Computer Tips & Tricks Everyone Should Know

By

Conficker Worm Detailed Information & Free Removal Tools


Conficker Worm Detailed Information & Free Removal Tools
Worm:Win32/Conficker.A is a worm that infects other computers across a network by exploiting a vulnerability in the Windows Server service (SVCHOST.EXE). If the vulnerability is successfully exploited, it could allow remote code execution when file sharing is enabled.
How Conficker Virus Installs in Windows?This worm searches for the Windows executable ‘services.exe’ and will inject itself into it.

This worm copies itself to the Windows system folder as <random>.dll where <random> is a 5-8 character lowercase alphabetic name such as ‘nxyme.dll’.

The worm adjusts the file time of the dropped DLL worm copy to the same as the system’s kernel32.dll file time to mask forensic evidence of infection time. The registry is modified to execute the dropped DLL worm copy as a service.

Adds value: “DisplayName”
With data: “0”
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\vcdrlxeu
Adds value: “ServiceDll”
With data: “<system folder>\nxyme.dll”

To subkey: HKLM\SYSTEM\ControlSet001\Services\vcdrlxeu\Parameters

Once a machine has been infected the worm will patch the exploited function via a simple code hook in order to prevent re-infecting a machine it has already compromised. The worm opens and listens for connection attempts on a randomly chosen port between 1024 and 10000 and bypasses Windows firewall using APIs. The worm also stops the Internet connection sharing service.

It Spreads Via…Networked Computers

Win32/Conficker.A copies itself into memory and begins propagating to random IP addresses across a network by exploiting a vulnerability in the Windows Server service (SVCHOST.EXE). If the vulnerability is successfully exploited, the worm instructs the target computer to download a copy of the worm from the host computer via HTTP protocol using the random port opened by the worm.
The worm uses the following URLs to determine the computer’s geographic location:
getmyip.org
getmyip.co.uk
checkip.dyndns.org

Win32/Conficker.A avoids infecting Ukrainian located computers.

Payloads

1.Creates HTTP Server

The worm opens a random port between 1024 and 10000 and acts like a web server (HTTP server). If the remote machine is exploited successfully, the victim will connect back to the http server and download a worm copy.

2.Resets System Restore Point

The worm may call an API function to reset the computer’s system restore point, potentially defeating recovery using system restore.

3.Downloads Files
If the date is after November 25, 2008, this worm will build a URL in the following format and attempt to download a file from it:
<random ip?>/search?q=%d&aq=7

If the date is after December 1, 2008 Win32/Conficker.A will attempt to download a file ‘loadadv.exe’ from the domain ‘trafficconverter.biz’.

Free Conficker Worm Removal Tools:

  1. Avert Stinger Standalone tool
  2. F-Secure Worm:W32/Downadup.AL Removal Tool
  3. Symantec W32.Downadup Removal Tool
  4. Enigma Conficker Worm Removal tool
  5. Conficker Single PC Removal Tool
  6. Conficker Network Removal Tool

Install Microsoft Released Security Patch for Conficker Worm MS08-067.

About Praveen

I loving blogging & staying updated with latest Geek Stuffs. Website:www.geekyard.com

>