Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically

Win32/Conficker.AX

Aliases:Trojan-Ransom.Win32.XBlocker.zu (Kaspersky), W32.Downadup (Symantec), Ransom!cn trojan (McAfee) 
Type of infiltration:Worm  
Size:212438 B 
Affected platforms:Microsoft Windows 
Signature database version:5109 (20100512) 

You can download the removal tool here:
download

Short description

Win32/Conficker.AX is a worm that spreads via shared folders and removable media. It connects to remote machines in attempt to exploit the Server Service vulnerability.

Installation

When executed, the worm copies itself in some of the the following locations:
  • %system%%variable%.dll
  • %programfiles%Internet Explorer%variable%.dll
  • %programfiles%Movie Maker%variable%.dll
  • %appdata%%variable%.dll
  • %temp%%variable%.dll
A string with variable content is used instead of %variable%.

The worm loads and injects the %variable%.dll library into the following processes:
  • explorer.exe
  • services.exe
  • svchost.exe
The worm registers itself as a system service with the name combined from the following strings:
  • Boot
  • Center
  • Config
  • Driver
  • Helper
  • Image
  • Boot
  • Center
  • Config
  • Driver
  • Helper
  • Image
  • Installer
  • Manager
  • Microsoft
  • Monitor
  • Network
  • Security
  • Server
  • Shell
  • Support
  • System
  • Task
  • Time
  • Universal
  • Update
  • Windows
In order to be executed on every system start, the worm sets the following Registry entry:
  • [HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersion
    Run]
    "%variable_name%" = "rundll32.exe
    "%system%%variable%.dll",%random_string%"
The following Registry entries are set:
  • [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServices
    %random service name%Parameters]
    "ServiceDll" = "%system%%variable%.dll"
  • [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServices
    %random service name%]
    "Image Path" = "%System Root%system32svchost.exe -k
    netsvcs"
    "DisplayName" = "%variable service name%"
    "Type" = 32
    "Start" = 2
    "ErrorControl" = 0
    "ObjectName" = "LocalSystem"
    "Description" = "%variable_name%"
  • [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServices
    %random service name%Parameters]
    "ServiceDll" = "%system%%variable%.dll"
  • [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServices
    %random service name%]
    "Image Path" = "%System Root%system32svchost.exe -k
    netsvcs"
    "DisplayName" = "%variable service name%"
    "Type" = 32
    "Start" = 2
    "ErrorControl" = 0
    "ObjectName" = "LocalSystem"
    "Description" = "%variable_name%"
  • [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServices
    TcpipParameters]
    "TcpNumConnections" = 16777214
  • [HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersion
    explorerAdvancedFolderHiddenSHOWALL]
    "CheckedValue" = 0
  • [HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersion
    Applets]
    "dl" = 0
    "ds" = 0
  • [HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersion
    Applets]
    "dl" = 0
    "ds" = 0
A string with variable content is used instead of %random service name%.

Spreading

The worm starts a HTTP server on a random port.

By connecting to remote machines to port TCP 139, 445 it tries to exploit the Server Service.

If successful, the remote computer attempts to connect to the infected computer and download a copy of the worm .

It is a DLL library with the following extension:
  • .bmp
  • .gif
  • .jpeg
  • .png
This vulnerability is described in Microsoft Security Bulletin MS08-067 .

Spreading via shared folders

The worm tries to copy itself into shared folders of machines on a local network.

The following usernames are used:
  • %username%
The following passwords are used:
  • 123
  • 1234
  • 12345
  • 123456
  • 1234567
  • 12345678
  • 123
  • 1234
  • 12345
  • 123456
  • 1234567
  • 12345678
  • 123456789
  • 1234567890
  • 123123
  • 12321
  • 123321
  • 123abc
  • 123qwe
  • 123asd
  • 1234abcd
  • 1234qwer
  • 1q2w3e
  • a1b2c3
  • admin
  • Admin
  • administrator
  • nimda
  • qwewq
  • qweewq
  • qwerty
  • qweasd
  • asdsa
  • asddsa
  • asdzxc
  • asdfgh
  • qweasdzxc
  • q1w2e3
  • qazwsx
  • qazwsxedc
  • zxcxz
  • zxccxz
  • zxcvb
  • zxcvbn
  • passwd
  • password
  • Password
  • login
  • Login
  • pass
  • mypass
  • mypassword
  • adminadmin
  • root
  • rootroot
  • test
  • testtest
  • temp
  • temptemp
  • foofoo
  • foobar
  • default
  • password1
  • password12
  • password123
  • admin1
  • admin12
  • admin123
  • pass1
  • pass12
  • pass123
  • root123
  • pw123
  • abc123
  • qwe123
  • test123
  • temp123
  • mypc123
  • home123
  • work123
  • boss123
  • love123
  • sample
  • example
  • internet
  • Internet
  • nopass
  • nopassword
  • nothing
  • ihavenopass
  • temporary
  • manager
  • business
  • oracle
  • lotus
  • database
  • backup
  • owner
  • computer
  • server
  • secret
  • super
  • share
  • superuser
  • supervisor
  • office
  • shadow
  • system
  • public
  • secure
  • security
  • desktop
  • changeme
  • codename
  • codeword
  • nobody
  • cluster
  • customer
  • exchange
  • explorer
  • campus
  • money
  • access
  • domain
  • letmein
  • letitbe
  • anything
  • unknown
  • monitor
  • windows
  • files
  • academia
  • account
  • student
  • freedom
  • forever
  • cookie
  • coffee
  • market
  • private
  • games
  • killer
  • controller
  • intranet
  • work
  • home
  • job
  • foo
  • web
  • file
  • sql
  • aaa
  • aaaa
  • aaaaa
  • qqq
  • qqqq
  • qqqqq
  • xxx
  • xxxx
  • xxxxx
  • zzz
  • zzzz
  • zzzzz
  • fuck
  • 12
  • 21
  • 321
  • 4321
  • 54321
  • 654321
  • 7654321
  • 87654321
  • 987654321
  • 0987654321
  • 0
  • 00
  • 000
  • 0000
  • 00000
  • 000000
  • 0000000
  • 00000000
  • 1
  • 11
  • 111
  • 1111
  • 11111
  • 111111
  • 1111111
  • 11111111
  • 2
  • 22
  • 222
  • 2222
  • 22222
  • 222222
  • 2222222
  • 22222222
  • 3
  • 33
  • 333
  • 3333
  • 33333
  • 333333
  • 3333333
  • 33333333
  • 4
  • 44
  • 444
  • 4444
  • 44444
  • 444444
  • 4444444
  • 44444444
  • 5
  • 55
  • 555
  • 5555
  • 55555
  • 555555
  • 5555555
  • 55555555
  • 6
  • 66
  • 666
  • 6666
  • 66666
  • 666666
  • 6666666
  • 66666666
  • 7
  • 77
  • 777
  • 7777
  • 77777
  • 777777
  • 7777777
  • 77777777
  • 8
  • 88
  • 888
  • 8888
  • 88888
  • 888888
  • 8888888
  • 88888888
  • 9
  • 99
  • 999
  • 9999
  • 99999
  • 999999
  • 9999999
  • 99999999
The following filename is used:
  • \%hostname%ADMIN$System32%variable%.dll
The worm schedules a task that causes the following file to be executed daily:
  • rundll32.exe %variable%.dll, %random_string%

Spreading on removable media

The worm copies itself into existing folders of removable drives.

The following filename is used:
  • %drive%RECYCLERS-%variable1%%variable2%.%variable3%
A string with variable content is used instead of %variable1-3%.

The worm creates the following file:
  • %drive%autorun.inf
Thus, the worm ensures it is started each time infected media is inserted into the computer.

Other information

The following services are disabled:
  • Windows Security Center Service (wscsvc)
  • Windows Automatic Update Service (wuauserv)
  • Background Intelligent Transfer Service (BITS)
  • Windows Defender Service (WinDefend)
  • Windows Error Reporting Service (ERSvc)
  • Windows Error Reporting Service (WerSvc)
The worm launches the following processes:
  • netsh interface tcp set global autotuning=disabled
The worm blocks access to any domains that contain any of the following strings in their name:
  • ahnlab
  • arcabit
  • avast
  • avira
  • castlecops
  • centralcommand
  • ahnlab
  • arcabit
  • avast
  • avira
  • castlecops
  • centralcommand
  • clamav
  • comodo
  • computerassociates
  • cpsecure
  • defender
  • drweb
  • emsisoft
  • esafe
  • eset
  • etrust
  • ewido
  • fortinet
  • f-prot
  • f-secure
  • gdata
  • grisoft
  • hacksoft
  • hauri
  • ikarus
  • jotti
  • k7computing
  • kaspersky
  • malware
  • mcafee
  • microsoft
  • networkassociates
  • nod32
  • norman
  • norton
  • panda
  • pctools
  • prevx
  • quickheal
  • rising
  • rootkit
  • securecomputing
  • sophos
  • spamhaus
  • spyware
  • sunbelt
  • symantec
  • threatexpert
  • trendmicro
  • virus
  • wilderssecurity
  • windowsupdate
  • avg.
  • avp.
  • bit9.
  • ca.
  • cert.
  • sans.
  • vet.
The worm will attempt to download several files from the Internet. The files are then executed.

The worm runs only encrypted and properly signed files.

These are stored in the following locations:
  • %temp%%variable%.tmp
A string with variable content is used instead of %variable%.

The worm may set the following Registry entries:
  • [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServices
    SharedAccessParametersFirewallPolicyStandardProfile
    GloballyOpenPortsList]
    "%port number%:TCP" = "%port
    number%:TCP:*:Enabled:%variable%"
The performed command creates an exception in the Windows Firewall.

The worm connects to the following addresses:
  • http://checkip.dyndns.org
  • http://www.whatismyip.org
  • http://www.whatsmyipaddress.com
  • http://www.getmyip.org
  • http://baidu.com
  • http://google.com
  • http://checkip.dyndns.org
  • http://www.whatismyip.org
  • http://www.whatsmyipaddress.com
  • http://www.getmyip.org
  • http://baidu.com
  • http://google.com
  • http://yahoo.com
  • http://msn.com
  • http://ask.com
  • http://w3.org