This is the primary variant of the Conficker/Downad family. This .DLL worm may be downloaded from remote sites by other malware, dropped by other malware, or arrive bundled with free software packages as a malware component.
Effects:
- This worm drops a copy of itself into the Windows system folder using a random file name with the .DLL extension, and checks whether a system is already infected so that it does not drop several copies of itself on the same system.
- It also locks its dropped copy to prevent users from reading, writing, and deleting it.
- It is capable of copying other functions used by other malware.
- It gives its dropped file the same timestamp as the Windows file KERNEL32.DLL, which is also located in the Windows system folder, so that the dropped copy does not stand out as a newly added file on the affected system. It applies this timestamp trick only on the following operating systems:
- Windows 2000
- Windows XP
- Windows Server 2003
- Windows Server 2003 R2
- If the affected system runs a different operating system, this worm checks for SERVICES.EXE in the list of running processes. If it finds that process, it loads itself into it.
- This worm registers itself as a system service to ensure its automatic execution at every system startup. It does this by creating the following registry keys and entries:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random service name}
  ImagePath = "C:\windows\system32\svchost.exe -k netsvcs"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random service name}\Parameters
  ServiceDll = "{malware path and file name}"
- It adds an entry in the value data of the following entry
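The persistence described above (a service hosted by svchost.exe in the netsvcs group whose ServiceDll points at a randomly named DLL) can be hunted for offline from a registry export. The following is an added example, not code from the original post or from any vendor tool: it parses a constructed `.reg` export of the Services hive and flags every netsvcs-hosted service whose ServiceDll file name is not in a baseline taken from a known-clean system. The service names, DLL names and the baseline set are all made up for the example; a real baseline would be captured from a clean host of the same Windows build.

```python
"""Flag svchost/netsvcs services whose ServiceDll is not in a known-clean baseline."""
import re
from os.path import basename

# Constructed sample of `reg export HKLM\SYSTEM\CurrentControlSet\Services`.
# Service names, DLL names and paths are made up for this example.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser]
"ImagePath"="%SystemRoot%\\System32\\svchost.exe -k netsvcs"
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Parameters]
"ServiceDll"="%SystemRoot%\\System32\\browser.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xkqpzwvn]
"ImagePath"="C:\\windows\\system32\\svchost.exe -k netsvcs"
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xkqpzwvn\Parameters]
"ServiceDll"="C:\\windows\\system32\\hgfkelsq.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"ImagePath"="%SystemRoot%\\System32\\spoolsv.exe"
"""

# Constructed baseline: lower-case file names of DLLs that legitimately run under
# netsvcs on the clean reference host. Only one entry here to keep the sample short.
BASELINE_NETSVCS_DLLS = {"browser.dll"}

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: value}} for string values."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            # .reg files escape backslashes and double quotes; undo that.
            raw = m.group(2).replace("\\\\", "\\").replace('\\"', '"')
            keys[current][m.group(1)] = raw
    return keys


def find_suspicious_netsvcs(keys, baseline):
    """Return [(service name, ServiceDll path)] for netsvcs services outside the baseline."""
    findings = []
    for key, values in keys.items():
        if key.lower().endswith("\\parameters"):
            continue  # handled via the parent service key
        image = values.get("ImagePath", "").lower()
        if "svchost.exe" not in image or "-k netsvcs" not in image:
            continue
        dll = keys.get(key + "\\Parameters", {}).get("ServiceDll", "")
        # Normalise the Windows path so basename() works on any host OS.
        dll_name = basename(dll.replace("\\", "/")).lower()
        if dll_name not in baseline:
            findings.append((key.rsplit("\\", 1)[-1], dll))
    return findings


def scan(text=SAMPLE_REG, baseline=BASELINE_NETSVCS_DLLS):
    return find_suspicious_netsvcs(parse_reg_export(text), baseline)


if __name__ == "__main__":
    for service, dll in scan():
        print(f"suspicious netsvcs service {service!r} -> ServiceDll {dll}")
```

On the constructed sample this reports the `xkqpzwvn` service with its randomly named DLL and stays silent on `Browser`. A baseline comparison is used rather than a "random-looking name" heuristic because the dropped DLL sits in the same system folder as legitimate service DLLs, so path-based rules alone would not separate the two.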
The worm propagates by exploiting the Server Service Vulnerability, which allows remote code execution when an affected system receives a specially crafted RPC request containing shellcode. Once this crafted RPC request reaches a vulnerable target, the shellcode is decrypted and retrieves certain APIs that download a copy of the worm from the already-affected system, which has been turned into an HTTP server for this purpose.
- During this exploitation, high traffic on TCP port 445 is seen, since this is the port that this worm uses.
- This worm is also capable of propagating over the Internet by attempting to send the exploit code to a random Internet address.
- It also attempts to connect to any of the following URLs to learn the public IP address of the affected computer:
- http://checkip.dyndns.org
- http://getmyip.co.uk
- http://www.getmyip.org
It also attempts to connect to http://www.{BLOCKED}d.com/download/geoip/database/GeoIP.dat.gz to download a file that indicates the location of the affected system.
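The spreading behaviour described above, one host sending the exploit to many random addresses on TCP port 445, shows up in flow logs as an unusually wide fan-out from a single source. The following is an added example, not code from the original post: a sliding-window detector over constructed flow records that raises an alert when one source contacts at least a threshold number of distinct destinations on port 445 within one minute. The flow data, the 60-second window and the threshold of 20 are assumptions for the example and would be tuned to the environment.

```python
"""Alert on hosts that contact many distinct peers on TCP/445 within a short window."""
from collections import defaultdict
from datetime import datetime, timedelta

BASE = datetime(2009, 1, 1, 12, 0, 0)

# Constructed flow records: (timestamp, source IP, destination IP, destination port).
# Not real traffic; built to contain one scanning host and one ordinary file-share client.
SAMPLE_FLOWS = []
for k in range(30):
    # Scanner: a new destination every two seconds, 30 peers in under a minute.
    SAMPLE_FLOWS.append((BASE + timedelta(seconds=2 * k), "10.0.0.5", f"10.0.1.{k + 1}", 445))
for k in range(5):
    # Normal client: repeated sessions to the same file server, plus one other share.
    SAMPLE_FLOWS.append((BASE + timedelta(seconds=10 * k), "10.0.0.9", "10.0.0.20", 445))
SAMPLE_FLOWS.append((BASE + timedelta(seconds=30), "10.0.0.9", "10.0.0.21", 445))
SAMPLE_FLOWS.append((BASE + timedelta(seconds=31), "10.0.0.9", "10.0.0.22", 80))  # not SMB


def detect_smb_fanout(flows, threshold=20, window=timedelta(seconds=60)):
    """Return {source IP: peak distinct TCP/445 destinations in any window} for sources
    that reach the threshold."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == 445:
            by_src[src].append((ts, dst))

    alerts = {}
    for src, events in by_src.items():
        events.sort()  # by timestamp
        start = 0
        for end, (ts_end, _) in enumerate(events):
            # Slide the window start forward until every event is within `window` of ts_end.
            while events[start][0] < ts_end - window:
                start += 1
            distinct = {dst for _, dst in events[start:end + 1]}
            if len(distinct) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(distinct))
    return alerts


if __name__ == "__main__":
    for src, peak in detect_smb_fanout(SAMPLE_FLOWS).items():
        print(f"{src}: {peak} distinct TCP/445 peers within one window")
```

Counting distinct destinations rather than raw connection count matters here: a busy client hammering one file server produces many 445 flows but only one peer, whereas the worm's random-address spreading produces a new peer per attempt.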