Conficker.C
Effects
Conficker.C is designed to spread by exploiting MS08-067, a vulnerability in the Windows Server service that allows remote code execution.
Additionally, Conficker.C carries out the following actions:
- It checks the current date via the following websites:
Ask.com
Google.com
Baidu.com
Yahoo.com
W3.org
If the date is after January 1, 2009, it attempts to connect to a website in order to download a malicious executable file. The website it connects to depends on the date.
- It disables the following services:
- Windows Update, so that Windows updates are no longer installed.
- BITS (Background Intelligent Transfer Service), the background file-transfer service that Windows Update relies on.
- Error Reporting service, which sends Microsoft information about errors in the operating system, Windows components and programs.
- It prevents the user and the computer from connecting to websites whose addresses contain any of the following text strings:
ahnlab
arcabit
avast
avg
avira
avp
bit9
ca
castlecops
centralcommand
cert
clamav
comodo
computerassociates
cpsecure
defender
drweb
emsisoft
esafe
eset
etrust
ewido
fortinet
f-prot
f-secure
gdata
grisoft
hacksoft
hauri
ikarus
jotti
k7computing
kaspersky
malware
mcafee
microsoft
nai
networkassociates
nod32
norman
norton
panda
pctools
prevx
quickheal
rising
rootkit
sans
securecomputing
sophos
spamhaus
spyware
sunbelt
symantec
threatexpert
trendmicro
vet
virus
wilderssecurity
windowsupdate
Since these are security-related websites, antivirus programs can no longer update and the user cannot reach the information on these pages. Because the match is on substrings of the address, short entries such as ca, vet, cert and nai also block unrelated sites that happen to contain them.
- It modifies the security policies of the user accounts. To gain access to the user accounts, it tries the following weak passwords:
0123456789
00000, 0000000, 00000000, 0987654321, 11111, 111111, 1111111, 11111111, 123123, 12321, 123321, 12345, 123456, 1234567, 12345678, 123456789, 1234567890, 1234abcd, 1234qwer, 123abc, 123asd, 123qwe, 1q2w3e, 22222, 222222, 2222222, 22222222, 33333, 333333, 3333333, 33333333, 44444, 444444, 4444444, 44444444, 54321, 55555, 555555, 5555555, 55555555, 654321, 66666, 666666, 6666666, 66666666, 7654321, 77777, 777777, 7777777, 77777777, 87654321, 88888, 888888, 8888888, 88888888, 987654321, 99999, 999999, 9999999, 99999999.
A
a1b2c3, aaaaa, abc123, academia, access, account, Admin, admin, admin1, admin12, admin123, adminadmin, administrator, anything, asddsa, asdfgh, asdsa, asdzxc.
B
backup, boss123, business.
C
campus, changeme, cluster, codename, codeword, coffee, computer, controller, cookie, customer.
D
database, default, desktop, domain.
E
example, exchange, explorer.
F
files, foobar, foofoo, forever, freedom.
G
games.
H
home123.
I
ihavenopass, Internet, internet, intranet.
K
killer.
L
letitbe, letmein, Login, login, lotus, love123.
M
manager, market, money, monitor, mypass, mypassword, mypc123.
N
nimda, nobody, nopass, nopassword, nothing.
O
office, oracle, owner.
P
pass1, pass12, pass123, passwd, Password, password, password1, password12, password123, private, public, pw123.
Q
q1w2e3, qazwsx, qazwsxedc, qqqqq, qwe123, qweasd, qweasdzxc, qweewq, qwerty, qwewq.
R
root123, rootroot.
S
sample, secret, secure, security, server, shadow, share, student, super, superuser, supervisor, system.
T
temp123, temporary, temptemp, test123, testtest.
U
unknown.
W
windows, work123.
X
xxxxx.
Z
zxccxz, zxcvb, zxcvbn, zxcxz, zzzzz.
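Working through the dictionary above against accounts on the network is loud: every wrong guess is a failed logon on the target. The following PowerShell is an added example, not part of the Panda write-up, that groups failed logons by source to spot one host trying many passwords against many accounts in a short window. It assumes that logon-failure auditing is enabled, so each attempt is recorded as Security event 4625, and that the script can read the Security log; the thresholds, function names and the sample events are this example's own constructions.

```powershell
# Added example (not from the Panda write-up): flag hosts that hammer accounts
# with a password dictionary the way Conficker.C does.
# Assumptions: logon failures are audited (Security event 4625) and the script
# runs with rights to read the Security log. Thresholds are illustrative.

function Group-FailedLogons {
    # Pure function: takes objects with Source, User and Time properties and
    # returns one row per source that exceeds all three thresholds.
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $MinAttempts   = 20,   # failed attempts from one source...
        [int] $MinAccounts   = 3,    # ...against at least this many accounts
        [int] $WindowMinutes = 10    # ...inside this time window
    )
    $Events |
        Group-Object -Property Source |
        ForEach-Object {
            $sorted = @($_.Group | Sort-Object Time)
            $first  = $sorted[0].Time
            $last   = $sorted[-1].Time
            $span   = ($last - $first).TotalMinutes
            $users  = @($sorted | Select-Object -ExpandProperty User -Unique)
            if ($sorted.Count -ge $MinAttempts -and
                $users.Count  -ge $MinAccounts -and
                $span         -le $WindowMinutes) {
                [pscustomobject]@{
                    Source   = $_.Name
                    Attempts = $sorted.Count
                    Accounts = $users.Count
                    First    = $first
                    Last     = $last
                    Users    = ($users -join ',')
                }
            }
        }
}

function Get-FailedLogonEvents {
    # Live collector: pull 4625 events and extract the source and target account
    # from the event XML. Logon type 3 = network logon, which is what a guess
    # against an administrative share produces.
    param([int] $Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        if ($d['LogonType'] -eq '3') {
            $src = if ($d['IpAddress'] -and $d['IpAddress'] -ne '-') { $d['IpAddress'] } else { $d['WorkstationName'] }
            [pscustomobject]@{ Time = $_.TimeCreated; Source = $src; User = $d['TargetUserName'] }
        }
    }
}

# Constructed sample input (not real log data) so the logic can be exercised
# without a Security log: 24 failures from one host against four accounts in
# under three minutes, plus a single mistyped password from another host.
$t0 = Get-Date '2009-01-15 09:00:00'
$sample = @()
$i = 0
foreach ($user in 'Administrator', 'backup', 'admin', 'test') {
    foreach ($guess in 1..6) {
        $sample += [pscustomobject]@{ Time = $t0.AddSeconds(7 * $i); Source = '192.0.2.45'; User = $user }
        $i++
    }
}
$sample += [pscustomobject]@{ Time = $t0.AddMinutes(1); Source = '192.0.2.90'; User = 'alice' }

Group-FailedLogons -Events $sample | Format-Table -AutoSize   # reports 192.0.2.45 only
# On a live host: Group-FailedLogons -Events (Get-FailedLogonEvents -Hours 24)
```

Where an account-lockout policy is in force, the same fixed dictionary also shows up as a wave of lockouts (event 4740 on the domain controller), which is often how this worm is first noticed.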
Infection strategy
Conficker.C creates a DLL with a random name in the Windows system directory. This file is created with the system, read-only and hidden attributes.
It also creates a file with a random name and the VMX extension in the folder RECYCLER\%random name% on every shared and removable drive on the computer, again with the system, read-only and hidden attributes. In addition, it creates an AUTORUN.INF file on these drives so that it is run whenever any of them is accessed.
It also creates a scheduled task in the Tasks folder of the Windows directory so that it is started periodically.
Conficker.C creates the following entries in the Windows Registry:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
%random name% = rundll32.exe %drive letter%\RECYCLER\%random name%\%random filename%.vmx
By creating this entry, Conficker.C ensures that it is run whenever Windows is started.
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
TcpNumConnections = 0x00FFFFFE
This raises the limit on the number of simultaneous TCP connections.
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netsvcs
Image Path = %sysdir%\svchost.exe -k netsvcs
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netsvcs\Parameters
ServiceDll = %drive letter%\RECYCLER\%random name%\%random filename%.vmx
By creating these two entries, it registers itself as a service hosted by svchost.exe.
Conficker.C modifies the following entries in the Windows Registry in order to make its detection more difficult:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL
CheckedValue = 1
It changes this entry to:
CheckedValue = 0
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
SuperHidden = 1
It changes this entry to:
SuperHidden = 0
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden = 1
It changes this entry to:
Hidden = 0
Together these changes make Windows Explorer hide files and folders that carry the hidden attribute (SuperHidden additionally covers protected operating-system files), so the worm's hidden, system-attributed files do not show up when a user browses the drive.
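The following PowerShell script is an added example, not part of the Panda write-up, that checks a host for the artifacts listed in this section: the three disabled services, the RECYCLER\*.vmx dropper and AUTORUN.INF on each drive, jobs in the Tasks folder, a Run value and a ServiceDll pointing at a .vmx file, the TcpNumConnections change and the three Explorer hidden-file settings. The service short names (wuauserv, BITS, ERSvc) and the function name are this example's assumptions; the paths and values follow the write-up. Run it as Administrator.

```powershell
# Added example (not Panda's code): one-shot triage for the host artifacts
# described in the Infection strategy section. Service short names and the
# function name are assumptions; file and registry locations follow the write-up.

function Find-ConfickerIndicators {
    $hits = New-Object System.Collections.Generic.List[string]

    # 1. Services the worm disables: Start = 4 in the service key means Disabled
    #    (works on every PowerShell version, unlike Get-Service's StartType).
    foreach ($svc in 'wuauserv', 'BITS', 'ERSvc') {
        $k = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$svc" -Name Start -ErrorAction SilentlyContinue
        if ($k -and $k.Start -eq 4) { $hits.Add("service $svc is disabled") }
    }

    # 2. Dropper and AUTORUN.INF on fixed, mapped and removable drives.
    foreach ($drv in Get-PSDrive -PSProvider FileSystem) {
        $root = $drv.Root
        if (Test-Path (Join-Path $root 'AUTORUN.INF')) { $hits.Add("AUTORUN.INF present on $root") }
        $rec = Join-Path $root 'RECYCLER'
        if (Test-Path $rec) {
            Get-ChildItem -Path $rec -Recurse -Force -Filter '*.vmx' -ErrorAction SilentlyContinue |
                ForEach-Object { $hits.Add("dropper candidate $($_.FullName)") }
        }
    }

    # 3. Jobs in the legacy Tasks folder: listed for review, not proof on their own.
    Get-ChildItem -Path (Join-Path $env:WINDIR 'Tasks') -Filter '*.job' -Force -ErrorAction SilentlyContinue |
        ForEach-Object { $hits.Add("scheduled task $($_.Name)") }

    # 4. Run value that launches a .vmx file through rundll32.
    $run = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
    if ($run) {
        foreach ($p in $run.PSObject.Properties) {
            if ($p.Value -is [string] -and $p.Value -match 'rundll32.*\.vmx') {
                $hits.Add("Run value $($p.Name) = $($p.Value)")
            }
        }
    }

    # 5. Any service whose ServiceDll lives under RECYCLER with a .vmx name,
    #    plus the TCP connection-limit tweak.
    Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue | ForEach-Object {
        $dll = (Get-ItemProperty -Path "$($_.PSPath)\Parameters" -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
        if ($dll -and $dll -match '\\RECYCLER\\.*\.vmx$') { $hits.Add("service $($_.PSChildName) ServiceDll = $dll") }
    }
    $tcp = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' -Name TcpNumConnections -ErrorAction SilentlyContinue
    if ($tcp -and $tcp.TcpNumConnections -eq 0x00FFFFFE) { $hits.Add('TcpNumConnections = 0x00FFFFFE') }

    # 6. Explorer hidden-file settings forced off.
    $showAll = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL' -ErrorAction SilentlyContinue
    if ($showAll -and $showAll.CheckedValue -eq 0) { $hits.Add('SHOWALL\CheckedValue = 0') }
    $adv = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' -ErrorAction SilentlyContinue
    if ($adv) {
        if ($adv.SuperHidden -eq 0) { $hits.Add('Explorer\Advanced\SuperHidden = 0') }
        if ($adv.Hidden -eq 0)      { $hits.Add('Explorer\Advanced\Hidden = 0') }
    }
    return $hits
}

$findings = @(Find-ConfickerIndicators)
if ($findings.Count -eq 0) { 'no Conficker.C indicators found' } else { $findings }
```

On an infected host the RECYCLER hit, the Run value and the .vmx ServiceDll share the same random name; that name is what to remove once the dropper has been collected for analysis. A disabled service or a stray .job file on its own is a weaker signal and should be read together with the others.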
Means of transmission
Conficker.C spreads by exploiting MS08-067, a vulnerability in the Windows Server service. To do so, it sends malformed RPC requests to other computers; if a target is vulnerable, it downloads a copy of the worm onto that system.
Conficker.C also spreads through the computer's drives, both shared and removable, by copying itself to them together with an AUTORUN.INF file, so that it runs whenever any of them is accessed.
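Both transmission paths depend on conditions the administrator controls: an unpatched Server service and AutoRun being honoured on shared and removable drives. The following PowerShell is an added example, not Panda's code, that checks for the MS08-067 hotfix, turns AutoRun off for every drive type, and reverses the service and Explorer changes listed under Infection strategy. KB958644 as the hotfix identifier for MS08-067 (on Windows XP, Server 2003, Vista and Server 2008; later releases shipped with the fix and will not list it), the service names wuauserv, BITS, ERSvc and WerSvc, and the NoDriveTypeAutoRun policy value 0xFF are this example's assumptions; the function names are hypothetical. Run it as Administrator.

```powershell
# Added example (not from the Panda write-up): harden a host against the two
# spreading methods and undo the settings the worm changes.
# Assumptions: KB958644 delivers MS08-067 on XP/2003/Vista/2008; service short
# names wuauserv, BITS, ERSvc (XP) and WerSvc (Vista and later); the
# NoDriveTypeAutoRun policy value 0xFF disables AutoRun for every drive type.

function Test-Ms08067Patched {
    # $true if KB958644 is installed; a missing hotfix is a $false result, not an error.
    [bool](Get-HotFix -Id 'KB958644' -ErrorAction SilentlyContinue)
}

function Disable-AutoRun {
    # Policy value that stops AUTORUN.INF on any drive type from being executed.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name NoDriveTypeAutoRun -PropertyType DWord -Value 0xFF -Force | Out-Null
}

function Restore-ServicesDisabledByWorm {
    # Put Windows Update, BITS and Error Reporting back to their normal startup
    # type and start them; services that do not exist on this platform are skipped.
    $wanted = @{ wuauserv = 'Automatic'; BITS = 'Manual'; ERSvc = 'Automatic'; WerSvc = 'Manual' }
    foreach ($name in $wanted.Keys) {
        if (Get-Service -Name $name -ErrorAction SilentlyContinue) {
            Set-Service -Name $name -StartupType $wanted[$name]
            Start-Service -Name $name -ErrorAction SilentlyContinue
        }
    }
}

function Restore-ExplorerHiddenFileView {
    # Reverse the three registry changes so hidden and system files show again.
    Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL' -Name CheckedValue -Value 1
    $adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    Set-ItemProperty -Path $adv -Name Hidden      -Value 1
    Set-ItemProperty -Path $adv -Name SuperHidden -Value 1
}

if (-not (Test-Ms08067Patched)) {
    Write-Warning 'KB958644 (MS08-067) not found: patch before returning this host to the network'
}
Disable-AutoRun
Restore-ServicesDisabledByWorm
Restore-ExplorerHiddenFileView
```

Re-enabling the services and the hidden-file view only makes sense after the worm's own persistence (the Run value, the .vmx service and the scheduled task) has been removed; otherwise it simply reapplies its changes at the next start.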
Further Details
Conficker.C is 167,765 bytes in size.