Conficker.D Released

• General discussion

• 

  

  0

  Sign in to vote

  Hi everybody:

  Win32/Conficker.D is now in the wild and it's more aggressive than ever!

  Please read the complete Research note at:

  https://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3aWin32%2fConficker.D

   

  Terminates Processes

  Win32/Conficker.D polls the process list every one second for these strings and, if found, terminates them - note: for "*", see Additional Information section :

   

  autoruns - "Autoruns" program
  avenger - kernel-mode security program

  * bd_rem - "bd_rem_tool_console.exe" & "bd_rem_tool_gui.exe" programs

  * cfremo - Enigma Software "cfremover.exe" program
  confick - taken from the name 'Conficker'
  downad - taken from the name 'Downadup' alias 'Conficker'
  filemon - "File Monitor" program
  gmer - rootkit detection program
  hotfix - security update
  kb890 - Microsoft KB article, includes MSRT
  kb958 - Microsoft KB article, includes MS08-067
  kido - taken from the name 'Kido', another 'Conficker' alias
  * kill - utility used to terminate other processes
  klwk - Kaspersky program

  mbsa. - "Microsoft Baseline Security Analyzer" program
  mrt. - "Microsoft Malicious Software Removal Tool" program
  mrtstub - "Microsoft Malicious Software Removal Tool" program
  ms08-06 - Microsoft Security Update MS08-067
  procexp - "Process Explorer" program
  procmon - "Process Monitor" program
  regmon - "Registry Monitor" program
  scct_ - Sophos Conficker Cleanup tool

  * stinger - McAfee tool
  sysclean - Trend Micro tool
  tcpview - tool used to view TCP connection and traffic
  unlocker - tool used to unlock locked files or folders
  wireshark - network protocol analyzer tool

   

  Blocks Access to Web Sites

  Win32/Conficker.D hooks DNSAPI.DLL to prevent access to Web sites containing the following strings in the URL - note: for "*", see Additional Information section :

   

  * activescan
  * adware
  agnitum
  ahnlab
  anti-
  antivir
  arcabit

  * av-sc
  avast
  avgate
  avira

  * bdtools
  bothunter
  castlecops
  ccollomb
  centralcommand
  clamav
  comodo
  computerassociates
  conficker
  cpsecure
  cyber-ta
  defender
  downad
  drweb
  dslreports
  emsisoft
  esafe
  eset
  etrust
  ewido
  f-prot
  f-secure
  fortinet
  free-av
  freeav
  gdata
  grisoft
  hackerwatch
  hacksoft
  hauri
  ikarus
  jotti
  k7computing
  kaspersky
  kido
  malware
  mcafee
  microsoft
  mirage

  * mitre.

  * ms-mvp
  msftncsi
  msmvps
  mtc.sri
  networkassociates
  nod32
  norman
  norton
  onecare
  panda
  pctools

  * precisesecurity
  prevx
  ptsecurity
  quickheal
  removal
  rising
  rootkit
  safety.live
  securecomputing
  secureworks
  sophos
  spamhaus
  spyware
  sunbelt
  symantec
  technet
  threat
  threatexpert
  trendmicro
  trojan
  virscan
  virus
  wilderssecurity
  windowsupdate

   

  Win32/Conficker.D may cause browser time-outs when a user attempts to access Web sites with URLs containing any of the following strings:

   

  avg.
  avp.
  bit9.
  ca.
  cert.
  gmer.
  kav.
  llnw.
  llnwd.
  msdn.
  msft.
  nai.
  sans.
  vet.

   

  Aliases

  Win32/Conficker.worm.88064 (AhnLab )
  • Win32.Worm.Downadup.Gen (BitDefender )
  • Win32/Conficker.C (CA )
  • Win32/Conficker.X (ESET )
  • Trojan.Win32.Pakes.ngs (Kaspersky )
  • W32/Conficker.worm.gen.c (McAfee )
  • W32/Conficker.D.worm (Panda )
  • W32/Confick-G (Sophos )
  • W32.Downadup.C (Symantec )

   

  Symptoms

  System Changes

  The following system changes may indicate the presence of this malware:

  • The lack of response from, or the termination of, the following services:
    • Windows Security Center Service (wscsvc) – notifies users of security settings (e.g. Windows update, Firewall and Antivirus)
    • Windows Update Auto Update Service (wuauserv)
    • Background Intelligence Transfer Service (BITS) – used by Windows Update to download updates using idle network bandwidth
    • Windows Defender (WinDefend)
    • Error Reporting Service (ersvc) – sends error reports to Microsoft to help improve user experience
    • Windows Error Reporting Service (wersvc)
  • Users may not be able to run applications containing the following strings:
    
    autoruns
    avenger
    bd_rem
    cfremo
    confick
    downad
    filemon
    gmer
    hotfix
    kb890
    kb958
    kido
    kill
    klwk
    mbsa.
    mrt.
    mrtstub
    ms08-06
    procexp
    procmon
    regmon
    scct_
    stinger
    sysclean
    tcpview
    unlocker
    wireshark
  • Users may not be able to browse certain security-related Web sites with URLs that contain any of the following strings:
    
    activescan
    adware
    agnitum
    ahnlab
    anti-
    antivir
    arcabit
    av-sc
    avast
    avgate
    avira
    bdtools
    bothunter
    castlecops
    ccollomb
    centralcommand
    clamav
    comodo
    computerassociates
    conficker
    cpsecure
    cyber-ta
    defender
    downad
    drweb
    dslreports
    emsisoft
    esafe
    eset
    etrust
    ewido
    f-prot
    f-secure
    fortinet
    free-av
    freeav
    gdata
    grisoft
    hackerwatch
    hacksoft
    hauri
    ikarus
    jotti
    k7computing
    kaspersky
    kido
    malware
    mcafee
    microsoft
    mirage
    mitre.
    ms-mvp
    msftncsi
    msmvps
    mtc.sri
    networkassociates
    nod32
    norman
    norton
    onecare
    panda
    pctools
    precisesecurity
    prevx
    ptsecurity
    quickheal
    removal
    rising
    rootkit
    safety.live
    securecomputing
    secureworks
    sophos
    spamhaus
    spyware
    sunbelt
    symantec
    technet
    threat
    threatexpert
    trendmicro
    trojan
    virscan
    virus
    wilderssecurity
    windowsupdate
  • Users may experience a Web browser time-out error when attempting to access URLs containing the following strings:
  avg.
  avp.
  bit9.
  ca.
  cert.
  gmer.
  kav.
  llnw.
  llnwd.
  msdn.
  msft.
  nai.
  sans.
  vet.

  
  

   

   

   

  Regards,

  Victor Homocea

  Thursday, March 25, 2010 7:44 AM