Need help? Ask the community or hire an expert.
Go to Avira Answers
Date discovered:19/01/2009
In the wild:Yes
Reported Infections:Low to medium
Distribution Potential:Low to medium
Damage Potential:Low
Static file:Yes
File size:62.976 Bytes
MD5 checksum:d9cb288f317124a0e63e3405ed290765
VDF version:
IVDF version:

 General Method of propagation:
   • Local network

   •  Mcafee: W32/Conficker.worm
   •  Kaspersky: Net-Worm.Win32.Kido.dam.y
   •  Sophos: W32/Confick-A
   •  Panda: W32/Conficker.A.worm

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Drops malicious files
   • Lowers security settings
   • Registry modification

 Files It copies itself to the following location:
   • %SYSDIR%\oqylfu.dll

It deletes the initially executed copy of itself.

 Registry The following registry keys are added in order to load the service after reboot:

– [HKLM\SYSTEM\CurrentControlSet\Services\
   %random character string%]
   • "DisplayName"=""
   • "ErrorControl"=dword:0x00000000
   • "ImagePath"="%SystemRoot%\system32\svchost.exe -k netsvcs"
   • "ObjectName"="LocalSystem"
   • "Start"=dword:0x00000002
   • "Type"=dword:0x00000020

It creates the following entry in order to bypass the Windows XP firewall:

– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
   • "8182:TCP"="8182:TCP:*:Enabled:WWW"

The following registry key is added:

– [HKLM\SYSTEM\CurrentControlSet\Services\
   %random character string%\Parameters]
   • "ServiceDll"="%SYSDIR%\oqylfu.dll"

The following registry key is changed:

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
   New value:
   • "netsvcs"="6to4"

 Network Infection In order to ensure its propagation the malware attemps to connect to other machines as described below.

It makes use of the following Exploits:
– MS04-007 (ASN.1 Vulnerability)
– MS06-040 (Vulnerability in Server Service)

 Miscellaneous  Checks for an internet connection by contacting the following web sites:
Accesses internet resources:

 File details Programming language:
The malware program was written in MS Visual C++.

Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Description inserted by Petre Galan on Friday, April 8, 2011
Description updated by Petre Galan on Friday, April 8, 2011

Back . . . .