Short description
Win32/Conficker.X is a worm that repeatedly tries to connect to various web pages. It tries to download several files from the addresses. It can be controlled remotely.
Installation
When executed, the worm copies itself in some of the following locations:
- %system%\%variable%.dll
- %program files%\Internet Explorer\%variable%.dll
- %program files%\Movie Maker\%variable%.dll
- %program files%\Windows NT\%variable%.dll
- %appdata%\%variable%.dll
- %temp%\%variable%.dll
A string with variable content is used instead of %variable%.
The worm loads and injects the %variable%.dll library into the following processes:
- explorer.exe
- services.exe
- svchost.exe
The worm registers itself as a system service with the name combined from the following strings:
- App
- Audio
- DM
- ER
- Event
The service Display Name consists of some of the following strings:
- 64
- Adobe
- Agent
- App
- Assemblies
In order to be executed on every system start, the worm sets the following Registry entries:
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"%random1%" = "rundll32.exe "%variable%.dll",%random2%"
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"%random1%" = "rundll32.exe "%variable%.dll",%random2%"
%random1-2% stands for a random text.
The following Registry entries are set:
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%random service name%\Parameters]
"ServiceDll" = "%system%\%variable%.dll"
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%random service name%]
"Image Path" = "%System Root%\system32\svchost.exe -k netsvcs"
The following Registry entries are deleted:
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjects\{FD6905CE-952F-41F1-9A6F-135D9C6622CC}]
"wscsvc" = "%filepath%"
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender" = "%filepath%"
Other information
The worm terminates processes with any of the following strings in the name:
- autoruns
- avenger
- confick
- downad
- filemon
The following services are disabled:
- Windows Security Center Service (wscsvc)
- Windows Automatic Update Service (wuauserv)
- Background Intelligent Transfer Service (BITS)
- Windows Defender Service (WinDefend)
- Windows Error Reporting Service (ERSvc)
- Windows Error Reporting Service (WerSvc)
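As an added, read-only host check that is not part of the ESET description, the PowerShell below looks for the Registry, ServiceDll and service artefacts listed in the Installation and Other information sections above. It assumes an elevated PowerShell 5.1 or later on the host being checked, and reports leads for review rather than verdicts.

```powershell
# Added read-only triage script; not part of the ESET description. Assumes an
# elevated PowerShell (5.1 or later). Each hit is a lead for review, not a
# verdict: legitimate software also uses rundll32 autostarts, and the deleted
# keys below only exist on the XP/Vista-era Windows the worm targeted.
$findings = New-Object System.Collections.Generic.List[string]

# Run values that launch a DLL through rundll32 (the persistence form above)
foreach ($key in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
    if (-not (Test-Path $key)) { continue }
    (Get-ItemProperty $key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -match '(?i)rundll32.*\.dll' } |
        ForEach-Object { $findings.Add("Run value '$($_.Name)' under $key = $($_.Value)") }
}

# netsvcs-hosted services whose ServiceDll is not a validly Microsoft-signed file
foreach ($svc in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue) {
    $img = (Get-ItemProperty $svc.PSPath -ErrorAction SilentlyContinue).ImagePath
    if ("$img" -notmatch '(?i)svchost\.exe\s+-k\s+netsvcs') { continue }
    $dll = (Get-ItemProperty "$($svc.PSPath)\Parameters" -ErrorAction SilentlyContinue).ServiceDll
    if (-not $dll) { continue }
    $dll = [Environment]::ExpandEnvironmentVariables($dll)
    $sig = Get-AuthenticodeSignature -FilePath $dll -ErrorAction SilentlyContinue
    if (-not $sig -or $sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
        $findings.Add("Service '$($svc.PSChildName)' loads ServiceDll without a valid Microsoft signature: $dll")
    }
}

# Keys and values the worm deletes (SafeBoot, the Security Center shell service
# object, the Windows Defender autostart); check they are still present
$sso = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjects\{FD6905CE-952F-41F1-9A6F-135D9C6622CC}'
foreach ($k in 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot', $sso) {
    if (-not (Test-Path $k)) { $findings.Add("Registry key missing: $k") }
}
$run = Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run -and -not $run.PSObject.Properties['Windows Defender']) {
    $findings.Add('Run value "Windows Defender" missing from HKLM Run key')
}

# Services the worm disables
foreach ($name in 'wscsvc','wuauserv','BITS','WinDefend','ERSvc','WerSvc') {
    $s = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($s -and $s.StartType -eq 'Disabled') { $findings.Add("Service $name is disabled") }
}

if ($findings.Count -eq 0) { Write-Output 'No Conficker-style artefacts found' }
else { $findings | ForEach-Object { Write-Output "[!] $_" } }
```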
The worm connects to the following servers to obtain the current date and time:
- 2ch.net
- 4shared.com
- 56.com
- adobe.com
- adsrevenue.net
- ask.com
- baidu.com
- facebook.com
- google.com
- imageshack.us
The worm blocks access to any domains that contain any of the following strings in their name:
- agnitum
- ahnlab
- anti-
- antivir
- arcabit
If the current system date and time matches certain conditions, the worm will attempt to download several files from the Internet.
The URL address is generated randomly. The top-level domain is chosen from the following list:
- .ac
- .ae
- .ag
- .am
- .as
The worm runs only encrypted and properly signed files. The file is stored into the following folder:
- %temp%
If successful the following filename is used:
- %variable%.tmp
The worm contains a list of blacklisted IP addresses.
The worm opens a random TCP, UDP port.
The worm receives data and instructions for further action from the Internet or another remote computer within its own network (botnet).
