My computer is not up to date, will the conficker affect my computer?
02-28-2013, 11:16 PM
Post: #3
General Methods of propagation:
• Local network
• Mapped network drives

Aliases:
• Symantec: W32.Downadup.B
• Kaspersky: Net-Worm.Win32.Kido.fw
• F-Secure: Worm:W32/Downadup.gen!A
• Sophos: Mal/Conficker-A
• Panda: Trj/Downloader.MDW
• Grisoft: I-Worm/Generic.CJY
• Eset: a variant of Win32/Conficker.AE worm
• Bitdefender: Win32.Worm.Downadup.Gen

Similar detection:
• Worm/Kido

Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003

Side effects:
• Registry modification
• Makes use of software vulnerability
• Third party control

Files
It copies itself to the following locations:
• %all shared folders%\RECYCLER\S-%number%\%random character string%.vmx
• %ProgramFiles%\Internet Explorer\%random character string%.dll
• %ProgramFiles%\Movie Maker\%random character string%.dll
• %System%\%random character string%.dll
• %Temp%\%random character string%.dll
• %ALLUSERSPROFILE%\Application Data\%random character string%.dll

The following file is created:
– %all shared folders%\autorun.inf

This is a non-malicious text file with the following content:
• %random comments%
shellexecute rundll32.exe %paths and filenames of malware copies%,%random character string%
%random comments%

Registry
The following registry keys are added in order to load the service after reboot:
– HKLM\SYSTEM\CurrentControlSet\Services\%random words%\Parameters\
• "ServiceDll" = "%paths and filenames of malware copies%"
– HKLM\SYSTEM\CurrentControlSet\Services\%random words%\
• "ImagePath" = %SystemRoot%\system32\svchost.exe -k netsvcs
• "Type" = "4"
• "Start" = "4"
• "ErrorControl" = "4"

The following registry keys are changed:
– [HKLM\SYSTEM\CurrentControlSet\Services\wscsvc]
Old value:
• "Start"=dword:00000003
New value:
• "Start"=dword:00000004
– [HKLM\SYSTEM\CurrentControlSet\Services\wuauserv]
Old value:
• "Start"=dword:00000003
New value:
• "Start"=dword:00000004
– [HKLM\SYSTEM\CurrentControlSet\Services\BITS]
Old value:
• "Start"=dword:00000003
New value:
• "Start"=dword:00000004
– [HKLM\SYSTEM\CurrentControlSet\Services\ERSvc]
Old value:
• "Start"=dword:00000003
New value:
• "Start"=dword:00000004
– HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
New value:
• "Hidden"=dword:00000002
• "ShowCompColor"=dword:00000001
• "HideFileExt"=dword:00000000
• "DontPrettyPath"=dword:00000000
• "ShowInfoTip"=dword:00000001
• "HideIcons"=dword:00000000
• "MapNetDrvBtn"=dword:00000000
• "WebView"=dword:00000000
• "Filter"=dword:00000000
• "SuperHidden"=dword:00000000
• "SeparateProcess"=dword:00000000

Network Infection
In order to ensure its propagation the malware attempts to connect to other machines as described below.
IP address generation:
It creates random IP addresses while it keeps the first three octets from its own address. Afterwards it tries to establish a connection with the created addresses.
Infection process:
It makes the compromised machine download the malware from the infected source computer. The downloaded file is stored on the compromised machine as:
.\RECYCLER\S-%number%\%random character string%.vmx

Hosts
– Access to the following domains is effectively blocked:
• ahnlab; arcabit; avast; avg.; avira; avp.; bit9.; ca.; castlecops; centralcommand; cert.; clamav; comodo; computerassociates; cpsecure; defender; drweb; emsisoft; esafe; eset; etrust; ewido; f-prot; f-secure; fortinet; gdata; grisoft; hacksoft; hauri; ikarus; jotti; k7computing; kaspersky; malware; mcafee; microsoft; nai.; networkassociates; nod32; norman; norton; panda; pctools; prevx; quickheal; rising; rootkit; sans.; securecomputing; sophos; spamhaus; spyware; sunbelt; symantec; threatexpert; trendmicro; vet.; virus; wilderssecurity; windowsupdate

Miscellaneous
Internet connection:
In order to check for its internet connection the following DNS servers are contacted:
• http://www.getmyip.org
• http://www.whatsmyipaddress.com
• http://getmyip.co.uk
• http://checkip.dyndns.org
Checks for an internet connection by contacting the following web sites:
• baidu.com; google.com; yahoo.com; msn.com; ask.com; w3.org; aol.com; cnn.com; ebay.com; msn.com; myspace.com

File patching:
In order to increase the number of maximum connections it has the capability to modify the tcpip.sys. It may result in a corruption of that file and break network connectivity.

Rootkit Technology
It is a malware-specific technology. The malware hides its presence from system utilities, security applications and in the end, from the user.
Method used:
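The registry changes and the dropped autorun.inf listed in the post lend themselves to a simple triage check on a machine suspected of infection. The following Python script is an added example and is not part of the forum post or of any vendor write-up: it parses the text of a Windows `reg export` file and the content of an autorun.inf (both samples below are constructed) and reports the indicators the description gives, namely the four services switched to Start=4, a svchost `netsvcs` service whose ServiceDll sits in one of the listed drop directories, and an autorun.inf that launches a `.vmx` file under `RECYCLER\S-*` through rundll32. The names SAMPLE_REG, SAMPLE_AUTORUN, parse_reg_export, find_indicators and autorun_is_suspicious are this example's own, and the expanded paths in SUSPECT_DLL_DIRS are an assumption about how the %ProgramFiles%, %Temp% and %ALLUSERSPROFILE% placeholders resolve.

```python
"""Triage check for the Conficker/Downadup indicators described in the post.
Added example, not the forum post's or any vendor's code; all sample data is
constructed and every name here is this example's own."""
import re

# Services the description says the worm switches to Start=4 (disabled).
DISABLED_SERVICES = {"wscsvc", "wuauserv", "bits", "ersvc"}

# Drop directories from the description as lower-case fragments of their
# expanded paths (assumption).  %System% is left out on purpose: most
# legitimate netsvcs DLLs live there, so it needs a file-name allowlist instead.
SUSPECT_DLL_DIRS = (
    "\\program files\\internet explorer\\",
    "\\program files\\movie maker\\",
    "\\temp\\",
    "\\application data\\",
)
SERVICES_PREFIX = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"

# shellexecute[=]rundll32[.exe] <path>\RECYCLER\S-<number>\<name>.vmx,<export>
AUTORUN_RE = re.compile(
    r"shellexecute\s*=?\s*rundll32(?:\.exe)?\s+.*?recycler\\s-[^\\]+\\[^,\s]+\.vmx",
    re.IGNORECASE)


def parse_reg_export(text):
    """Parse `reg export` output into {key_path: {value_name: value}}.
    Handles quoted strings, dword: values and hex(2): (REG_EXPAND_SZ, UTF-16LE);
    hex continuation lines (trailing backslash) are joined first."""
    text = re.sub(r",\\\r?\n\s*", ",", text)
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, raw = line.partition("=")
            if raw.startswith('"') and raw.endswith('"'):
                value = raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            elif raw.startswith("dword:"):
                value = int(raw[len("dword:"):], 16)
            elif raw.startswith("hex(2):"):
                value = bytes.fromhex(raw[len("hex(2):"):].replace(",", ""))
                value = value.decode("utf-16-le").rstrip("\x00")
            else:
                value = raw
            keys[current][name.strip('"')] = value
    return keys


def find_indicators(reg):
    """Return one finding string per registry indicator from the description."""
    findings = []
    for path, values in reg.items():
        if not path.lower().startswith(SERVICES_PREFIX.lower()):
            continue
        svc, _, sub = path[len(SERVICES_PREFIX):].partition("\\")
        # 1. Security Center / Windows Update / BITS / Error Reporting disabled.
        if not sub and svc.lower() in DISABLED_SERVICES and values.get("Start") == 4:
            findings.append(f"{svc}: Start=4 (service disabled)")
        # 2. A netsvcs-hosted service whose DLL sits in a listed drop directory.
        if sub.lower() == "parameters":
            dll = str(values.get("ServiceDll", "")).lower()
            parent = reg.get(path[: -len(sub) - 1], {})  # the service key itself
            image = str(parent.get("ImagePath", "")).lower()
            if "svchost.exe -k netsvcs" in image and any(d in dll for d in SUSPECT_DLL_DIRS):
                findings.append(f"{svc}: netsvcs ServiceDll in drop directory: {dll}")
    return findings


def autorun_is_suspicious(text):
    """True if autorun.inf launches a .vmx under RECYCLER\\S-* via rundll32."""
    return bool(AUTORUN_RE.search(text))


# Constructed sample export.  A real export writes ImagePath as hex(2):;
# plain strings are used here for readability.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Start"=dword:00000003

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ERSvc]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wrapperlog]
"ImagePath"="%SystemRoot%\\system32\\svchost.exe -k netsvcs"
"Type"=dword:00000004
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wrapperlog\Parameters]
"ServiceDll"="C:\\Program Files\\Internet Explorer\\xkqzpl.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleSvc]
"ImagePath"="%SystemRoot%\\system32\\svchost.exe -k netsvcs"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleSvc\Parameters]
"ServiceDll"="%SystemRoot%\\System32\\example.dll"
'''

# Constructed autorun.inf modelled on the description's placeholder content.
SAMPLE_AUTORUN = r'''; constructed padding comment
[autorun]
shellexecute=rundll32.exe .\RECYCLER\S-1-2-3\abcdefgh.vmx,hjkl
; more constructed padding
'''

if __name__ == "__main__":
    for line in find_indicators(parse_reg_export(SAMPLE_REG)):
        print("REGISTRY:", line)
    print("AUTORUN suspicious:", autorun_is_suspicious(SAMPLE_AUTORUN))
```

On a real machine the export to feed in is produced with `reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg`, and the autorun.inf check can be run over the root of every shared folder. The ExampleSvc entry in the sample is a constructed benign netsvcs service showing why %System% is excluded from the drop-directory list: flagging every netsvcs DLL in System32 would drown the real finding in false positives.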
Messages In This Thread:
My computer is not up to date, will the conficker affect my computer? - Edris - 02-28-2013, 11:08 PM
Martial H - 02-28-2013, 11:16 PM
The Angry Grandma - 02-28-2013, 11:16 PM