Virus details: Conficker.C

Full details, description and effects of Conficker.C

Common names: Conficker.C
Technical names:
Aliases: W32.Downadup,Net-Worm.Win32.Kido.cn,WORM...

Type: WORM
Size: 167071 Bytes

DETECTIONS

Number of detections: 17025 times
First detection date: January 7, 2009 at 00:00 AM
First country where it appeared: Brazil
Last country where it appeared: United States

Brief Description

Conficker.C is a worm that exploits a vulnerability in the Windows Server Service, MS08-067, which allows remote code execution.

If the system date is after January 1, 2009, it tries to connect to a certain website in order to download and run another type of malware on the affected computer.

It considerably reduces the protection level of the computer, as it prevents the user and the computer from connecting to many websites related to antivirus companies.

It also tries weak passwords to access user accounts and then modifies their security policies.

Conficker.C spreads by exploiting the vulnerability MS08-067. To do so, it sends malformed RPC requests to other computers, attempting to place a copy of itself on them. Additionally, it spreads through shared and removable drives.

It is highly recommended to download and apply the security patch for the vulnerability MS08-067.

Effects

Conficker.C is designed to spread by exploiting a vulnerability in the Windows Server Service, MS08-067, which allows remote code execution.

Additionally, Conficker.C carries out the following actions:

  • It checks the current date by querying the following web addresses:
    Ask.com
    Google.com
    Baidu.com
    Yahoo.com
    W3.org

    If the date obtained is after January 1, 2009, it attempts to connect to a website in order to download a malicious executable file. The website to which it connects varies depending on the system date.
  • It disables the following services:
    - Windows Update, so Windows updates are no longer installed.
    - BITS (Background Intelligent Transfer Service), the service Windows uses to transfer files such as updates.
    - Error Reporting Service, which sends Microsoft information about errors occurring in the operating system, Windows components and programs.
  • It prevents the user and the computer from connecting to websites whose addresses contain any of the following text strings:
    ahnlab
    arcabit
    avast
    avg
    avira
    avp
    bit9
    ca
    castlecops
    centralcommand
    cert
    clamav
    comodo
    computerassociates
    cpsecure
    defender
    drweb
    emsisoft
    esafe
    eset
    etrust
    ewido
    fortinet
    f-prot
    f-secure
    gdata
    grisoft
    hacksoft
    hauri
    ikarus
    jotti
    k7computing
    kaspersky
    malware
    mcafee
    microsoft
    nai
    networkassociates
    nod32
    norman
    norton
    panda
    pctools
    prevx
    quickheal
    rising
    rootkit
    sans
    securecomputing
    sophos
    spamhaus
    spyware
    sunbelt
    symantec
    threatexpert
    trendmicro
    vet
    virus
    wilderssecurity
    windowsupdate
    As these are security-related websites, antivirus programs cannot be updated and the user cannot access the information on these pages.
  • It modifies the security policies of the user accounts. To access the user accounts, it tries the following weak passwords:
    0123456789
    00000, 0000000, 00000000, 0987654321, 11111, 111111, 1111111, 11111111, 123123, 12321, 123321, 12345, 123456, 1234567, 12345678, 123456789, 1234567890, 1234abcd, 1234qwer, 123abc, 123asd, 123qwe, 1q2w3e, 22222, 222222, 2222222, 22222222, 33333, 333333, 3333333, 33333333, 44444, 444444, 4444444, 44444444, 54321, 55555, 555555, 5555555, 55555555, 654321, 66666, 666666, 6666666, 66666666, 7654321, 77777, 777777, 7777777, 77777777, 87654321, 88888, 888888, 8888888, 88888888, 987654321, 99999, 999999, 9999999, 99999999.
    A
    a1b2c3, aaaaa, abc123, academia, access, account, Admin, admin, admin1, admin12, admin123, adminadmin, administrator, anything, asddsa, asdfgh, asdsa, asdzxc.

    B
    backup, boss123, business.

    C
    campus, changeme, cluster, codename, codeword, coffee, computer, controller, cookie, customer.

    D
    database, default, desktop, domain.

    E
    example, exchange, explorer.

    F
    files, foobar, foofoo, forever, freedom.

    G
    games.

    H
    home123.

    I
    ihavenopass, Internet, internet, intranet.

    K
    killer.

    L
    letitbe, letmein, Login, login, lotus, love123.

    M
    manager, market, money, monitor, mypass, mypassword, mypc123.

    N
    nimda, nobody, nopass, nopassword, nothing.

    O
    office, oracle, owner.

    P
    pass1, pass12, pass123, passwd, Password, password, password1, password12, password123, private, public, pw123.

    Q
    q1w2e3, qazwsx, qazwsxedc, qqqqq, qwe123, qweasd, qweasdzxc, qweewq, qwerty, qwewq.

    R
    root123, rootroot.

    S
    sample, secret, secure, security, server, shadow, share, student, super, superuser, supervisor, system.

    T
    temp123, temporary, temptemp, test123, testtest.

    U
    unknown.

    W
    windows, work123.

    X
    xxxxx.

    Z
    zxccxz, zxcvb, zxcvbn, zxcxz, zzzzz.
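Two defender-side checks follow from the last two bullets above: a host whose connectivity fails only for names containing the listed strings (while unrelated names still work) shows the worm's filtering pattern rather than a general outage, and any account password drawn from the list above, or from the pattern classes the list is built from (repeated characters, digit runs, keyboard-row walks), is one the worm will guess. The script below is an added example, not Panda Security's code; it embeds a constructed subset of the page's two lists, and the function names `is_blocked_by_conficker`, `reachability_verdict` and `weak_password_reason` are hypothetical. The password check generalises beyond the exact list to the pattern classes.

```python
"""Defender-side checks based on the Conficker.C description above.

Added example, not Panda Security's code. It embeds a constructed subset of
the page's two lists (blocked-site substrings and weak passwords); the
function names are hypothetical.
"""
from typing import Dict, Optional

# Constructed subset of the substrings the worm matches against hostnames.
BLOCKED_HOST_SUBSTRINGS = (
    "ahnlab", "avast", "avg", "avira", "avp", "cert", "clamav", "eset",
    "f-secure", "kaspersky", "mcafee", "microsoft", "nod32", "panda",
    "sophos", "symantec", "trendmicro", "virus", "windowsupdate",
)

# Constructed subset of the worm's password dictionary, lower-cased because
# the page lists both "Password" and "password".
CONFICKER_PASSWORDS = frozenset({
    "0123456789", "123456", "12345678", "1234qwer", "1q2w3e", "admin",
    "admin123", "administrator", "changeme", "default", "ihavenopass",
    "letmein", "nopass", "password", "password1", "password123",
    "qwerty", "qazwsx", "secret", "superuser", "zxcvbn",
})

# Keyboard rows behind walks such as qwerty / asdfgh / zxcvbn.
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")


def is_blocked_by_conficker(hostname: str) -> bool:
    """True if the worm's filter would match this hostname (plain substring
    test on the lower-cased name, as the page describes it)."""
    host = hostname.lower()
    return any(s in host for s in BLOCKED_HOST_SUBSTRINGS)


def reachability_verdict(results: Dict[str, bool]) -> str:
    """Classify a connectivity probe; results maps hostname -> reachable.

    The probe should mix security-vendor hosts with unrelated control hosts.
    If only the security-related hosts fail while the controls succeed, the
    pattern matches the worm's filtering rather than a general outage.
    """
    security = [h for h in results if is_blocked_by_conficker(h)]
    controls = [h for h in results if not is_blocked_by_conficker(h)]
    if not security or not controls:
        return "inconclusive: probe needs both security and control hosts"
    failed_security = [h for h in security if not results[h]]
    failed_controls = [h for h in controls if not results[h]]
    if failed_controls:
        return "network problem: control hosts unreachable"
    if failed_security and len(failed_security) == len(security):
        return "suspicious: only security-related hosts unreachable"
    if failed_security:
        return "partial: some security-related hosts unreachable"
    return "clean"


def weak_password_reason(password: str) -> Optional[str]:
    """Return why a password would fall to the worm's guessing, or None.

    Covers exact dictionary hits plus the pattern classes the page's list
    is built from: repeated characters, digit runs, keyboard-row walks.
    """
    pw = password.lower()
    if pw in CONFICKER_PASSWORDS:
        return "in Conficker dictionary"
    if len(pw) >= 4 and len(set(pw)) == 1:
        return "repeated character"
    if len(pw) >= 4 and (pw in "0123456789" or pw in "9876543210"):
        return "digit sequence"
    if len(pw) >= 4 and any(pw in row or pw in row[::-1] for row in KEYBOARD_ROWS):
        return "keyboard-row walk"
    return None


if __name__ == "__main__":
    # Constructed probe result: vendor sites fail, control sites succeed.
    probe = {
        "www.kaspersky.com": False, "update.symantec.com": False,
        "www.example.com": True, "www.wikipedia.org": True,
    }
    print(reachability_verdict(probe))
    for candidate in ("Password123", "77777777", "2345678", "asdfgh", "Tr0ub4dor&3"):
        print(candidate, "->", weak_password_reason(candidate))
```

In practice the `results` dictionary would be filled from a real probe (DNS resolution or an HTTP request per host) run on the machine under suspicion; the verdict logic is kept separate so it can be unit-tested offline. Note that the page's full list also contains very short strings such as "ca" and "vet", so the worm's literal substring rule cuts off many unrelated names as well; a probe built from the complete list should choose control hosts that match none of them.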

More information about the Conficker.C virus in the Encyclopedia: http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=