W32/Conficker.worm

What is W32/Conficker.worm?

How does it affect your PC?

How to remove W32/Conficker.worm?


What is W32/Conficker.worm?

Discovered on 24th November 2008, W32/Conficker.worm is a worm that spreads by exploiting MS08-067 (Microsoft Windows Server Service Vulnerability, 958644).

W32/Conficker.worm decides how to load itself as a Windows service depending on whether the compromised machine runs Windows 2000. Once running inside a service process, the worm attempts to download files from the Internet: further malware from trafficconverter.biz and data files from maxmind.com.

This malware spreads mostly within corporate networks, but several hundred home users also reported infections. It opens a random TCP port between 1024 and 10000 and acts as a web server. It propagates to other computers on the network by exploiting MS08-067.

Once a remote computer is exploited, it downloads a copy of the worm over HTTP from the random port the worm opened on the attacking host. The copy is often transferred with a .JPG extension and is then saved into the local system folder as a randomly named DLL.

How does it affect your PC?

When executed, Win32/Conficker.A (Microsoft's name for the same worm) creates a copy of itself in the %System% directory with a random filename. It then checks whether the compromised machine runs Windows 2000.

If so, the worm injects its code in the "services.exe" process.

If the operating system is not Windows 2000, the worm creates a service with the following characteristics:

Service name: netsvcs
Path to executable: %System%\svchost.exe -k netsvcs

and adds the following registry entry so that svchost loads the worm's DLL:

HKLM\SYSTEM\CurrentControlSet\Services\netsvcs\Parameters\ServiceDll = "%System%\<worm executable filename>.dll"

Note that "netsvcs" is the name of a legitimate svchost service group, not of a service; a service key that carries the same name as its group blends in with the many real services hosted by svchost.exe -k netsvcs.

{Note: %System% is a variable location. The malware determines the location of the current System folder by querying the operating system. The default installation location for the System directory for Windows 2000 and NT is C:\Winnt\System32; for 95, 98 and ME is C:\Windows\System; for XP and Vista is C:\Windows\System32.}
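The service and registry indicators above can be checked offline from a regedit export of the Services hive (reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg). The following Python script is an added example written for this page, not code from the original page or from any vendor tool: it parses a "Windows Registry Editor Version 5.00" export, including the hex(2) encoding regedit uses for REG_EXPAND_SZ values, lists every svchost-hosted service with its ServiceDll, and flags a service whose key name equals the svchost group it runs in, which is the netsvcs/netsvcs pattern described above. The export embedded in the script is constructed; the file name xyzabcd.dll is a placeholder standing in for the worm's random DLL name.

```python
"""Triage a regedit export of HKLM\\SYSTEM\\CurrentControlSet\\Services for the
svchost-hosted service that W32/Conficker.worm registers (key "netsvcs" with a
ServiceDll in %System%). Added example for this page; the export below is
constructed, not captured from an infected host."""
import re

SERVICES_ROOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"

def reg_expand_sz(value):
    """Encode a string as regedit exports REG_EXPAND_SZ: 'hex(2):' plus the
    UTF-16LE bytes and a NUL terminator, comma separated and wrapped onto
    continuation lines that end in ',\\'. Used only to build the sample."""
    parts = [f"{b:02x}" for b in value.encode("utf-16-le") + b"\x00\x00"]
    lines, chunk = [], []
    for i, part in enumerate(parts):
        chunk.append(part)
        if len(chunk) == 20 and i != len(parts) - 1:
            lines.append(",".join(chunk) + ",\\")
            chunk = []
    lines.append(",".join(chunk))
    return "hex(2):" + "\n  ".join(lines)

# Constructed sample: a legitimate netsvcs member (Schedule), a service not hosted
# by svchost (Spooler), and the worm-style entry with a placeholder DLL name.
SAMPLE_REG = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    f"[{SERVICES_ROOT}\\Schedule]",
    '"ImagePath"=' + reg_expand_sz(r"%SystemRoot%\system32\svchost.exe -k netsvcs"),
    "",
    f"[{SERVICES_ROOT}\\Schedule\\Parameters]",
    '"ServiceDll"=' + reg_expand_sz(r"%SystemRoot%\system32\schedsvc.dll"),
    "",
    f"[{SERVICES_ROOT}\\Spooler]",
    '"ImagePath"="%SystemRoot%\\\\System32\\\\spoolsv.exe"',
    "",
    f"[{SERVICES_ROOT}\\netsvcs]",
    '"Type"=dword:00000020',
    '"ImagePath"=' + reg_expand_sz(r"%SystemRoot%\system32\svchost.exe -k netsvcs"),
    "",
    f"[{SERVICES_ROOT}\\netsvcs\\Parameters]",
    '"ServiceDll"="C:\\\\Windows\\\\System32\\\\xyzabcd.dll"',  # REG_SZ form, backslashes escaped
    "",
])

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VAL_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)  # \\ -> \ and \" -> "

def _decode_value(raw):
    if raw.startswith('"') and raw.endswith('"'):  # REG_SZ
        return _unescape(raw[1:-1])
    m = re.match(r"hex\((\d+)\):(.*)$", raw)  # hex(2)=REG_EXPAND_SZ, hex(7)=REG_MULTI_SZ
    if m and m.group(1) in ("2", "7"):
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b)
        return data.decode("utf-16-le", "replace").rstrip("\x00")
    return raw  # dword:/hex: values are kept raw; not needed for this triage

def parse_reg(text):
    """Parse a regedit 5.00 export into {key_path: {value_name: value}},
    joining the backslash continuation lines regedit emits for hex values."""
    keys, current, buf = {}, None, ""
    for raw in text.splitlines():
        line = buf + raw.strip()
        buf = ""
        if line.endswith("\\"):  # wrapped hex value continues on the next line
            buf = line[:-1]
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VAL_RE.match(line)
        if m and current is not None:
            keys[current][_unescape(m.group(1))] = _decode_value(m.group(2))
    return keys

_SVCHOST_RE = re.compile(r"svchost\.exe\s+-k\s+(\S+)", re.IGNORECASE)

def svchost_services(keys):
    """[(service_key, svchost_group, service_dll)] for every svchost-hosted service."""
    prefix = SERVICES_ROOT.lower() + "\\"
    out = []
    for path, values in keys.items():
        rel = path[len(prefix):] if path.lower().startswith(prefix) else None
        if not rel or "\\" in rel:  # direct children only, not ...\Parameters
            continue
        m = _SVCHOST_RE.search(values.get("ImagePath", ""))
        if m:
            params = keys.get(path + "\\Parameters", {})
            out.append((rel, m.group(1), params.get("ServiceDll")))
    return out

def flag_conficker_style(keys):
    """Flag services whose key name equals the svchost group they load into:
    a service called netsvcs in group netsvcs is the indicator described above."""
    return [s for s in svchost_services(keys) if s[0].lower() == s[1].lower()]
```

Running parse_reg() over a real export and printing svchost_services() gives a reviewable list of every DLL that svchost will load; flag_conficker_style() narrows it to the exact pattern on this page. Later Conficker variants used random service names rather than "netsvcs", so on a real host the full list, compared against a known-good build, is the more durable check.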

It attempts to connect to the following sites to learn the public IP address of the affected computer:

http://www.getmyip.org
http://getmyip.co.uk
http://checkip.dyndns.org

It also attempts to download a malware file from the following remote site (the rogue Russian site was still up at the time of writing but no longer served the file):

http://trafficconverter.biz/[Removed]antispyware/[Removed].exe
http://www.maxmind.com/download/geoip/[...]/GeoIP.dat.gz

It starts an HTTP server on a random port on the infected machine to host a copy of the worm, scans the network for vulnerable machines and runs the exploit against them. If the exploit succeeds, the remote computer connects back to that HTTP server and downloads a copy of the worm.

Creates HTTP Server
The worm opens a random port between 1024 and 10000 and acts as a web (HTTP) server. When a remote machine is exploited successfully, the victim connects back to this HTTP server and downloads a copy of the worm.
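On a live host the two halves of this behaviour are visible in netstat output: a service process listening on an unusual port in the 1024-10000 range, and the same process fanning out to other machines to deliver the MS08-067 exploit, which targets the Server service and therefore travels over SMB (TCP 445, or 139 on older stacks). The script below is an added example for this page, not part of the original and not a vendor tool; it parses constructed netstat -ano and tasklist output, restricts attention to svchost.exe and services.exe (the processes this page says the worm runs in), and reports listeners in the random-port range together with any outbound SMB connections from the same PID. The sample deliberately includes Remote Desktop on 3389, which svchost also hosts, to show that a listener in this range alone is a weak signal; the outbound SMB fan-out is the stronger one.

```python
"""Host-side triage for the propagation behaviour described above: a service
process listening for HTTP on a random port between 1024 and 10000 while
pushing the MS08-067 exploit to other hosts over SMB (TCP 445/139).
Added example for this page; the netstat -ano and tasklist output below is
constructed, not captured from an infected host."""
import re

HOSTING_IMAGES = {"svchost.exe", "services.exe"}  # processes the page says the worm runs in
SMB_PORTS = {445, 139}

NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1044
  TCP    0.0.0.0:7831           0.0.0.0:0              LISTENING       1080
  TCP    192.168.1.23:7831      192.168.1.57:1106      ESTABLISHED     1080
  TCP    192.168.1.23:1107      192.168.1.201:445      SYN_SENT        1080
  TCP    192.168.1.23:1108      192.168.1.202:445      SYN_SENT        1080
  UDP    0.0.0.0:500            *:*                                    1080
"""
TASKLIST_SAMPLE = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System                           4 Console                    0         236 K
svchost.exe                    892 Console                    0       3,148 K
svchost.exe                   1044 Console                    0      18,612 K
svchost.exe                   1080 Console                    0      12,404 K
"""

def parse_tasklist(text):
    """{pid: image name} from tasklist's default table output."""
    pids = {}
    for line in text.splitlines():
        m = re.match(r"^(\S.*?)\s+(\d+)\s+\S+\s+\d+\s+", line)
        if m:
            pids[int(m.group(2))] = m.group(1)
    return pids

def parse_netstat(text):
    """[(proto, local, foreign, state, pid)] from netstat -ano; UDP rows have no state."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        state = parts[3] if parts[0] == "TCP" else ""
        rows.append((parts[0], parts[1], parts[2], state, int(parts[-1])))
    return rows

def _port(addr):
    return int(addr.rsplit(":", 1)[1])  # works for 1.2.3.4:80 and [::]:80

def _host(addr):
    return addr.rsplit(":", 1)[0]

def triage(netstat_text, tasklist_text, low=1024, high=10000):
    """Service processes listening on low..high, with the hosts they are
    pushing SMB traffic to; sorted so the widest SMB fan-out comes first."""
    names = parse_tasklist(tasklist_text)
    by_pid = {}
    for proto, local, foreign, state, pid in parse_netstat(netstat_text):
        if names.get(pid, "").lower() not in HOSTING_IMAGES:
            continue
        rec = by_pid.setdefault(pid, {"pid": pid, "image": names[pid],
                                      "listen_ports": [], "smb_targets": []})
        if proto == "TCP" and state == "LISTENING" and low <= _port(local) <= high:
            rec["listen_ports"].append(_port(local))
        elif proto == "TCP" and _port(foreign) in SMB_PORTS:
            rec["smb_targets"].append(_host(foreign))
    hits = [r for r in by_pid.values() if r["listen_ports"]]
    return sorted(hits, key=lambda r: -len(r["smb_targets"]))
```

On a real machine, feed triage() the text of netstat -ano and tasklist. A hit with an empty smb_targets list (like the RDP listener in the sample) needs a second look rather than a verdict; a hit that is also opening SMB connections to a spread of internal addresses matches the propagation described on this page, and fetching the root of the listening port with a browser or curl will show whether it is serving a DLL.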

Resets System Restore Point
The worm may call an API function to reset the computer's System Restore points, potentially defeating recovery through System Restore.

Downloads Files
If the date is after November 25, 2008, the worm builds a URL in the following format and attempts to download a file from it:

<random ip?>/search?q=%d&aq=7

If the date is after December 1, 2008 Win32/Conficker.A will attempt to download a file 'loadadv.exe' from the domain 'trafficconverter.biz'.

http://trafficconverter.biz/<censored>/loadadv.exe

Conficker also downloads a reference file from the following URL:

http://www.maxmind.com/<censored>/GeoIP.dat.gz


How to remove W32/Conficker.worm?

Users infected by W32/Conficker.worm should run an On-Demand Scan with the latest DATs to remove the worm's components, including the copy resident in memory. When the scanner detects W32/Conficker, remove it and reboot; the W32/Conficker.worm components are then gone. If repeated scans fail to remove it, disable System Restore and scan again; re-enable System Restore only once a scan reports the machine clean. Because the worm spreads by exploiting MS08-067, the machine should also receive the 958644 update before it is reconnected to the network, otherwise an infected neighbour can simply reinfect it.
