January 20, 2011


This is the primary variant of the family Conflicker/Downad. This .DLL worm may be downloaded from remote sites by other malware. It may be dropped by other malware. It may also arrive bundled with free software packages as a malware component.

  • This worm drops a copy of itself Windows system folder using a random file name with the .DLL extension and prevents dropping of several copies of itself on already affected systems.
  • It also locks its dropped copy to prevent users from reading, writing, and deleting it.
  • It is capable of copying other functions used by other malware.
  • It creates a file in the same time as the Windows file KERNEL32.DLL , which is also located in the Windows system folder, and this creation prevents itself from getting noticed as a newly added file on the affected system. It affects only the following operating system with the above created file
  1. Windows 2000
  2. Windows XP
  3. Windows Server 2003
  4. Windows Server 2003 R2
  • If the affected system has a different operating system, this worm checks for SERVICES.EXE in the list of running processes. If it finds that process, it loads itself into it. 

  • This worm registers itself as a system service to ensure its automatic execution at every system startup. It does this by creating the following registry keys and entries:
  1. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random service name}
    Image Path = "C:\windows\system32\svchost.exe -k netsvcs" 
  2. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random service name}\Parameters
    ServiceDll = "{malware path and file name}"
  • It adds an entry in the value data of the following entry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost

The worm propagates identifying the Server Service Vulnerability that allow remote code execution if an affected system received a specially crafted RPC request, which also contains a shellcode. Once this specially crafted RPC request reaches its target vulnerable system, the shellcode is decrypted, and then retrieves certain APIs capable of downloading a copy of the worm from the affected system, which is already converted into an HTTP server.
  • During this exploit, a high traffic on TCP port 445 is seen since this is the port that this worm uses.
  • This worm is also capable of propagating over the Internet by attempting to send the exploit code to a random Internet address.
It first broadcasts the opened random port that serves as an HTTP server so that it is accessible over the internet and gets the external IP address of the system to check if it has direct connection to the Internet.
  • It also attempts to connect any of the following URLs to know the IP address of the affected computer:
  • http://checkip.dyndns.org
  • http://getmyip.co.uk
  • http://www.getmyip.org

It also attempts to connect to http://www.{BLOCKED}d.com/download/geoip/database/GeoIP.dat.gz to download a file that indicates the location of the affected system.


Post a Comment

Related Posts Plugin for WordPress, Blogger...

Search This Blog



Twitter Delicious Facebook Digg Stumbleupon Favorites More