Thirtyseven4 Antivirus | AntiMalware | AntiRootkit | AntiSpyware

I-WORM.KIDO (CONFICKER)


Name:

I-Worm.Kido (Conficker)

Added:

January 6, 2009

Type:

Worm

Risk:

High

Payload:

Deletes System Restore points, disables security-related services, disables Windows services, blocks access to security websites

At risk systems:

Windows 95/98/ME/XP/NT/2003


Description:


When I-Worm.Kido is executed, it performs the following activities:

This worm infects other computers across a network by exploiting a vulnerability in the Windows Server service (SVCHOST.EXE). If the vulnerability is successfully exploited, it could allow remote code execution when file sharing is enabled.

It copies itself as one or more of the following files:

%ProgramFiles%\Internet Explorer\{Random Name}.dll
%ProgramFiles%\Movie Maker\{Random Name}.dll
%System%\{Random Name}.dll
%Temp%\{Random Name}.dll
%Documents and Settings%\All Users\Application Data\{Random Name}.dll


It creates/modifies the following registry entries:

{Random Name} = "rundll32.exe "{Random Name}.dll", ydmmgvos"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Service name = {Random Name}
Display name = {Random Name}
Startup Type = Automatic
ImagePath = "%System%\svchost.exe -k netsvcs"
HKLM\System\CurrentControlSet\Services\{Random Name}

dl = "0"
ds = "0"
HKCU\Software\Microsoft\Windows\CurrentVersion\Applets

dl = "0"
ds = "0"
HKLM\Software\Microsoft\Windows\CurrentVersion\Applets

CheckedValue = "0"
HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL

It also modifies the following registry entry so that the worm spreads rapidly across a network:

TcpNumConnections = "00FFFFFE"
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters

This worm may delete System Restore points created by the user. It disables several important system services and security products.

We strongly recommend that users apply the Microsoft security update. Users may refer to the web address below to apply it:

http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

We also recommend that users ensure that their network passwords are strong, to prevent this worm from spreading via weak administrator passwords.

The following services are disabled or fail to run:

* Windows Update Service
* Background Intelligent Transfer Service
* Windows Defender
* Windows Error Reporting Services

Users may not be able to connect to websites or online services whose addresses contain the following strings:

QuickHeal
virus
spyware
malware
rootkit
defender
microsoft
symantec
norton
mcafee
trendmicro
sophos
panda
etrust
networkassociates
computerassociates
f-secure
kaspersky
jotti
f-prot
nod32
eset
grisoft
drweb
centralcommand
ahnlab
esafe
avast
avira
quickheal
comodo
clamav
ewido
fortinet
gdata
hacksoft
hauri
ikarus
k7computing
norman
pctools
prevx
rising
securecomputing
sunbelt
emsisoft
arcabit
cpsecure
spamhaus
castlecops
threatexpert
wilderssecurity
windowsupdate

It connects to the following websites to obtain the IP address of the compromised computer:

http://www.getmyip.org
http://www.whatsmyipaddress.com
http://getmyip.co.uk
http://checkip.dyndns.org
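The file, registry and service changes described above can be checked for on a single host with the following triage script. It is an added example, not part of the Thirtyseven4 advisory: it assumes PowerShell 3 or later, an elevated prompt, and that the disabled services correspond to the service names wuauserv, BITS, WinDefend and WerSvc. A hit is an indication to investigate, not proof of infection.

```powershell
# Added triage script (not from the Thirtyseven4 advisory): checks a Windows host
# for the registry, service and file indicators the advisory describes.
$hits = @()

# 1. Explorer "show all hidden files" setting forced to 0 (the default is 1)
$showAll = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
if ((Get-ItemProperty -Path $showAll -ErrorAction SilentlyContinue).CheckedValue -eq 0) {
    $hits += 'SHOWALL\CheckedValue is 0 (hidden files suppressed)'
}

# 2. "dl" / "ds" marker values under the Applets key, in both HKCU and HKLM
foreach ($hive in 'HKCU', 'HKLM') {
    $applets = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Applets"
    $p = Get-ItemProperty -Path $applets -ErrorAction SilentlyContinue
    if ($p -and (($p.PSObject.Properties.Name -contains 'dl') -or ($p.PSObject.Properties.Name -contains 'ds'))) {
        $hits += "$applets has dl/ds marker value(s)"
    }
}

# 3. TcpNumConnections raised to 0x00FFFFFE to speed up network spreading
$tcp = Get-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters' -ErrorAction SilentlyContinue
if ($tcp.TcpNumConnections -eq 0x00FFFFFE) { $hits += 'TcpNumConnections is 0x00FFFFFE' }

# 4. HKCU Run values of the form: rundll32.exe "<name>.dll", <export>
$run = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
foreach ($prop in $run.PSObject.Properties) {
    if ($prop.Value -match '(?i)rundll32(\.exe)?\s+"?[^"]+\.dll"?\s*,\s*\w+') {
        $hits += "Run value '$($prop.Name)' = $($prop.Value)"
    }
}

# 5. Services the advisory says are stopped or disabled (service names are an assumption)
foreach ($svc in 'wuauserv', 'BITS', 'WinDefend', 'WerSvc') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($s -and $s.Status -ne 'Running') { $hits += "Service $svc is $($s.Status)" }
}

# 6. DLLs without a valid Authenticode signature in the drop folders the advisory lists
$dirs = @("$env:ProgramFiles\Internet Explorer", "$env:ProgramFiles\Movie Maker", $env:TEMP)
foreach ($d in $dirs) {
    Get-ChildItem -Path $d -Filter *.dll -File -ErrorAction SilentlyContinue | ForEach-Object {
        if ((Get-AuthenticodeSignature -FilePath $_.FullName).Status -ne 'Valid') {
            $hits += "Unsigned DLL: $($_.FullName)"
        }
    }
}

if ($hits) { $hits | ForEach-Object { Write-Output "[!] $_" } } else { Write-Output 'No indicators found' }
```

Unsigned DLLs in %Temp% are common on a normal host, so treat check 6 as a list to review rather than a verdict; the registry and TcpNumConnections checks are the more specific indicators.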

Copyright Thirtyseven4 LLC. 2011  All Rights Reserved