Conficker.C is designed to spread by exploiting a vulnerability in the Windows Server Service which allows remote code execution. It is the vulnerability MS08-067. Additionally, Conficker.C carries out the following actions: - It checks the system date in the following web addresses:
Ask.com Google.com Baidu.com Yahoo.com W3.org and if the system date is after January 1, 2009, it will attempt to connect to a website in order to download a malicious executable file. The website to which it connects varies depending on the system date. - It disables the following services:
- Windows update, disabling the Windows updates. - BITS (Background Intelligent Transfer Service), which is a service to transfer Windows files. - Error reporting service, which allows to send Microsoft information about errors occurring in the operating system, Windows components and programs. - It prevents the user and the computer from connecting to the websites that contain any of the following text strings:
ahnlab arcabit avast avg avira avp bit9 ca castlecops centralcommand cert clamav comodo computerassociates cpsecure defender drweb emsisoft esafe eset etrust ewido fortinet f-prot f-secure gdata grisoft hacksoft hauri ikarus jotti k7computing kaspersky malware mcafee microsoft nai networkassociates nod32 norman norton panda pctools prevx quickheal rising rootkit sans securecomputing sophos spamhaus spyware sunbelt symantec threatexpert trendmicro vet virus wilderssecurity windowsupdate As they are security related websites, the antivirus programs could not be updated and the user could not access the information of these pages. - It modifies the security policies of the user accounts. In order to access the user accounts, it uses the following weak passwords:
0123456789 00000, 0000000, 00000000, 0987654321, 11111, 111111, 1111111, 11111111, 123123, 12321, 123321, 12345, 123456, 1234567, 12345678, 123456789, 1234567890, 1234abcd, 1234qwer, 123abc, 123asd, 123qwe, 1q2w3e, 22222, 222222, 2222222, 22222222, 33333, 333333, 3333333, 33333333, 44444, 444444, 4444444, 44444444, 54321, 55555, 555555, 5555555, 55555555, 654321, 66666, 666666, 6666666, 66666666, 7654321, 77777, 777777, 7777777, 77777777, 87654321, 88888, 888888, 8888888, 88888888, 987654321, 99999, 999999, 9999999, 99999999. A a1b2c3, aaaaa, abc123, academia, access, account, Admin, admin, admin1, admin12, admin123, adminadmin, administrator, anything, asddsa, asdfgh, asdsa, asdzxc.
B backup, boss123, business.
C campus, changeme, cluster, codename, codeword, coffee, computer, controller, cookie, customer.
D database, default, desktop, domain.
E example, exchange, explorer.
F files, foobar, foofoo, forever, freedom.
G games.
H home123.
I ihavenopass, Internet, internet, intranet.
K killer.
L letitbe, letmein, Login, login, lotus, love123.
M manager, market, money, monitor, mypass, mypassword, mypc123.
N nimda, nobody, nopass, nopassword, nothing.
O office, oracle, owner.
P pass1, pass12, pass123, passwd, Password, password, password1, password12, password123, private, public, pw123.
Q q1w2e3, qazwsx, qazwsxedc, qqqqq, qwe123, qweasd, qweasdzxc, qweewq, qwerty, qwewq.
R root123, rootroot.
S sample, secret, secure, security, server, shadow, share, student, super, superuser, supervisor, system.
T temp123, temporary, temptemp, test123, testtest.
U unknown.
W windows, work123.
X xxxxx.
Z zxccxz, zxcvb, zxcvbn, zxcxz, zzzzz.
|