WELLCOM TO MY WEBLOG

www.easynet.persianblog.ir

 

 
Worm:Win32/Conficker.B

How to prevent a computer worm

A computer worm is designed to spread from computer to computer without your interaction. You might have heard of worms like Conficker, Sasser, and Blaster.

To help prevent getting infected by computer worms, follow these five steps:

 

Keep your firewall turned on.

 

Keep your operating system up-to-date with security updates.

 

Use updated antivirus software from a trusted source.

 

Use strong passwords, especially on your network.

 

Consider disabling the AutoPlay feature in Windows. (For details on Conficker and AutoPlay, see Protect yourself from the Conficker computer worm.)

Also, use caution before you open e-mail attachments, click links in e-mail, or before you accept file transfers.

Never open e-mail attachments from someone you don't know and avoid opening e-mail attachments from someone you do know, unless you are aware of exactly what the attachments are. The sender might not know that the attachment contains a worm.

To stay up to date on home computer security issues sign up for our newsletter

 

Also Known As

 Technical Information

 

Worm:Win32/Conficker.B is a worm that infects other computers across a network by exploiting a vulnerability in the Windows Server service (SVCHOST.EXE). If the vulnerability is successfully exploited, it could allow remote code execution when file sharing is enabled. It may also spread via removable drives and weak administrator passwords. It disables several important system services and security products.
Installation
Worm:Win32/Conficker.B attempts to copy itself in the Windows system folder as a hidden DLL file using a random name. If the attempt fails, it may then attempt to copy itself with the same parameters in the following folders:
 
%ProgramFiles%\Internet Explorer
%ProgramFiles%\Movie Maker
 
It creates the following registry entry to ensure that its dropped copy is run every time Windows starts:
 
Adds value: "<random string>"
With data: "rundll32.exe <system folder>\<malware file name>.dll,<malware parameters>"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
 
It may also load itself as a service that is launched when the netsvcs group is loaded by the system file svchost.exe.
 
It may also load itself as a fake service by registering itself under the following key:
HKLM\SYSTEM\CurrentControlSet\Services
 
It may use a display name that is created by combining two of the following strings:
 
Boot
Center
Config
Driver
Helper
Image
Installer
Manager
Microsoft
Monitor
Network
Security
Server
Shell
Support
System
Task
Time
Universal
Update
Windows
It may also combine random characters to create the display name.
Spreads Via...
Network Shares with Weak Passwords
Worm:Win32/Conficker.B attempts to infect machines within the network.
 
It first attempts to drop a copy of itself in a target machine's ADMIN$ share using the credentials of the currently logged-on user.
 
If this method is unsuccessful, for example, the current user does not have the necessary rights, then it instead obtains a list of user accounts on the target machine. It then attempts to connect to the target machine using each user name and the following weak passwords:
 
123
1234
12345
123456
1234567
12345678
123456789
1234567890
123123
12321
123321
123abc
123qwe
123asd
1234abcd
1234qwer
1q2w3e
a1b2c3
admin
Admin
administrator
nimda
qwewq
qweewq
qwerty
qweasd
asdsa
asddsa
asdzxc
asdfgh
qweasdzxc
q1w2e3
qazwsx
qazwsxedc
zxcxz
zxccxz
zxcvb
zxcvbn
passwd
password
Password
login
Login
pass
mypass
mypassword
adminadmin
root
rootroot
test
testtest
temp
temptemp
foofoo
foobar
default
password1
password12
password123
admin1
admin12
admin123
pass1
pass12
pass123
root123
pw123
abc123
qwe123
test123
temp123
mypc123
home123
work123
boss123
love123
sample
example
internet
Internet
nopass
nopassword
nothing
ihavenopass
temporary
manager
business
oracle
lotus
database
backup
owner
computer
server
secret
super
share
superuser
supervisor
office
shadow
system
public
secure
security
desktop
changeme
codename
codeword
nobody
cluster
customer
exchange
explorer
campus
money
access
domain
letmein
letitbe
anything
unknown
monitor
windows
files
academia
account
student
freedom
forever
cookie
coffee
market
private
games
killer
controller
intranet
work
home
job
foo
web
file
sql
aaa
aaaa
aaaaa
qqq
qqqq
qqqqq
xxx
xxxx
xxxxx
zzz
zzzz
zzzzz
fuck
12
21
321
4321
54321
654321
7654321
87654321
987654321
0987654321
0
00
000
0000
00000
00000
0000000
00000000
1
11
111
1111
11111
111111
1111111
11111111
2
22
222
2222
22222
222222
2222222
22222222
3
33
333
3333
33333
333333
3333333
33333333
4
44
444
4444
44444
444444
4444444
44444444
5
55
555
5555
55555
555555
5555555
55555555
6
66
666
6666
66666
666666
6666666
66666666
7
77
777
7777
77777
777777
7777777
77777777
8
88
888
8888
88888
888888
8888888
88888888
9
99
999
9999
99999
999999
9999999
99999999
 
If Win32/Conficker.B successfully accesses the target machine, for example, if a combination of any of the obtained user names and one of the above passwords allows write privileges to the machine, then it copies itself to an accessible admin share as ADMIN$\System32\<random letters>.dll.
 
Creates Remote Scheduled Job
After compromising a machine remotely, Win32/Conficker.B creates a remote schedule job with the command “rundll32.exe <malware file name>.dll,<malware parameters>" to activate the copy, as shown in the images below:
 

 
 

 
 
Mapped and Removable Drives
Worm:Win32/Conficker.B may drop a copy of itself in all mapped and removable drives using a random file name. The worm creates a folder in the root of these drives named 'RECYCLER' (in Windows XP and previous versions, the folder "RECYCLER" references the "Recycle Bin"). Next, the worm copies itself as the following:
 
<drive:>\RECYCLER\S-%d-%d-%d-%d%d%d-%d%d%d-%d%d%d-%d\<random letters>.dll
 
Where %d is a randomly chosen letter. The worm also drops a corresponding autorun.inf file, which enables the worm copy to execute if the drive is accessed and Autoplay is enabled. This autorun.inf file is detected as Worm:Win32/Conficker.B!inf.
The image below illustrates how a user could potentially launch the worm when accessing an infected share:
 
 
Note that the language in the first option suggests the user could 'open folder to view files' however the option is under 'Install or run program', an indication that opening the folder will actually execute an application. Another hint that the action is to execute the worm is the text 'Publisher not specified'. The highlighted choice under 'General options' in the image above would allow a user to view the share and not execute the worm copy.
 
MS08-067 HTTP 'call back'
Worm:Win32/Conficker.B spreads to systems that are not yet patched against a vulnerability in the Windows Server service (SVCHOST.EXE). If the vulnerability is successfully exploited, the worm instructs the target computer to download a copy of the worm from the host computer via HTTP protocol using the random port between 1024 and 10000 opened by the worm. The vulnerability is documented in Microsoft Security Bulletin MS08-067.
Payload
Modifies System Settings
Worm:Win32/Conficker.B changes system settings so that the user cannot view hidden files. It does this by modifying the following registry entry:
 
Adds value: "CheckedValue"
With data: "0"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL
 
It also modifies the system's TCP settings to allow a large number of simultaneous connections, where 0x00FFFFFE is hexadecimal and equals 16,777,214 decimal value:
 
Adds value: "TcpNumConnections"
With data: "0x00FFFFFE"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
 
The worm drops a temp file to aid restarting the TCP/IP service for the modification to take effect. The dropped file is detected as Trojan:WinNT/Conficker.B.
 
Disables TCP/IP Tuning, Terminates and Disables Services
Win32/Conficker.B disables Windows Vista TCP/IP auto-tuning by executing the following command:
 
netsh interface tcp set global autotuning=disabled
This worm terminates several important system services, such as the following:
 
  • Windows Security Center Service (wscsvc) – notifies users of security settings (e.g. Windows update, Firewall and AntiVirus)
  • Windows Update Auto Update Service (wuauserv)
  • Background Intelligence Transfer Service (BITS) – used by Windows Update to download updates using idle network bandwidth
  • Windows Defender (WinDefend)
  • Error Reporting Service (ersvc) – sends error reports to Microsoft to help improve user experience
  • Windows Error Reporting Service (wersvc)
 
Win32/Conficker.B deletes the registry key for Windows Defender, disabling it from running when the system starts.
 
Deletes value: "Windows Defender"
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
 
It also disables any process that has a module name containing any of the following strings from sending network traffic or data (note that most of these strings are related to antivirus and security software, thus effectively disabling the products from acquiring signature updates, and possibly preventing users from accessing websites with these strings in the URL):
 
virus
spyware
malware
rootkit
defender
microsoft
symantec
norton
mcafee
trendmicro
sophos
panda
etrust
networkassociates
computerassociates
f-secure
kaspersky
jotti
f-prot
nod32
eset
grisoft
drweb
centralcommand
ahnlab
esafe
avast
avira
quickheal
comodo
clamav
ewido
fortinet
gdata
hacksoft
hauri
ikarus
k7computing
norman
pctools
prevx
rising
securecomputing
sunbelt
emsisoft
arcabit
cpsecure
spamhaus
castlecops
threatexpert
wilderssecurity
windowsupdate
 
Resets System Restore Point
Win32/Conficker.B may reset the computer's system restore point, potentially defeating recovery using System Restore.
 
Checks for Internet Connectivity
Win32/Conficker.B checks if the system has an Internet connection by attempting to connect to the following websites:
 
aol.com
cnn.com
ebay.com
msn.com
myspace.com
 
Downloads Arbitrary Files
Depending on the system date, Win32/Conficker.B may build a URL to download files starting on January 1, 2009. The generated URL has a domain name that is based on the current system date. It uses one of the following top level domains:
.cc
.cn
.ws
.com
.net
.org
.info
.biz

For example, 'aaovt.com' or 'aasmlhzbpqe.com'.
 
The generated domain name is first converted to the dot notation, for example, 'aaovt.com' may be converted to '192.168.16.0'. This generated IP address is then used for the URL, according to the following pattern:
 
http://<pseudo-random generated IP>/search?q=%d
 
 
Some examples of the constructed URLs are as follows:
 
aaovt.com
aasmlhzbpqe.com
addgv.com
ajsxarj.org
apwzjq.ws
aradfkyqv.org
arztiwbeh.cc
baixumxhmks.ws
bfwtjrto.org
bfwvzxd.info
bmaeqlhulq.cc
byiiureq.cn
cbizghsq.cc
cbkenfa.org
ciabjhmosz.cc
cruutiitz.com
ctnlczp.org
ctohyudfbm.cn
dcopyoojw.com
djdgnrbacwt.ws
dmwemynbrmz.org
dofmrfqvis.cn
doxkknuq.org
dozjritemv.info
dyjsialozl.ws
eaieijqcqlv.org
eewxsvtkyn.net
eidqdorgmbr.net
eiqzepxacyb.cn
ejdmzbzzaos.biz
ejmxd.com
ejzrcqqw.net
ekusgwp.cc
eprhdsudnnh.biz
evmwgi.ws
falru.net
fctkztzhyr.org
fdkjan.net
fhfntt.org
fhspuip.biz
fjpzgrf.net
fkzdr.cn
ftjggny.com
fuimrawg.info
ghdokt.cn
glbmkbmdax.biz
gmhkdp.org
gocpopuklm.org
grwemw.biz
gtzaick.cc
gxzlgsoa.info
gypqfjho.info
hduyjkrouop.info
hfgxlzjbfka.biz
hkgzoi.com
hliteqmjyb.net
hmdtv.ws
hoyolhmnzbs.net
hprfux.cc
hqbttlqr.org
hueminaii.org
hvogkfiq.info
ifylodtv.ws
iivsjpfumd.ws
ilksbuv.cn
imuez.biz
izxvu.biz
jaumgubte.biz
jhbeiiizlfk.cn
jrdzx.cc
jshkqnnkeao.biz
judhei.com
jxfiysai.cc
jzoowlbehqn.info
karhhse.com
kbyjkjkbb.info
kjsxokxg.org
krudjhvk.org
kuiwtbfa.org
lauowjef.cn
lhirjymcod.net
liugwg.net
lksvlouw.ws
llgkuclk.info
lnpsesbcm.cn
lssvxqkqfmf.org
lygskbx.cc
mafwkeat.cn
mgqrrsxhnj.com
mhklpsbuh.cc
mknuzwq.cc
mqjkzbov.net
myfhc.com
navjrj.org
nbpykcdsoms.com
ncbeaucjxd.org
npfxmztnaw.cn
nuiptipwjj.cc
nvpmfnlsh.ws
oagwongs.ws
odvsz.net
okkpuzqck.ws
oqolfrjq.cn
orduhippw.cn
orpngykld.com
orxfq.ws
othobnrx.org
otnqqaclsgx.info
otukeesevg.biz
pbfhhhvzkp.cc
pbpigz.cn
pcnpxbg.cc
pdfrbmxh.biz
pfdthjxs.cc
phaems.cc
phetxwmjqsj.cc
pmanbkyshj.ws
pnjlx.cc
ppzwqcdc.cc
psabcdq.cc
ptdlwsi.cn
pvowgkgjmu.biz
pwsjbdkdewv.info
qbuic.com
qdteltj.org
qeotxrp.com
qfeqsagbjs.biz
qfhqgciz.org
qfogch.com
qijztpxaxk.cn
qlqrgqordj.ws
qpiivu.cn
qpuowsw.cc
qqbbg.cc
qrrzna.net
qvrgznvvwz.ws
qwdervbq.org
qwnydyb.cc
qzbpqbhzmp.com
rkfdx.org
rpphv.org
rskvraofl.info
ryruatsot.biz
sdkhznqj.info
sezpo.org
sfozmwybm.com
skwmyjq.org
solmpem.com
sqmsrvnjits.cc
stlgegbye.net
syryb.org
tdwrkv.ws
tfpazwas.cc
tigeseo.org
tjyhrcfxuc.cn
tkbyxr.ws
tlmncy.cn
tmlwmvv.ws
tnerivsvs.net
tomxoa.org
trpkeyqapp.net
tyjtkayz.com
uazlwwiv.org
ucgqvyjgpk.cn
uixvflbyoyi.biz
ujawdcoqgs.org
upxva.net
uuvjh.biz
uzugvbnvs.cn
vgmkhtux.ws
vjllpcucnp.cn
vkgxgxto.com
vwiualt.com
waxggypgu.org
wccckyfrtf.net
wfdnvlrcb.org
whjworuc.com
wmiwxt.biz
wohms.biz
wqqfbutswyf.info
wsdlzmpbwhj.net
xiclytmeger.cc
xkjdzqbxg.cn
xldbmaztfu.biz
xlwcv.cn
xqbovbdzjz.info
xwbubjmhinr.info
yfpdcquil.info
yfybk.ws
yhrpqjhp.biz
yoblqeruib.org
yoyze.cc
yshpve.cc
ysrixiwyd.com
ytfvksowgul.org
ywsrtetv.org
yzymygez.biz
zcwjkxynr.com
zfgufbxi.net
zkimm.info
zmoeuxuh.ws
zokxy.net
zqrsbqzhh.cc
zttykt.info
zutykstmrxq.ws
 
It checks the system date if it is January 1, 2009 or later. It also checks the following websites for the date, presumably for verification:
 
baidu.com
google.com
yahoo.com
msn.com
ask.com
w3.org

Recovery Steps

Microsoft strongly recommends that users apply the update referred to in Security Bulletin MS08-067immediately.
 
To detect and remove this threat run a full-system scan with an up-to-date antivirus product such as the Microsoft online scanner (http://safety.live.com). For more information, see http://www.microsoft.com/protect/computer/viruses/vista.mspx.
 
Note: Computers infected by Conficker may be unable to connect to web sites related to security applications and services that may otherwise assist in the removal of this worm (for example, downloading antivirus updates may fail). In this case users will need to use an uninfected computer in order to download any appropriate updates or tools and then transfer these to the infected computer.
 
Microsoft Help and Support have provided a detailed guide to removing a Conficker.B infection from an affected computer, either manually or by using the MSRT (Malcious Software Removal Tool).
 
For detailed instructions on how to manually remove Conficker.B, view the following article using an uninfected computer:
http://support.microsoft.com/kb/962007 - Virus alert for Win32/Conficker.B and manual removal instructions
 
Additional information on deploying MSRT in an enterprise environment can be found here:
http://support.microsoft.com/kb/891716 - Deployment of MSRT in an enterprise environment

 

Steps

Take the following steps to help prevent infection on your system:
  • Enable a firewall on your computer.
  • Get the latest computer updates for all your installed software, including Security Bulletin MS08-067.
  • Use up-to-date antivirus software.
  • Use caution when opening attachments and accepting file transfers.
  • Use caution when clicking on links to web pages.
  • Protect yourself against social engineering attacks.
Enable a firewall on your computer
Use a third-party firewall product or turn on the Microsoft Windows Internet Connection Firewall.
To turn on the Windows Firewall in Windows Vista
  1. Click Start, and click Control Panel.
  2. Click Security.
  3. Click Turn Windows Firewall on or off.
  4. Select On.
  5. Click OK.
To turn on the Internet Connection Firewall in Windows XP
  1. Click Start, and click Control Panel.
  2. Click Network and Internet Connections. If you do not see Network and Internet Connections, click Switch to Category View.
  3. Click Change Windows Firewall Settings.
  4. Select On.
  5. Click OK.
Get the latest computer updates
Updates help protect your computer from viruses, worms, and other threats as they are discovered. It is important to install updates for all the software that is installed in your computer. These are usually available from vendor websites.
 
You can use the Automatic Updates feature in Windows to automatically download future Microsoft security updates while your computer is on and connected to the Internet.
To turn on Automatic Updates in Windows Vista
  1. Click Start, and click Control Panel
  2. Click System and Maintainance.
  3. Click Windows Updates.
  4. Select a setting. Microsoft recommends selecting Install updates automatically and choose a time that is convenient for you. If you do not choose Automatic, but you choose to be notified when updates are ready, a notification balloon appears when new downloads are available to install. Click the notification balloon to review and install the updates.
To turn on Automatic Updates in Windows XP
  1. Click Start, and click Control Panel
  2. Click System.
  3. Click Automatic Updates.
  4. Select a setting. Microsoft recommends selecting Automatic. If you do not choose Automatic, but you choose to be notified when updates are ready, a notification balloon appears when new downloads are available to install. Click the notification balloon to review and install the updates.
Use Strong Administrator Passwords
Microsoft also recommends that users ensure that their network passwords are strong to prevent this worm from spreading via weak administrator passwords. More information is available here.
Use up-to-date antivirus software
Most antivirus software can detect and prevent infection by known malicious software. To help protect you from infection, you should always run antivirus software that is updated with the latest signature files. Antivirus software is available from several sources. For more information, see http://www.microsoft.com/protect/computer/viruses/vista.mspx.
Use caution when opening attachments and accepting file transfers
Exercise caution with e-mail and attachments received from unknown sources, or received unexpectedly from known sources.  Use extreme caution when accepting file transfers from known or unknown sources.
Use caution when clicking on links to web pages
Exercise caution with links to web pages that you receive from unknown sources, especially if the links are to a web page that you are not familiar with or are suspicious of. Malicious software may be installed in your system simply by visiting a web page with harmful content.
Avoid downloading pirated software
Threats may also be bundled with software and files that are available for download on various torrent sites. Downloading "cracked" or "pirated" software from these sites carries not only the risk of being infected with malware, but is also illegal. For more information. please see our article 'The risks of obtaining and using pirated software'.
Protect yourself from social engineering attacks
While attackers may attempt to exploit vulnerabilities in hardware or software in order to compromise a system, they also attempt to exploit vulnerabilities in human behavior in order to do the same. When an attacker attempts to take advantage of human behavior in order to persuade the affected user to perform an action of the attacker's choice, it is known as 'social engineering'. Essentially, social engineering is an attack against the human interface of the targeted system. For more information, please see our article 'What is social engineering?'

TA08-297A (other)
CVE-2008-4250 (other)
VU827267 (other)
Win32/Conficker.A (CA)
Mal/Conficker-A (Sophos)
Trojan.Win32.Agent.bccs (Kaspersky)
W32.Downadup.B (Symantec)
Confickr (other)

Summary

Worm:Win32/Conficker.B is a worm that infects other computers across a network by exploiting a vulnerability in the Windows Server service (SVCHOST.EXE). If the vulnerability is successfully exploited, it could allow remote code execution when file sharing is enabled. It may also spread via removable drives and weak administrator passwords. It disables several important system services and security products.
 
Microsoft strongly recommends that users apply the update referred to in Security Bulletin MS08-067 immediately.
 
Microsoft also recommends that users ensure that their network passwords are strong to prevent this worm from spreading via weak administrator passwords. More information is available here.

Symptoms

System Changes
The following system changes may indicate the presence of this malware:
  • The following services are disabled or fail to run:
    Windows Update Service
    Background Intelligent Transfer Service
    Windows Defender
    Windows Error Reporting Services
  • Some accounts may be locked out due to the following registry modification, which may flood the network with connections:
    HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    "TcpNumConnections" = "0x00FFFFFE"
  • Users may not be able to connect to websites or online services that contain the following strings:
    virus
    spyware
    malware
    rootkit
    defender
    microsoft
    symantec
    norton
    mcafee
    trendmicro
    sophos
    panda
    etrust
    networkassociates
    computerassociates
    f-secure
    kaspersky
    jotti
    f-prot
    nod32
    eset
    grisoft
    drweb
    centralcommand
    ahnlab
    esafe
    avast
    avira
    quickheal
    comodo
    clamav
    ewido
    fortinet
    gdata
    hacksoft
    hauri
    ikarus
    k7computing
    norman
    pctools
    prevx
    rising
    securecomputing
    sunbelt
    emsisoft
    arcabit
    cpsecure
    spamhaus
    castlecops
    threatexpert
    wilderssecurity
    windowsupdate
نظر شما


 

منوي وبلاگ

HOME

music



 
لينك وبلاگ  

 




power by irancrack