Analysis by: Ardin Christopher Maglalang

ALIASES:

Worm:Win32/Conficker.B (Microsoft), W32.Downadup.B (Norton), Win32.Worm.Downadup.Gen (Bitdefender), Win32/Conficker.X (ESET)

PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)

  • Threat Type: Worm

  • Destructiveness: No

  • In the wild: Yes

OVERVIEW

This worm arrives when an infected removable drive is connected to a system. It may also arrive as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops an AUTORUN.INF file on each removable drive so that the copy it drops there is executed when a user opens the drive.

It modifies certain registry entries so that files with the Hidden attribute are not displayed in Windows Explorer, which conceals its dropped files.

TECHNICAL DETAILS

File Size: 1,269,760 bytes
File Type: DLL
Memory Resident: Yes

Arrival Details

This worm arrives when an infected removable drive is connected to a system.

It may also arrive as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This worm drops a copy of itself as the following file, using a random file name:

  • %System%\{Random Filename}.dll

(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.)

Autostart Technique

This worm registers itself as a system service so that it runs automatically at every system startup. The service is hosted by svchost.exe in the netsvcs group and runs as LocalSystem, so the worm's DLL executes inside a svchost.exe process that looks like any other. It adds the following registry entries (the service name is random):

HKLM\SYSTEM\CurrentControlSet\Services\{Random}
DisplayName = "Manager Support"
Type = "32"
Start = "2"
ErrorControl = "0"
ImagePath = "%SystemRoot%\system32\svchost.exe -k netsvcs"
ObjectName = "LocalSystem"
Description = "Monitors system security settings and configurations."

HKLM\SYSTEM\CurrentControlSet\Services\{Random}\Parameters
ServiceDll = "%System%\{Random Filename}.dll"

(Note: Type 32 is SERVICE_WIN32_SHARE_PROCESS and Start 2 is automatic start. The ServiceDll value names the DLL that svchost.exe loads, so it is the entry to inspect when hunting for this worm; the ImagePath alone is the same as for legitimate netsvcs services.)

Other System Modifications

This worm modifies the following registry entry to disable the Background Intelligent Transfer Service (BITS), which Automatic Updates relies on to download patches:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\BITS
Start = "4"

(Note: The default value data of the said registry entry is "3", which is manual start; "4" is disabled.)

It modifies the following registry entry so that files with the Hidden attribute are not shown in Windows Explorer:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
Hidden = "2"

(Note: The default value data of the said registry entry is "User Default". A value of "1" shows hidden files; "2" hides them.)

It creates the following registry entry to open inbound TCP port 3739 in the Windows Firewall standard profile for all source addresses (the value format is port:protocol:scope:mode:name, and the scope "*" means any address):

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\GloballyOpenPorts\
List
3739:TCP = "3739:TCP:*:Enabled:mdqkva"

Propagation

This worm creates the following folder on all removable drives (the folder name mimics the per-user SID subfolders found under a real Recycle Bin):

  • {Drive Letter}:\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\

It drops the following copy of itself on all removable drives:

  • {Drive Letter}:\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\{Random Filename}.{Random Extension}

It drops an AUTORUN.INF file on each of these drives so that the copy is executed when a user opens the drive. The file is padded with garbage characters and uses mixed-case key names to defeat simple signature matching, but Windows still parses it: the action text copies the standard "Open folder to view files" AutoPlay entry, and the shellexecute line runs the dropped copy through rundll32.exe, calling the export named by {Random Value}.

The said .INF file contains the following strings:

{Garbage Character}
[{Garbage Character}AUTorUN
{Garbage Character}
AcTION
{Garbage Character}
Open folder to view files
{Garbage Character}
%syStEmrOot%\sySTEM32\sHELL32.Dll
{Garbage Character}
shelLExECUte
{Garbage Character}
=RuNdLl32.EXE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\{Random Filename}.{Random Extension},{Random Value}
{Garbage Character}
useAuTopLAY{Garbage Character}={Garbage Character}1
{Garbage Character}
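The following Python script, added here as an example and not part of the Trend Micro analysis, recovers the effective directives from an AUTORUN.INF padded in the way described above and reports why the result is suspicious. The sample file is constructed from the strings listed on this page: the dropped file name abcdefg.hij and the rundll32 entry point klmnop are placeholders for the random values, the shell32.dll path is kept as a bare line because the page lists it without a key, and the script assumes the padding consists of bytes outside printable ASCII and that key names are matched case-insensitively, as Windows does.

```python
"""
Recover the effective AUTORUN.INF directives from a file padded with junk
bytes and mixed-case keys, then report the AutoPlay abuse indicators.
Added example; the sample below is constructed from the strings on this page.
"""
import re
from typing import Dict, List

# Constructed sample.  Bytes outside printable ASCII stand in for the
# "{Garbage Character}" padding; abcdefg.hij and klmnop are placeholders for
# the random file name, extension and rundll32 entry point.
SAMPLE_AUTORUN = (
    b"\x8a\xf3\x01\x1b\r\n"
    b"[\x9e\x03AUTorUN\r\n"                         # closing ']' is missing
    b"\x17\xc4\xd9\r\n"
    b"AcTION\x01=\x7fOpen folder to view files\r\n"
    b"\xe0\x05\r\n"
    b"%syStEmrOot%\\sySTEM32\\sHELL32.Dll\r\n"      # listed on the page without a key
    b"\x92\x8f\r\n"
    b"shelLExECUte\x04\x06=\x08RuNdLl32.EXE .\\RECYCLER"
    b"\\S-5-3-42-2819952290-8240758988-879315005-3665\\abcdefg.hij,klmnop\r\n"
    b"\xa1\x02\r\n"
    b"useAuTopLAY\x1f=\x10" b"1\r\n"
    b"\xf7\x9d\r\n"
)

SECTION_RE = re.compile(r"^\[\s*([A-Za-z0-9_]+)\s*\]?$")   # ']' optional
KEYVAL_RE = re.compile(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$")


def clean_line(raw: bytes) -> str:
    """Drop every byte outside printable ASCII, which removes the padding."""
    return bytes(b for b in raw if 0x20 <= b < 0x7F).decode("ascii").strip()


def recover_directives(data: bytes) -> Dict[str, str]:
    """Return {lowercased key: value}; the section name is stored under
    '__section__'.  Junk-only lines and key-less values are discarded."""
    out: Dict[str, str] = {}
    for raw in data.split(b"\n"):
        line = clean_line(raw)
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            out["__section__"] = m.group(1).lower()
            continue
        m = KEYVAL_RE.match(line)
        if m:
            out[m.group(1).lower()] = m.group(2).strip()
    return out


def autorun_indicators(d: Dict[str, str]) -> List[str]:
    """Explain why a recovered AUTORUN.INF is suspicious."""
    findings: List[str] = []
    shellexec = d.get("shellexecute", "")
    if re.search(r"\brundll32(\.exe)?\b", shellexec, re.I):
        findings.append("shellexecute runs rundll32 (loads a DLL from the drive)")
    if "recycler" in shellexec.lower():
        findings.append("payload path is under RECYCLER (mimics the Recycle Bin)")
    if d.get("useautoplay") == "1":
        findings.append("useautoplay=1 requests the AutoPlay dialog")
    if d.get("action", "").lower() == "open folder to view files":
        findings.append("action text copies the default 'Open folder to view files' entry")
    return findings


if __name__ == "__main__":
    directives = recover_directives(SAMPLE_AUTORUN)
    for key, value in directives.items():
        print(f"{key} = {value}")
    for finding in autorun_indicators(directives):
        print("!!", finding)
```

Run against a real AUTORUN.INF read in binary mode; the recovered shellexecute value gives the exact path and entry point of the dropped copy, which is what to remove from the drive.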

Other Details

This worm connects to the following URL(s) to learn the affected system's public IP address:

  • http://www.whatsmyipaddress.com
  • http://www.whatismyip.org
  • http://www.getmyip.org
  • http://checkip.dyndns.org

It connects to the following possibly malicious URL:

  • http://{Resolve IP Address}/search?q={Number}

It connects to the following web site to determine the current date, using the Date header of the HTTP response rather than the local clock:

  • w3.org

It also modifies the following registry entries so that protected operating system files stay hidden in Windows Explorer and so that selecting "Show hidden files and folders" in Folder Options no longer takes effect:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
SuperHidden = "0"

(Note: The default value data of the said registry entry is "1".)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced\Folder\Hidden\
SHOWALL
CheckedValue = "0"

(Note: The default value data of the said registry entry is "1". CheckedValue is what Explorer writes to Hidden when the "Show hidden files" option is selected, so setting it to "0" makes that option ineffective.)
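The Python script below, added as an example and not part of this analysis, hunts for the registry artifacts listed under Autostart Technique, Other System Modifications and Other Details in a text export produced by `reg query <key> /s`. The export it parses is constructed: the service name kxdpmva and the DLL name zqlwmx.dll are placeholders for the worm's random names, and the list of DLLs accepted under netsvcs is a trimmed baseline that would normally be taken from a clean reference host of the same Windows build.

```python
"""
Hunt for the registry artifacts on this page in `reg query <key> /s` output:
a random-named svchost/netsvcs service with an unknown ServiceDll, BITS
disabled, the Explorer hidden-file settings and the firewall port exception.
Added example; the export below is constructed and the names are placeholders.
"""
import re
from typing import Dict, List, Optional, Tuple

SVC_ROOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" + "\\"
FW_LIST = SVC_ROOT + r"SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List"
HKCU_ADV = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
SHOWALL = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL"

# DLLs expected under "svchost.exe -k netsvcs" (trimmed baseline; take the
# full list from a clean host of the same Windows build).
KNOWN_NETSVCS_DLLS = {"qmgr.dll", "schedsvc.dll", "wuauserv.dll"}

# Constructed excerpt of `reg query HKLM\SYSTEM\CurrentControlSet\Services /s`
# plus the two Explorer keys.  kxdpmva / zqlwmx.dll stand in for random names.
SAMPLE_EXPORT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS
    Start    REG_DWORD    0x4
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\system32\svchost.exe -k netsvcs

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\system32\qmgr.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kxdpmva
    DisplayName    REG_SZ    Manager Support
    Type    REG_DWORD    0x20
    Start    REG_DWORD    0x2
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\system32\svchost.exe -k netsvcs
    ObjectName    REG_SZ    LocalSystem

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kxdpmva\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\system32\zqlwmx.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
    3739:TCP    REG_SZ    3739:TCP:*:Enabled:mdqkva

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    Hidden    REG_DWORD    0x2
    SuperHidden    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
    CheckedValue    REG_DWORD    0x0
"""

Values = Dict[str, Tuple[str, str]]          # value name -> (type, data)


def parse_reg_query(text: str) -> Dict[str, Values]:
    """Parse `reg query /s` output: unindented lines are key paths, indented
    lines are 'name<spaces>type<spaces>data' values."""
    keys: Dict[str, Values] = {}
    current = ""
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            current = line.strip()
            keys[current] = {}
            continue
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=2)
        keys[current][parts[0]] = (parts[1], parts[2] if len(parts) > 2 else "")
    return keys


def dword(vals: Values, name: str) -> Optional[int]:
    vtype, data = vals.get(name, ("", ""))
    return int(data, 16) if vtype == "REG_DWORD" and data else None


def find_indicators(keys: Dict[str, Values]) -> List[str]:
    findings: List[str] = []
    for path, vals in keys.items():
        if not path.startswith(SVC_ROOT) or "\\" in path[len(SVC_ROOT):]:
            continue                              # only top-level service keys
        name = path[len(SVC_ROOT):]
        if "svchost.exe -k netsvcs" in vals.get("ImagePath", ("", ""))[1].lower():
            dll = keys.get(path + r"\Parameters", {}).get("ServiceDll", ("", ""))[1]
            if dll and dll.rsplit("\\", 1)[-1].lower() not in KNOWN_NETSVCS_DLLS:
                findings.append(f"netsvcs service {name} loads unknown ServiceDll {dll}")
        if vals.get("DisplayName", ("", ""))[1] == "Manager Support":
            findings.append(f"service {name} uses the DisplayName 'Manager Support'")
        if name.lower() == "bits" and dword(vals, "Start") == 4:
            findings.append("BITS Start=4 (disabled); restore 3")
    for _, (_, data) in keys.get(FW_LIST, {}).items():
        port, proto, scope, mode, label = data.split(":", 4)
        if mode.lower() == "enabled":
            findings.append(f"firewall exception {port}/{proto} scope {scope} name {label}")
    adv = keys.get(HKCU_ADV, {})
    if dword(adv, "Hidden") == 2:
        findings.append("Explorer Hidden=2 (hidden files not shown); restore 1")
    if dword(adv, "SuperHidden") == 0:
        findings.append("Explorer SuperHidden=0; restore 1")
    if dword(keys.get(SHOWALL, {}), "CheckedValue") == 0:
        findings.append("SHOWALL CheckedValue=0 (Folder Options cannot re-enable); restore 1")
    return findings


if __name__ == "__main__":
    for f in find_indicators(parse_reg_query(SAMPLE_EXPORT)):
        print("!!", f)
```

The netsvcs check is the one that matters: DisplayName and Description strings are trivial for a variant to change, while a svchost-hosted service whose ServiceDll is not in the baseline for that Windows build is a durable indicator.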

It performs DNS requests for pseudorandom domain names under the following top-level domains. The names are derived from the current date obtained above, so whoever controls the worm can register one of the day's names ahead of time and be reached by infected systems:

  • {Pseudorandom Characters}.ws
  • {Pseudorandom Characters}.info
  • {Pseudorandom Characters}.cn
  • {Pseudorandom Characters}.cc
  • {Pseudorandom Characters}.com
  • {Pseudorandom Characters}.org
  • {Pseudorandom Characters}.biz
  • {Pseudorandom Characters}.net
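The page gives the TLD list but not the generation algorithm, so an exact domain feed cannot be reproduced from it. What a network defender can do is look for the traffic shape this section implies: one client producing a burst of failed lookups for random-looking names spread across these TLDs, and the same client contacting the public-IP lookup sites listed earlier. The Python script below, added as an example and not part of this analysis, runs that logic over constructed resolver log lines (time, client, query name, response code; the format and the thresholds are assumptions).

```python
"""
Flag clients that burst NXDOMAIN lookups for random-looking names under the
TLDs listed on this page, and clients that query the public-IP lookup sites.
Added example; the log lines are constructed and the per-name heuristic is
not the worm's own domain-generation algorithm, which the page does not give.
"""
import math
import re
from collections import defaultdict
from typing import Dict

DGA_TLDS = {"ws", "info", "cn", "cc", "com", "org", "biz", "net"}
IP_LOOKUP_HOSTS = {"whatsmyipaddress.com", "whatismyip.org", "getmyip.org", "checkip.dyndns.org"}
MIN_DOMAINS, MIN_TLDS = 3, 2        # burst threshold per client (assumed)

# Constructed resolver log: time, client, query name, response code.
SAMPLE_LOG = """\
2009-02-13T10:00:01 10.0.0.15 www.microsoft.com NOERROR
2009-02-13T10:00:02 10.0.0.15 qmvhsrlp.ws NXDOMAIN
2009-02-13T10:00:02 10.0.0.15 ztkbcqxw.info NXDOMAIN
2009-02-13T10:00:03 10.0.0.15 fdlhqwzu.cn NXDOMAIN
2009-02-13T10:00:03 10.0.0.15 checkip.dyndns.org NOERROR
2009-02-13T10:00:04 10.0.0.15 xrpkzmlq.cc NXDOMAIN
2009-02-13T10:00:04 10.0.0.15 bvwqhtls.biz NXDOMAIN
2009-02-13T10:00:05 10.0.0.22 mail.example.org NOERROR
2009-02-13T10:00:06 10.0.0.22 oldserver.example.net NXDOMAIN
2009-02-13T10:00:07 10.0.0.22 typo.exmaple.com NXDOMAIN
"""


def shannon_entropy(s: str) -> float:
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))


def looks_generated(label: str) -> bool:
    """Cheap per-name heuristic: all letters, at least 6 long, and either
    vowel-poor or high-entropy.  Noisy on its own; the burst check does the work."""
    if not re.fullmatch(r"[a-z]{6,}", label):
        return False
    vowel_ratio = sum(label.count(v) for v in "aeiou") / len(label)
    return vowel_ratio < 0.3 or shannon_entropy(label) >= 3.0


def analyze(log: str) -> Dict[str, dict]:
    """Per client: generated-looking NXDOMAIN names under the page's TLDs,
    the TLDs they span, IP-lookup site queries, and the resulting alert flag."""
    per_client: Dict[str, dict] = defaultdict(
        lambda: {"dga_domains": [], "tlds": set(), "ip_lookup": [], "dga_alert": False})
    for line in log.splitlines():
        if not line.strip():
            continue
        _, client, qname, rcode = line.split()
        qname = qname.lower().rstrip(".")
        parts = qname.split(".")
        rec = per_client[client]
        if re.sub(r"^www\.", "", qname) in IP_LOOKUP_HOSTS:
            rec["ip_lookup"].append(qname)
        if (len(parts) >= 2 and parts[-1] in DGA_TLDS and rcode == "NXDOMAIN"
                and looks_generated(parts[-2])):
            rec["dga_domains"].append(qname)
            rec["tlds"].add(parts[-1])
    for rec in per_client.values():
        rec["dga_alert"] = (len(rec["dga_domains"]) >= MIN_DOMAINS
                            and len(rec["tlds"]) >= MIN_TLDS)
    return dict(per_client)


if __name__ == "__main__":
    for client, rec in analyze(SAMPLE_LOG).items():
        flag = "ALERT" if rec["dga_alert"] else "ok"
        print(f"{client}: {flag} dga={rec['dga_domains']} ip_lookup={rec['ip_lookup']}")
```

A single random-looking name proves nothing (legitimate CDN and tracking hosts look the same), which is why the alert requires several failed lookups spanning more than one of the listed TLDs from one client; the IP-lookup queries are reported separately as corroboration, since an infected host makes them before its date-based lookups begin.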

SOLUTION

Minimum Scan Engine: 9.700

Step 1

Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.

Step 2

DAMAGE CLEANUP TEMPLATE

Step 3

Scan your computer with your Trend Micro product to delete files detected as WORM_DOWNAD.ANM. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.

