Security Information and Review

Collection of security information and review

Conficker Worm and Windows vulnerabilty

Author : Admin

The Conficker worm is a computer worm that can infect your computer and spread itself to other computers across a network automatically, without human interaction. Conficker is effecting and targeting the Microsoft Windows Operating System that it’s most sophisticated capability. Conficker, also known as Downup, Downadup and Kido. The first variant of Conficker propagated through the internet by expoliting a vulnerabity in a network service [ MS08-067 ]. This list of Microsoft Windows Operating system that has been affected by RPC DCOM vulnerability :

  1. MS Windows 2000,
  2. MS Windows XP,
  3. MS Windows Vista,
  4. MS Windows Server 2003,
  5. MS Windows Server 2008.

Microsoft Windows 7 beta was not publicly available until Januari 2009 because it’s may have been affected by this vulnerability.


Although almost all of the malware technique used by Conficker are well known but Conficker combined use of many variant and unusually technique that machine was infected by Conficker very difficult to clean and eradicate.


Conficker worm has five variants are known and have been dubbed Conficker A, B, C, D and E. See detail and chronologist five variants of the Conficker worm :


First Variants of Conficker Worm

First variant of the Conficker Worm was discovered in early November 2009 that exploiting a vulnerability in a network service [ MS08-067 ]. This variant have capability to update to variant B, C and D of the Conficker Worm.


Second Variants of Conficker Worm

Second variant of the Conficker Worm was discovered in December 2008, also knows as Conficker B. It’s exploiting a vulnerability in a network service, dictionary attack on ADMIS$ shares and creates DLL based autorun trojan on attached removable drives. Conficker B might spread through file sharing and via removable drives, such as USB drives (also known as thumb drives). The worm adds a file to the removable drive so that when the drive is used, the AutoPlay dialog box will show one additional option. Then uniques of this variant is capability to self defense with :

  1. Disable Microsoft Windows Auto Update.
  2. Blocks DNS Lookup.

As in the previous variant, Conficker B also has the ability to update to Conficker C or D.


Third Varaints of Conficker Worm

Third variant of the Conficker Worm was discovered in Februari 2009, also known as Conficker C. Conficker C has capability similar with the previous variant that how to exploited security and defense. The differences with the previous variant has the ability to creates a named pipe, over which it can push URLs for downloadable payloads to other infected hosts on a local area network.


Fourth Variants of Conficker Worm
The next variant was discovered in March 2009, also known as Conficker D. it has a defense capability that dramatically increased more than Conficker C, B or A. Variant D of the worm resets System Restore points, disables a number of system services, disable safe mode and scans for and terminates processes with names of anti-malware, patch or diagnostic utilities at one-second intervals. Variants D create an ad-hoc peer-to-peer network to push and pull payloads over the wider Internet. Conficker D has been observed to user larges-scale UDP scanning to build up a peer list of infected hosts and transfer of signed payloads via TCP. To make analysis more difficult, port numbers for connections are hashed from IP Address of each peer. The end action of this variant is updates self to Conficker E.


Fifth Variants of Conficker Worm

Fifth Variant of Conficker Worm was discovered in April 2009, also known as Conficker E. Variant E of the worm was the first to use its base of infected computers for an ulterior purpose It downloads and installs, from a web server hosted in Ukraine, two additional payloads :

Waledac, a spambot otherwise known to propagate through e-mail attachments. Waledac operates similarly to the 2008 Storm worm and is believed to be written by the same authors.
SpyProtect 2009, a scareware anti-virus product.


The end action of this variant is removes self on 3 May 2009 ( does not remove accompanying copy of W32.Downadup.C / Conficker C ).


Symptoms of machine was infected by Conficker :

  1. Account lockout policies being reset automatically.
  2. Certain Microsoft Windows Service such as Automatic Updates, BITS, Windows Defender and Windows Error Reporting disable.
  3. Domain Controllers responding slowly to client requests.
  4. Congestion on local area networks.
  5. Web sites related to antivirus software or the Windows Update service becoming inaccessible.
  6. User account locked out.


If your machine has symptoms as above, see step by step to remove and clean machine from Conficker at this site.

Share and Enjoy: These icons link to social bookmarking sites where readers can share and discover new web pages.
  • Digg
  • Netvouz
  • DZone
  • ThisNext
  • MisterWong
  • Wists
  • Technorati
  • YahooMyWeb
  • Slashdot
  • StumbleUpon
Categories: Virus Security - Windows Security
If you like this posts, please leave messages / comments.