
Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.


Conficker.D

 
Threat Level: Moderate threat
Damage: High
Distribution: Not widespread

Effects 

Conficker.D is designed to spread by exploiting a vulnerability in the Windows Server service which allows remote code execution: MS08-067 (CVE-2008-4250).

Additionally, Conficker.D carries out the following actions:

  • It obtains the current date from the following web sites, rather than trusting the local clock, which the user could set back:
    Ask.com
    Google.com
    Baidu.com
    Yahoo.com
    W3.org

    If the date is after April 1, 2009, the worm attempts to connect to a website in order to download a malicious executable file.
  • It disables the following services:
    - Windows Update (wuauserv), so that the patch for MS08-067 and later security updates are no longer installed.
    - BITS (Background Intelligent Transfer Service), the file-transfer service that Windows Update relies on to download updates.
    - Error Reporting Service, which sends Microsoft information about errors occurring in the operating system, Windows components and programs.
  • It hooks the following API functions in order to filter DNS lookups and outgoing traffic, and so control which websites the user can reach:
    - DnsQuery_A (dnsapi.dll)
    - DnsQuery_UTF8 (dnsapi.dll)
    - DnsQuery_W (dnsapi.dll)
    - Query_Main (dnsapi.dll)
    - sendto (ws2_32.dll)
  • It prevents the user and the computer from connecting to websites whose host name contains any of the following text strings (a case-insensitive substring match, so short entries such as "ca" or "vet" also block unrelated sites):
    ahnlab
    anti-
    antivir
    arcabit
    avast
    avg
    avgate
    avira
    avp
    bit9
    bothunter
    ca
    castlecops
    ccollomb
    centralcommand
    cert
    clamav
    comodo
    computerassociates
    cpsecure
    cyber-ta
    defender
    drweb
    dslreports
    emsisoft
    esafe
    eset
    etrust
    ewido
    fortinet
    f-prot
    freeav
    free-av
    f-secure
    gdata
    gmer
    grisoft
    hackerwatch
    hacksoft
    hauri
    ikarus
    jotti
    k7computing
    kaspersky
    kav
    llnw
    llnwd
    malware
    mcafee
    microsoft
    mirage
    msdn
    msft
    msftncsi
    msmvps
    mtc.sri
    nai
    networkassociates
    nod32
    norman
    norton
    onecare
    panda
    pctools
    prevx
    ptsecurity
    quickheal
    removal
    rising
    rootkit
    safety.live
    sans
    securecomputing
    secureworks
    sophos
    spamhaus
    spyware
    sunbelt
    symantec
    technet
    threat
    threatexpert
    trendmicro
    trojan
    vet
    virscan
    virus
    wilderssecurity
    windowsupdate
    As these are security-related websites, antivirus programs can no longer download updates and the user cannot reach the removal instructions published on these pages.
  • It terminates any process whose name contains any of the following text strings:
    agnitum
    autoruns
    avenger
    confick
    downad
    filemon
    gmer
    hotfix
    kb890
    kb958
    kido
    klwk
    mbsa.
    mrt.
    mrtstub
    ms08-06
    procexp
    procmon
    regmon
    scct_
    sysclean
    tcpview
    unlocker
    wireshark
    These names belong to security products, to Microsoft patching and cleanup tools (kb958 matches the installer of KB958644, the MS08-067 patch; mrt. and kb890 the Malicious Software Removal Tool; mbsa. the Baseline Security Analyzer) and to analysis tools such as Process Explorer, Process Monitor, TCPView, GMER, Autoruns and Wireshark. The protection level of the computer is therefore considerably reduced, and diagnosing the infection from the machine itself becomes difficult.
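The two lists above are plain substring filters, which is what makes the infection detectable from the outside: on an infected machine every name matching the list fails to resolve while any other name resolves normally. The following Python is an added example, not code from the Panda page; it reimplements the page's two lists as checks you can run offline against your own DNS query logs and process listings. The DNS log lines, host names and the likely_filtered heuristic are constructed for the example.

```python
"""Offline triage with the Conficker.D host-filter and process-kill lists.

Added example (not from the Panda page). Both lists are copied from the
page; matching is case-insensitive substring, exactly as the worm does it.
"""
import re
from typing import Dict, List, Optional, Tuple

# Hostname substrings the worm blocks (any lookup whose name contains one fails).
BLOCKED_HOST_SUBSTRINGS = """
ahnlab anti- antivir arcabit avast avg avgate avira avp bit9 bothunter ca
castlecops ccollomb centralcommand cert clamav comodo computerassociates
cpsecure cyber-ta defender drweb dslreports emsisoft esafe eset etrust ewido
fortinet f-prot freeav free-av f-secure gdata gmer grisoft hackerwatch
hacksoft hauri ikarus jotti k7computing kaspersky kav llnw llnwd malware
mcafee microsoft mirage msdn msft msftncsi msmvps mtc.sri nai
networkassociates nod32 norman norton onecare panda pctools prevx ptsecurity
quickheal removal rising rootkit safety.live sans securecomputing secureworks
sophos spamhaus spyware sunbelt symantec technet threat threatexpert
trendmicro trojan vet virscan virus wilderssecurity windowsupdate
""".split()

# Process-name substrings the worm terminates.
KILLED_PROCESS_SUBSTRINGS = """
agnitum autoruns avenger confick downad filemon gmer hotfix kb890 kb958 kido
klwk mbsa. mrt. mrtstub ms08-06 procexp procmon regmon scct_ sysclean tcpview
unlocker wireshark
""".split()


def first_match(name: str, substrings: List[str]) -> Optional[str]:
    """Return the first substring contained in name (case-insensitive), else None."""
    lowered = name.lower()
    for s in substrings:
        if s in lowered:
            return s
    return None


def blocked_host_match(hostname: str) -> Optional[str]:
    """Which list entry (if any) would make the worm block this host name."""
    return first_match(hostname, BLOCKED_HOST_SUBSTRINGS)


def targeted_process_match(process_name: str) -> Optional[str]:
    """Which list entry (if any) would make the worm kill this process."""
    return first_match(process_name, KILLED_PROCESS_SUBSTRINGS)


# Constructed DNS query log (not a real capture): time client qname outcome.
SAMPLE_DNS_LOG = """\
12:00:01 10.0.0.7 www.google.com OK
12:00:02 10.0.0.7 update.symantec.com FAIL
12:00:03 10.0.0.7 www.microsoft.com FAIL
12:00:04 10.0.0.7 www.cabana-travel.example OK
12:00:05 10.0.0.7 update.example.org OK
"""
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(OK|FAIL)$")


def triage_dns_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (qname, matched_substring, outcome) for every query the filter would block.

    A blocked name that still resolved (outcome OK) shows the host is not
    filtered; a run of FAILs on exactly these names is the infection pattern.
    """
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        qname, outcome = m.group(3), m.group(4)
        s = blocked_host_match(qname)
        if s:
            hits.append((qname, s, outcome))
    return hits


def likely_filtered(results: Dict[str, bool]) -> bool:
    """Hypothetical heuristic over {hostname: resolved?} probe results.

    True when every name on the block list failed while at least one control
    name (not on the list) succeeded, i.e. failures are selective, not a
    general DNS outage.
    """
    filtered = [ok for h, ok in results.items() if blocked_host_match(h)]
    control = [ok for h, ok in results.items() if not blocked_host_match(h)]
    return bool(filtered) and not any(filtered) and any(control)


if __name__ == "__main__":
    for qname, why, outcome in triage_dns_log(SAMPLE_DNS_LOG):
        print(f"{qname}: matches '{why}', lookup {outcome}")
```

Note that www.cabana-travel.example is flagged only because it contains "ca": the worm's filter over-blocks, so a probe set should mix clearly security-related names with control names that match none of the substrings.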

Infection strategy 

Conficker.D creates a copy of itself with a random name in one of the following locations:

  • in the folder Internet Explorer of the Program files directory.
  • in the folder Movie Maker of the Program files directory.
  • in the folder Windows Media Player of the Program files directory.

 

Additionally, it creates a DLL with a random name in the Windows system directory.

 

Conficker.D creates the following entries in the Windows Registry:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    %random name% = rundll32.exe %random name of the DLL%,%export%
    By creating this entry, Conficker.D ensures that it is run whenever the user logs on.
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%random service%
    ImagePath = %sysdir%\svchost.exe -k netsvcs
    where %sysdir% is the Windows system directory.
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%random service%\Parameters
    ServiceDll = %path of the copy of the worm%
    By creating these two entries, it is registered as a service hosted in the netsvcs svchost.exe group: the worm DLL is loaded into a svchost.exe process at startup and does not appear as a separate process in the task list.
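The service entries above are the durable part of the infection and the easiest to audit, because a DLL hosted by "svchost.exe -k netsvcs" must be named in a Parameters\ServiceDll value. The following Python is an added example, not code from the Panda page: it parses text in the shape of a `reg query HKLM\SYSTEM\CurrentControlSet\Services /s` export (run on the suspect machine and copied off for analysis) and flags netsvcs-hosted services whose ServiceDll is either in one of the Program Files folders the page names or not in a baseline of known service DLLs. The export, the random service names and the partial baseline are constructed for the example.

```python
"""Flag netsvcs-hosted services whose ServiceDll is not where Windows put it.

Added example (not from the Panda page). Input is the text output of
`reg query HKLM\SYSTEM\CurrentControlSet\Services /s`; the sample below is
constructed, and the baseline set is a hypothetical partial allowlist.
"""
import re
from typing import Dict, List, Tuple

# Key lines we care about: the service key itself or its Parameters subkey.
# Other subkeys (Security, Enum, ...) are ignored so their values are not merged.
KEY_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\\]+)"
    r"(?:\\Parameters)?$", re.IGNORECASE)
# Value lines: "    Name    REG_TYPE    data"
VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$")

# Hypothetical partial baseline of DLLs Windows itself hosts under netsvcs.
# In real use, export this set from a known-clean machine of the same build.
BASELINE_NETSVCS_DLLS = {
    "browser.dll", "wkssvc.dll", "schedsvc.dll", "wuauserv.dll", "qmgr.dll",
    "wscsvc.dll", "srvsvc.dll",
}

# Program Files folders the page names as drop locations for the worm's copies.
SUSPECT_DIRS = (
    "\\program files\\internet explorer\\",
    "\\program files\\movie maker\\",
    "\\program files\\windows media player\\",
)

# Constructed export with two fictitious random-named services (qxyzt, mkwvb)
# registered the way the page describes, beside two legitimate ones.
SAMPLE_EXPORT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser
    Type    REG_DWORD    0x20
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\system32\svchost.exe -k netsvcs

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\System32\browser.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Security
    Security    REG_BINARY    01001480

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\qxyzt
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\system32\svchost.exe -k netsvcs

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\qxyzt\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\System32\fsmwdg.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mkwvb
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\system32\svchost.exe -k netsvcs

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mkwvb\Parameters
    ServiceDll    REG_EXPAND_SZ    C:\Program Files\Movie Maker\tqzpa.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\system32\spoolsv.exe
"""


def parse_services(export: str) -> Dict[str, Dict[str, str]]:
    """Map each service name (lower-case) to its values, with Parameters merged in."""
    services: Dict[str, Dict[str, str]] = {}
    current = None
    for line in export.splitlines():
        stripped = line.strip()
        if stripped.upper().startswith("HKEY_"):
            km = KEY_RE.match(stripped)
            current = km.group(1).lower() if km else None
            if current is not None:
                services.setdefault(current, {})
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            services[current][vm.group(1).lower()] = vm.group(3).strip()
    return services


def flag_suspicious(services: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (service, ServiceDll, reason) for netsvcs services with an unexpected DLL."""
    findings = []
    for name, values in services.items():
        image = values.get("imagepath", "").lower()
        if "svchost.exe" not in image or "-k netsvcs" not in image:
            continue  # not hosted in the netsvcs group; outside this check's scope
        dll = values.get("servicedll", "")
        low = dll.lower()
        if not dll:
            findings.append((name, dll, "netsvcs service without a ServiceDll value"))
        elif any(d in low for d in SUSPECT_DIRS):
            findings.append((name, dll, "ServiceDll in a Program Files folder the worm drops into"))
        elif low.rsplit("\\", 1)[-1] not in BASELINE_NETSVCS_DLLS:
            findings.append((name, dll, "ServiceDll not in the netsvcs baseline"))
    return findings


if __name__ == "__main__":
    for svc, dll, why in flag_suspicious(parse_services(SAMPLE_EXPORT)):
        print(f"{svc}: {dll} ({why})")
```

The baseline is the weak point of this check: a DLL name the worm happens to pick is random, so an allowlist from a clean machine of the same Windows build is what separates a planted service from a legitimate one you simply forgot to list.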

 

Conficker.D deletes the following entries from the Windows Registry:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Windows Defender

    This prevents Windows Defender from being run when Windows is started.
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects\{FD6905CE-952F-41F1-9A6F-135D9C6622CC}
    This is the Windows Security Center notification object; removing it silences the Windows Security Alert warnings that would otherwise tell the user that antivirus protection or automatic updates are turned off.

 

Conficker.D deletes the subkeys from the following Windows Registry entry, in order to prevent the computer from being restarted in Safe mode:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot

Means of transmission 

Conficker.D spreads using the following means:

1.- Propagation through vulnerabilities.

Conficker.D spreads by exploiting the vulnerability called MS08-067, which is a vulnerability in the Windows Server service. In order to do so, it follows the routine below:

  • It connects to the following websites in order to learn its own public IP address (each of them echoes back the address the request came from):
    http://www.getmyip.org
    http://getmyip.co.uk
    http://checkip.dyndns.org
  • It scans other IP addresses in search of computers with TCP port 445 open. This port carries SMB, over which the RPC interface of the Server service, the vulnerable component, is reached.
  • If it finds one, it sends the MS08-067 exploit; the exploit payload makes the attacked computer download a copy of the worm from the attacking computer and run it.

 

2.- Propagation through system drives.

Conficker.D also spreads through mapped, shared and removable drives, copying itself to each of them.

Further Details  

Conficker.D is written in the programming language Visual C++. This worm is 83,456 bytes in size.