Posts Tagged ‘Malwares’

Conficker worm on its pursuit updates itself !

March 19th, 2009 3 comments

Conficker B++, evil twin of Conficker, also known as W32/Conficker.worm, Downup, W32.Downadup and Kido, is a worm that takes advantage of Windows security vulnerability called MS08-067 in order to spread itself across networks. Once infected, Conficker may disable Windows system services such as Windows Defender, Automatic Backup, Windows Error Reporting, and Windows Automatic Update. Conficker could block certain security websites and may install further malware on your computer.


Conficker A (left) /B (right): Top-level control flow

Source :

Conficker B uses a different set of sites to query its external-facing IP address,,,  It does not download the fraudware Antivirus XP software that version A attempts to download.   Conficker’s propagation methods vary among A and B.
Like Conficker A, after a relatively short initialization phase  followed by a scan and infect stage,  Conficker B proceeds to generate a daily list of domains to probe for the download of an additional payload.

A New Backdoor Service
Conficker B++ has added a new method for remote Win32 binary retrieval and execution.  This new method entails the use a named pipe to receiving URLs from remote systems, retrieval of Win32 binaries using this URL, validation that the downloaded executable is properly signed by the Conficker authors, and immediate execution of the binary.

The new Conficker variant adds an extra function to the main thread if the OS is Windows XP, Windows 2000, or Windows 2003 Server

Conficker is known to block access to over 100 anti-virus and security websites.

OpenDNS, the free DNS service, plans to start blocking the Conficker worm’s attempts to connect to potential control servers using a predicted address list provided by Kaspersky. According to The Register, the new free service will also be able to alert administrators to the presence of the Conficker worm and assist them in locating infected machines.

Microsoft offers $250,000 reward for information leading to the arrest and conviction for the cybercriminals responsible for the fast spreading Conficker/Downadup worm.

Computer users who already have their Automatic Update feature turned on for Microsoft Windows Update may not be vulnerable to the Conficker worm. Upon detection of the Conficker worm, it is recommended that you configure your computer to receive critical updates and patches from Microsoft and run a full scan with an up-to-date version of your anti-virus or anti-malware program. Conficker may attempt to recreate itself on reboot.

Download Free Conficker Removal Tool
Download Free Conficker Removal Tool


Joe Stewart from the Conficker Working Group has created an eye chart that allows for online identification of Conficker B and C infections. The idea is to load content from sites that are blocked by Conficker.

Check now

If you can see all six images in both rows of the top table, you are either not infected by Conficker, or you may be using a proxy server, in which case you will not be able to use this test to make an accurate determination, since Conficker will be unable to block you from viewing the AV/security sites.

Possibly Related Posts:

Conficker (AKA Downadup or Kido) Infections shooting to an estimate of 9 million

January 21st, 2009 No comments

Experts are warning that hackers have yet to activate the payload of the Conficker virus.

The worm is spreading through low security networks, memory sticks, and PCs without the latest security updates.


The worm can also spread via USB flash drives


According to Microsoft, the worm works by searching for a Windows executable file called “services.exe” and then becomes part of that code.

It then copies itself into the Windows system folder as a random file of a type known as a “dll”. It gives itself a 5-8 character name, such as piftoc.dll, and then modifies the Registry, which lists key Windows settings, to run the infected dll file as a service.

Once the worm is up and running, it creates an HTTP server, resets a machine’s System Restore point (making it far harder to recover the infected system) and then downloads files from the hacker’s web site.

The worm disables system restore, blocks access to security websites, and downloads additional malware to infected machines.

Most malware uses one of a handful of sites to download files from, making them fairly easy to locate, target, and shut down.

But Conficker does things differently.

Anti-virus firm F-Secure says that the worm uses a complicated algorithm to generate hundreds of different domain names every day, such as,, and Only one of these will actually be the site used to download the hackers’ files. On the face of it, tracing this one site is almost impossible.

Kaspersky Lab’s security analyst Eddy Willems said that a new strain of the worm was complicating matters.

“There was a new variant released less than two weeks ago and that’s the one causing most of the problems,” said Mr Willems

“The replication methods are quite good. It’s using multiple mechanisms, including USB sticks, so if someone got an infection from one company and then takes his USB stick to another firm, it could infect that network too. It also downloads lots of content and creating new variants though this mechanism.

“Of course, the real problem is that people haven’t patched their software,” he added.

Microsoft says that the malware has infected computers in many different parts of the world, with machines in China, Brazil, Russia, and India having the highest number of victims.

The Downadup worm that exploits a months-old Windows bug/vulnerability has infected more than a million PCs in the past 24 hours, a security company said today. Aliases of the worm are Worm.Conficker [PCTools], W32.Downadup [Symantec], Net-Worm.Win32.Kido.ih [Kaspersky Lab], W32/Conficker.worm [McAfee], W32/Confick-A [Sophos], Worm:Win32/Conficker.A [Microsoft], Worm.Win32.Conficker [Ikarus]

Keep your Windows and Antivirus definition updated.

If you’re a victim of this worm, you could visit F-Secure’s Malware Information page for more information for its removal from your computer system.

Source : BBC News

Possibly Related Posts: