Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically

Short description
Win32/Conficker.X is a worm that repeatedly tries to connect to various web pages. It tries to download several files from the addresses. It can be controlled remotely.
Installation
When executed, the worm copies itself to some of the following locations:
  • %system%\%variable%.dll
  • %program files%\Internet Explorer\%variable%.dll
  • %program files%\Movie Maker\%variable%.dll
  • %program files%\Windows NT\%variable%.dll
  • %appdata%\%variable%.dll
  • %temp%\%variable%.dll
A string with variable content is used instead of %variable%.

The worm loads and injects the %variable%.dll library into the following processes:
  • explorer.exe
  • services.exe
  • svchost.exe
The worm registers itself as a system service with a name combined from the following strings:
  • App
  • Audio
  • DM
  • ER
  • Event

The service Display Name consists of some of the following strings:
  • 64
  • Adobe
  • Agent
  • App
  • Assemblies
In order to be executed on every system start, the worm sets the following Registry entries:
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "%random1%" = "rundll32.exe "%variable%.dll",%random2%"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "%random1%" = "rundll32.exe "%variable%.dll",%random2%"
%random1% and %random2% stand for random text.

The following Registry entries are set:
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%random service name%\Parameters]
    "ServiceDll" = "%system%\%variable%.dll"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%random service name%]
    "Image Path" = "%System Root%\system32\svchost.exe -k netsvcs"
The following Registry entries are deleted:
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjects\{FD6905CE-952F-41F1-9A6F-135D9C6622CC}]
    "wscsvc" = "%filepath%"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "Windows Defender" = "%filepath%"
Other information
The worm terminates any process whose name contains one of the following strings:
  • autoruns
  • avenger
  • confick
  • downad
  • filemon
The following services are disabled:
  • Windows Security Center Service (wscsvc)
  • Windows Automatic Update Service (wuauserv)
  • Background Intelligent Transfer Service (BITS)
  • Windows Defender Service (WinDefend)
  • Windows Error Reporting Service (ERSvc)
  • Windows Error Reporting Service (WerSvc)
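As an added example that is not part of this encyclopedia entry, the following Python script applies three of the host indicators described above to an exported .reg file: a svchost-hosted service whose ServiceDll sits in one of the listed drop directories, a Run entry that launches rundll32.exe with a DLL from those directories, and one of the listed security services set to disabled. The sample export, the service name AppDM, the DLL names and the mapping of %appdata% and %temp% to XP-style and Vista-style paths are constructed assumptions.

```python
import re
# Drop directories from the page, with %appdata% and %temp% written as XP-style and
# Vista-style paths (assumed); %system% is omitted because real svchost services live there too.
SUSPECT_DIRS = ("\\program files\\internet explorer\\", "\\program files\\movie maker\\",
                "\\program files\\windows nt\\", "\\application data\\",
                "\\appdata\\roaming\\", "\\temp\\")
# Services the page says the worm disables (registry Start = 4 means "disabled").
PROTECTED_SERVICES = {"wscsvc", "wuauserv", "bits", "windefend", "ersvc", "wersvc"}
VAL_RE = re.compile(r'^"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{1,8}))$')

def parse_reg(text):
    key = None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VAL_RE.match(line)):
            name, s, d = m.groups()
            # .reg escapes embedded quotes as \" and backslashes as \\
            value = int(d, 16) if s is None else s.replace('\\"', '"').replace("\\\\", "\\")
            yield key, name, value

def in_suspect_dir(path):
    return path.lower().endswith(".dll") and any(d in path.lower() for d in SUSPECT_DIRS)

def find_conficker_indicators(reg_text):
    """Return (rule, key, value) triples for the persistence and tampering indicators."""
    findings = []
    for key, name, value in parse_reg(reg_text):
        k, n, v = key.lower(), name.lower(), str(value)
        if n == "servicedll" and k.endswith("\\parameters") and in_suspect_dir(v):
            findings.append(("servicedll-in-drop-dir", key, value))
        elif k.endswith("\\run") and v.lower().startswith("rundll32"):
            m = re.search(r'"([^"]+\.dll)"|(\S+\.dll)', v, re.I)
            if m and in_suspect_dir(m.group(1) or m.group(2)):
                findings.append(("run-rundll32-drop-dir", key, value))
        elif n == "start" and value == 4 and k.rsplit("\\", 1)[-1] in PROTECTED_SERVICES:
            findings.append(("security-service-disabled", key, value))
    return findings

# Constructed sample export: disabled wscsvc, a worm-style service beside a benign one, a Run loader.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AppDM\Parameters]
"ServiceDll"="C:\\Program Files\\Movie Maker\\xkqzv.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters]
"ServiceDll"="C:\\WINDOWS\\system32\\dnsrslvr.dll"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"qwerty"="rundll32.exe \"C:\\Documents and Settings\\u\\Local Settings\\Temp\\abcd.dll\",efgh"
'''
```

Run it against the output of `reg export HKLM\SYSTEM\CurrentControlSet\Services` and the two Run keys; a ServiceDll outside %system% is the strongest of the three signals, since the disabled services and the Run entry can also have benign causes.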
The worm connects to the following addresses:
  • 2ch.net
  • 4shared.com
  • 56.com
  • adobe.com
  • adsrevenue.net
The worm connects to the following servers to obtain the current date and time:
  • ask.com
  • baidu.com
  • facebook.com
  • google.com
  • imageshack.us
The worm blocks access to any domains that contain any of the following strings in their name:
  • agnitum
  • ahnlab
  • anti-
  • antivir
  • arcabit
If the current system date and time matches certain conditions, the worm will attempt to download several files from the Internet.

The URL is generated randomly. The top-level domain is chosen from the following list:
  • .ac
  • .ae
  • .ag
  • .am
  • .as

The worm runs only encrypted and properly signed files. The downloaded file is stored in the following folder:
  • %temp%
If successful, the following filename is used:
  • %variable%.tmp
A string with variable content is used instead of %variable%.

The worm contains a list of blacklisted IP addresses.

The worm opens a random TCP or UDP port.

The worm receives data and instructions for further action from the Internet or another remote computer within its own network (botnet).