; computer; owner; backup;
      database; lotus; oracle; business; manager; temporary; ihavenopass;
      nothing; nopassword; nopass; Internet; internet; example; sample;
      love123; boss123; work123; home123; mypc123; temp123; test123; qwe123;
      abc123; pw123; root123; pass123; pass12; pass1; admin123; admin12;
      admin1; password123; password12; password1; default; foobar; foofoo;
      temptemp; temp; testtest; test; rootroot; root; adminadmin;
      mypassword; mypass; pass; Login; login; Password; password; passwd;
      zxcvbn; zxcvb; zxccxz; zxcxz; qazwsxedc; qazwsx; q1w2e3; qweasdzxc;
      asdfgh; asdzxc; asddsa; asdsa; qweasd; qwerty; qweewq; qwewq; nimda;
      administrator; Admin; admin; a1b2c3; 1q2w3e; 1234qwer; 1234abcd;
      123asd; 123qwe; 123abc; 123321; 12321; 123123; 1234567890; 123456789;
      12345678; 1234567; 123456; 12345; 1234; 123



Exploit:
Foloseste urmatoarele vulnerabilitati:
– MS04-007 (ASN.1 Vulnerability)
 MS06-040 (Vulnerability in Server Service)


Activare de la distanta:
Incearca sa activeze de la distanta malware-ul pe sistemul recent infectat. Pentru aceasta, apeleaza functia NetScheduleJobAdd.

 Injectarea codului malware in alte procese – Injecteaza o rutina backdoor intr-un proces.

    Numele procesului:
   • svchost.exe


 Alte informatii  Cauta o conexiune Internet, contactand urmatorul website:
   • http://checkip.dyndns.org


Mutex:
Creeaza urmatorii mutecsi:
   • vcxhnoiftekm
   • whbutqjjhtfzpy
   • dvkwjdesgb

 Detaliile fisierului Compresia fisierului:
Pentru a ingreuna detectia si a reduce marimea fisierului, este folosit un program de compresie runtime.

Description inserted by Petre Galan on Friday, December 10, 2010
Description updated by Petre Galan on Friday, December 10, 2010

Back . . . .