Conficker.D Released

  • Hi everybody:

    Win32/Conficker.D is now in the wild and it's more aggressive than ever!

    Please read the complete Research note at:

    https://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3aWin32%2fConficker.D

    Terminates Processes
    Win32/Conficker.D polls the process list every second for these strings and, if found, terminates them (note: for "*", see the Additional Information section):
     
    autoruns - "Autoruns" program
    avenger - kernel-mode security program
    * bd_rem - "bd_rem_tool_console.exe" & "bd_rem_tool_gui.exe" programs
    * cfremo - Enigma Software "cfremover.exe" program
    confick - taken from the name 'Conficker'
    downad - taken from the name 'Downadup' alias 'Conficker'
    filemon - "File Monitor" program
    gmer - rootkit detection program
    hotfix - security update
    kb890 - Microsoft KB article, includes MSRT
    kb958 - Microsoft KB article, includes MS08-067
    kido - taken from the name 'Kido', another 'Conficker' alias
    * kill - utility used to terminate other processes
    klwk - Kaspersky program
    mbsa. - "Microsoft Baseline Security Analyzer" program
    mrt. - "Microsoft Malicious Software Removal Tool" program
    mrtstub - "Microsoft Malicious Software Removal Tool" program
    ms08-06 - Microsoft Security Update MS08-067
    procexp - "Process Explorer" program
    procmon - "Process Monitor" program
    regmon - "Registry Monitor" program
    scct_ - Sophos Conficker Cleanup tool
    * stinger - McAfee tool
    sysclean - Trend Micro tool
    tcpview - tool used to view TCP connection and traffic
    unlocker - tool used to unlock locked files or folders
    wireshark - network protocol analyzer tool
     
    Blocks Access to Web Sites
    Win32/Conficker.D hooks DNSAPI.DLL to prevent access to Web sites containing the following strings in the URL (note: for "*", see the Additional Information section):
     
    * activescan
    * adware
    agnitum
    ahnlab
    anti-
    antivir
    arcabit
    * av-sc
    avast
    avgate
    avira
    * bdtools
    bothunter
    castlecops
    ccollomb
    centralcommand
    clamav
    comodo
    computerassociates
    conficker
    cpsecure
    cyber-ta
    defender
    downad
    drweb
    dslreports
    emsisoft
    esafe
    eset
    etrust
    ewido
    f-prot
    f-secure
    fortinet
    free-av
    freeav
    gdata
    grisoft
    hackerwatch
    hacksoft
    hauri
    ikarus
    jotti
    k7computing
    kaspersky
    kido
    malware
    mcafee
    microsoft
    mirage
    * mitre.
    * ms-mvp
    msftncsi
    msmvps
    mtc.sri
    networkassociates
    nod32
    norman
    norton
    onecare
    panda
    pctools
    * precisesecurity
    prevx
    ptsecurity
    quickheal
    removal
    rising
    rootkit
    safety.live
    securecomputing
    secureworks
    sophos
    spamhaus
    spyware
    sunbelt
    symantec
    technet
    threat
    threatexpert
    trendmicro
    trojan
    virscan
    virus
    wilderssecurity
    windowsupdate
     
    Win32/Conficker.D may cause browser time-outs when a user attempts to access Web sites with URLs containing any of the following strings:
     
    avg.
    avp.
    bit9.
    ca.
    cert.
    gmer.
    kav.
    llnw.
    llnwd.
    msdn.
    msft.
    nai.
    sans.
    vet.

    Aliases

    • Win32/Conficker.worm.88064 (AhnLab)
    • Win32.Worm.Downadup.Gen (BitDefender)
    • Win32/Conficker.C (CA)
    • Win32/Conficker.X (ESET)
    • Trojan.Win32.Pakes.ngs (Kaspersky)
    • W32/Conficker.worm.gen.c (McAfee)
    • W32/Conficker.D.worm (Panda)
    • W32/Confick-G (Sophos)
    • W32.Downadup.C (Symantec)


    Symptoms

    System Changes
    The following system changes may indicate the presence of this malware:
    • The lack of response from, or the termination of, the following services:
      • Windows Security Center Service (wscsvc) – notifies users of security settings (e.g. Windows update, Firewall and Antivirus)
      • Windows Update Auto Update Service (wuauserv)
      • Background Intelligence Transfer Service (BITS) – used by Windows Update to download updates using idle network bandwidth
      • Windows Defender (WinDefend)
      • Error Reporting Service (ersvc) – sends error reports to Microsoft to help improve user experience
      • Windows Error Reporting Service (wersvc)
    • Users may not be able to run applications containing the following strings:

      autoruns
      avenger
      bd_rem
      cfremo
      confick
      downad
      filemon
      gmer
      hotfix
      kb890
      kb958
      kido
      kill
      klwk
      mbsa.
      mrt.
      mrtstub
      ms08-06
      procexp
      procmon
      regmon
      scct_
      stinger
      sysclean
      tcpview
      unlocker
      wireshark
    • Users may not be able to browse certain security-related Web sites with URLs that contain any of the following strings:

      activescan
      adware
      agnitum
      ahnlab
      anti-
      antivir
      arcabit
      av-sc
      avast
      avgate
      avira
      bdtools
      bothunter
      castlecops
      ccollomb
      centralcommand
      clamav
      comodo
      computerassociates
      conficker
      cpsecure
      cyber-ta
      defender
      downad
      drweb
      dslreports
      emsisoft
      esafe
      eset
      etrust
      ewido
      f-prot
      f-secure
      fortinet
      free-av
      freeav
      gdata
      grisoft
      hackerwatch
      hacksoft
      hauri
      ikarus
      jotti
      k7computing
      kaspersky
      kido
      malware
      mcafee
      microsoft
      mirage
      mitre.
      ms-mvp
      msftncsi
      msmvps
      mtc.sri
      networkassociates
      nod32
      norman
      norton
      onecare
      panda
      pctools
      precisesecurity
      prevx
      ptsecurity
      quickheal
      removal
      rising
      rootkit
      safety.live
      securecomputing
      secureworks
      sophos
      spamhaus
      spyware
      sunbelt
      symantec
      technet
      threat
      threatexpert
      trendmicro
      trojan
      virscan
      virus
      wilderssecurity
      windowsupdate
    • Users may experience a Web browser time-out error when attempting to access URLs containing the following strings:

      avg.
      avp.
      bit9.
      ca.
      cert.
      gmer.
      kav.
      llnw.
      llnwd.
      msdn.
      msft.
      nai.
      sans.
      vet.

    Regards,

    Victor Homocea

    Thursday, March 25, 2010 7:44 AM
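A host-side check for the three symptom classes quoted above (stopped services, selective DNS failure, termination of tools by name), added here as an example and not part of the post or of Microsoft's research note. It assumes PowerShell 2.0 or later in an administrator session on the suspect machine, that the constructed probe hostnames are normally resolvable from your network, and that .NET name lookups pass through the hooked DNSAPI.DLL as a browser's do.

```powershell
# Added example: checks a Windows host for the three symptom classes described in the note.
# Assumes PowerShell 2.0+ and an administrator session. Probe hostnames are constructed.
$services = 'wscsvc','wuauserv','BITS','WinDefend','ersvc','wersvc'   # services the note says are stopped
# Names containing strings on the DNSAPI.DLL block list ("microsoft", "symantec", "kaspersky"),
# plus a control name that matches nothing on the list.
$blockedProbes = 'www.microsoft.com','www.symantec.com','www.kaspersky.com'
$controlProbe  = 'www.example.com'   # assumption: resolvable from your network

function Test-ServiceState {
    # Returns one "name status" line per service; 'Missing' means the service is not installed.
    foreach ($name in $services) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        $status = if ($svc) { $svc.Status } else { 'Missing' }
        '{0,-10} {1}' -f $name, $status
    }
}

function Test-NameResolution {
    # Selective failure (control resolves, vendor names do not) is the tell; a total DNS
    # outage fails everything and points elsewhere. Assumption: GetHostAddresses uses the
    # same resolver path as a browser, so the hooked DNSAPI.DLL affects it too.
    $results = @{}
    foreach ($h in ($blockedProbes + $controlProbe)) {
        try   { [void][System.Net.Dns]::GetHostAddresses($h); $results[$h] = 'ok' }
        catch { $results[$h] = 'FAIL' }
    }
    $results
}

function Test-ProcessCanary {
    # Runs a harmless copy of notepad.exe under a name containing 'procexp' and reports whether
    # something killed it within five seconds (the note says the kill loop runs every second).
    $canary = Join-Path $env:TEMP 'procexp_canary.exe'
    Copy-Item (Join-Path $env:SystemRoot 'System32\notepad.exe') $canary -Force
    $p = Start-Process -FilePath $canary -WindowStyle Hidden -PassThru
    Start-Sleep -Seconds 5
    $killed = $p.HasExited
    if (-not $killed) { Stop-Process -Id $p.Id -Force }
    Remove-Item $canary -Force -ErrorAction SilentlyContinue
    $killed
}

'== Services =='; Test-ServiceState
'== DNS ==';      $dns = Test-NameResolution
$dns.GetEnumerator() | Sort-Object Name | ForEach-Object { '{0,-20} {1}' -f $_.Name, $_.Value }
$vendorFailed = @($blockedProbes | Where-Object { $dns[$_] -eq 'FAIL' }).Count
$selective    = ($dns[$controlProbe] -eq 'ok') -and ($vendorFailed -gt 0)
'== Process canary =='; $canaryKilled = Test-ProcessCanary
"Selective DNS blocking: $selective   Canary killed: $canaryKilled"
```

A stopped service or a failed vendor lookup on its own has many benign causes; the combination of all three findings on one host is what should trigger isolation and a scan.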

All replies

  • ??? I'm afraid it's actually been a year since Conficker.D now :)


    Oguzhan Filizlibay | Security Escalation Engineer | Microsoft EMEA CSS Security
    Thursday, March 25, 2010 4:49 PM
  • Hi Oguzhan,

    I must admit that you are right! (I didn't pay any attention to the year) :)

    Can we delete the post just not to misinform other users?

    PS: I didn't know about the .D version and its modifications until now. We still have some A and B versions across our network...

    Regards,

    Victor

    Friday, March 26, 2010 6:07 AM
  • We have this on our network and it is causing user account lockouts in AD. Is there a way to reset the local machine administrator password for all the machines in the domain using Group Policy? Is there any tool to find out which machines are causing the user account lockouts?

    Wednesday, October 10, 2012 9:02 PM