INF/Conficker Virus: Exploits Microsoft's Autorun Vulnerability


Description

INF/Conficker is similar to the W32/Conficker virus and can be considered one of its variants. It exploits Microsoft's longest-unpatched Autorun vulnerability, which Microsoft claims is a Windows feature, and downloads malicious content onto the infected computer. Although INF/Conficker falls under the category of virus, it has been sub-categorized as a worm because it exploits this Windows weakness to infect computer systems.

Risk Assessment

Home Users – LOW

Corporate Users – LOW

Virus Characteristics

Filename: Autorun.inf

Type: Worm

Detection: Conficker.worm!inf

Length: variable length

Symptoms

Autorun.inf file present in every removable media attached to the computer or in a network drive.

How it Works

INF/Conficker exploits Microsoft's Autorun feature to spread to local as well as remote computers, i.e. computers connected on a network. It drops an Autorun.inf file to the root of every removable medium connected to the computer and of every mapped network drive. The code written inside the Autorun.inf file is then executed to download other malicious files onto the computer, infecting it with worms and viruses. The malicious content is downloaded from remote servers that have already been set up for this purpose.

The Autorun.inf file is of variable length, and sometimes its file attributes are set to S (system) and H (hidden). Since the Windows default setting is “Do not show system and hidden files”, this worm goes unnoticed by the user and can only be detected with the help of an antivirus.

The content of the Autorun.inf file looks similar to this:

shelLExECUte=RuNdLl32.EXE .\RECYCLER\S-x-x-xx-2819952290-8240758988-879315005-xxx\jwgkvsq.vmx,ahaezedrn

Upon execution of the Autorun.inf file, the computer is infected with the malicious content downloaded from remote servers. As the INF/Conficker worm is injected locally, it does not exploit the MS08-067 vulnerability. So even if you have patched the system against MS08-067, that patch will not stop this worm from executing.

Removal Instructions

If you suspect your computer system is infected with the INF/Conficker worm and you have found traces of an Autorun.inf file, then as a first step search the entire drive for Autorun.inf files using the Windows search feature and delete all of them. Next, perform a complete scan of your system using good antivirus software. I recommend McAfee and ESET NOD32; these are my preferred and trusted programs, but you can scan using your own.
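The two passages above (how the dropped Autorun.inf launches its payload, and the search-and-delete step of the removal) can be illustrated with a small triage script. This is an added example written for this page, not code from the original article or from any antivirus vendor: it walks a set of roots (in practice the root of every drive), finds every Autorun.inf regardless of its Hidden/System attributes (a directory listing is not affected by the Explorer setting that hides such files), and flags the indicators the article describes: a launch key such as ShellExecute or Open whose value runs rundll32 against a file parked under a RECYCLER\S-... folder, written with scrambled key casing. The sample file content is the line quoted on the page; the two fake "drives" in `demo()` are constructed for the example, and the three regular expressions and the canonical key spellings are the author's own assumptions about what a benign Autorun.inf looks like.

```python
"""Triage Autorun.inf files under a set of roots (drive roots in practice).
Added example for this page; indicators follow the article's description."""
import os
import re
import stat
import tempfile
from dataclasses import dataclass

# Sample line quoted on the page, wrapped in the usual [autorun] section.
SAMPLE_AUTORUN = (
    "[autorun]\n"
    "shelLExECUte=RuNdLl32.EXE .\\RECYCLER\\S-x-x-xx-2819952290-8240758988-879315005-xxx"
    "\\jwgkvsq.vmx,ahaezedrn\n"
)
# Keys that make Windows launch something when the medium is inserted, and
# the spellings a hand-written (benign) Autorun.inf normally uses (assumption).
CANONICAL = {
    "shellexecute": ("shellexecute", "SHELLEXECUTE", "ShellExecute"),
    "open": ("open", "OPEN", "Open"),
    "shell\\open\\command": ("shell\\open\\command",),
}
RUNDLL_RE = re.compile(r"\brundll32(\.exe)?\b", re.IGNORECASE)
RECYCLER_RE = re.compile(r"recycler\\s-[\w-]+", re.IGNORECASE)


@dataclass
class Finding:
    path: str
    hidden_system: bool
    reasons: list


def parse_autorun(text):
    """Parse key=value lines (sections and ';' comments skipped).
    Returns (entries keyed by lowercased name, original key spellings)."""
    entries, spelling = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";[" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        entries[key.lower()] = value.strip()
        spelling[key.lower()] = key
    return entries, spelling


def classify(entries, spelling):
    """Return the reasons an Autorun.inf matches the INF/Conficker pattern."""
    reasons = []
    for key, accepted in CANONICAL.items():
        value = entries.get(key)
        if value is None:
            continue
        original = spelling[key]
        if original not in accepted:
            reasons.append(f"{original}: scrambled key casing")
        if RUNDLL_RE.search(value):
            reasons.append(f"{original}: launches rundll32 ({value})")
        if RECYCLER_RE.search(value):
            reasons.append(f"{original}: target sits under a RECYCLER\\S-... folder")
    return reasons


def is_hidden_system(path):
    """True when the file carries both Hidden and System attributes. Only
    Windows exposes st_file_attributes; elsewhere the answer is False."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    flags = stat.FILE_ATTRIBUTE_HIDDEN | stat.FILE_ATTRIBUTE_SYSTEM
    return attrs & flags == flags


def scan_roots(roots):
    """Walk each root and triage every Autorun.inf found, hidden or not."""
    findings = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if name.lower() != "autorun.inf":
                    continue
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    entries, spelling = parse_autorun(fh.read())
                findings.append(
                    Finding(path, is_hidden_system(path), classify(entries, spelling)))
    return findings


def demo():
    """Constructed scenario: two fake drives, one carrying the worm's
    Autorun.inf and one with a benign installer Autorun.inf."""
    with tempfile.TemporaryDirectory() as tmp:
        bad, good = os.path.join(tmp, "E"), os.path.join(tmp, "F")
        os.makedirs(bad)
        os.makedirs(good)
        with open(os.path.join(bad, "Autorun.inf"), "w") as fh:
            fh.write(SAMPLE_AUTORUN)
        with open(os.path.join(good, "autorun.inf"), "w") as fh:
            fh.write("[autorun]\nopen=setup.exe\nicon=setup.ico\n")
        return scan_roots([bad, good])


if __name__ == "__main__":
    for finding in demo():
        verdict = "SUSPICIOUS" if finding.reasons else "benign"
        print(f"{verdict:10} {finding.path}  hidden+system={finding.hidden_system}")
        for reason in finding.reasons:
            print(f"           - {reason}")
```

Run it on real drive roots (`scan_roots(["E:\\", "F:\\"])`) to list every Autorun.inf before deleting any; a benign installer disc will show an `open=` or `ShellExecute=` key pointing at an executable on the disc itself, with none of the three reasons attached. Deleting the Autorun.inf only removes the trigger, so the full antivirus scan the article calls for is still needed to find the payload it launched.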