Greenguy's Board
Old 2009-03-30, 10:02 PM   #1
Bill
Selling porn allows me to stay in a constant state of Bliss - ain't that a trip!
 
Join Date: Apr 2003
Posts: 3,914
Info on CONFICKER - how to tell if you are infected

I thought this was worthwhile enough to pass along...

I keep my machine on autoupdate everything nowadays - I seem to be okay.

The autorun hole that conficker exploits was patched last October, as I understand it.

http://download.nai.com/products/mca...icker_worm.pdf

Finding W32/Conficker.worm
W32/Conficker.worm can often be quickly found by running the following command
from a cmd prompt in the System32 folder/directory:
Dir /ah
Due to the unusual file permissions it sets for itself, it is often easy to identify the worm
using this technique.
Using regedit.exe, navigate to the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services key and look for
service entries with no subfolder. Because W32/Conficker.worm sets restrictive
permissions on subkeys, the malicious service entry will not have a subkey listed.
Another, longer method is to interrogate the netsvcs entry.
In the Registry Editor, locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
In the details pane, right-click the netsvcs entry, and then click Modify.
Scroll down to the bottom of the list. If the computer is infected with Conficker.b, a
random service name will be listed. For example, in this procedure, we will assume the
name of the malware service is axsdgfdb. Note the name of the malware service. You
will need this information later in this procedure.
Delete the line that contains the reference to the malware service. Make sure that you
leave a blank line feed under the last legitimate entry that is listed, and then click OK.
Note: All the entries in the following list are valid. Do not delete any of these entries. The
entry that must be deleted will be a randomly generated name that is the last entry in the
list.
1. 6to4
2. AppMgmt
3. AudioSrv
4. Browser
5. CryptSvc
6. DMServer
7. DHCP
8. …
9. …
10. WmdmPmSN
11. axsdgfdb

The list above was shortened between the two ellipses (…) entries to save space. The list
may contain more than 11 entries.
In a previous procedure, you noted the name of the malware service. In our example, the
name of the malware entry is axsdgfdb. Using this information, follow these steps:
In the Registry Editor, locate and then click the following registry subkey, where
“BadServiceName” is the name of the malware service:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BadServiceName
For example, locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\axsdgfdb

Right-click the subkey in the navigation pane for the malware service name, and then
click Permissions.
In the Permissions Entry for the SvcHost dialog box, click Advanced.
In the Advanced Security Settings dialog box, click to select both of the following check
boxes:
Inherit from parent the permission entries that apply to child objects. Include these with entries explicitly defined here.
Replace permission entries on all child objects with entries shown here that apply to child objects.
Press F5 to update the Registry Editor. In the details pane, you can now see and edit the
W32/Conficker.worm DLL that loads as ServiceDll. To do this, follow these steps:
Double-click the ServiceDll entry.
Note the path of the referenced DLL. You will need this information later in this
procedure. For example, the path of the referenced DLL may resemble the following:
%SystemRoot%\System32\mxlsaswq.dll
Rename the reference to resemble the following:
%SystemRoot%\System32\mxlsaswq.old
Click OK.
Remove the malware service entry from the Run subkey in the registry.
In the Registry Editor, locate and then click the following registry subkeys:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
In both subkeys, locate any entry that begins with rundll32.exe and also references the
malware DLL that loads as ServiceDll, which you identified in the steps above.
Delete the entries.
Exit the Registry Editor, and then restart the computer.
If you see repeated memory detections upon running an On Demand Scan and rebooting
several times does not clear the detection, then you may have a new variant.
Run an On Demand Scan with the latest beta DAT files. We add new
W32/Conficker.worm variants daily.
The latest-generation W32/Conficker.worm uses an autorun.inf file and c:\recycled folder
to reinfect already compromised hosts.
The autorun.inf file appears to be a garbage binary file, but it still works. It is typically
dropped into the recycle folder. Note the similarity in command to that of the Scheduled
Tasks.
Garbage…
shelLExECUte RuNdLl32.EXE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn
Garbage…
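The manual checks in the post above (hidden files in System32, locked-down service keys, the netsvcs group, the rundll32 Run entries and the autorun.inf in RECYCLER) can be run in one pass from PowerShell. The script below is an added example and is not from the McAfee document or from Bill's post; it only reports candidates for manual review and deletes or renames nothing. The variable names and the two extra cross-checks (whether a service's ServiceDll file carries the Hidden attribute, and a grep of each drive's autorun.inf) are my own additions, and it assumes a Windows host with PowerShell 2.0 or later run from an elevated prompt.

```powershell
# Added example, not from the McAfee document or the forum post: a read-only PowerShell
# triage script that automates the manual checks the post describes. It only reports;
# it deletes or renames nothing. Run it from an elevated PowerShell prompt on the host
# being examined. Variable names are my own.

$SysDir = Join-Path $env:SystemRoot 'System32'

# 1. Same idea as "dir /ah" in System32: hidden files there are rare and worth a look.
Write-Host "== Hidden files in $SysDir =="
Get-ChildItem -Path $SysDir -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) } |
    ForEach-Object { Write-Host ("  {0}  {1} bytes  {2}" -f $_.Name, $_.Length, $_.LastWriteTime) }

# 2. Service keys that cannot be opened, and svchost-hosted services with no subkeys.
#    A normal svchost-hosted service has a Parameters subkey carrying ServiceDll; the
#    worm's restrictive ACL hides its own subkeys, which is what the post describes.
Write-Host "== Suspicious keys under HKLM\SYSTEM\CurrentControlSet\Services =="
$ServicesRoot = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey('SYSTEM\CurrentControlSet\Services')
if ($null -eq $ServicesRoot) { throw 'Cannot open the Services key; run from an elevated prompt.' }
foreach ($name in $ServicesRoot.GetSubKeyNames()) {
    try {
        $key = $ServicesRoot.OpenSubKey($name)
        if ($null -eq $key) { Write-Host "  cannot open (restricted ACL?): $name"; continue }
        $image = [string]$key.GetValue('ImagePath')
        if ($image -match 'svchost' -and $key.SubKeyCount -eq 0) {
            Write-Host "  svchost-hosted service with no visible subkeys: $name"
        }
        $key.Close()
    } catch {
        Write-Host "  cannot open (restricted ACL?): $name"
    }
}

# 3. The netsvcs group in the SvcHost key. The post says the worm's entry is the last one;
#    here each entry is also checked for a readable Parameters\ServiceDll and for a
#    hidden DLL file on disk, which ties back to the "dir /ah" check above.
$SvcHostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost'
$netsvcs = @((Get-ItemProperty -Path $SvcHostKey -Name netsvcs -ErrorAction SilentlyContinue).netsvcs | Where-Object { $_ })
Write-Host ("== netsvcs has {0} entries; last entry: {1} ==" -f $netsvcs.Count, ($netsvcs | Select-Object -Last 1))
foreach ($entry in $netsvcs) {
    $reasons = @()
    $dll = $null
    try {
        $params = $ServicesRoot.OpenSubKey("$entry\Parameters")
        if ($params) { $dll = [string]$params.GetValue('ServiceDll'); $params.Close() }
    } catch { }
    if (-not $dll) {
        $reasons += 'no readable Parameters\ServiceDll (service absent or key locked)'
    } else {
        $path = [Environment]::ExpandEnvironmentVariables($dll)
        $file = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
        if ($null -eq $file) { $reasons += "DLL missing: $path" }
        elseif (($file.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) { $reasons += "DLL is hidden: $path" }
    }
    if ($reasons.Count -gt 0) { Write-Host ("  {0}: {1}" -f $entry, ($reasons -join '; ')) }
}

# 4. Run keys: entries that launch rundll32.exe, which is how the post says the worm
#    persists alongside its service.
Write-Host "== Run entries using rundll32 =="
foreach ($runKey in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
    $props = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the provider's PSPath/PSParentPath/... properties
        if ([string]$p.Value -match 'rundll32') {
            Write-Host ("  {0}\{1} = {2}" -f $runKey, $p.Name, $p.Value)
        }
    }
}

# 5. autorun.inf on each drive root with a ShellExecute line pointing into RECYCLER,
#    the reinfection trick described at the end of the post. Select-String works
#    line by line even when the file is padded with binary garbage.
Write-Host "== autorun.inf files with ShellExecute/RECYCLER lines =="
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $inf = Join-Path $drive.Root 'autorun.inf'
    if (-not (Test-Path -LiteralPath $inf)) { continue }
    $hits = Select-String -Path $inf -Pattern 'shellexecute|recycler|rundll32' -ErrorAction SilentlyContinue
    foreach ($h in $hits) { Write-Host ("  {0}: {1}" -f $inf, $h.Line.Trim()) }
}
```

Every line this prints is a lead, not a verdict: many legitimate drivers have no subkeys, and the netsvcs group normally lists services that are not installed on a given machine, so the useful signal is the combination (a locked service key, an entry at the end of netsvcs whose DLL is hidden in System32, and a rundll32 Run entry naming the same DLL) rather than any single hit. Nothing here deletes or renames anything; the clean-up steps in the post remain a manual decision once the malware service name is confirmed.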
Powered by vBulletin® Version 3.8.1
© Greenguy Marketing Inc