Conficker Variant Details, Symptoms, and Precautionary Measures

By  |  March 31, 2009  |  Comment!

Conficker D


Win32/Conficker.D is a variant of Win32/Conficker. Conficker.D infects the local computer, terminates services, blocks access to numerous security related Web sites and downloads arbitrary code.
Conficker.D can relay command instructions to other Conficker.D infected computers via built-in peer-to-peer (P2P) communication. This variant does not spread to removable drives or shared folders across a network (as with previous variants).

Conficker D is installed by previous variants of Win32/Conficker. Other variants of Win32/Conficker infect computers across a network by exploiting a vulnerability in the Windows Server service (SVCHOST.EXE).

If the vulnerability is successfully exploited, it could allow remote code execution when file sharing is enabled. It may also spread via removable drives and weak administrator passwords.
The following system changes may indicate the presence of this malware:

  • The lack of response from, or the termination of, the following services:
  • Windows Security Center Service (wscsvc) – notifies users of security settings (e.g. Windows update, Firewall and Antivirus)
  • Windows Update Auto Update Service (wuauserv)
  • Background Intelligence Transfer Service (BITS) – used by Windows Update to download updates using idle network bandwidth
  • Windows Defender (WinDefend)
  • Error Reporting Service (ersvc) – sends error reports to Microsoft to help improve user experience
  • Windows Error Reporting Service (wersvc)

Users may not be able to run applications containing the following strings:

  • autoruns
  • avenger
  • confick
  • downad
  • filemon
  • gmer
  • hotfix
  • kb890
  • kb958
  • kido
  • klwk
  • mbsa.
  • mrt.
  • mrtstub
  • ms08-06
  • procexp
  • procmon
  • regmon
  • scct_
  • sysclean
  • tcpview
  • unlocker
  • wireshark
  • Users may not be able to browse certain security-related Web sites with URLs that contain any of the following strings:
  • agnitum
  • ahnlab
  • anti-
  • antivir
  • arcabit
  • avast
  • avgate
  • avira
  • bothunter
  • castlecops
  • ccollomb
  • centralcommand
  • clamav
  • comodo
  • computerassociates
  • conficker
  • cpsecure
  • cyber-ta
  • defender
  • downad
  • drweb
  • dslreports
  • emsisoft
  • esafe
  • eset
  • etrust
  • ewido
  • f-prot
  • f-secure
  • fortinet
  • free-av
  • freeav
  • gdata
  • grisoft
  • hackerwatch
  • hacksoft
  • hauri
  • ikarus
  • jotti
  • k7computing
  • kaspersky
  • kido
  • malware
  • mcafee
  • microsoft
  • mirage
  • msftncsi
  • msmvps
  • mtc.sri
  • networkassociates
  • nod32
  • norman
  • norton
  • onecare
  • panda
  • pctools
  • prevx
  • ptsecurity
  • quickheal
  • removal
  • rising
  • rootkit
  • safety.live
  • securecomputing
  • secureworks
  • sophos
  • spamhaus
  • spyware
  • sunbelt
  • symantec
  • technet
  • threat
  • threatexpert
  • trendmicro
  • trojan
  • virscan
  • virus
  • wilderssecurity
  • windowsupdate
  • Users may experience a Web browser time-out error when attempting to access URLs containing the following strings:
  • avg.
  • avp.
  • bit9.
  • ca.
  • cert.
  • gmer.
  • kav.
  • llnw.
  • llnwd.
  • msdn.
  • msft.
  • nai.
  • sans.
  • vet.

< Previous Page — 1 2 3 4 5

Related Posts


Around The Web

 

Leave a Reply

Your email address will not be published. Required fields are marked *

*

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>


Follow

Get every new post on this blog delivered to your Inbox.

Join other followers: