F-Secure
Tools
Worm:W32/Downadup.AL
| Name : | Worm:W32/Downadup.AL |
| Detection Names : |
Worm:W32/Downadup.AL Net-Worm.Win32.Kido |
| Aliases : |
Worm:Win32/Conficker (Microsoft) Mal/Conficker (Sophos) W32/Conficker.worm.gen (Symantec) |
| Category: | Malware |
| Type: | Worm |
| Platform: | W32 |
Summary
A standalone malicious program which uses computer or network resources to make complete copies of itself. May include code or other malware to damage both the system and the network.
Disinfection
Removal Tools
F-Downadup
Specific tool with heuristics for Downadup worm variants:
FSMRT
Non-specific detection tool, larger file size:
Note: these are command line tools, please read the text file included in the ZIP for additional details.
Updates
These are beta tools. Use the following FTP location to determine the file dates:
Scanning Options
Downadup makes use of random extension names in order to avoid detection.
During disinfection scanning options should be set to:
Microsoft Help and Support
Knowledge Base Article 962007 provides numerous details for manual disinfection of Conficker.B (alias Downadup).
F-Downadup
Specific tool with heuristics for Downadup worm variants:
FSMRT
Non-specific detection tool, larger file size:
Note: these are command line tools, please read the text file included in the ZIP for additional details.
Updates
These are beta tools. Use the following FTP location to determine the file dates:
Scanning Options
Downadup makes use of random extension names in order to avoid detection.
During disinfection scanning options should be set to:
• Scan all files
Microsoft Help and Support
Knowledge Base Article 962007 provides numerous details for manual disinfection of Conficker.B (alias Downadup).
Additional Details
Upon execution, the Downadup (Kido, Conflicker) worm creates copies of itself in:
* Note: [Random] represents a randomly generated name.
Each file's timestamp is amended to match the timestamp of the %System%\kernel32.dll file. The worm then creates autorun entries in the registry, which ensure that a copy of the worm is executed at every system startup.
The worm may create the following files on removable and mapped drives:
See the description for Worm:W32/Downaduprun.A for additional details on the autorun.inf file.
And attach itself to the following processes:
The worm disables a number of system features, in order to facilitate its activities. It disables the following Windows services:
In addition to disabling these services, it checks to see whether it is running on a Windows Vista machine; if so, it also runs the following command to disable Windows Vista TCP/IP auto-tuning:
The worm also hooks the following API's in order to block access when the user attempts to access a long list of domains:
If the user attempts to access the following, primarily security-related domains, their access is blocked:
Propagation
To propagate itself, the worm first modifies the following registry entry so that it can spread more rapidly across a network:
The worm uses this driver to speed up its propagation capability, as it modifies the number of half-open connections to a 0x10000000(268435456) in memory, a function implemented in %System%\drivers\tcpip.sys.
It checks for a suitable computer around the network using NetServerEnum, then attempts to log on to any found computer with one of the following login credentials:
If the worm successfully accesses the network share, it will create a copy of itself to the "ADMIN$" share as the following:
It then creates a scheduled daily job on the remote server, in order to execute the following command:
The worm is also able to propagate by downloading a copy of itself onto other machines vulnerable to an exploit of the critical MS08-067 vulnerability. To do so, the worm first connects to the following sites to retrieve the system's %ExternalIPAddress%:
Next, the worm creates a HTTP server on a random port:
Creating the HTTP server allows the malware to send out specially crafted packets (exploit code) from the infected machine to other machines. If the exploit is successful, the targeted machine is forced to download a copy of the malware from the first infected machine.
The downloaded malware has one of the following extensions:
It then hooks NetpwPathCanonicalize API in order to avoid exploiting the vulnerability further.
Downloads
Downadup is capable of downloading files onto the infected system. First, the worm connects to one of the following domains to obtain the current system date:
The obtained system date is used to generate a list of domains where the malware can download additional files.
It then verifies whether the current date is at least 1 January 2009. If so, it downloads and execute files from:
Note: %PredictableDomainsIPAddress% is the domain generated based on the system date.
The downloaded file has the format:
Registry
The worm deletes a number of keys from the registry, in order to deactivate the Security Center Notifications and prevent Windows Defender from starting. It also bypasses the Windows Firewall by creating the following registry entry, so that the system can download a copy of the worm:
To hide its presence in the system, the worm deletes any System Restore points created by the user, then modifies the following registry keys:
During infection, the worm may create a temporary (TMP) file in the the System or Temp folders. The TMP file created is registered as a service kernel driver using the following registry entry:
Once the key is created, the file %MalwarePath%\[random].tmp is deleted.
An interesting change the worm makes to the registry involves the following registry entries:
In these entries, %ServiceName% represents a two word combination taken from the following list:
• %System%\[Random].dll
• %Program Files%\Internet Explorer\[Random].dll
• %Program Files%\Movie Maker\[Random].dll
• %All Users Application Data%\[Random].dll
• %Temp%\[Random].dll
• %System%\[Random].tmp
• %Temp%\[Random].tmp
* Note: [Random] represents a randomly generated name.
Each file's timestamp is amended to match the timestamp of the %System%\kernel32.dll file. The worm then creates autorun entries in the registry, which ensure that a copy of the worm is executed at every system startup.
The worm may create the following files on removable and mapped drives:
• %DriveLetter%\RECYCLER\S-%d-%d-%d-%d%d%d-%d%d%d-%d%d%d-%d\[...].[3 random characters]
• %DriveLetter%\autorun.inf
See the description for Worm:W32/Downaduprun.A for additional details on the autorun.inf file.
And attach itself to the following processes:
• svchost.exe
• explorer.exe
• services.exe
• Windows Automatic Update Service (wuauserv)
• Background Intelligent Transfer Service (BITS)
• Windows Security Center Service (wscsvc)
• Windows Defender Service (WinDefend)
• Windows Error Reporting Service (ERSvc)
• Windows Error Reporting Service (WerSvc)
In addition to disabling these services, it checks to see whether it is running on a Windows Vista machine; if so, it also runs the following command to disable Windows Vista TCP/IP auto-tuning:
• netsh interface tcp set global autotuning=disabled
The worm also hooks the following API's in order to block access when the user attempts to access a long list of domains:
• DNS_Query_A
• DNS_Query_UTF8
• DNS_Query_W
• Query_Main
• sendto
If the user attempts to access the following, primarily security-related domains, their access is blocked:
• virus
• spyware
• malware
• rootkit
• defender
• microsoft
• symantec
• norton
• mcafee
• trendmicro
• sophos
• panda
• etrust
• networkassociates
• computerassociates
• f-secure
• kaspersky
• jotti
• f-prot
• nod32
• eset
• grisoft
• drweb
• centralcommand
• ahnlab
• esafe
• avast
• avira
• quickheal
• comodo
• clamav
• ewido
• fortinet
• gdata
• hacksoft
• hauri
• ikarus
• k7computing
• norman
• pctools
• prevx
• rising
• securecomputing
• sunbelt
• emsisoft
• arcabit
• cpsecure
• spamhaus
• castlecops
• threatexpert
• wilderssecurity
• windowsupdate
• nai
• ca
• avp
• avg
• vet
• bit9
• sans
• cert
To propagate itself, the worm first modifies the following registry entry so that it can spread more rapidly across a network:
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
"TcpNumConnections" = dword:0x00FFFFFE
"TcpNumConnections" = dword:0x00FFFFFE
It checks for a suitable computer around the network using NetServerEnum, then attempts to log on to any found computer with one of the following login credentials:
• Using the existing credentials of the infected user account; if this account does not have admin privileges on the target machine, this operation will not succeed.
• Acquiring the list of usernames from the targeted computer using NetUserEnum API, then attempting to log on to the targeted computer using the existing user accounts and one of the following passwords:
• [username]
• [username][username]
• [reverse_of_username]
• 00000
• 0000000
• 00000000
• 0987654321
• 11111
• 111111
• 1111111
• 11111111
• 123123
• 12321
• 123321
• 12345
• 123456
• 1234567
• 12345678
• 123456789
• 1234567890
• 1234abcd
• 1234qwer
• 123abc
• 123asd
• 123qwe
• 1q2w3e
• 22222
• 222222
• 2222222
• 22222222
• 33333
• 333333
• 3333333
• 33333333
• 44444
• 444444
• 4444444
• 44444444
• 54321
• 55555
• 555555
• 5555555
• 55555555
• 654321
• 66666
• 666666
• 6666666
• 66666666
• 7654321
• 77777
• 777777
• 7777777
• 77777777
• 87654321
• 88888
• 888888
• 8888888
• 88888888
• 987654321
• 99999
• 999999
• 9999999
• 99999999
• a1b2c3
• aaaaa
• abc123
• academia
• access
• account
• Admin
• admin
• admin1
• admin12
• admin123
• adminadmin
• administrator
• anything
• asddsa
• asdfgh
• asdsa
• asdzxc
• backup
• boss123
• business
• campus
• changeme
• cluster
• codename
• codeword
• coffee
• computer
• controller
• cookie
• customer
• database
• default
• desktop
• domain
• example
• exchange
• explorer
• files
• foobar
• foofoo
• forever
• freedom
• games
• home123
• ihavenopass
• Internet
• internet
• intranet
• killer
• letitbe
• letmein
• Login
• login
• lotus
• love123
• manager
• market
• money
• monitor
• mypass
• mypassword
• mypc123
• nimda
• nobody
• nopass
• nopassword
• nothing
• office
• oracle
• owner
• pass1
• pass12
• pass123
• passwd
• Password
• password
• password1
• password12
• password123
• private
• public
• pw123
• q1w2e3
• qazwsx
• qazwsxedc
• qqqqq
• qwe123
• qweasd
• qweasdzxc
• qweewq
• qwerty
• qwewq
• root123
• rootroot
• sample
• secret
• secure
• security
• server
• shadow
• share
• student
• super
• superuser
• supervisor
• system
• temp123
• temporary
• temptemp
• test123
• testtest
• unknown
• windows
• work123
• xxxxx
• zxccxz
• zxcvb
• zxcvbn
• zxcxz
• zzzzz
• \\[Server Host Name]\ADMIN$\System32\[random filename].[random extension]
• rundll32.exe [random filename].[random extension], [random]
• http://checkip.dyndns.org
• http://getmyip.co.uk
• http://www.getmyip.org
• http://www.whatsmyipaddress.com
• http://%ExternalIPAddress%:%RandomPort%
Creating the HTTP server allows the malware to send out specially crafted packets (exploit code) from the infected machine to other machines. If the exploit is successful, the targeted machine is forced to download a copy of the malware from the first infected machine.
The downloaded malware has one of the following extensions:
• bmp
• gif
• jpeg
• png
It then hooks NetpwPathCanonicalize API in order to avoid exploiting the vulnerability further.
Downloads
Downadup is capable of downloading files onto the infected system. First, the worm connects to one of the following domains to obtain the current system date:
• ask.com
• baidu.com
• google.com
• w3.org
• yahoo.com
It then verifies whether the current date is at least 1 January 2009. If so, it downloads and execute files from:
• http://%PredictableDomainsIPAddress%/search?q=%d
Note: %PredictableDomainsIPAddress% is the domain generated based on the system date.
The downloaded file has the format:
• [random].tmp
Registry
The worm deletes a number of keys from the registry, in order to deactivate the Security Center Notifications and prevent Windows Defender from starting. It also bypasses the Windows Firewall by creating the following registry entry, so that the system can download a copy of the worm:
• HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List, [PortNumber]:TCP = "[PortNumber]:TCP:*Enabled:[random]"
To hide its presence in the system, the worm deletes any System Restore points created by the user, then modifies the following registry keys:
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHO WALLCheckedValue = dword:00000000
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost, netsvcs = %Previous data% and %Random%
During infection, the worm may create a temporary (TMP) file in the the System or Temp folders. The TMP file created is registered as a service kernel driver using the following registry entry:
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[random]
Type = dword:00000001
Start = dword:00000003
ErrorControl = dword:00000000
ImagePath = "\...\%MalwarePath%\[random].tmp"
DisplayName = [Random]
Type = dword:00000001
Start = dword:00000003
ErrorControl = dword:00000000
ImagePath = "\...\%MalwarePath%\[random].tmp"
DisplayName = [Random]
Once the key is created, the file %MalwarePath%\[random].tmp is deleted.
An interesting change the worm makes to the registry involves the following registry entries:
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
DisplayName = %ServiceName%
Type = dword:00000020
Start = dword:00000002
ErrorControl = dword:00000000
ImagePath = "%SystemRoot%\system32\svchost.exe -k netsvcs"
ObjectName = "LocalSystem"
Description = %description%
DisplayName = %ServiceName%
Type = dword:00000020
Start = dword:00000002
ErrorControl = dword:00000000
ImagePath = "%SystemRoot%\system32\svchost.exe -k netsvcs"
ObjectName = "LocalSystem"
Description = %description%
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[random]\Parameters
ServiceDll = %MalwarePath%
ServiceDll = %MalwarePath%
• Boot
• Center
• Config
• Driver
• Helper
• Image
• Installer
• Manager
• Microsoft
• Monitor
• Network
• Security
• Server
• Shell
• Support
• System
• Task
• Time
• Universal
• Update
• Windows