Worm:Win32/Conficker.B may also spread via removable drives and weak administrator passwords. It disables several important system services and security products.
Its Aliases
- TA08-297A (other)
- CVE-2008-4250 (other)
- VU827267 (other)
- Win32/Conficker.A (CA)
- Mal/Conficker-A (Sophos)
- Trojan.Win32.Agent.bccs (Kaspersky)
- W32.Downadup.B (Symantec)
- Confickr (other)
The name of this threat was derived by selecting fragments of the domain 'trafficconverter.biz', a string found in Worm:Win32/Conficker.A:
(fic)(con)(er) => (con)(fic)(+k)(er) => conficker
Worm:Win32/Conficker.B attempts to copy itself in the Windows system folder as a hidden DLL file using a random name. If the attempt fails, it may then attempt to copy itself with the same parameters in the following folders:
%ProgramFiles%\Internet Explorer
%ProgramFiles%\Movie Maker
It creates the following registry entry to ensure that its dropped copy is run every time Windows starts:
Adds value: "<random string>"
With data: "rundll32.exe <system folder>\<malware file name>.dll,<malware parameters>"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
It may also load itself as a service that is launched when the netsvcs group is loaded by the system file svchost.exe.
It may also load itself as a fake service by registering itself under the following key:
HKLM\SYSTEM\CurrentControlSet\Services
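The two persistence mechanisms above (a rundll32 Run-key entry pointing at a hidden, randomly named DLL, and a service loaded into the svchost netsvcs group) are what a responder looks for first. The PowerShell below is an added hunting example, not code from the Microsoft page: it assumes an elevated PowerShell on the host being inspected, checks the HKLM Run key alongside the HKCU key the page names, and treats a DLL as suspicious when it is hidden or not Microsoft-signed. That is a triage heuristic, not proof of infection.

```powershell
# Added hunting example (not from the Microsoft page). Flags rundll32 Run-key
# entries and netsvcs services whose DLL is hidden or not Microsoft-signed.
# Assumptions: elevated session; HKLM Run key added to the page's HKCU key.

function Test-SuspiciousDll {
    param([string]$Path)
    $expanded = [Environment]::ExpandEnvironmentVariables($Path.Trim('"'))
    if (-not (Test-Path -LiteralPath $expanded)) {
        return [pscustomobject]@{ Path = $expanded; Reason = 'file missing' }
    }
    $item    = Get-Item -LiteralPath $expanded -Force   # -Force so hidden files are returned
    $sig     = Get-AuthenticodeSignature -FilePath $expanded
    $reasons = @()
    if ($item.Attributes -band [IO.FileAttributes]::Hidden) { $reasons += 'hidden' }
    # Caveat: on Windows 7 and earlier, catalog-signed OS DLLs report NotSigned here,
    # so confirm a hit with a file hash or an AV scan before acting on it.
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notlike '*Microsoft*') {
        $reasons += "signature=$($sig.Status)"
    }
    if ($reasons.Count -eq 0) { return $null }
    [pscustomobject]@{ Path = $expanded; Reason = ($reasons -join ', ') }
}

function Get-SuspiciousRunEntries {
    $keys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not a registry value
            # Conficker.B's entry: rundll32.exe <system folder>\<name>.dll,<parameters>
            if ([string]$p.Value -match '(?i)rundll32(\.exe)?\s+"?([^",]+\.dll)"?\s*,') {
                $check = Test-SuspiciousDll $matches[2]
                if ($check) {
                    [pscustomobject]@{ Source = "$key\$($p.Name)"; Dll = $check.Path; Reason = $check.Reason }
                }
            }
        }
    }
}

function Get-SuspiciousNetsvcs {
    # Services that svchost.exe loads with "-k netsvcs", the group Conficker.B joins.
    $groupKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
    $members  = (Get-ItemProperty -Path $groupKey -Name netsvcs).netsvcs
    foreach ($name in $members) {
        $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
        if (-not (Test-Path $svcKey)) { continue }   # group members with no service key are normal
        $dll = (Get-ItemProperty -Path "$svcKey\Parameters" -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
        if (-not $dll) { continue }
        $check = Test-SuspiciousDll $dll
        if ($check) {
            [pscustomobject]@{ Source = "netsvcs\$name"; Dll = $check.Path; Reason = $check.Reason }
        }
    }
}

Get-SuspiciousRunEntries
Get-SuspiciousNetsvcs
```

Run it on a known-clean build of the same Windows version first: legitimate rundll32 Run entries exist (graphics drivers are a common source), so the useful signal is the combination of a hidden file, a random-looking name in the system folder, and a failed Microsoft signature check, not any one of those alone.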
Worm:Win32/Conficker.B is a worm that infects other computers across a network by exploiting a vulnerability in the Windows Server service (SVCHOST.EXE). If the vulnerability is successfully exploited, it could allow remote code execution when file sharing is enabled. It may also spread via removable drives and weak administrator passwords. It disables several important system services and security products.
Recommendations From Microsoft:
- Users should apply the update referred to in Security Bulletin MS08-067 immediately.
- Users must ensure that their network passwords are strong to prevent this worm from spreading via weak administrator passwords.
- Users must apply an update that changes the AutoPlay functionality in Windows to prevent this worm from spreading via USB drives. More information is available in Microsoft Knowledge Base article KB971029.
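The three recommendations above can be verified on a host rather than taken on trust. The PowerShell below is an added example, not Microsoft's code. It assumes that KB958644 is the update that shipped the MS08-067 fix (the page names only the bulletin), that AutoPlay hardening counts as done when either KB971029 is installed or the NoDriveTypeAutoRun policy disables AutoRun on every drive type, and that a local minimum password length of 12 is the bar for "strong". On Windows 7 and later the MS08-067 fix is built in and does not appear as a separate hotfix.

```powershell
# Added verification example (not from the Microsoft page).
# Assumptions: KB958644 = MS08-067; AutoPlay hardened if KB971029 present or
# NoDriveTypeAutoRun = 0xFF; minimum password length 12 used as "strong".

function Test-HotFixInstalled {
    param([string]$Id)
    # Filter rather than use -Id, which writes an error when the KB is absent.
    [bool](Get-HotFix | Where-Object { $_.HotFixID -eq $Id })
}

function Test-MS08067Patched {
    # Only meaningful on Windows 2000/XP/2003/Vista/2008; later releases ship with the fix.
    Test-HotFixInstalled -Id 'KB958644'
}

function Test-AutoPlayHardened {
    if (Test-HotFixInstalled -Id 'KB971029') { return $true }
    # 0xFF disables AutoRun for every drive type, which blocks autorun.inf on removable media.
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
             'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    foreach ($p in $paths) {
        $v = (Get-ItemProperty -Path $p -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        if ($v -eq 0xFF) { return $true }
    }
    $false
}

function Get-MinimumPasswordLength {
    # Parses the local account policy. "net accounts" prints a line such as
    # "Minimum password length                              0" (English locale assumed).
    $line = net accounts | Select-String -Pattern '^Minimum password length\s+(\d+)'
    if ($line) { [int]$line.Matches[0].Groups[1].Value } else { $null }
}

$minLen = Get-MinimumPasswordLength
$report = [ordered]@{
    'MS08-067 (KB958644) installed'   = Test-MS08067Patched
    'AutoPlay hardened'               = Test-AutoPlayHardened
    'Minimum password length >= 12'   = ($minLen -ne $null -and $minLen -ge 12)
}
$report.GetEnumerator() | ForEach-Object { '{0,-34} {1}' -f $_.Key, $_.Value }
```

The password check only covers the local account policy; for domain members the effective policy comes from the domain, so a false result there means "check Group Policy", not necessarily "weak". A minimum length alone does not stop the worm's dictionary: an account whose password is on the list still falls, whatever the policy says.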
Network Shares with Weak Passwords
Worm:Win32/Conficker.B attempts to infect machines within the network. It enumerates user accounts on the target machine and then attempts to connect to it with each user name and a list of weak passwords.
