Conficker - a virus/work

You may have heard in the past days of a virus that has many a sysadmin wetting themselves in panic and with good cause. Some say the hackers have yet to activate the payload of the conficker virus which is spreading through low security networks, memory sticks, and PCs without current security updates.
Some 9.5 million pc's are suspected to be affected and as F-Secure's chief research officer, Mikko Hypponen said:

"Total infections appear to be peaking. That said, a full count is
hard, because we also don't know how many machines are being cleaned.
But we estimate there are still more than 9m infected PCs world wide.

It is scary thinking about how much control they [a hacker]
could have over all these computers. They would have access to millions
of machines with full administrator rights.

But they haven't done that yet, maybe they're scared. That's
good news. But there is also the scenario that someone else figures out
how to activate this worm. That is a worrying prospect." 

Below is information regarding the virus from Avira the free anti virus software site. Microsoft has done a good job of releasing a patch to home computers that have chosen to accept the automatic update capabiliy of windows, the real problem may be with corporate sysadmins who have yet to instal the appropriate patches. Of course, it is said that as the virus is not fully understood, the patches may not do much good. Let's wait and see. I guess this is a good time to be using a Linux or a mac, huh!?

Virus: Worm/Conficker Date discovered: 14/01/2009 Type: Worm In the wild: Yes Reported Infections: Medium Distribution Potential: Medium Damage Potential: Medium Static file: No File size: ~160.000 Bytes IVDF version: 7.01.01.115 - Wed, 14 Jan 2009 08:44 (GMT+1)  General  Methods of propagation:    • Local network    • Mapped network drives Aliases:    •  Symantec: W32.Downadup.B    •  Kaspersky: Net-Worm.Win32.Kido.fw    •  F-Secure: Worm:W32/Downadup.gen!A    •  Sophos: Mal/Conficker-A    •  Panda: Trj/Downloader.MDW    •  Grisoft: I-Worm/Generic.CJY    •  Eset: a variant of Win32/Conficker.AE worm    •  Bitdefender: Win32.Worm.Downadup.Gen Similar detection:    •  Worm/Kido Platforms / OS:    • Windows 95    • Windows 98    • Windows 98 SE    • Windows NT    • Windows ME    • Windows 2000    • Windows XP    • Windows 2003 Side effects:    • Registry modification    • Makes use of software vulnerability    • Third party control  Files  It copies itself to the following locations:    • %all shared folders% \RECYCLER\S-%number%\%random character string%.vmx    • %ProgramFiles%\Internet Explorer\%random character string%.dll    • %ProgramFiles%\Movie Maker\%random character string%.dll    • %System%\%random character string%.dll    • %Temp%\%random character string%.dll    • %ALLUSERSPROFILE%\Application Data\%random character string%.dll The following file is created: – %all shared folders%\autorun.inf This is a non malicious text file with the following content:    • %random comments%      shellexecute rundll32.exe %paths and filenames of malware copies%,%random character string%      %random comments%  Registry  The following registry keys are added in order to load the service after reboot: – HKLM\SYSTEM\CurrentControlSet\Services\%random words%\    Parameters\    • ServiceDll" = "%paths and filenames of malware copies%" – HKLM\SYSTEM\CurrentControlSet\Services\%random words%\    • "ImagePath" = %SystemRoot%\system32\svchost.exe -k netsvcs      "Type" = "4"      "Start" = "4"      "ErrorControl" = "4" The following registry keys are changed: – [HKLM\SYSTEM\CurrentControlSet\Services\wscsvc]    Old value:    • "Start"=dword:00000003    New value:    • "Start"=dword:00000004 – [HKLM\SYSTEM\CurrentControlSet\Services\wuauserv]    Old value:    • "Start"=dword:00000003    New value:    • "Start"=dword:00000004 – [HKLM\SYSTEM\CurrentControlSet\Services\BITS]    Old value:    • "Start"=dword:00000003    New value:    • "Start"=dword:00000004 – [HKLM\SYSTEM\CurrentControlSet\Services\ERSvc]    Old value:    • "Start"=dword:00000003    New value:    • "Start"=dword:00000004 – HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced    New value:    • "Hidden"=dword:00000002      "ShowCompColor"=dword:00000001      "HideFileExt"=dword:00000000      "DontPrettyPath"=dword:00000000      "ShowInfoTip"=dword:00000001      "HideIcons"=dword:00000000      "MapNetDrvBtn"=dword:00000000      "WebView"=dword:00000000      "Filter"=dword:00000000      "SuperHidden"=dword:00000000      "SeparateProcess"=dword:00000000  Network Infection  In order to ensure its propagation the malware attemps to connect to other machines as described below. It uses the following login information in order to gain access to the remote machine: – The following list of passwords:    • 000; 0000; 00000; 0000000; 00000000; 0987654321; 111; 1111; 11111;       111111; 1111111; 11111111; 123; 123123; 12321; 123321; 1234; 12345;       123456; 1234567; 12345678; 123456789; 1234567890; 1234abcd; 1234qwer;       123abc; 123asd; 123qwe; 1q2w3e; 222; 2222; 22222; 222222; 2222222;       22222222; 321; 333; 3333; 33333; 333333; 3333333; 33333333; 4321; 444;       4444; 44444; 444444; 4444444; 44444444; 54321; 555; 5555; 55555;       555555; 5555555; 55555555; 654321; 666; 6666; 66666; 666666; 6666666;       66666666; 7654321; 777; 7777; 77777; 777777; 7777777; 77777777;       87654321; 888; 8888; 88888; 888888; 8888888; 88888888; 987654321; 999;       9999; 99999; 999999; 9999999; 99999999; a1b2c3; aaa; aaaa; aaaaa;       abc123; academia; access; account; Admin; admin; admin1; admin12;       admin123; adminadmin; administrator; anything; asddsa; asdfgh; asdsa;       asdzxc; backup; boss123; business; campus; changeme; cluster;       codename; codeword; coffee; computer; controller; cookie; customer;       database; default; desktop; domain; example; exchange; explorer; file;       files; foo; foobar; foofoo; forever; freedom; fuck; games; home;       home123; ihavenopass; Internet; internet; intranet; job; killer;       letitbe; letmein; login; Login; lotus; love123; manager; market;       money; monitor; mypass; mypassword; mypc123; nimda; nobody; nopass;       nopassword; nothing; office; oracle; owner; pass; pass1; pass12;       pass123; passwd; password; Password; password1; password12;       password123; private; public; pw123; q1w2e3; qazwsx; qazwsxedc; qqq;       qqqq; qqqqq; qwe123; qweasd; qweasdzxc; qweewq; qwerty; qwewq; root;       root123; rootroot; sample; secret; secure; security; server; shadow;       share; sql; student; super; superuser; supervisor; system; temp;       temp123; temporary; temptemp; test; test123; testtest; unknown; web;       windows; work; work123; xxx; xxxx; xxxxx; zxccxz; zxcvb; zxcvbn;       zxcxz; zzz; zzzz; zzzzz IP address generation: It creates random IP addresses while it keeps the first three octets from its own address. Afterwards it tries to establish a connection with the created addresses. Infection process: It makes the compromised machine download the malware from the infected source computer. The downloaded file is stored on the compromised machine as: .\RECYCLER\S-%number%\%random character string%.vmx  Hosts  – Access to the following domains is effectively blocked:    • ahnlab; arcabit; avast; avg.; avira; avp.; bit9.; ca.; castlecops;       centralcommand; cert.; clamav; comodo; computerassociates; cpsecure;       defender; drweb; emsisoft; esafe; eset; etrust; ewido; f-prot;       f-secure; fortinet; gdata; grisoft; hacksoft; hauri; ikarus; jotti;       k7computing; kaspersky; malware; mcafee; microsoft; nai.;       networkassociates; nod32; norman; norton; panda; pctools; prevx;       quickheal; rising; rootkit; sans.; securecomputing; sophos; spamhaus;       spyware; sunbelt; symantec; threatexpert; trendmicro; vet.; virus;       wilderssecurity; windowsupdate  Miscellaneous  Internet connection: In order to check for its internet connection the following DNS servers are contacted:    • http://www.getmyip.org    • http://www.whatsmyipaddress.com    • http://getmyip.co.uk    • http://checkip.dyndns.org Checks for an internet connection by contacting the following web sites:    • baidu.com; google.com; yahoo.com; msn.com; ask.com; w3.org; aol.com;       cnn.com; ebay.com; msn.com; myspace.com File patching: In order to increase the number of maximum connections it has the capability to modify the tcpip.sys. It may result in a corruption of that file and break network connectivity.  Rootkit Technology  It is a malware-specific technology. The malware hides its presence from system utilities, security applications and in the end, from the user. Method used: Hooks the following API functions:    • DNS_Query_A    • DNS_Query_UTF8    • DNS_Query_W    • Query_Main    • sendto  File details  Programming language: The malware program was written in MS Visual C++. Runtime packer: In order to aggravate detection and reduce size of the file it is packed with a runtime packer.