Net-Worm.Win32.Kido / Conficker.A-C Worm
From Total Malware Info
Editing Net-Worm.Win32.Kido is an Internet worm that spreads through removable drives and network channels. It is Windows (PE DLL-file). The file is from 56,320 to 162,528 bytes. Depending on the version can be packed by UPX.
Net-Worm.Win32.Kido also known as Conficker.A-C Worm.
Contents |
Installation
Once launched, the Trojan copies itself to the Windows system folders, such as:
%System%\<rnd>.dll %Program Files%\Internet Explorer\<rnd>.dll %Program Files%\Movie Maker\<rnd>].dll %All Users Application Data%\<rnd>.dll %Temp%\<rnd>.dll %System%\<rnd>.tmp %Temp%\<rnd>.tmp
where <rnd> — random sequence of characters.
All versions of the worm modify the following registry values:
- Disable the displaying of hidden files and folders:
[HKCR\ Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced] "Hidden" = "dword: 0x00000002" "SuperHidden" = "dword: 0x00000000" [HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL] "CheckedValue" = "dword: 0x00000000"
In some versions also changes the following values (e.g. Net-Worm.Win32.Kido.be):
- Show archived files and folders in another color:
[HKCR\ Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced] "ShowCompColor" = "1"
- Hide the extension for registered file types:
[HKCR\ Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced] "HideFileExt" = "1"
- Changes the control of case for folder and file names:
[HKCR\ Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced] "DontPrettyPath" = "1"
Add the reference to itself as a service:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost] "netsvcs"="<previous value> <worm service name>"
that purpose the worm also creates the service key:
[HKLM\SYSTEM\CurrentControlSet\Services\<%rnd%>] "Description"="<описание одной из системных служб>" "DisplayName" ="Manager Security" "ImagePath" = REG_EXPAND_SZ, "%SystemRoot%\system32\svchost.exe -k netsvcs" "Start" ="dword:0x00000002" [HKLM\SYSTEM\CurrentControlSet\Services\<%rnd%>\Parameters] "ServiceDll"="%System%\<%rnd%>.dll"
where %rnd% — random sequence of characters.
The service name is a combination of the following words:
- Boot
- Center
- Config
- Driver
- Helper
- Image
- Installer
- Manager
- Microsoft
- Monitor
- Network
- Security
- Server
- Shell
- Support
- System
- Task
- Time
- Universal
- Update
- Windows
For example:
Payload
The worm is equipped with antidebbuging protection and determines the presence of a virtual environment.
Disable the following services depending on the version:
- Windows Automatic Update Service (wuauserv)
- Background Intelligent Transfer Service (BITS)
- Windows Security Center Service (wscsvc)
- Windows Defender Service (WinDefend, WinDefender)
- Windows Error Reporting Service (ERSvc)
- Windows Error Reporting Service (WerSvc)
To do this, it changes the initial value of Start for each service:
- "Start" ="dword:0x00000004"
In last versions the worm also terminates the processes with the following strings in names:
- wireshark
- unlocker
- tcpview
- sysclean
- scct_
- regmon
- procmon
- procexp
- ms08-06
- mrtstub
- mrt.
- mbsa.
- klwk
- kido
- kb958
- kb890
- hotfix
- gmer
- filemon
- downad
- confick
- avenger
- autoruns
For Windows Vista disables TCP/IP stack autoconfiguration in order to accelerate its propogation through the network, using fixed TCP frame size of packet:
netsh interface tcp set global autotuning=disabled
The worm injects its code into the svchost.exe (also in explorer.exe, services.exe):
The worm extracts the driver TcpIp_Pref driver, which serves to provide direct access to the network. It is 4096 bytes. Driver is accesed by the following symbolic links:
- \\.\DosDevices\TcpIp_Perf
- \\.\Devices\TcpIp_Perf
The worm also sets a trap for the following API calls (from the library dnsrslvr.dll) in order to block the access to the list of user domains:
- DNS_Query_A
- DNS_Query_UTF8
- DNS_Query_W
- Query_Main
- sendto
In such way it blocks the websites with the following lines in domain name:
- ahnlab
- arcabit
- avast
- avg
- avira
- avp
- bit9
- ca
- castlecops
- centralcommand
- cert
- clamav
- comodo
- computerassociates
- cpsecure
- defender
- drweb
- emsisoft
- esafe
- eset
- etrust
- ewido
- fortinet
- f-prot
- f-secure
- gdata
- grisoft
- hacksoft
- hauri
- ikarus
- jotti
- k7computing
- kaspersky
- malware
- mcafee
- microsoft
- nai
- networkassociates
- nod32
- norman
- norton
- panda
- pctools
- prevx
- quickheal
- rising
- rootkit
- sans
- securecomputing
- sophos
- spamhaus
- spyware
- sunbelt
- symantec
- threatexpert
- trendmicro
- vet
- virus
- wilderssecurity
- windowsupdate
As the result the user cannot open the websites where the antivirus updates or special removal utilities are placed.
The worm checks the connection to the Internet, visiting the following sites:
- 2ch.net
- 4shared.com
- 56.com
- adsrevenue.net
- adultadworld.com
- adultfriendfinder.com
- aim.com
- alice.it
- allegro.pl
- ameba.jp
- ameblo.jp
- answers.com
- apple.com
- ask.com
- aweber.com
- awempire.com
- badongo.com
- badoo.com
- bbc.co.uk
- bebo.com
- biglobe.ne.jp
- bigpoint.com
- blogfa.com
- clicksor.com
- comcast.net
- conduit.com
- craigslist.org
- cricinfo.com
- dell.com
- depositfiles.com
- digg.com
- disney.go.com
- doubleclick.com
- download.com
- ebay.co.uk
- ebay.com
- ebay.de
- ebay.it
- espn.go.com
- facebook.com
- fastclick.com
- fc2.com
- files.wordpress.com
- flickr.com
- fotolog.net
- foxnews.com
- friendster.com
- geocities.com
- go.com
- goo.ne.jp
- google.com
- googlesyndication.com
- gougou.com
- hi5.com
- hyves.nl
- icq.com
- imageshack.us
- imagevenue.com
- imdb.com
- imeem.com
- ioctlsocket
- kaixin001.com
- kooora.com
- linkbucks.com
- linkedin.com
- live.com
- livedoor.com
- livejasmin.com
- livejournal.com
- mail.ru
- mapquest.com
- mediafire.com
- megaclick.com
- megaporn.com
- megaupload.com
- metacafe.com
- metroflog.com
- miniclip.com
- mininova.org
- mixi.jp
- msn.com
- multiply.com
- myspace.com
- mywebsearch.com
- narod.ru
- naver.com
- nba.com
- netflix.com
- netlog.com
- nicovideo.jp
- ning.com
- odnoklassniki.ru
- orange.fr
- partypoker.com
- paypopup.com
- pconline.com.cn
- pcpop.com
- perfspot.com
- photobucket.com
- pogo.com
- pornhub.com
- rambler.ru
- rapidshare.com
- recvfrom
- rediff.com
- reference.com
- sakura.ne.jp
- seesaa.net
- seznam.cz
- skyrock.com
- sonico.com
- soso.com
- sourceforge.net
- studiverzeichnis.com
- tagged.com
- taringa.net
- terra.com.br
- thepiratebay.org
- tianya.cn
- tinypic.com
- torrentz.com
- tribalfusion.com
- tube8.com
- tudou.com
- tuenti.com
- typepad.com
- ucoz.ru
- veoh.com
- verizon.net
- vkontakte.ru
- vnexpress.net
- wikimedia.org
- wikipedia.org
- wordpress.com
- xhamster.com
- xiaonei.com
- xnxx.com
- xvideos.com
- yahoo.co.jp
- yahoo.com
- yandex.ru
- youporn.com
- youtube.com
- zedo.com
- ziddu.com
- zshare.net
If the connection is established, the worm downloads its updates from the following URL if the file the necessary worm signature:
- http://<URL>/search?q=<%rnd2%>
The URL is formed according to special algorithm based on current date information.
The worm retrieves current date from the following domains:
- http://www.w3.org
- http://www.ask.com
- http://www.yahoo.com
- http://www.google.com
- http://www.baidu.com
As a result the algorithm generates a lot of domain names, many of them are resolved (during 30 minutes of work it has been received more than 40 real domain names):
The worm also has a special blacklist that IP addresses of antivirus companies and other software and security companies (Microsoft, Computer Associates, McAfee, Symantec, Trend Micro, F-Secure, Eset, Sunbelt Software, etc). There are 399 blacklisted IP subnets.
To check its presence in the system creates the following unique identifier:
- Global\%rnd%-%rnd%
In earlier versions of the worm (Net-Worm.Win32.Kido.a) the file was loaded by the following link:
Network Propagation
In order to determine the external IP address of the infected system the worm connects to the following servers:
- http://www.getmyip.org
- http://www.whatsmyipaddress.com
- http://www.whatismyip.org
- http://checkip.dyndns.org
After that the worm runs an HTTP server on an arbitrary TCP port, which is used to download an executable file of the worm to other computers.
To ensure global access to a running server searches and configuring the Internet gateway:
The copies have following extensions:
- bmp
- gif
- jpeg
- png
Adds the value to the firewall policy in the registry, which contains the information about the ports used:
[HKLM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List] "7417:TCP "="7417:TCP:*:Enabled:<%rnd%>"
Worm gets a list of IP addresses of computers in network environment and attacks them using a buffer overflow vulnerability MS08-067 in service "Server" (http://www.microsoft.com/technet/security/Bulletin/MS08-067. mspx). To do this, the worm sends a remote machine specially crafted RPC-request on TCP port 445 (MICROSOFT_DS), which causes a buffer overflow in the function call in wcscpy_s NetpwPathCanonicalize () (library netapi32.dll), resulting in running a special downloader code. It downloads the worm's executable file from the infected machine and launches it on target machine.
To accelerate the spreading the worm modifies the following registry value:
[HKLM\ SYSTEM\CurrentControlSet\Services\Tcpip\Parameters] "TcpNumConnections" = "dword:0x00FFFFFE"
Also worm can propagate by copying itself to admin shares. To do this, the worm searches for a suitable computer in the network and obtains for him a list of usernames. For each user account name consistently enumerates the passwords from the dictionary, containing 245 passwords.
When the administrator access is granted, the worm copies itself to the following shared folders:
\\< host IP >\ADMIN$\System32\<rnd>.<rnd> \\<host IP>\IPC$\<rnd>.<rnd>
Then the worm's file can be run or scheduled to run remotely using the following command:
rundll32.exe <path to worm file>, <rnd>
Removable Drive Spreading
Copies its executable file to all removable drives with the following name:
- <X>:\RECYCLER\S-<%d%>-<%d%>-<%d%>-<%d%>-<%d%>-<%d%>-<%d%>\<rnd>.vmx
where rnd — random string of characters, d — random number, X — removable drive letter; and:
- <X>:\autorun.inf
The autorun script launches the worm's file, each time the user opens the infected disk using the "Explore".
Removal Instructions
- Delete the worm’s service reference from the following value:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost] "netsvcs"="<previous value> <worm service name>"
- Reboot the system.
- Delete the service key of the worm:
[HKLM\SYSTEM\CurrentControlSet\Services\<%rnd%>]
- Restore the following values in registry:
[HKCR\ Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced] "Hidden" = "dword: 0x00000002" "SuperHidden" = "dword: 0x00000000"
to
[HKCR\ Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced] "Hidden" = "dword: 0x00000001" "SuperHidden" = "dword: 0x00000001"
Then restore the key:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL] "CheckedValue" = "dword: 0x00000000"
to
[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL] "CheckedValue" = "dword: 0x00000001"
- Delete worm files:
%System%\<rnd>.dll %Program Files%\Internet Explorer\<rnd>.dll %Program Files%\Movie Maker\<rnd>].dll %All Users Application Data%\<rnd>.dll %Temp%\<rnd>.dll %System%\<rnd>.tmp %Temp%\<rnd>.tmp
where <rnd> — random string of characters.
- Delete worm files from all removable drives:
<X>:\autorun.inf <X>:\RECYCLER\S-<%d%>-<%d%>-<%d%>-<%d%>-<%d%>-<%d%>-<%d%>\<rnd>.vmx.
- Restore launching of the following Windows services if necessary:
wscsvc - Security Center wuauserv - Automatic updates BITS - Background Intelligent Transfer Service WinDefend - Windows Defender ERSvc - Error Reporting Service WerSvc - Windows Error Reporting Service
- Download and install Windows update: http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
Video
See more videos at www.youtube.com/user/dntlab.
