Need help? Ask the community or hire an expert.
Go to Avira Answers
Virus:Worm/Conficker.AC
Date discovered:19/01/2009
Type:Worm
In the wild:Yes
Reported Infections:Low to medium
Distribution Potential:Low to medium
Damage Potential:Low
Static file:Yes
File size:62.976 Bytes
MD5 checksum:d9cb288f317124a0e63e3405ed290765
VDF version:7.01.01.129
IVDF version:7.01.01.138 - Monday, January 19, 2009

 General Method of propagation:
   • Local network


Aliases:
   •  Mcafee: W32/Conficker.worm
   •  Kaspersky: Net-Worm.Win32.Kido.dam.y
   •  Sophos: W32/Confick-A
   •  Panda: W32/Conficker.A.worm


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops malicious files
   • Lowers security settings
   • Registry modification

 Files It copies itself to the following location:
   • %SYSDIR%\oqylfu.dll



It deletes the initially executed copy of itself.

 Registry The following registry keys are added in order to load the service after reboot:

[HKLM\SYSTEM\CurrentControlSet\Services\
   %random character string%]
   • "DisplayName"=""
   • "ErrorControl"=dword:0x00000000
   • "ImagePath"="%SystemRoot%\system32\svchost.exe -k netsvcs"
   • "ObjectName"="LocalSystem"
   • "Start"=dword:0x00000002
   • "Type"=dword:0x00000020



It creates the following entry in order to bypass the Windows XP firewall:

[HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
   FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
   • "8182:TCP"="8182:TCP:*:Enabled:WWW"



The following registry key is added:

[HKLM\SYSTEM\CurrentControlSet\Services\
   %random character string%\Parameters]
   • "ServiceDll"="%SYSDIR%\oqylfu.dll"



The following registry key is changed:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
   New value:
   • "netsvcs"="6to4"

 Network Infection In order to ensure its propagation the malware attemps to connect to other machines as described below.


Exploit:
It makes use of the following Exploits:
– MS04-007 (ASN.1 Vulnerability)
 MS06-040 (Vulnerability in Server Service)

 Miscellaneous  Checks for an internet connection by contacting the following web sites:
   • http://www.getmyip.org
   • http://getmyip.co.uk
   • http://checkip.dyndns.org
Accesses internet resources:
   • http://trafficconverter.biz/4vir/antispyware/**********

 File details Programming language:
The malware program was written in MS Visual C++.


Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Description inserted by Petre Galan on Friday, April 8, 2011
Description updated by Petre Galan on Friday, April 8, 2011

Back . . . .