Win32/Conficker teams up with Win32/Waledac
Published: April 15 2009, 06:21 AM by Zarestel Ferrer
Conficker (aka Downadup) has been very busy!
The graph below is a visualization of the typical network activity seen on individual machines last week as Win32/Waledac was beginning to be pushed to systems infected with Win32/Conficker.C. The spike corresponds to the active spamming behaviour of Win32/Waledac.

[Figure 01 – Network Bandwidth]
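The bandwidth spike in Figure 01 is the kind of change a host- or gateway-side monitor can flag on its own. The following added example (it is not code from the CA post) builds a constructed set of outbound flow records, counts connections to the SMTP port per minute, and reports minutes whose count exceeds a multiple of the quiet baseline. The assumption that the spam leaves the host as direct SMTP on port 25 is mine; the post only shows the traffic volume.

```python
from collections import Counter

SMTP_PORT = 25  # assumption: the spammer sends directly over SMTP from the infected host


def build_sample_flows():
    """Constructed outbound flow records as (minute offset, destination port).

    Minutes 0-4 and 8-9 carry a little web and mail traffic; minutes 5-7 carry
    the spam burst. None of this is captured data.
    """
    flows = []
    for minute in range(10):
        flows += [(minute, 80)] * 5          # ordinary web traffic every minute
        flows += [(minute, SMTP_PORT)] * 2   # a handful of legitimate mail connections
    for minute in (5, 6, 7):                 # the spam burst
        flows += [(minute, SMTP_PORT)] * 150
    return flows


def smtp_per_minute(flows):
    """Count outbound SMTP connections per minute offset."""
    counts = Counter()
    for minute, port in flows:
        if port == SMTP_PORT:
            counts[minute] += 1
    return counts


def detect_spam_burst(flows, baseline_minutes=5, factor=10):
    """Return the minutes whose SMTP connection count exceeds `factor` times
    the mean of the first `baseline_minutes` minutes.

    The threshold is floored at `factor` so a host that normally sends no
    mail does not alert on a single message.
    """
    counts = smtp_per_minute(flows)
    minutes = sorted(counts)
    baseline = [counts[m] for m in minutes[:baseline_minutes]]
    mean = sum(baseline) / max(len(baseline), 1)
    threshold = max(factor * mean, factor)
    return [m for m in minutes if counts[m] > threshold]


if __name__ == "__main__":
    flows = build_sample_flows()
    for minute, n in sorted(smtp_per_minute(flows).items()):
        print(f"minute {minute:2d}: {n:4d} SMTP connections")
    print("burst minutes:", detect_spam_burst(flows))
```

On a real sensor the per-minute counts would come from NetFlow or firewall logs rather than a constructed list, and the baseline would be learned over hours rather than five minutes, but the comparison is the same: a host that went from two mail connections a minute to over a hundred is worth a look.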
In a new development, not only has Win32/Waledac been pushed to Win32/Conficker.C-infected systems, but so has Win32/Conficker.D, a new variant of Conficker. The image below shows the malware files found both running as system processes and on the hard drive of Win32/Conficker.C-infected systems. These are detected by CA as follows:
Please note that the filenames are randomly created.

[Figure 02 – Dropped Files]
Win32/Conficker.C's successful global infection and peer-to-peer protocol implementation clearly demonstrate that it is an effective distribution component for other malware.
Now, about the created files:
Win32/KillAV.GT pretends to be a WinPCAP installer whilst in the background it attempts to stop the WinPCAP "NetGroup Packet Filter Driver" (NPF) service in order to disable the system's network monitoring.

[Figure 03 – WinPCAP Process]
However, due to a coding error it does not successfully disable the service.

[Figure 04 – Net Stop NPF not successful]
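Whether or not the attempt succeeds, a command that stops or reconfigures the packet-capture driver from an unexpected process is a useful detection signal. The following added example (not code from the CA post) runs a small rule over constructed process-creation events and reports any `net`, `net1` or `sc` invocation that targets the NPF service. The post shows only `net stop NPF`; the `sc config`/`sc delete` forms and the temp-directory heuristic are my own generalisation, and the sample events are constructed.

```python
import re

# Service name of WinPcap's NetGroup Packet Filter driver.
NPF_SERVICE = "npf"

# Matches "net stop X", "net1 stop X", "sc config X ...", "sc delete X" with or
# without a full path to the executable. The NPF-specific check happens afterwards.
SERVICE_CTRL_RE = re.compile(
    r"""(?ix)
    \b(?:net1?|sc)(?:\.exe)?\s+      # net.exe, net1.exe or sc.exe
    (?:stop|config|delete)\s+        # actions that take the service down or alter it
    (?P<service>\S+)                 # the service name
    """
)

# Constructed process-creation events: (timestamp, image that ran, command line).
# These are not events from the original post.
SAMPLE_EVENTS = [
    ("2009-04-08T10:02:11", r"C:\Windows\System32\services.exe",
     r"C:\Windows\System32\svchost.exe -k netsvcs"),
    ("2009-04-08T10:02:30", r"C:\Windows\Temp\wpcap-setup.exe",
     r"net stop NPF"),
    ("2009-04-08T10:02:31", r"C:\Windows\System32\net.exe",
     r"C:\Windows\System32\net1.exe stop NPF"),
    ("2009-04-08T10:05:00", r"C:\Windows\System32\cmd.exe",
     r"net stop Spooler"),
    ("2009-04-08T10:07:44", r"C:\Windows\Temp\wpcap-setup.exe",
     r"sc config npf start= disabled"),
]


def find_npf_tampering(events):
    """Return the events whose command line stops, reconfigures or deletes the NPF service.

    Each hit records whether the launching image lives under a Temp directory,
    which is where a fake installer is more likely to run from than a real one.
    """
    hits = []
    for timestamp, image, cmdline in events:
        match = SERVICE_CTRL_RE.search(cmdline)
        if not match or match.group("service").lower() != NPF_SERVICE:
            continue
        hits.append({
            "time": timestamp,
            "image": image,
            "command": cmdline,
            "from_temp_dir": "\\temp\\" in image.lower(),
        })
    return hits


if __name__ == "__main__":
    for hit in find_npf_tampering(SAMPLE_EVENTS):
        flag = "TEMP" if hit["from_temp_dir"] else "    "
        print(f"{hit['time']} [{flag}] {hit['image']} :: {hit['command']}")
```

The same rule applies unchanged to Sysmon event ID 1 or Windows 4688 records once the image and command-line fields are pulled out; the Spooler event is left alone on purpose, since stopping other services is routine administration.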
On the other hand, Win32/Waledac.KA is the same spammer that we already know about. Below is a screen capture of the packet it creates to send the spam mails.

[Figure 05 – Win32/Waledac spam]
Please keep your CA security product signatures updated and make sure necessary software updates are applied to your system.