Hello!

You’re about to visit our web page in English
Would you like to continue?

Yes, I want to visit the web page in English No, I want to visit the web page in

If this is not what you’re looking for,

Visit our Welcome Page!

My Account

Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.

Conficker.C

 
Threat LevelHigh threat
DamageHigh
DistributionModerately widespread

At a glance

Common name:Conficker.C
Technical name:W32/Conficker.C.worm
Threat level:High
Alias:WORM_DOWNAD.AD,W32.Downadup,Net-Worm.Win32.Kido.cn,
Type:Worm
Effects:  

It exploits the vulnerability MS08-067 in the Windows Server Service in order to spread itself. It also spreads through shared and removable drives. It reduces considerably the protection level of the computer, modifies the security policies of the user accounts and attempts to download another type of malware to the affected computer.

Affected platforms:

Windows 2003/XP/2000/NT/ME/98/95

First detected on:Dec. 31, 2008
Detection updated on:June 18, 2010
StatisticsNo
Proactive protection:
Yes, using TruPrevent Technologies

Brief Description 

    

Conficker.C is a worm which exploits a vulnerability in the Windows Server Service which allows remote code execution. It is the vulnerability MS08-067.

If the system date is after January 1, 2009, it will try to connect to a certain website in order to download and run another type of malware in the affected computer.

On the one hand, it reduces considerably the protection level of the computer, as it prevents the user and the computer from connecting to many websites related to antivirus companies.

On the other, it uses weak passwords to access the user accounts in order to modify their security policies.

Conficker.C spreads by exploiting the vulnerability MS08-067. In order to do so, it sends malformed RPC requests to other computers in which it attempts to enter a copy of itself. Additionally, it spreads through shared and removable drives.

 

It is highly recommended to download and apply the security patch for the vulnerability MS08-067. Access the web page for downloading the patch.

Visible Symptoms 

    

Conficker.C is difficult to recognize, as it does not display any messages or warnings that indicate it has reached the computer.

>

>

>

Tech details

Effects

Conficker.C is designed to spread by exploiting a vulnerability in the Windows Server Service which allows remote code execution. It is the vulnerability MS08-067.

Additionally, Conficker.C carries out the following actions:

  • It checks the system date in the following web addresses:
    Ask.com
    Google.com
    Baidu.com
    Yahoo.com
    W3.org
    and if the system date is after January 1, 2009, it will attempt to connect to a website in order to download a malicious executable file. The website to which it connects varies depending on the system date.
  • It disables the following services:
    - Windows update, disabling the Windows updates.
    - BITS (Background Intelligent Transfer Service), which is a service to transfer Windows files.
    - Error reporting service, which allows to send Microsoft information about errors occurring in the operating system, Windows components and programs.
  • It prevents the user and the computer from connecting to the websites that contain any of the following text strings:
    ahnlab
    arcabit
    avast
    avg
    avira
    avp
    bit9
    ca
    castlecops
    centralcommand
    cert
    clamav
    comodo
    computerassociates
    cpsecure
    defender
    drweb
    emsisoft
    esafe
    eset
    etrust
    ewido
    fortinet
    f-prot
    f-secure
    gdata
    grisoft
    hacksoft
    hauri
    ikarus
    jotti
    k7computing
    kaspersky
    malware
    mcafee
    microsoft
    nai
    networkassociates
    nod32
    norman
    norton
    panda
    pctools
    prevx
    quickheal
    rising
    rootkit
    sans
    securecomputing
    sophos
    spamhaus
    spyware
    sunbelt
    symantec
    threatexpert
    trendmicro
    vet
    virus
    wilderssecurity
    windowsupdate
    As they are security related websites, the antivirus programs could not be updated and the user could not access the information of these pages.
  • It modifies the security policies of the user accounts. In order to access the user accounts, it uses the following weak passwords:
    0123456789
    00000, 0000000, 00000000, 0987654321, 11111, 111111, 1111111, 11111111, 123123, 12321, 123321, 12345, 123456, 1234567, 12345678, 123456789, 1234567890, 1234abcd, 1234qwer, 123abc, 123asd, 123qwe, 1q2w3e, 22222, 222222, 2222222, 22222222, 33333, 333333, 3333333, 33333333, 44444, 444444, 4444444, 44444444, 54321, 55555, 555555, 5555555, 55555555, 654321, 66666, 666666, 6666666, 66666666, 7654321, 77777, 777777, 7777777, 77777777, 87654321, 88888, 888888, 8888888, 88888888, 987654321, 99999, 999999, 9999999, 99999999.
    A
    a1b2c3, aaaaa, abc123, academia, access, account, Admin, admin, admin1, admin12, admin123, adminadmin, administrator, anything, asddsa, asdfgh, asdsa, asdzxc.

    B
    backup, boss123, business.

    C
    campus, changeme, cluster, codename, codeword, coffee, computer, controller, cookie, customer.

    D
    database, default, desktop, domain.

    E
    example, exchange, explorer.

    F
    files, foobar, foofoo, forever, freedom.

    G
    games.

    H
    home123.

    I
    ihavenopass, Internet, internet, intranet.

    K
    killer.

    L
    letitbe, letmein, Login, login, lotus, love123.

    M
    manager, market, money, monitor, mypass, mypassword, mypc123.

    N
    nimda, nobody, nopass, nopassword, nothing.

    O
    office, oracle, owner.

    P
    pass1, pass12, pass123, passwd, Password, password, password1, password12, password123, private, public, pw123.

    Q
    q1w2e3, qazwsx, qazwsxedc, qqqqq, qwe123, qweasd, qweasdzxc, qweewq, qwerty, qwewq.

    R
    root123, rootroot.

    S
    sample, secret, secure, security, server, shadow, share, student, super, superuser, supervisor, system.

    T
    temp123, temporary, temptemp, test123, testtest.

    U
    unknown.

    W
    windows, work123.

    X
    xxxxx.

    Z
    zxccxz, zxcvb, zxcvbn, zxcxz, zzzzz.

Infection strategy 

Conficker.C creates a random DLL in the Windows system directory. This file is created with system, read-only and hidden attributes.

It also creates a file with random name and VMX extension in the folder RECYCLER\%random name% of all the shared and removable drives of the computer. It is copied with system, read-only and hidden attributes. Additionally, it creates an AUTORUN.INF file in these drives. This way, it is run whenever any of them is accessed.

On the other hand, it creates a scheduled task in the folder Tasks of the Windows directory in order to start its execution periodically.

 

Conficker.C creates the following entries in the Windows Registry:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    %random name% = rundll32.exe %letra unidad%\RECYCLER\%random name%\%random filename.vmx
    By creating this entry, Conficker.C ensures that it is run whenever Windows is started.
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    TcpNumConnections = 0x00FFFFFE
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
    Services\netsvcs
    Image Path = %sysdir%\svchost.exe -k netsvcs
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
    Services\netsvcs\Parameters
    ServiceDll = %name of the drive%\RECYCLER\%random name%\%random filename%.vmx
    By creating these two entries, it is registered as a service.

 

Conficker.C modifies the following entries from the Windows Registry in order to make its detection more difficult:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL
    CheckedValue = 1
    It changes this entry to:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL
    CheckedValue = 0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    SuperHidden = 1
    It changes this entry to:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    SuperHidden = 0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    Hidden = 1
    It changes this entry to:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    Hidden = 0
    It hides the files and folders with hidden attribute.

Means of transmission 

Conficker.C spreads by exploiting the vulnerability called MS08-067, which is a vulnerability in the Windows server service. In order to do so, it sends malformed RPC requests to other computers. If any of them is vulnerable, it will download a copy of the worm to the system.

Additionally, Conficker.C also spreads through the system drives, both shared and removable, making copies of itself in them. It also creates an AUTORUN.INF file in order to be run whenever any of them is accessed.

Further Details  

Conficker.C is 167,765 bytes in size.

Solution

See solution

Anytech logo

Call us 24/7 and get a FREE DIAGNOSIS

+1 (323) 395 2630

logo

Panda Security, a WatchGuard Technologies brand, offers the most advanced protection for your family and business. Its Panda Dome range provides maximum security against viruses, ransomware and computer espionage, and is compatible with Windows, Mac, Android and iOS.

    About Panda
    Company Info Reviews Awards and certifications Panda Worldwide Blog Security Info
    Home Users
    Panda Dome portfolio Customer Login Page Online Antivirus Downloads Free Antivirus Free VPN Offers
    Business - WatchGuard Technologies
    WatchGuard Endpoint Security Network Security Authpoint MFA Secure Wi-Fi Partners
    Visa Master Card Maestro Pay Pal Apple Pay
    Bank Transfer iDeal Klarna
    Privacy Policy Legal Notice Cookie Policy Return Policy