It does this by modifying the following registry entry: Win32/Conficker.C changes system settings so you cannot view hidden files. The worm creates a thread that continuously accepts URLs from the pipe to download, authenticate, and run files. Win32/Conficker.C creates a named pipe with the following name on Windows 2000: The payload only runs if it is successfully validated by the malware.įor non- Windows 2000 machines, the worm downloads the file and runs it if it passes authentication. Win32/Conficker.C checks for a specific pattern in incoming shellcode (to identify if the origin is valid) and a URL to download an updated payload from. The vulnerability is documented in Microsoft Security Bulletin MS08-067. If the vulnerability is successfully exploited, the worm instructs the target computer to download a copy of the worm from the host computer via HTTP using the random port between 100 opened by the worm. Worm:Win32/Conficker.C spreads to systems that are not yet patched against a vulnerability in the Windows Server service ( svchost.exe). The highlighted choice under " General options" in the image above would allow a user to view the share and not run the worm. Another hint that the action is to run the worm is the text " Publisher not specified". Note that the language in the first option suggests the user could " Open folder to view files" however the option is under " Install or run program", an indication that opening the folder will actually run an application. dll," to activate the copy, as shown in the images below: dll.Īfter remotely infecting a computer, Win32/Conficker.C creates a remotely scheduled job with the command “rundll32.exe. If Win32/Conficker.C successfully accesses the target machine, for example, if a combination of any of the user names and one of the above passwords allows write privileges to the machine, it copies itself to an accessible admin share as ADMIN$\System32\. It then attempts to connect to the target machine using each user name and the following weak passwords: ![]() If this method is unsuccessful, for example, the current user does not have the necessary rights, it instead obtains a list of user accounts on the target machine. ![]() It first attempts to drop a copy of itself in a computer's ADMIN$ share using the credentials of the currently logged-on user. Worm:Win32/Conficker.C attempts to infect machines within the network. The worm patches NETAPI32.DLL in memory to prevent re-infection and further exploitation of the vulnerability addressed by Microsoft Security Bulletin MS08-067.
0 Comments
Leave a Reply. |
Details
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |