It copies itself into the %Sysdir% folder as a randomly named DLL.
It modifies the registry to create a randomly named service on the compromised system:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random}\Parameters\"ServiceDll" = "Path to worm"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random}\"ImagePath" = %SystemRoot%\system32\svchost.exe -k netsvcs
It connects to several public websites to learn the public IP address of the infected computer, and it attempts to download a further malware file from a remote website. It also starts an HTTP server on a random port on the infected machine to serve a copy of the worm to the hosts it infects next.
Once one system on the network is infected, it continuously scans the infected host's subnet for vulnerable machines and runs the exploit (MS08-067, the Server service RPC vulnerability) against them. When the exploit succeeds, the newly compromised computer connects back to that HTTP server and downloads its own copy of the worm. Later variants of W32/Conficker.worm additionally use scheduled tasks and Autorun.inf files to spread to systems that are not vulnerable to the exploit, and to re-infect previously infected systems even after they have been cleaned.
How can you check whether your system is infected?
You may find that you are not only unable to reach the Microsoft website, but that anti-virus vendor websites do not load either.
On an infected system, domain user accounts get locked out (the worm brute-forces passwords against admin shares), access to admin shares is denied, new scheduled tasks appear, and access to security-related websites is blocked.
Conficker removal tool from Microsoft
The remedy is to patch and reboot the infected system. If you detect this worm on a system, reboot it so that the in-memory copy is cleared; more than one reboot may be needed. Scheduled tasks created on the system re-activate the worm, and Autorun.inf files on removable media re-activate it as well, so both have to be removed or the machine will be re-infected.
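The indicators listed above (a random svchost-hosted service with a ServiceDll in system32, rundll32 scheduled tasks, autorun.inf on removable drives, failing lookups of security sites) can be checked from an elevated PowerShell prompt. The script below is an added example written for this page; it is not the Microsoft removal tool and not code from the original post. It assumes the worm's service looks like the registry keys shown above and that the host is English-localized (the `schtasks` column names are English). Everything it prints is a lead to verify by hand, not a verdict.

```powershell
# Added example (not part of the original post): enumerate Conficker indicators
# on the local host. Run as Administrator. All checks are heuristics; review
# every lead manually before cleaning anything.

$system32 = Join-Path $env:SystemRoot 'system32'
$leads = New-Object System.Collections.Generic.List[string]

# 1. Services hosted by "svchost.exe -k netsvcs" whose ServiceDll does not look
#    like a normal Windows DLL. Conficker's DLL has a random name, carries no
#    Microsoft version resource and is usually marked hidden.
$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
foreach ($svc in Get-ChildItem $svcRoot -ErrorAction SilentlyContinue) {
    $main = Get-ItemProperty $svc.PSPath -ErrorAction SilentlyContinue
    if (-not $main.ImagePath -or $main.ImagePath -notmatch 'svchost\.exe.*-k\s+netsvcs') { continue }
    $params = Get-ItemProperty "$($svc.PSPath)\Parameters" -ErrorAction SilentlyContinue
    if (-not $params.ServiceDll) { continue }
    $dll  = [Environment]::ExpandEnvironmentVariables($params.ServiceDll)
    $file = Get-Item -LiteralPath $dll -Force -ErrorAction SilentlyContinue
    $why  = @()
    if (-not $file) { $why += 'ServiceDll missing on disk' }
    else {
        if ($file.VersionInfo.CompanyName -notmatch 'Microsoft') { $why += 'no Microsoft version info' }
        if ($file.Attributes -band [IO.FileAttributes]::Hidden)  { $why += 'hidden attribute set' }
        if ($file.DirectoryName -ne $system32)                   { $why += "outside $system32" }
    }
    if ($why.Count) { $leads.Add("service '$($svc.PSChildName)' -> $dll ($($why -join '; '))") }
}

# 2. Scheduled tasks that launch a DLL through rundll32 (the re-activation
#    mechanism). Tasks under \Microsoft\ are skipped to cut down on noise;
#    the worm's tasks sit at the root with names such as At1, At2, ...
$tasks = schtasks /query /fo csv /v 2>$null | ConvertFrom-Csv
foreach ($t in $tasks) {
    if ($t.TaskName -like '\Microsoft\*') { continue }
    if ($t.'Task To Run' -match 'rundll32\.exe.*\.dll') {
        $leads.Add("scheduled task '$($t.TaskName)' runs: $($t.'Task To Run')")
    }
}

# 3. autorun.inf in the root of removable drives (DriveType 2). The worm's file
#    is padded with junk bytes but still names rundll32 in its shellexecute line.
foreach ($d in Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType=2' -ErrorAction SilentlyContinue) {
    $inf = Join-Path $d.DeviceID 'autorun.inf'
    if (Test-Path -LiteralPath $inf) {
        $raw = [IO.File]::ReadAllText($inf)
        $tag = if ($raw -match 'rundll32') { 'references rundll32' } else { 'present' }
        $leads.Add("autorun.inf on $($d.DeviceID) ($tag)")
    }
}

# 4. DNS: security-related names fail while an unrelated control name resolves.
#    (If the control also fails, the host is simply offline and nothing is flagged.)
$blocked = @()
foreach ($name in 'www.microsoft.com','update.microsoft.com','www.symantec.com','www.mcafee.com') {
    try { [void][Net.Dns]::GetHostAddresses($name) } catch { $blocked += $name }
}
$controlOk = $true
try { [void][Net.Dns]::GetHostAddresses('example.com') } catch { $controlOk = $false }
if ($controlOk -and $blocked.Count) { $leads.Add("DNS fails only for security sites: $($blocked -join ', ')") }

# 5. Services the worm is known to switch off: Windows Update, BITS, Defender,
#    Security Center and Error Reporting.
foreach ($name in 'wuauserv','BITS','WinDefend','wscsvc','WerSvc','ERSvc') {
    $s = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'" -ErrorAction SilentlyContinue
    if ($s -and $s.StartMode -eq 'Disabled') { $leads.Add("service $name is disabled") }
}

if ($leads.Count -eq 0) { 'No Conficker indicators found.' }
else { "Leads ($($leads.Count)):"; $leads | ForEach-Object { " - $_" } }
```

Run it before and after the patch-and-reboot cycle: if the service lead or a rundll32 task comes back after a reboot, the persistence mechanism (task or autorun.inf) was not removed and the machine will keep re-infecting itself.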
3 comments:
That was a damn hard to find and annoying bug. With this info, solved. Thanks.
The link is not working; it redirects to a parked domain page.
Will reformatting the computer work?