Friday, 06 February 2009

VIRUS W32/Conficker.DV

If you experience one or more of the symptoms below:

1. User accounts in Windows Active Directory (AD) are locked out; even after an administrator unlocks them, they are locked again.
2. Error messages from Generic Host Process.
3. Can't open sites such as www.microsoft.com, www.symantec.com, www.norman.com, www.clamav.com, www.grisoft.com, www.avast.com and www.eset.com; the browser reports "Address not Found".
4. Can't access antivirus database updates.
5. Many applications stop working, especially applications that use the network on ports 1024 through 10000.
This article describes what this virus does and how to remove it. Conficker is quite intelligent, however: it can update itself and carries a very special payload aimed at the antivirus tools that try to kill it.
Norman Security Suite detects this new variant as W32/Conficker.DV, while other antivirus products detect it as Win32.Kido.CG (Kaspersky), W32.Downadup.B (Symantec), W32.Downadup.AL (F-Secure), W32.Conficker.B (Microsoft), W32.Conficker.A (CA, Sophos and McAfee), Worm_Downad.AD (Trend Micro) and W32/Conficker.C (Panda). (see picture 1)

Picture 1, Norman Security Suite detects as W32/Conficker.DV
Virus File Characteristics
The Conficker.DV virus file is compressed with UPX and is 162 KB in size. The file that first arrives is of an image type (gif, jpeg, bmp, png), while the active file is generally of type "dll" (dynamic link library).
The virus file first arrives in the Temporary Internet Files location:
- %Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\[%random name%].[%gif,jpeg,bmp,png%]
- %Documents and Settings\[%user%]\Local Settings\Temporary Internet Files\[%gif,jpeg,bmp,png%]
If the dropped file is successfully executed, the virus copies itself to one of the following folder locations:
- %Documents and Settings%\[%user%]\Application Data\[% random name %].dll
- %Program Files%\Internet Explorer\[% random name %].dll
- %Program Files%\Movie Maker\[% random name %].dll
- %WINDOWS%\system32\[% random name %].dll
- %WINDOWS%\Temp\[% random name %].dll
This "dll" file is the active component: it is loaded into svchost.exe (Windows Server Service) and spreads the virus further.
The virus can also create a file "[%random name%].tmp" in the folder %WINDOWS%\system32 (example: 01.tmp or 06.tmp). After this file has been used, the virus deletes it.

Symptoms / Virus Effect
Once W32/Conficker.DV has infected a computer, it causes the following symptoms / effects:
- Previous variants killed the "Workstation, Server and Windows Firewall / Internet Connection Sharing (ICS)" services. This variant tries to stop and disable the following services: (see picture 2)
•wscsvc : Security Center
•wuauserv : Automatic Updates
•BITS : Background Intelligent Transfer Service
•ERSvc : Error Reporting Service
•WerSvc : Windows Error Reporting Service (Vista, Server 2008)
•WinDefend : Windows Defender (Vista, Server 2008)


Picture 2, Conficker kills many Windows services

- The virus blocks application programs from accessing any website whose address contains one of the following strings:
Ccert.
sans.
bit9.
windowsupdate
wilderssecurity
threatexpert
castlecops
spamhaus
cpsecure
arcabit
emsisoft
sunbelt
securecomputing
rising
prevx
pctools
norman
k7computing
ikarus
hauri
hacksoft
gdata
fortinet
ewido
clamav
comodo
quickheal
avira
avast
esafe
ahnlab
centralcommand
drweb
grisoft
nod32
f'prot
jotti
kaspersky
f'secure
computerassociates
networkassociates
etrust
panda
sophos
trendmicro
mcafee
norton
symantec
microsoft
defender
rootkit
malware
spyware
virus
- On Windows Vista / Server 2008 the virus changes a system setting with the command:
“netsh interface tcp set global autotuning=disabled”

With this command, Windows auto-tuning is disabled. Windows Auto-Tuning is a feature of Windows Vista and Server 2008 that improves performance when accessing the network. More info at http://support.microsoft.com/kb/947239
- The virus tries to download and execute files (bmp, gif, jpeg, png) placed in the Temporary Internet Files folder. It downloads them from the following websites:
- The virus checks for an internet connection and downloads files once the date is after January 1, 2009. For this check the virus contacts the following websites:
baidu.com
google.com
yahoo.com
msn.com
ask.com
w3.org
aol.com
cnn.com
ebay.com
myspace.com
- The virus creates a firewall rule on the gateway that opens the local network to access from outside, and makes the infected host reachable on its external IP address through a range of ports (1024 to 10000). See pictures 3 and 4.

Picture 3, Conficker opens access from outside through the Windows firewall settings.

Picture 4, Conficker opens a random port in order to update itself from the internet
- The virus creates a service with the following characteristics so that it runs automatically at Windows start-up: (see picture 5)
Service name: "[%random name%].dll"
Path to executable: %System32%\svchost.exe -k netsvcs
The service description is built from a combination of the following strings (usually a combination of 2 strings, for example "Security Windows"):
Boot, Center, Config, Driver, Helper, Image, Installer, Manager, Microsoft, Monitor, Network, Security, Server, Shell, Support, System, Task, Time, Universal, Update, Windows

Picture 5, the service created by the virus, which runs automatically when Windows starts.
- The virus runs an HTTP server on a random port:
http://%ExternalIPAddress%:%Random Port(1024-10000)%
The virus connects to the following websites to learn the external IP address of the infected host:
- http://www.getmyip.org
- http://www.whatsmyipaddress.com
- http://getmyip.co.uk
- http://checkip.dyndns.org
- The virus creates a Scheduled Task to run the copied virus file with the command:
“rundll32.exe .[%random extension%], [%random%]”
Distribution Method
Conficker.DV also uses distribution methods that differ from preceding variants, including the following:
1) Network Shares (Brute Force Attack)
The virus tries to access the network through the Windows "Default Share" (ADMIN$\system32) using the administrator password. The virus uses a "dictionary" of passwords with the following strings:
000
0000
00000
0000000
00000000
0987654321
111
1111
11111
111111
1111111
11111111
123
123123
12321
123321
1234
12345
123456
1234567
12345678
123456789
1234567890
1234abcd
1234qwer
123abc
123asd
123qwe
1q2w3e
222
2222
22222
222222
2222222
22222222
321
333
3333
33333
333333
3333333
33333333
4321
444
4444
44444
444444
4444444
44444444
54321
555
5555
55555
555555
5555555
55555555
654321
666
6666
66666
666666
6666666
66666666
7654321
777
7777
77777
777777
7777777
77777777
87654321
888
8888
88888
888888
8888888
88888888
987654321
999
9999
99999
999999
9999999
99999999
a1b2c3
aaa
aaaa
aaaaa
abc123
academia
access
account
Admin
admin
admin1
admin12
admin123
adminadmin
administrator
anything
asddsa
asdfgh
asdsa
asdzxc
backup
boss123
business
campus
changeme
cluster
codename
codeword
coffee
computer
controller
cookie
customer
database
default
desktop
domain
example
exchange
explorer
file
files
foo
foobar
foofoo
forever
freedom
fuck
games
home
home123
ihavenopass
Internet
internet
intranet
job
killer
letitbe
letmein
login
Login
lotus
love123
manager
market
money
monitor
mypass
mypassword
mypc123
nimda
nobody
nopass
nopassword
nothing
office
oracle
owner
pass
pass1
pass12
pass123
passwd
password
Password
password1
password12
password123
private
public
pw123
q1w2e3
qazwsx
qazwsxedc
qqq
qqqq
qqqqq
qwe123
qweasd
qweasdzxc
qweewq
qwerty
qwewq
root
root123
rootroot
sample
secret
secure
security
server
shadow
share
sql
student
super
superuser
supervisor
system
temp
temp123
temporary
temptemp
test
test123
testtest
unknown
web
windows
work
work123
xxx
xxxx
xxxxx
zxccxz
zxcvb
zxcvbn
zxcxz
zzz
zzzz
zzzzz
Note: If an account lockout policy is set on the domain, the virus's repeated login attempts will cause the domain user accounts to be locked out.
If successful, the virus copies itself using a random name as follows:
\\[%IP or hostname%]\ADMIN$\system32\[%random name%].[%random extension%]

Then it creates a Scheduled Task to run the copied virus file with the command:
rundll32.exe .[%random extension%], [%random%]
2) Removable Drives
Conficker.DV also creates files on removable media such as USB devices (flash disks, hard disks, card readers, etc.). The virus files are saved hidden in the root of the drive, i.e.:
- Autorun.inf
- RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx
3) Exploitation of a Windows security hole
As with preceding variants, the virus tries to exploit MS08-067 (a Windows security hole in the Windows Server Service, SVCHOST.exe). Many users are infected because they do not enable the Automatic Updates feature and have not patched Windows with MS08-067.
http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

Registry Modification
To run when the computer starts, the virus creates the following strings:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
%random name% = rundll32.exe [%locate virus file%], %random name%
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
%random name% = rundll32.exe [%locate virus file%], %random name%
In addition, the virus creates the following strings:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets
dl = 0
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets
ds = 0
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets
dl = 0
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets
ds = 0
The virus disables some services by creating the following strings:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS
Start = 4
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ERSvc
Start = 4
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WerSvc
Start = 4
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend
Start = 4
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc
Start = 4
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv
Start = 4
In addition, the virus creates a new service by creating the following strings:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[%Random Name%]
DisplayName = [%Combined 2 String%]
Type = 32
Start = 2
ErrorControl = 0
ImagePath = %SystemRoot%\system32\svchost.exe -k netsvcs
ObjectName = LocalSystem
Description = [%Random Description%]
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[%Random Name%]\Parameters
ServiceDll = [%virus location%]
To spread quickly through the network, the virus creates the following string:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
TcpNumConnections = 0x00FFFFFE
Finally, the virus tries to hide its files by creating the following strings:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden = 0
SuperHidden = 0
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
CheckedValue = 0
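As an added example (not code from this page or from Vaksincom), the following Python triages a regedit export of the Services key against the service profile described above: the netsvcs svchost host, a DisplayName built from two of the listed words, and a ServiceDll dropped in one of the listed folders. It assumes the values were exported as plain strings; the sample export and the service name xkqzpw are constructed.

```python
import re
# Words the page says Conficker combines (usually two) into the fake service's DisplayName.
WORDS = {"Boot", "Center", "Config", "Driver", "Helper", "Image", "Installer", "Manager",
         "Microsoft", "Monitor", "Network", "Security", "Server", "Shell", "Support",
         "System", "Task", "Time", "Universal", "Update", "Windows"}
# Drop folders the page lists for the random-named DLL; system32 is left out as too common.
ODD_DIRS = ("application data", "internet explorer", "movie maker", "\\temp\\")
SERVICES = "HKEY_LOCAL_MACHINE\\SYSTEM\\CURRENTCONTROLSET\\SERVICES\\"

def parse_reg(text):
    """Parse a .reg export into {key: {value_name: value}} (REG_SZ and dword values only)."""
    keys, cur = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            cur = keys.setdefault(line[1:-1], {})
            continue
        m = re.match(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$', line)
        if m and cur is not None:  # regedit doubles backslashes in strings: undo that
            cur[m.group(1)] = int(m.group(2), 16) if m.group(2) else m.group(3).replace("\\\\", "\\")
    return keys

def conficker_services(reg):
    """Return (service name, reasons) for services matching the profile the page describes."""
    hits = []
    for key, vals in reg.items():
        name = key[len(SERVICES):]
        if not key.upper().startswith(SERVICES) or "\\" in name:
            continue  # only top-level ...\Services\<name> keys
        if "svchost.exe -k netsvcs" not in vals.get("ImagePath", "").lower():
            continue  # the worm's DLL is hosted in the netsvcs svchost group
        words = vals.get("DisplayName", "").split()
        fake_name = len(words) == 2 and all(w in WORDS for w in words)
        dll = reg.get(key + "\\Parameters", {}).get("ServiceDll", "").lower()
        odd_dll = any(d in dll for d in ODD_DIRS)
        reasons = [r for r, hit in (("fake-name", fake_name), ("odd-dll-path", odd_dll)) if hit]
        if reasons:
            hits.append((name, reasons))
    return hits

# Constructed sample export (not from a real machine): one genuine netsvcs service, one fake.
SAMPLE_REG = r"""[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS]
"DisplayName"="Background Intelligent Transfer Service"
"ImagePath"="%SystemRoot%\\system32\\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Parameters]
"ServiceDll"="%SystemRoot%\\system32\\qmgr.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xkqzpw]
"DisplayName"="Security Windows"
"ImagePath"="%SystemRoot%\\system32\\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xkqzpw\Parameters]
"ServiceDll"="C:\\Program Files\\Movie Maker\\hgtrwq.dll"
"""
```

A legitimate service such as Windows Time also carries a two-word name from this list, so treat a name-only match as a lead and confirm it against the ServiceDll path and file.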

Cleaning Virus
- Disconnect the computer to be cleaned from the network / internet.
- Turn off System Restore (Windows XP / Vista).
- Stop the active virus in the services. Use the removal tool from Norman to clean the active virus. (see picture 6)
http://download.norman.no/public/Norman_Malware_Cleaner.exe

Picture 6, Use Norman Malware Cleaner to clean the active virus

- Delete the fake svchost.exe service from the registry. You can search the registry manually. (see picture 7)

Picture 7, Delete the active fake svchost.exe process
- Delete the Scheduled Task created by the virus (C:\WINDOWS\Tasks).
- Remove the registry strings created by the virus. To do this, you can use the registry script below:
; repair.inf: restores the Explorer and service settings changed by Conficker.DV
; and deletes the values it added.
[Version]
Signature="$Chicago$"
Provider=Vaksincom Oyee

[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del

; Flag 0x00010001 writes a REG_DWORD and overwrites the value the virus set.
[UnhookRegKey]
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, Hidden, 0x00010001,1
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, SuperHidden, 0x00010001,1
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL, CheckedValue, 0x00010001,1
; Start = 2 sets the disabled services back to Automatic.
HKLM, SYSTEM\CurrentControlSet\Services\BITS, Start, 0x00010001,2
HKLM, SYSTEM\CurrentControlSet\Services\ERSvc, Start, 0x00010001,2
HKLM, SYSTEM\CurrentControlSet\Services\wscsvc, Start, 0x00010001,2
HKLM, SYSTEM\CurrentControlSet\Services\wuauserv, Start, 0x00010001,2

; Values added by the virus; deleting TcpNumConnections restores the default.
[del]
HKCU, Software\Microsoft\Windows\CurrentVersion\Applets, dl
HKCU, Software\Microsoft\Windows\CurrentVersion\Applets, ds
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Applets, dl
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Applets, ds
HKLM, SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, TcpNumConnections
Use Notepad and save the script with the name "repair.inf" (set Save As Type to All Files to avoid an error).
Run repair.inf by right-clicking it and selecting Install.
Note: For the file that is active at startup, you can disable it through "msconfig" or manually delete the string:
“HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run”
