
Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.


Conficker.A

Threat Level: Moderate threat
Damage: High
Distribution: Not widespread

Effects 

Conficker.A is designed to download the rogue antimalware detected as Adware/Antivirus2009 to the affected computer. To do so, it exploits a vulnerability in the Windows Server service that allows remote code execution: the vulnerability described in MS08-067.

Infection strategy 

Conficker.A creates a DLL (Dynamic Link Library) with a random name in the Windows system directory.

Conficker.A creates the following entry in the Windows Registry:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netsvcs\Parameters
    ServiceDll = %sysdir%\%random name%.dll
    where %sysdir% is the Windows system directory.

Means of transmission 

Conficker.A spreads by exploiting MS08-067, a vulnerability in the Windows Server service. To do so, it follows the routine below:

  • It connects to the following websites in order to obtain IP addresses:
    http://www.getmyip.org
    http://getmyip.co.uk
    http://checkip.dyndns.org
  • It scans the IP addresses it has gathered for computers that have port 445 open. This port belongs to the RPC service, which is the vulnerable component.
  • If it finds any, it downloads a copy of itself to the attacked computer.
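As an added detection example (not part of the Panda entry), the following Python script applies the two-step routine above to a constructed connection log: it flags a host that first resolves one of the three IP-lookup sites and then contacts many distinct hosts on TCP 445. The log format, the sample addresses and the threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample connection log (not from the Panda page). Format, per line:
# "<time> <src_ip> <dns|tcp> <destination> <port>".  10.0.0.5 follows the
# Conficker.A routine (IP-lookup site, then many hosts on 445); 10.0.0.7 did a
# lookup but only one SMB connection; 10.0.0.9 is a normal SMB client.
SAMPLE_LOG = "\n".join(
    ["10:00:01 10.0.0.5 dns checkip.dyndns.org 53",
     "10:00:02 10.0.0.5 tcp 203.0.113.7 80",
     "10:00:03 10.0.0.7 dns www.getmyip.org 53",
     "10:00:04 10.0.0.7 tcp 10.0.0.20 445"]
    + [f"10:00:{5 + i:02d} 10.0.0.5 tcp 198.51.100.{i + 1} 445" for i in range(10)]
    + [f"10:00:{20 + i:02d} 10.0.0.9 tcp 10.0.0.{20 + i} 445" for i in range(3)]
)

# The three public IP-lookup sites named in the Panda description.
IP_LOOKUP_HOSTS = {"www.getmyip.org", "getmyip.co.uk", "checkip.dyndns.org"}
LINE_RE = re.compile(r"^(\S+) (\S+) (dns|tcp) (\S+) (\d+)$")


def parse(log):
    """Parse log text into (time, src, proto, dst, port) tuples; skip malformed lines."""
    rows = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, proto, dst, port = m.groups()
            rows.append((ts, src, proto, dst, int(port)))
    return rows


def find_scanners(log, min_targets=5):
    """Return {src_ip: distinct_445_targets} for hosts that (a) resolved one of the
    IP-lookup sites and (b) afterwards contacted >= min_targets distinct hosts on
    TCP 445, i.e. the two-step routine described for Conficker.A.  Events are taken
    in log order, so 445 connections made before the lookup are not counted."""
    looked_up = set()
    smb_targets = defaultdict(set)
    for _ts, src, proto, dst, port in parse(log):
        if proto == "dns" and dst in IP_LOOKUP_HOSTS:
            looked_up.add(src)
        elif proto == "tcp" and port == 445 and src in looked_up:
            smb_targets[src].add(dst)
    return {src: len(t) for src, t in smb_targets.items() if len(t) >= min_targets}


if __name__ == "__main__":
    for host, n in find_scanners(SAMPLE_LOG).items():
        print(f"{host}: IP-lookup followed by SMB connections to {n} distinct hosts")
```

Lowering min_targets trades fewer missed slow scanners for more false positives from hosts that legitimately reach a handful of file servers.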

Further Details  

Conficker.A is 62,976 bytes in size and it is compressed with UPX.

Additionally, it attempts to download the files GEOIP.DAT.GZ and GEOIP.DAT from the following website:

http://www.maxmind.com

These files are not malicious; they belong to a program that locates IP addresses geographically. Conficker.A uses this program to obtain information about the geographical area of the attacked IP addresses.