Conficker Variant Details, Symptoms, and Precautionary Measures

By   /   Mar 31, 2009

What is the Conficker Worm?
Conficker is an interesting and smart self-updating worm discovered in October 2008. It exploits a known security problem in the Windows operating system. The operating systems vulnerable to the Conficker variants are Windows 2000, Windows XP, Windows Vista, Windows Server 2003, Windows Server 2008, and also the latest operating system, Windows 7 Beta.

The danger posed by this worm can be measured by the fact that Microsoft has put a 250,000 bounty on the person who wrote the Conficker code. Various versions of this worm have infected millions of PCs since October 2008.

Different Versions of the Conficker Worm

Conficker A, also known as:
TA08-297A (other)
CVE-2008-4250 (other)
VU827267 (other)
Win32/Conficker.worm.62976 (AhnLab)
Trojan.Downloader.JLIW (BitDefender)
Win32/Conficker.A (CA)
Win32/Conficker.A (ESET)
Trojan-Downloader.Win32.Agent.aqfw (Kaspersky)
W32/Conficker.worm (McAfee)
W32/Conficker.E (Norman)
W32/Confick-A (Sophos)
W32.Downadup (Symantec)
Trojan.Disken.B (VirusBuster)

Conficker B, also known as:
TA08-297A (other)
CVE-2008-4250 (other)
VU827267 (other)
Win32/Conficker.A (CA)
Mal/Conficker-A (Sophos)
Trojan.Win32.Agent.bccs (Kaspersky)
W32.Downadup.B (Symantec)
Confickr (other)

Conficker C, also known as:
TA08-297A (other)
CVE-2008-4250 (other)
VU827267 (other)
Conficker B++ (other)

Conficker D, also known as:
Win32/Conficker.worm.88064 (AhnLab)
Win32.Worm.Downadup.Gen (BitDefender)
Win32/Conficker.C (CA)
Win32/Conficker.X (ESET)
Trojan.Win32.Pakes.ngs (Kaspersky)
W32/Conficker.worm.gen.c (McAfee)
W32/Conficker.D.worm (Panda)
W32/Confick-G (Sophos)
W32.Downadup.C (Symantec)

Precautionary Measures
1. Get the MS08-067 security update from Microsoft if you haven't already.
2. Disable AutoRun.
3. Navigate to the autorun.reg file location, open it, and delete the following registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

Conficker A
Win32/Conficker.A is a worm that infects other computers across a network by exploiting a vulnerability in the Windows Server service (SVCHOST.EXE). If the vulnerability is successfully exploited, it could allow remote code execution when file sharing is enabled.
Symptoms:

  • Creation of random files in the %Sysdir% folder.
  • Sometimes the creation of the following files has also been observed:
    - %Program Files%\Internet Explorer\[Random].dll
    - %Program Files%\Movie Maker\[Random].dll
    - %All Users Application Data%\[Random].dll
    - %Temp%\[Random].dll
    - %System%\[Random].tmp
    - %Temp%\[Random].tmp
  • Creation of random services by modifying the following registry keys:
    - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random}\Parameters\"ServiceDll" = "Path to worm"
    - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random}\"ImagePath" = %SystemRoot%\system32\svchost.exe -k netsvcs
  • Creation of an SMB (Server Message Block) session on port 445.
  • Attempts to access the following websites:
    - hxxp://www.getmyip.org
    - hxxp://getmyip.co.uk
    - hxxp://checkip.dyndns.org
    - hxxp://whatsmyipaddress.com
  • Access to security-related websites is blocked.
  • Creation of scheduled tasks.
  • As with most virus infections, a significant slowdown of the system.
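The "random service hosted by svchost -k netsvcs" symptom above is one an administrator can check for without a signature: every netsvcs service should have its ServiceDll inside %SystemRoot%\system32, not in Internet Explorer, Movie Maker, Application Data or Temp. The following script is an added example (not code from the original article); it parses text in the layout of `reg query HKLM\SYSTEM\CurrentControlSet\Services /s` and the sample it contains is constructed, with the service and DLL names made up.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of `reg query HKLM\SYSTEM\CurrentControlSet\Services /s`:
# one legitimate netsvcs-hosted service and one random-name service whose DLL sits in Program Files.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\system32\svchost.exe -k netsvcs
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\system32\schedsvc.dll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wrkbqsx
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\system32\svchost.exe -k netsvcs
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wrkbqsx\Parameters
    ServiceDll    REG_EXPAND_SZ    C:\Program Files\Internet Explorer\jdksqz.dll
"""

# Drop locations named in the symptom list above, lower-cased for matching.
SUSPECT_DIRS = ("\\internet explorer\\", "\\movie maker\\", "\\application data\\", "\\temp\\")
SERVICES_ROOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"

def parse_reg_query(text):
    """Return {service_name: {value_name: data}} from `reg query ... /s` output.
    Values under a service's Parameters subkey are folded into the same service entry."""
    services = defaultdict(dict)
    current = None
    for line in text.splitlines():
        if line.startswith(SERVICES_ROOT + "\\"):
            rel = line[len(SERVICES_ROOT) + 1:]
            current = rel.split("\\")[0]          # first path element is the service name
        elif current and line.startswith("    "):
            parts = re.split(r"\s{4,}", line.strip())   # name, type, data separated by 4+ spaces
            if len(parts) == 3:
                name, _type, data = parts
                services[current][name] = data
    return dict(services)

def suspicious_netsvcs_services(text):
    """Flag services run as 'svchost.exe -k netsvcs' whose ServiceDll is outside system32
    or inside one of the drop directories listed in the symptoms."""
    hits = []
    for name, vals in parse_reg_query(text).items():
        image = vals.get("ImagePath", "").lower()
        dll = vals.get("ServiceDll", "").lower()
        if "svchost.exe" in image and "-k netsvcs" in image and dll:
            in_system32 = dll.startswith("%systemroot%\\system32\\") or "\\windows\\system32\\" in dll
            if not in_system32 or any(d in dll for d in SUSPECT_DIRS):
                hits.append((name, vals["ServiceDll"]))
    return hits

if __name__ == "__main__":
    for name, dll in suspicious_netsvcs_services(SAMPLE):
        print(f"suspicious netsvcs service {name!r} -> {dll}")
```

Run against a real export, a hit is only a lead: confirm the DLL's publisher and hash before acting, since some legitimate software also registers netsvcs-hosted services.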

Conficker B
Win32/Conficker.B is a worm that infects other computers across a network by exploiting a vulnerability in the Windows Server service (SVCHOST.EXE). If the vulnerability is successfully exploited, it could allow remote code execution when file sharing is enabled. It may also spread via removable drives and weak administrator passwords. It disables several important system services and security products.
Conficker B employs new methods for avoiding detection that limited the original worm's spread.

Conficker B infections pose a much more serious threat than A: it was only discovered in mid-February 2009 by SRI International that it uses a different rendezvous-point method than the one the original Conficker worm was programmed with.

The following system changes may indicate the presence of this malware:
The following services are disabled or fail to run:

  • Windows Update Service
  • Background Intelligent Transfer Service
  • Windows Defender
  • Windows Error Reporting Service

Some accounts may be locked out due to the following registry modification, which may flood the network with connections:

  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
  "TcpNumConnections" = "0x00FFFFFE"

Users may not be able to connect to websites or online services that contain the following strings:

  • virus
  • spyware
  • malware
  • rootkit
  • defender
  • microsoft
  • symantec
  • norton
  • mcafee
  • trendmicro
  • sophos
  • panda
  • etrust
  • networkassociates
  • computerassociates
  • f-secure
  • kaspersky
  • jotti
  • f-prot
  • nod32
  • eset
  • grisoft
  • drweb
  • centralcommand
  • ahnlab
  • esafe
  • avast
  • avira
  • quickheal
  • comodo
  • clamav
  • ewido
  • fortinet
  • gdata
  • hacksoft
  • hauri
  • ikarus
  • k7computing
  • norman
  • pctools
  • prevx
  • rising
  • securecomputing
  • sunbelt
  • emsisoft
  • arcabit
  • cpsecure
  • spamhaus
  • castlecops
  • threatexpert
  • wilderssecurity
  • windowsupdate

Conficker C

Win32/Conficker.C is a worm that infects other computers across a network by exploiting a vulnerability in the Windows Server service (SVCHOST.EXE). If the vulnerability is successfully exploited, it could allow remote code execution when file sharing is enabled. It may also spread via removable drives and weak administrator passwords. It disables several important system services and security products.
The following system changes may indicate the presence of this malware:
The following services are disabled or fail to run:

  • Windows Update Service
  • Background Intelligent Transfer Service
  • Windows Defender
  • Windows Error Reporting Service

Some accounts may be locked out due to the following registry modification, which may flood the network with connections:

  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
  "TcpNumConnections" = "0x00FFFFFE"

Users may not be able to connect to websites or online services that contain the following strings:

  • virus
  • spyware
  • malware
  • rootkit
  • defender
  • microsoft
  • symantec
  • norton
  • mcafee
  • trendmicro
  • sophos
  • panda
  • etrust
  • networkassociates
  • computerassociates
  • f-secure
  • kaspersky
  • jotti
  • f-prot
  • nod32
  • eset
  • grisoft
  • drweb
  • centralcommand
  • ahnlab
  • esafe
  • avast
  • avira
  • quickheal
  • comodo
  • clamav
  • ewido
  • fortinet
  • gdata
  • hacksoft
  • hauri
  • ikarus
  • k7computing
  • norman
  • pctools
  • prevx
  • rising
  • securecomputing
  • sunbelt
  • emsisoft
  • arcabit
  • cpsecure
  • spamhaus
  • castlecops
  • threatexpert
  • wilderssecurity
  • windowsupdate

Conficker D
Win32/Conficker.D is a variant of Win32/Conficker. Conficker.D infects the local computer, terminates services, blocks access to numerous security related Web sites and downloads arbitrary code.
Conficker.D can relay command instructions to other Conficker.D-infected computers via built-in peer-to-peer (P2P) communication. Unlike previous variants, this variant does not spread to removable drives or to shared folders across a network.

Conficker D is installed by previous variants of Win32/Conficker. Other variants of Win32/Conficker infect computers across a network by exploiting a vulnerability in the Windows Server service (SVCHOST.EXE).

If the vulnerability is successfully exploited, it could allow remote code execution when file sharing is enabled. It may also spread via removable drives and weak administrator passwords.
The following system changes may indicate the presence of this malware:

The lack of response from, or the termination of, the following services:

  • Windows Security Center Service (wscsvc) – notifies users of security settings (e.g. Windows Update, Firewall and Antivirus)
  • Windows Update Auto Update Service (wuauserv)
  • Background Intelligent Transfer Service (BITS) – used by Windows Update to download updates using idle network bandwidth
  • Windows Defender (WinDefend)
  • Error Reporting Service (ersvc) – sends error reports to Microsoft to help improve user experience
  • Windows Error Reporting Service (wersvc)

Users may not be able to run applications containing the following strings:

  • autoruns
  • avenger
  • confick
  • downad
  • filemon
  • gmer
  • hotfix
  • kb890
  • kb958
  • kido
  • klwk
  • mbsa.
  • mrt.
  • mrtstub
  • ms08-06
  • procexp
  • procmon
  • regmon
  • scct_
  • sysclean
  • tcpview
  • unlocker
  • wireshark

Users may not be able to browse certain security-related Web sites with URLs that contain any of the following strings:

  • agnitum
  • ahnlab
  • anti-
  • antivir
  • arcabit
  • avast
  • avgate
  • avira
  • bothunter
  • castlecops
  • ccollomb
  • centralcommand
  • clamav
  • comodo
  • computerassociates
  • conficker
  • cpsecure
  • cyber-ta
  • defender
  • downad
  • drweb
  • dslreports
  • emsisoft
  • esafe
  • eset
  • etrust
  • ewido
  • f-prot
  • f-secure
  • fortinet
  • free-av
  • freeav
  • gdata
  • grisoft
  • hackerwatch
  • hacksoft
  • hauri
  • ikarus
  • jotti
  • k7computing
  • kaspersky
  • kido
  • malware
  • mcafee
  • microsoft
  • mirage
  • msftncsi
  • msmvps
  • mtc.sri
  • networkassociates
  • nod32
  • norman
  • norton
  • onecare
  • panda
  • pctools
  • prevx
  • ptsecurity
  • quickheal
  • removal
  • rising
  • rootkit
  • safety.live
  • securecomputing
  • secureworks
  • sophos
  • spamhaus
  • spyware
  • sunbelt
  • symantec
  • technet
  • threat
  • threatexpert
  • trendmicro
  • trojan
  • virscan
  • virus
  • wilderssecurity
  • windowsupdate

Users may experience a Web browser time-out error when attempting to access URLs containing the following strings:

  • avg.
  • avp.
  • bit9.
  • ca.
  • cert.
  • gmer.
  • kav.
  • llnw.
  • llnwd.
  • msdn.
  • msft.
  • nai.
  • sans.
  • vet.
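The site-blocking symptom shared by variants B, C and D is a substring match on the destination name, so a defender can turn the lists above into a triage rule: an infected host fails to reach every destination that contains one of the strings while reaching everything else. The script below is an added example, not code from the original article; it uses only a subset of the listed strings (the full lists are in the text), and the connection records it contains are constructed, with host names and addresses made up.

```python
from collections import defaultdict

# Subset of the strings listed above: B/C site strings, D URL strings, and D's shorter
# "time-out" strings that carry a trailing dot. Substring semantics, as the text describes.
BC_STRINGS = ("virus", "malware", "microsoft", "symantec", "mcafee", "kaspersky", "windowsupdate")
D_STRINGS = BC_STRINGS + ("anti-", "conficker", "technet", "onecare", "safety.live")
D_TIMEOUT = ("avg.", "avp.", "ca.", "cert.", "msdn.", "sans.")

def classify(hostname):
    """Return the set of variant labels whose block strings occur in the hostname (case-insensitive).
    Note that a dotted entry such as 'ca.' also hits unrelated names like africa.org."""
    h = hostname.lower()
    labels = set()
    if any(s in h for s in BC_STRINGS):
        labels.add("B/C")
    if any(s in h for s in D_STRINGS) or any(s in h for s in D_TIMEOUT):
        labels.add("D")
    return labels

# Constructed endpoint/proxy records (not real logs): "host client destination outcome".
RECORDS = """\
ws01 10.0.0.5 update.microsoft.com timeout
ws01 10.0.0.5 www.symantec.com timeout
ws01 10.0.0.5 www.example.org ok
ws01 10.0.0.5 intranet.corp.local ok
ws01 10.0.0.5 www.sans.org timeout
ws02 10.0.0.6 update.microsoft.com ok
ws02 10.0.0.6 www.example.org ok
ws02 10.0.0.6 www.kaspersky.com ok
"""

def triage(records):
    """Per host, count failures among blocklist-matching destinations and among all others.
    Hosts where every matching destination fails while the rest succeed are returned as suspects."""
    stats = defaultdict(lambda: {"blk_fail": 0, "blk_total": 0, "other_fail": 0, "other_total": 0})
    for line in records.splitlines():
        host, _client, dest, outcome = line.split()
        bucket = "blk" if classify(dest) else "other"
        stats[host][f"{bucket}_total"] += 1
        if outcome != "ok":
            stats[host][f"{bucket}_fail"] += 1
    suspects = [h for h, s in stats.items()
                if s["blk_total"] and s["blk_fail"] == s["blk_total"] and s["other_fail"] == 0]
    return sorted(suspects), dict(stats)

if __name__ == "__main__":
    print(classify("www.africa.org"))   # the 'ca.' entry matches here too
    print(triage(RECORDS)[0])           # hosts whose failures are confined to block-string names
```

A host flagged this way needs the other symptoms checked as well (the disabled services and the TcpNumConnections value above), since a proxy policy or an outage can produce the same pattern.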
