Also Known As:
Win32/Conficker.C (CA)
Trojan.Win32.Pakes.ngs (Kaspersky)
W32/Conficker.worm.gen.c (McAfee)
W32/Conficker.D.worm (Panda)
W32/Confick-G (Sophos)
W32.Downadup.C (Symantec)
Win32/Conficker.D is a variant of Win32/Conficker. Conficker.D infects the local computer, terminates services, blocks access to numerous security-related websites and downloads arbitrary code. Conficker.D can relay command instructions to other Conficker.D-infected computers via built-in peer-to-peer (P2P) communication. Unlike previous variants, this variant does not spread to removable drives or to shared folders across a network. Conficker.D is installed by previous variants of Win32/Conficker.
Other variants of Win32/Conficker infect computers across a network by exploiting a vulnerability in the Windows Server service (SVCHOST.EXE). If the vulnerability is successfully exploited, it could allow remote code execution when file sharing is enabled. It may also spread via removable drives and weak administrator passwords.
Win32/Conficker.D Payload Details
Terminates Security Services such as the Windows Security Center Service (wscsvc), Windows Update Automatic Updates Service (wuauserv), Background Intelligent Transfer Service (BITS) and Windows Defender (WinDefend).
Deletes Registry Values - Win32/Conficker.D deletes registry values for Windows Defender, Windows Security Center (WSC) and the Windows safe mode services list.
Terminates Processes - Win32/Conficker.D polls the process list every second for process names containing the following strings and, if found, terminates them:
autoruns - "Autoruns" program
avenger - kernel-mode security program
confick - taken from the name 'Conficker'
downad - taken from the name 'Downadup' alias 'Conficker'
filemon - "File Monitor" program
gmer - rootkit detection program
hotfix - security update
kb890 - Microsoft KB article, includes MSRT
kb958 - Microsoft KB article, includes MS08-067
kido - taken from the name 'Kido', another 'Conficker' alias
klwk - Kaspersky program
mbsa. - "Microsoft Baseline Security Analyzer" program
mrt. - "Microsoft Malicious Software Removal Tool" program
mrtstub - "Microsoft Malicious Software Removal Tool" program
ms08-06 - Microsoft Security Update MS08-067
procexp - "Process Explorer" program
procmon - "Process Monitor" program
regmon - "Registry Monitor" program
scct_ - Sophos Conficker Cleanup tool
sysclean - Trend Micro tool
tcpview - tool used to view TCP connection and traffic
unlocker - tool used to unlock locked files or folders
wireshark - network protocol analyzer tool
Blocks access to security-related websites, or causes browser time-outs when reaching them, by hooking DNSAPI.DLL to prevent name resolution of those sites.
Downloads Arbitrary Files - obtains the current date/time from the following Web servers:
baidu.com
google.com
yahoo.com
ask.com
w3.org
facebook.com
imageshack.us
rapidshare.com
Starting on April 1, 2009, once a day Win32/Conficker.D may build one of 50,000 URLs from which to download files. The worm uses one of the following top-level domains, spanning over 100 different countries, and visits only 500 of the generated URLs within a 24-hour period:
.ac; .ae; .ag; .am; .as; .at; .be; .bo; .bz; .ca; .cd; .ch; .cl; .cn; .co.cr; .co.id; .co.il; .co.ke; .co.kr; .co.nz; .co.ug; .co.uk; .co.vi; .co.za; .com.ag; .com.ai; .com.ar; .com.bo; .com.br; .com.bs; .com.co; .com.do; .com.fj; .com.gh; .com.gl; .com.gt; .com.hn; .com.jm; .com.ki; .com.lc; .com.mt; .com.mx; .com.ng; .com.ni; .com.pa; .com.pe; .com.pr; .com.pt; .com.py; .com.sv; .com.tr; .com.tt; .com.tw; .com.ua; .com.uy; .com.ve; .cx; .cz; .dj; .dk; .dm; .ec; .es; .fm; .fr; .gd; .gr; .gs; .gy; .hk; .hn; .ht; .hu; .ie; .im; .in; .ir; .is; .kn; .kz; .la; .lc; .li; .lu; .lv; .ly; .md; .me; .mn; .ms; .mu; .mw; .my; .nf; .nl; .no; .pe; .pk; .pl; .ps; .ro; .ru; .sc; .sg; .sh; .sk; .su; .tc; .tj; .tl; .tn; .to; .tw; .us; .vc; .vn
The generated domain name is first resolved to an IP address in dotted notation; for example, 'aaovt.com' may be converted to '192.168.16.0'. This IP address is then used in the URL, according to the following pattern:
http://<pseudo-random generated IP>/search?q=%d
After a successful download and execution from a generated URL, Win32/Conficker.D lies dormant for four days before resuming its URL checks.
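A defender-side detector for the download pattern above, added here as an example and not part of the original description: it scans a constructed proxy log for clients fetching /search?q=N from bare IP literals (the worm resolves the generated domain before building the URL, so the host part is an address, not a name) and notes whether the same client also contacted one of the listed date/time servers. The log format, client addresses and URLs are all constructed sample data.

```python
import re
from collections import defaultdict
from ipaddress import ip_address
from urllib.parse import urlsplit

# Web servers the page lists as the worm's date/time sources.
TIME_SOURCES = {"baidu.com", "google.com", "yahoo.com", "ask.com",
                "w3.org", "facebook.com", "imageshack.us", "rapidshare.com"}

# Download pattern from the page: http://<pseudo-random IP>/search?q=<number>.
URL_RE = re.compile(r"^http://(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?/search\?q=\d+$")

# Constructed sample proxy log (not real traffic): "<client> <timestamp> <method> <url> <status>"
SAMPLE_LOG = """\
10.0.0.5 2009-04-02T03:14:01Z GET http://www.yahoo.com/ 200
10.0.0.5 2009-04-02T03:14:07Z GET http://192.0.2.44/search?q=17 404
10.0.0.5 2009-04-02T03:14:09Z GET http://198.51.100.9/search?q=17 404
10.0.0.5 2009-04-02T03:14:12Z GET http://203.0.113.77/search?q=17 200
10.0.0.7 2009-04-02T03:20:00Z GET http://www.google.com/search?q=17 200
10.0.0.7 2009-04-02T03:20:01Z GET http://198.51.100.9/search?q=17 200
10.0.0.9 2009-04-02T08:00:00Z GET http://192.0.2.44/index.html 200
"""

def download_ip(url):
    """Return the IPv4 literal if url matches the Conficker.D download pattern, else None."""
    m = URL_RE.match(url)
    if not m:
        return None
    try:
        ip_address(m.group(1))  # rejects octets above 255
    except ValueError:
        return None
    return m.group(1)

def is_time_source(url):
    """True if the URL's host is one of the listed date/time servers (or a subdomain)."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in TIME_SOURCES)

def find_suspect_hosts(log_text, min_distinct_ips=2):
    """Clients that fetched /search?q=N from at least min_distinct_ips bare IPs."""
    ips, time_seen = defaultdict(set), defaultdict(bool)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[2] != "GET":
            continue
        client, url = fields[0], fields[3]
        ip = download_ip(url)
        if ip:
            ips[client].add(ip)
        if is_time_source(url):
            time_seen[client] = True
    return {c: {"ips": sorted(s), "time_source_seen": time_seen[c]}
            for c, s in ips.items() if len(s) >= min_distinct_ips}
```

The distinct-IP threshold exists because a single hit on a bare-IP URL is common in normal traffic; a client sweeping many addresses with the same `/search?q=N` path in a short window is the behaviour worth alerting on.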
Connects to Other Infected Computers via P2P Network:
Win32/Conficker.D can distribute and receive commands from other computers infected with Conficker.D via a built-in peer-to-peer (P2P) network. This mechanism could be used to distribute additional malware to and from infected machines.
To connect to other infected computers, Win32/Conficker.D opens four ports on each available network interface: two TCP and two UDP ports. The port numbers of the first TCP and UDP ports are calculated from the IP address of the network interface. The second TCP and UDP ports are calculated from the IP address of the network interface together with the current week, so this second set of ports changes weekly. In short, the first set of ports is constant and remains open week after week, while the second set changes every week.
When computing the current week, Win32/Conficker.D attempts to determine the time in GMT so that all port changes occur at the same time.
Both TCP listening ports behave in an identical fashion, as do both UDP listening ports. These ports are used by an infected computer to communicate with other computers also infected with Win32/Conficker.D.
Take the following steps to help prevent infection on your system:
Apply the latest computer updates for all your installed software, including Security Bulletin MS08-067.
Use up-to-date antivirus software and perform full system scans to detect infections.
Ensure that network passwords are strong to prevent Win32/Conficker variants from spreading via weak administrator passwords.
References:
http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx