My computer is not up to date, will the conficker affect my computer?
02-28-2013, 11:16 PM
Post: #3
 
General Methods of propagation:
• Local network
• Mapped network drives


Aliases:
• Symantec: W32.Downadup.B
• Kaspersky: Net-Worm.Win32.Kido.fw
• F-Secure: Worm:W32/Downadup.gen!A
• Sophos: Mal/Conficker-A
• Panda: Trj/Downloader.MDW
• Grisoft: I-Worm/Generic.CJY
• Eset: a variant of Win32/Conficker.AE worm
• Bitdefender: Win32.Worm.Downadup.Gen

Similar detection:
• Worm/Kido


Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003


Side effects:
• Registry modification
• Makes use of software vulnerability
• Third party control

Files:
It copies itself to the following locations:
• %all shared folders% \RECYCLER\S-%number%\%random character string%.vmx
• %ProgramFiles%\Internet Explorer\%random character string%.dll
• %ProgramFiles%\Movie Maker\%random character string%.dll
• %System%\%random character string%.dll
• %Temp%\%random character string%.dll
• %ALLUSERSPROFILE%\Application Data\%random character string%.dll



The following file is created:

– %all shared folders%\autorun.inf
This is a non-malicious text file with the following content:
• %random comments%
shellexecute rundll32.exe %paths and filenames of malware copies%,%random character string%
%random comments%

Registry:
The following registry keys are added in order to load the service after reboot:

– HKLM\SYSTEM\CurrentControlSet\Services\%random words%\Parameters\
• "ServiceDll" = "%paths and filenames of malware copies%"

– HKLM\SYSTEM\CurrentControlSet\Services\%random words%\
• "ImagePath" = "%SystemRoot%\system32\svchost.exe -k netsvcs"
"Type" = "4"
"Start" = "4"
"ErrorControl" = "4"



The following registry keys are changed:

– [HKLM\SYSTEM\CurrentControlSet\Services\wscsvc]
Old value:
• "Start"=dword:00000003
New value:
• "Start"=dword:00000004

– [HKLM\SYSTEM\CurrentControlSet\Services\wuauserv]
Old value:
• "Start"=dword:00000003
New value:
• "Start"=dword:00000004

– [HKLM\SYSTEM\CurrentControlSet\Services\BITS]
Old value:
• "Start"=dword:00000003
New value:
• "Start"=dword:00000004

– [HKLM\SYSTEM\CurrentControlSet\Services\ERSvc]
Old value:
• "Start"=dword:00000003
New value:
• "Start"=dword:00000004

– HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
New value:
• "Hidden"=dword:00000002
"ShowCompColor"=dword:00000001
"HideFileExt"=dword:00000000
"DontPrettyPath"=dword:00000000
"ShowInfoTip"=dword:00000001
"HideIcons"=dword:00000000
"MapNetDrvBtn"=dword:00000000
"WebView"=dword:00000000
"Filter"=dword:00000000
"SuperHidden"=dword:00000000
"SeparateProcess"=dword:00000000

Network Infection:
In order to ensure its propagation, the malware attempts to connect to other machines as described below.


IP address generation:
It creates random IP addresses while it keeps the first three octets from its own address. Afterwards it tries to establish a connection with the created addresses.


Infection process:
It makes the compromised machine download the malware from the infected source computer.
The downloaded file is stored on the compromised machine as: .\RECYCLER\S-%number%\%random character string%.vmx

Hosts:
Access to the following domains is effectively blocked:
• ahnlab; arcabit; avast; avg.; avira; avp.; bit9.; ca.; castlecops;
centralcommand; cert.; clamav; comodo; computerassociates; cpsecure;
defender; drweb; emsisoft; esafe; eset; etrust; ewido; f-prot;
f-secure; fortinet; gdata; grisoft; hacksoft; hauri; ikarus; jotti;
k7computing; kaspersky; malware; mcafee; microsoft; nai.;
networkassociates; nod32; norman; norton; panda; pctools; prevx;
quickheal; rising; rootkit; sans.; securecomputing; sophos; spamhaus;
spyware; sunbelt; symantec; threatexpert; trendmicro; vet.; virus;
wilderssecurity; windowsupdate


Miscellaneous:
Internet connection:
In order to check for its internet connection, the following DNS servers are contacted:
• http://www.getmyip.org
• http://www.whatsmyipaddress.com
• http://getmyip.co.uk
• http://checkip.dyndns.org


Checks for an internet connection by contacting the following web sites:
• baidu.com; google.com; yahoo.com; msn.com; ask.com; w3.org; aol.com;
cnn.com; ebay.com; msn.com; myspace.com


File patching:
In order to increase the number of maximum connections it has the capability to modify the tcpip.sys. It may result in a corruption of that file and break network connectivity.

Rootkit Technology:
It is a malware-specific technology. The malware hides its presence from system utilities, security applications and, in the end, from the user.


Method used:
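
The registry and autorun.inf indicators listed in the post above, checked offline against constructed sample data. This is an added example and not part of the original post or of any vendor's tool; the service name "Image Browser", the DLL name xkqwz.dll, the SID fragment, the environment-variable expansions and the .reg text are all made up, and the sample writes REG_EXPAND_SZ values as plain quoted strings rather than the hex(2) byte lists regedit actually exports:

```python
"""Offline triage of the Conficker indicators from the post: disabled security
services, a netsvcs-hosted service whose DLL lives in a drop directory, and an
autorun.inf that hands a payload to rundll32.exe."""
import re

# Constructed sample of `reg export HKLM\SYSTEM\CurrentControlSet\Services`.
# Simplified: REG_EXPAND_SZ values are written as quoted strings, not hex(2).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS]
"Start"=dword:00000003

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ERSvc]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp]
"ImagePath"="%SystemRoot%\\system32\\svchost.exe -k netsvcs"
"Type"=dword:00000020
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp\Parameters]
"ServiceDll"="%SystemRoot%\\system32\\dhcpcsvc.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Image Browser]
"ImagePath"="%SystemRoot%\\system32\\svchost.exe -k netsvcs"
"Type"=dword:00000004
"Start"=dword:00000004
"ErrorControl"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Image Browser\Parameters]
"ServiceDll"="C:\\Program Files\\Movie Maker\\xkqwz.dll"
"""

# Constructed autorun.inf in the shape the post describes (comments around one line).
SAMPLE_AUTORUN = r"""[autorun]
;ylkj qwe zxc
shellexecute=rundll32.exe .\RECYCLER\S-5-3-21-0001\xkqwz.vmx,abcdefg
;mnb vcx
"""

SERVICES_ROOT = r"hkey_local_machine\system\currentcontrolset\services"
SECURITY_SERVICES = ("wscsvc", "wuauserv", "bits", "ersvc")  # from the post
SERVICE_DISABLED = 4  # Start=4 is SERVICE_DISABLED, the post's "New value"
SERVICE_ADAPTER = 4   # Type=4 is never valid for an svchost-hosted DLL

# Assumed expansions so the check runs offline; a live check would use os.path.expandvars.
ENV = {"%systemroot%": r"c:\windows", "%system%": r"c:\windows\system32",
       "%programfiles%": r"c:\program files", "%temp%": r"c:\windows\temp",
       "%allusersprofile%": r"c:\documents and settings\all users"}


def expand(path):
    """Lower-case a path and expand the variables in ENV."""
    p = path.lower()
    for var, val in ENV.items():
        p = p.replace(var, val)
    return p


# Drop directories from the post. %System% is left out on purpose: every
# legitimate ServiceDll lives there too, so it is covered by the Type check.
DROP_DIRS = [expand(d) for d in (r"%ProgramFiles%\Internet Explorer",
                                 r"%ProgramFiles%\Movie Maker", r"%Temp%",
                                 r"%ALLUSERSPROFILE%\Application Data")]


def parse_reg(text):
    """Parse a .reg export into {lower-cased key: {lower-cased value name: value}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if m and current is not None:
            name, val = m.group(1).lower(), m.group(2)
            if val.startswith("dword:"):
                keys[current][name] = int(val[6:], 16)
            elif val.startswith('"') and val.endswith('"'):
                keys[current][name] = val[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            else:
                keys[current][name] = val
    return keys


def disabled_security_services(reg):
    """Services named in the post whose Start value has been set to 4."""
    return [svc for svc in SECURITY_SERVICES
            if reg.get(f"{SERVICES_ROOT}\\{svc}", {}).get("start") == SERVICE_DISABLED]


def suspicious_netsvcs_services(reg):
    """netsvcs-hosted services with a ServiceDll in a drop directory or Type=4.
    Returns (service name, expanded dll path, reasons) tuples."""
    hits = []
    for key, values in reg.items():
        if not key.startswith(SERVICES_ROOT + "\\") or key.endswith("\\parameters"):
            continue
        if "svchost.exe -k netsvcs" not in expand(values.get("imagepath", "")):
            continue
        dll = expand(reg.get(key + "\\parameters", {}).get("servicedll", ""))
        reasons = []
        if any(dll.startswith(d + "\\") for d in DROP_DIRS):
            reasons.append("ServiceDll in a Conficker drop directory")
        if values.get("type") == SERVICE_ADAPTER:
            reasons.append("Type=4 (SERVICE_ADAPTER) on an svchost-hosted service")
        if reasons:
            hits.append((key.rsplit("\\", 1)[1], dll, reasons))
    return hits


def autorun_launches_rundll32(text):
    """True if an open/shellexecute line (with '=' or just a space, as in the post)
    runs rundll32; comment lines starting with ';' are ignored."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("["):
            continue
        m = re.match(r"(?i)^(open|shellexecute)\s*=?\s*(.*)$", line)
        if m and "rundll32" in m.group(2).lower():
            return True
    return False


if __name__ == "__main__":
    reg = parse_reg(SAMPLE_REG)
    print("disabled security services:", disabled_security_services(reg))
    for name, dll, reasons in suspicious_netsvcs_services(reg):
        print(f"suspicious service {name!r}: {dll} ({'; '.join(reasons)})")
    print("autorun.inf launches rundll32:", autorun_launches_rundll32(SAMPLE_AUTORUN))
```

On a real XP/2003 host the input would come from `reg export HKLM\SYSTEM\CurrentControlSet\Services`, whose ImagePath values are hex(2) byte lists, so the parser would need a REG_EXPAND_SZ decoder before the same checks apply; the Start=4 check on wscsvc, wuauserv, BITS and ERSvc is the cheapest first question to ask of a box that "is not up to date", because those four being disabled together is exactly the side effect the post lists.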
Messages In This Thread
[] - Jon J - 02-28-2013, 11:16 PM
[] - Martial H - 02-28-2013 11:16 PM
[] - BillM - 02-28-2013, 11:16 PM
[] - The Angry Grandma - 02-28-2013, 11:16 PM
