Worm:Win32/Conficker.A is a worm that infects other computers across a network by exploiting a vulnerability in the Windows Server service (SVCHOST.EXE). If the vulnerability is successfully exploited, it could allow remote code execution when file sharing is enabled.
The worm sets the file time of the dropped DLL copy of itself to match the file time of the system's kernel32.dll, masking forensic evidence of when the infection occurred. The registry is then modified so that the dropped DLL is executed as a service, under the subkey:
HKLM\SYSTEM\ControlSet001\Services\vcdrlxeu\Parameters
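The timestamp trick above leaves a measurable tell: a service DLL whose modification time equals kernel32.dll's to the second. The following is an added example (not code from the original page or from any vendor tool) that checks a set of service-to-DLL mappings, as an analyst might collect from the Services registry keys, against the reference file's mtime. The service name "vcdrlxeu" comes from the registry path above; the DLL file names, the "BenignSvc" name and the temporary directory standing in for System32 are constructed for the demo.

```python
import os
import tempfile
from pathlib import Path


def find_services_with_stomped_dll(service_dlls: dict, kernel32: Path,
                                   tolerance_s: float = 0.0) -> list:
    """Return service names whose DLL has the same mtime as kernel32.dll.

    service_dlls maps a service name to the Path of the DLL it loads
    (hypothetical input; in practice gathered from each service's
    Parameters\\ServiceDll registry value). Timestamps identical to
    kernel32.dll's are the Conficker.A masking behaviour described above.
    """
    ref_mtime = os.stat(kernel32).st_mtime
    flagged = []
    for name, dll in service_dlls.items():
        try:
            mtime = os.stat(dll).st_mtime
        except FileNotFoundError:
            continue  # a missing DLL is a separate finding; not handled here
        if abs(mtime - ref_mtime) <= tolerance_s:
            flagged.append(name)
    return sorted(flagged)


def demo() -> list:
    """Constructed scenario: a temp directory stands in for System32."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        base = 1_200_000_000  # constructed epoch timestamp for kernel32.dll

        kernel32 = root / "kernel32.dll"
        kernel32.write_bytes(b"constructed stand-in for kernel32.dll")
        os.utime(kernel32, (base, base))

        # Benign service DLL with an unrelated timestamp (constructed)
        benign = root / "benign.dll"
        benign.write_bytes(b"benign")
        os.utime(benign, (base + 90 * 86400, base + 90 * 86400))

        # Hypothetical dropped worm DLL whose timestamp was copied from kernel32.dll
        dropped = root / "dropped.dll"
        dropped.write_bytes(b"dropped")
        os.utime(dropped, (base, base))

        services = {
            "BenignSvc": benign,   # hypothetical benign service
            "vcdrlxeu": dropped,   # service name from the registry path above
        }
        return find_services_with_stomped_dll(services, kernel32)


if __name__ == "__main__":
    print(demo())  # ['vcdrlxeu']
```

An exact match is a triage signal, not proof: files installed from the same OS image can legitimately share timestamps, so confirm the finding against the service registration and the DLL's location and signature.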
It spreads via networked computers.
Win32/Conficker.A avoids infecting computers located in Ukraine.
Payloads
The worm opens a random TCP port between 1024 and 10000 and acts as a web (HTTP) server. When a remote machine is exploited successfully, that machine connects back to this HTTP server and downloads a copy of the worm.
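Because the worm's download server runs inside the exploited Server service process, the listener shows up as svchost.exe bound to an unusual high port. The following is an added example (not code from the original page) that parses `netstat -ano` style output and flags TCP listeners in the 1024-10000 range owned by svchost.exe. The netstat text and the PID-to-image mapping are constructed samples; the allowlist of ports already attributed to known services on the host is likewise a constructed placeholder.

```python
import re

# Constructed sample in the layout of Windows `netstat -ano` output; not a real capture.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       804
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5040           0.0.0.0:0              LISTENING       1120
  TCP    0.0.0.0:7632           0.0.0.0:0              LISTENING       1120
  TCP    192.168.1.10:49712     192.168.1.20:445       ESTABLISHED     1120
  UDP    0.0.0.0:137            *:*                                    4
"""

# Constructed PID -> image name mapping, as `tasklist` would provide.
SAMPLE_PIDS = {4: "System", 804: "svchost.exe", 1120: "svchost.exe"}

# Constructed: ports on this host already attributed to a known legitimate service.
KNOWN_GOOD_PORTS = frozenset({5040})

# Matches "TCP <addr>:<port> <foreign> LISTENING <pid>"; works for IPv4 and [::] forms.
LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")


def suspicious_listeners(netstat_text: str, pid_names: dict,
                         low: int = 1024, high: int = 10000,
                         image: str = "svchost.exe",
                         allowlist=KNOWN_GOOD_PORTS) -> list:
    """Return (port, pid) pairs for TCP listeners in [low, high] owned by `image`.

    Ports in `allowlist` are skipped so previously explained listeners
    do not resurface on every run.
    """
    hits = []
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if not m:
            continue
        port, pid = int(m.group(1)), int(m.group(2))
        if port in allowlist or not (low <= port <= high):
            continue
        if pid_names.get(pid, "").lower() == image.lower():
            hits.append((port, pid))
    return hits


if __name__ == "__main__":
    print(suspicious_listeners(SAMPLE_NETSTAT, SAMPLE_PIDS))  # [(7632, 1120)]
```

Any hit still needs confirmation (which service group that svchost instance hosts, and what the port actually serves), since Windows components do run legitimate svchost listeners in this range.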
The worm may call an API function to reset the computer’s system restore point, potentially defeating recovery using system restore.
If the date is after December 1, 2008, Win32/Conficker.A will attempt to download a file named ‘loadadv.exe’ from the domain ‘trafficconverter.biz’.
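The domain, file name and trigger date above are all usable as network indicators. The following is an added example (not code from the original page) that scans proxy log lines for requests to trafficconverter.biz or any of its subdomains, or for any download of loadadv.exe, and records whether each hit falls before the December 1, 2008 trigger date (which would not be explained by this worm's behaviour and so deserves a second look). The log format and every line in it are constructed; the other host names are placeholders.

```python
from datetime import date, datetime
from urllib.parse import urlsplit

IOC_DOMAIN = "trafficconverter.biz"   # from the writeup
IOC_FILE = "loadadv.exe"              # from the writeup
TRIGGER_DATE = date(2008, 12, 1)      # from the writeup

# Constructed proxy log: "<ISO timestamp> <client ip> <method> <url>" per line.
SAMPLE_LOG = """\
2008-11-30T23:58:01 10.0.0.5 GET http://update.example.com/ok.txt
2008-11-30T23:59:40 10.0.0.5 GET http://mirror.example.net/files/loadadv.exe
2008-12-02T08:14:22 10.0.0.9 GET http://trafficconverter.biz/files/loadadv.exe
2008-12-02T08:15:03 10.0.0.9 GET http://cdn.example.com/news.html
2008-12-03T11:02:47 10.0.0.17 GET http://www.trafficconverter.biz/index.html
"""


def parse_line(line: str):
    """Split one constructed log line into (timestamp, client, host, path)."""
    ts, client, _method, url = line.split(maxsplit=3)
    parts = urlsplit(url)
    return datetime.fromisoformat(ts), client, (parts.hostname or "").lower(), parts.path


def find_conficker_downloads(log_text: str) -> list:
    """Return one dict per matching request: client, time, reason, before_trigger."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, client, host, path = parse_line(line)
        domain_hit = host == IOC_DOMAIN or host.endswith("." + IOC_DOMAIN)
        file_hit = path.rsplit("/", 1)[-1].lower() == IOC_FILE
        if not (domain_hit or file_hit):
            continue
        hits.append({
            "client": client,
            "time": when.isoformat(),
            "reason": "domain" if domain_hit else "filename",
            # The writeup ties the download to dates after the trigger; earlier
            # hits need a different explanation.
            "before_trigger": when.date() < TRIGGER_DATE,
        })
    return hits


if __name__ == "__main__":
    for hit in find_conficker_downloads(SAMPLE_LOG):
        print(hit)
```

Matching on the bare file name is deliberately broad (it also catches the download if it is mirrored elsewhere), so the `reason` field lets the analyst rank domain hits above file-name-only hits.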
Free Conficker Worm Removal Tools:
- Avert Stinger Standalone tool
- F-Secure Worm:W32/Downadup.AL Removal Tool
- Symantec W32.Downadup Removal Tool
- Enigma Conficker Worm Removal tool
- Conficker Single PC Removal Tool
- Conficker Network Removal Tool
Install the Microsoft security patch MS08-067, which closes the Server service vulnerability the Conficker worm exploits.