Conficker.D Released

General discussion
Hi everybody:
Win32/Conficker.D is now in the wild and it's more aggressive than ever!
Please read the complete Research note at:
Terminates Processes
Win32/Conficker.D polls the process list every one second for these strings and, if found, terminates them - note: for "*", see Additional Information section:
autoruns - "Autoruns" program
avenger - kernel-mode security program
* bd_rem - "bd_rem_tool_console.exe" & "bd_rem_tool_gui.exe" programs
* cfremo - Enigma Software "cfremover.exe" program
confick - taken from the name 'Conficker'
downad - taken from the name 'Downadup' alias 'Conficker'
filemon - "File Monitor" program
gmer - rootkit detection program
hotfix - security update
kb890 - Microsoft KB article, includes MSRT
kb958 - Microsoft KB article, includes MS08-067
kido - taken from the name 'Kido', another 'Conficker' alias
* kill - utility used to terminate other processes
klwk - Kaspersky program
mbsa. - "Microsoft Baseline Security Analyzer" program
mrt. - "Microsoft Malicious Software Removal Tool" program
mrtstub - "Microsoft Malicious Software Removal Tool" program
ms08-06 - Microsoft Security Update MS08-067
procexp - "Process Explorer" program
procmon - "Process Monitor" program
regmon - "Registry Monitor" program
scct_ - Sophos Conficker Cleanup tool
* stinger - McAfee tool
sysclean - Trend Micro tool
tcpview - tool used to view TCP connection and traffic
unlocker - tool used to unlock locked files or folders
wireshark - network protocol analyzer tool
Blocks Access to Web Sites
Win32/Conficker.D hooks DNSAPI.DLL to prevent access to Web sites containing the following strings in the URL - note: for "*", see Additional Information section:
* activescan
* adware
agnitum
ahnlab
anti-
antivir
arcabit
* av-sc
avast
avgate
avira
* bdtools
bothunter
castlecops
ccollomb
centralcommand
clamav
comodo
computerassociates
conficker
cpsecure
cyber-ta
defender
downad
drweb
dslreports
emsisoft
esafe
eset
etrust
ewido
f-prot
f-secure
fortinet
free-av
freeav
gdata
grisoft
hackerwatch
hacksoft
hauri
ikarus
jotti
k7computing
kaspersky
kido
malware
mcafee
microsoft
mirage
* mitre.
* ms-mvp
msftncsi
msmvps
mtc.sri
networkassociates
nod32
norman
norton
onecare
panda
pctools
* precisesecurity
prevx
ptsecurity
quickheal
removal
rising
rootkit
safety.live
securecomputing
secureworks
sophos
spamhaus
spyware
sunbelt
symantec
technet
threat
threatexpert
trendmicro
trojan
virscan
virus
wilderssecurity
windowsupdate
Win32/Conficker.D may cause browser time-outs when a user attempts to access Web sites with URLs containing any of the following strings:
avg.
avp.
bit9.
ca.
cert.
gmer.
kav.
llnw.
llnwd.
msdn.
msft.
nai.
sans.
vet.
Aliases
- Win32/Conficker.worm.88064 (AhnLab)
- Win32.Worm.Downadup.Gen (BitDefender)
- Win32/Conficker.C (CA)
- Win32/Conficker.X (ESET)
- Trojan.Win32.Pakes.ngs (Kaspersky)
- W32/Conficker.worm.gen.c (McAfee)
- W32/Conficker.D.worm (Panda)
- W32/Confick-G (Sophos)
- W32.Downadup.C (Symantec)
Symptoms
System Changes
The following system changes may indicate the presence of this malware:
- The lack of response from, or the termination of, the following services:
- Windows Security Center Service (wscsvc) – notifies users of security settings (e.g. Windows update, Firewall and Antivirus)
- Windows Update Auto Update Service (wuauserv)
- Background Intelligence Transfer Service (BITS) – used by Windows Update to download updates using idle network bandwidth
- Windows Defender (WinDefend)
- Error Reporting Service (ersvc) – sends error reports to Microsoft to help improve user experience
- Windows Error Reporting Service (wersvc)
- Users may not be able to run applications containing the following strings:
autoruns
avenger
bd_rem
cfremo
confick
downad
filemon
gmer
hotfix
kb890
kb958
kido
kill
klwk
mbsa.
mrt.
mrtstub
ms08-06
procexp
procmon
regmon
scct_
stinger
sysclean
tcpview
unlocker
wireshark
- Users may not be able to browse certain security-related Web sites with URLs that contain any of the following strings:
activescan
adware
agnitum
ahnlab
anti-
antivir
arcabit
av-sc
avast
avgate
avira
bdtools
bothunter
castlecops
ccollomb
centralcommand
clamav
comodo
computerassociates
conficker
cpsecure
cyber-ta
defender
downad
drweb
dslreports
emsisoft
esafe
eset
etrust
ewido
f-prot
f-secure
fortinet
free-av
freeav
gdata
grisoft
hackerwatch
hacksoft
hauri
ikarus
jotti
k7computing
kaspersky
kido
malware
mcafee
microsoft
mirage
mitre.
ms-mvp
msftncsi
msmvps
mtc.sri
networkassociates
nod32
norman
norton
onecare
panda
pctools
precisesecurity
prevx
ptsecurity
quickheal
removal
rising
rootkit
safety.live
securecomputing
secureworks
sophos
spamhaus
spyware
sunbelt
symantec
technet
threat
threatexpert
trendmicro
trojan
virscan
virus
wilderssecurity
windowsupdate
- Users may experience a Web browser time-out error when attempting to access URLs containing the following strings:
avg.
avp.
bit9.
ca.
cert.
gmer.
kav.
llnw.
llnwd.
msdn.
msft.
nai.
sans.
vet.
Regards,
Victor Homocea
Thursday, March 25, 2010 7:44 AM
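A quick triage check a helpdesk can run on a suspect workstation, built from the service list in the Symptoms section above. This is an added example, not part of the research note or of the post; it assumes PowerShell 2.0 or later and administrative rights on the host (directly or via Invoke-Command).

```powershell
# Added triage check, not part of the research note or of the post.
# Assumes it runs on the suspect workstation with administrative rights
# (or inside Invoke-Command against it) on Windows XP/Vista/7, PowerShell 2.0+.
$watched = @(
    @{ Name = 'wscsvc';    Desc = 'Windows Security Center Service' },
    @{ Name = 'wuauserv';  Desc = 'Windows Update Auto Update Service' },
    @{ Name = 'BITS';      Desc = 'Background Intelligent Transfer Service' },
    @{ Name = 'WinDefend'; Desc = 'Windows Defender' },
    @{ Name = 'ersvc';     Desc = 'Error Reporting Service' },
    @{ Name = 'wersvc';    Desc = 'Windows Error Reporting Service' }
)

$findings = foreach ($svc in $watched) {
    $s = Get-Service -Name $svc.Name -ErrorAction SilentlyContinue
    if ($null -eq $s) {
        # Not every OS has every service (WinDefend on XP, wersvc on XP, ersvc on Vista+);
        # report it as absent rather than as a symptom.
        New-Object PSObject -Property @{
            Service = $svc.Name; Description = $svc.Desc; Status = 'NotInstalled'; StartMode = 'n/a' }
        continue
    }
    # StartMode comes from WMI: a service switched to Disabled is a stronger
    # indicator than one that is merely stopped.
    $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='$($svc.Name)'"
    New-Object PSObject -Property @{
        Service = $svc.Name; Description = $svc.Desc; Status = [string]$s.Status; StartMode = $wmi.StartMode }
}

$findings | Format-Table Service, Status, StartMode, Description -AutoSize

# Any listed service that is stopped or disabled matches the note's "lack of response" symptom.
$suspect = @($findings | Where-Object { $_.Status -eq 'Stopped' -or $_.StartMode -eq 'Disabled' })
if ($suspect.Count -gt 0) {
    Write-Warning ("{0} of the listed services are stopped or disabled on {1}; treat the host as a removal-tool candidate." -f $suspect.Count, $env:COMPUTERNAME)
}
```

A clean host normally shows these services Running (or NotInstalled where the OS lacks them); several Stopped or Disabled at once is the pattern the note describes and warrants an offline scan rather than trusting tools run on the box.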
All replies
??? I'm afraid it's actually been a year since Conficker.D now :)
Oguzhan Filizlibay | Security Escalation Engineer | Microsoft EMEA CSS Security
Thursday, March 25, 2010 4:49 PM
Hi Oguzhan,
I must admit that you are right! (I didn't pay any attention to the year) :)
Can we delete the post so as not to misinform other users?
PS: I didn't know about the .D version and its modifications until now. We still have across our network some A and B versions...
Regards,
Victor
Friday, March 26, 2010 6:07 AM
We have this on our network and it is causing user account lockouts in AD. Is there a way to reset the local machine administrator password for all the machines in the domain using Group Policy? Is there any tool to find out which machines are causing the user account lockouts?
Wednesday, October 10, 2012 9:02 PM
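On the second question in the post above (which machines are causing the lockouts), the domain controller's Security log already records the answer. This is an added example, not from the thread; it assumes a Windows Server 2008 or later DC (ideally the PDC emulator, which is notified of every lockout), read access to its Security log, and account-management auditing enabled. The DC name is a placeholder. It does not cover the Group Policy password-reset part of the question.

```powershell
# Added example for the lockout question; not from the thread.
# Assumes a Windows Server 2008+ domain controller (ideally the PDC emulator),
# read access to its Security log and account-management auditing enabled.
# $Dc is a placeholder, not a real host name.
$Dc    = 'DC-HOSTNAME-PLACEHOLDER'
$Since = (Get-Date).AddDays(-1)

# Event 4740 ("A user account was locked out") names the locked account and the
# machine that sent the failing logons.
$events = Get-WinEvent -ComputerName $Dc -FilterHashtable @{
    LogName = 'Security'; Id = 4740; StartTime = $Since } -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($n in $xml.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
    New-Object PSObject -Property @{
        Time    = $e.TimeCreated
        Account = $data['TargetUserName']
        # In 4740 the "Caller Computer Name" field is carried as TargetDomainName.
        Source  = $data['TargetDomainName']
    }
}

# Machines generating the most lockouts are the ones to isolate and scan first.
$rows | Group-Object -Property Source | Sort-Object -Property Count -Descending |
    Select-Object Count, @{ n = 'CallerComputer'; e = { $_.Name } },
        @{ n = 'Accounts'; e = { ($_.Group | Select-Object -ExpandProperty Account -Unique) -join ', ' } } |
    Format-Table -AutoSize
```

If the Caller Computer Name is empty or points at a DC, the failures are arriving through another service (for example a member server relaying credentials) and the 4771/4776 events on that DC need to be checked next.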