Conficker

Domesticus By Domesticus in Worms | 2,223 views
Rate it:
1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)
Loading ... Loading ...

Conficker Description

Conficker, also known as W32/Conficker.worm, Win32/Conficker.A, W32.Downadup, Downadup and Kido, is a worm that exploits flaws found in Windows MS08-067 vulnerability. When Conficker infects your PC, it may prevent you from accessing security websites and disables Windows system services such as Windows Security Center, Windows Error Reporting and Windows Defender. The danger with Conficker is its ability to spread itself to other vulnerable computers through network shares. If one computer in a network is infected, then it can spread to other computers within that network. Microsoft has released a patch to fix the Windows vulnerability.

It is imperative that you download the latest released patch from Microsoft Windows Update. Also, Conficker uses random file names to prevent easy detection so it is best to use an anti-virus or anti-spyware software that will allow you to scan your entire computer instead of attempting to delete Conficker’s files manually.

Type: Worms

Automatic Detection of Conficker

 
 
 
 

Conficker Technical Report

As new Conficker details are reported by our customers and findings from our Threat Research Center, we will update this section.

The following Conficker files with its MD5s were created in the system:

File Name File Size MD5
vhoinp.dll 89088 e80c7cb77020f9326e15b3a0fb298045
malware.exe 110592 09edf06953b56ee6a8cb6823cb3b2996
malware.exe 188886 38c3d2efdd47b1034b1624490ce1f3f2

Conficker has typically the following processes in memory:

  • %Temp%\[RANDOM FILE NAME].dll
  • %All Users Application Data%\[RANDOM FILE NAME].dll
  • vhoinp.dll
  • %Program Files%\Movie Maker\[RANDOM FILE NAME].dll
  • %System%\[RANDOM FILE NAME].dll
  • %Program Files%\Internet Explorer\[RANDOM FILE NAME].dll

Conficker creates the following registry entries:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHO WALLCheckedValue = dword:00000000
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random}\”ImagePath” = %SystemRoot%\system32\svchost.exe -k netsvcs
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random}\Parameters\”ServiceDll” = “[PATH OF WORM]”
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost, netsvcs = %Previous data% and %Random%

Important Article Disclaimer

article disclaimer
ESG Support Center

Share and Enjoy: These icons link to social bookmarking sites where readers can share and discover new web pages.
  • Digg
  • del.icio.us
  • Furl
  • StumbleUpon
  • Technorati
  • YahooMyWeb
This entry was posted on 01/27/09 and is filed under Worms. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

One Response to “Conficker”

  1. Ashwani Kumar Ashwani Kumar Says:

    I m suufer to this virus, pls some advice for this virus.
    Giveing me some for this virus, i rquest u.

Leave a Comment

Note: Abusive comments are not allowed. Please do not post comments regarding technical support issues. ESG customers that have issues with SpyHunter should open a customer support ticket.

*
To prove you're a person (not a spam script), type the security word shown in the picture. Click on the picture to hear an audio file of the word.
Click to hear an audio file of the anti-spam word

Poll

How much money have you spent trying to rid your PC of spyware?
View Results

Archives

Home Sitemap RSS Feed Privacy Policy End User License Agreement Copyright 2003-2009. Enigma Software Group USA, LLC. All Rights Reserved.