Appendix 1:  Embedded Strings Within Conficker C


1. Related to installation and update mechanisms?


.exe
.dll
explorer.exe
%s\%s.dll
nmqflzhf
c:\abcdefgh.dll

2. Registry Modifications and Service Disablement


\Windows NT
\Windows Media Player
\Internet Explorer
\Movie Maker
Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\Explorer


Windows Defender
WerSvc
ERSvc
BITS
wuauserv
WinDefend
wscsvc
-k NetworkService
-k netsvcs
svchost.exe
services.exe
rundll32.exe


3. Mutex


Global\%u-%u
Global\%u-7


4. Windows Privilege References


SeDebugPrivilege


5. DNS filtering


vet.
sans.
nai.
msft.
msdn.
llnwd.
llnw.
kav.
gmer.
cert.
ca.
bit9.
avp.
avg.
windowsupdate
wilderssecurity
virus
virscan
trojan
trendmicro
threatexpert
threat
technet
symantec
sunbelt
spyware
spamhaus
sophos
secureworks
securecomputing
safety.live
rootkit
rising
removal
quickheal
ptsecurity
prevx
pctools
panda
onecare
norton
norman
nod32
networkassociates
mtc.sri
msmvps
msftncsi
mirage
microsoft
mcafee
malware
kaspersky
k7computing
jotti
ikarus
hauri
hacksoft
hackerwatch
grisoft
gdata
freeav
free-av
fortinet
f-secure
f-prot
ewido
etrust
eset
esafe
emsisoft
dslreports
drweb
defender
cyber-ta
cpsecure
conficker
computerassociates
comodo
clamav
centralcommand
ccollomb
castlecops
bothunter
avira
avgate
avast
arcabit
antivir
anti-
ahnlab
agnitum
wireshark
unlocker
tcpview
sysclean
scct_
regmon
procmon
procexp
ms08-06
mrtstub
mrt.
mbsa.
klwk
kido
kb958
kb890
hotfix
gmer
filemon
downad
confick
avenger
autoruns

6. DLL Patching

netapi32.dll
NetpwPathCanonicalize
ntdll.dll
NtQueryInformationProcess
Query_Main
DnsQuery_W
DnsQuery_UTF8
dnsapi.dll
DnsQuery_A
ws2_32.dll
sendto
dnsrslvr.dll
wininet.dll
InternetGetConnectedState
kernel32.dll
yc
LoadLibraryExA
NtQueueApcThread
LoadLibraryA
NtSetInformationProcess
SeTakeOwnershipPrivilege


7. Delete System Restore Points and Domain Extensions


ResetSR
srclient.dll


Zs
vn
vc
us
tw
to
tn
tl
tj
tc
su
sk
sh
sg
sc
ru
ro
ps
pl
pk
pe
no
nl
nf
my
mw
mu
ms
mn
me
md
ly
lv
lu
li
lc
la
kz
kn
is
ir
in
im
ie
hu
ht
hn
hk
gy
gs
gr
gd
fr
fm
es
ec
dm
dk
dj
cz
cx
com.ve
com.uy
com.ua
com.tw
com.tt
com.tr
com.sv
com.py
com.pt
com.pr
com.pe
com.pa
com.ni
com.ng
com.mx
com.mt
com.lc
com.ki
com.jm
com.hn
com.gt
com.gl
com.gh
com.fj
com.do
com.co
com.bs
com.br
com.bo
com.ar
com.ai
com.ag
co.za
co.vi
co.uk
co.ug
co.nz
co.kr
co.ke
co.il
co.id
co.cr
cn
cl
ch
cd
ca
bz
bo
be
at
as
am
ag
ae
ac
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan


8. Contact domains to obtain date?


rapidshare.com
imageshack.us
facebook.com
w3.org
ask.com
yahoo.com
google.com
baidu.com
http://www.%s
?http://%s
%$
sMicrosoft Base Cryptographic Provider v1.0
QSUVWh
QQVW
trSWh'
VVVVVVVj
PhD*
tXSWVP
QQVW3
tMWjIY3
ExQPS
WjIY3
QQSV
RSSSSSSS
PRRRRRR
PSSSSSSSj
PSSSSSSSj
PSSSSSSSj
WSSS
netlog.com
RegCreateKeyExA
yandex.ru
zedo.com
TM
registration
WaitForSingleObject
doubleclick.com
socket
2ch.net
21022
,fr-FR;q=0.5
Works


9. Other domains

a) auction domains
allegro.pl
ebay.com
ebay.it
ebay.co.uk
ebay.de


b) social networks
hi5.com
odnoklassniki.ru
myspace.com
adultfriendfinder.com
livejournal.com
hyves.nl
xiaonei.com
tagged.com
linkedin.com
vkontakte.ru
icq.com
friendster.com
tuenti.com
badoo.com
studiverzeichnis.com
tianya.cn
conduit.com
ning.com
imeem.com
aim.com
kaixin001.com
mixi.jp
seesaa.net
sonico.com


c) search engine / media portal
goo.ne.jp
seznam.cz
go.com
yahoo.com
biglobe.ne.jp
rambler.ru
foxnews.com
yahoo.co.jp
rediff.com
terra.com.br
mywebsearch.com
tube8.com
xhamster.com
naver.com
tribalfusion.com
nba.com
msn.com
baidu.com
mail.ru
digg.com
geocities.com
fc2.com
pcpop.com
wikipedia.org
wordpress.com
cricinfo.com
apple.com
mapquest.com
google.com
disney.go.com
ameblo.jp
kooora.com
craigslist.org
bbc.co.uk
pconline.com.cn
live.com
tudou.com
vnexpress.net
soso.com
gougou.com
netflix.com
espn.go.com
answers.com
orange.fr
adobe.com
ask.com


d) file uploads / blogs
zshare.net
ziddu.com
narod.ru
megaupload.com
thepiratebay.org
metroflog.com
badongo.com

files.wordpress.com
blogfa.com
livedoor.com
ameba.jp
typepad.com


e) banner program (pay-per-click site)
fastclick.com
adsrevenue.net
clicksor.com
linkbucks.com
paypopup.com
aweber.com
googlesyndication.com
megaclick.com


f) other / media sharing
sourceforge.net
wikimedia.org
miniclip.com
mininova.org
facebook.com
adultadworld.com
4shared.com
skyrock.com
download.com
youporn.com
nicovideo.jp
youtube.com
bigpoint.com
dell.com
imdb.com
tinypic.com
megaporn.com
rapidshare.com
imagevenue.com
photobucket.com
depositfiles.com
imageshack.us
livejasmin.com
taringa.net
flickr.com
pogo.com
xvideos.com
bebo.com
fotolog.net
multiply.com
xnxx.com
perfspot.com
56.com
pornhub.com
mediafire.com
awempire.com
veoh.com
torrentz.com
metacafe.com


g) domain registration
co.cc


h) ISP
sakura.ne.jp
ucoz.ru
verizon.net
alice.it
comcast.net


i) games
partypoker.com



10. Miscellaneous

GET %s HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg%s%s%s%s%s, */*

, application/x-ms-application
, application/vnd.ms-xpsdocument
, application/x-shockwave-flash
, application/xaml+xml
, application/x-ms-xbap

Accept-Language: %s%s
en-US
,es-US;q=0.5
,es-ES;q=0.5
,de-DE;q=0.5
en-US
,fr-CA;q=0.5
en-GB
US

%sAccept-Encoding: gzip, deflate

User-Agent: %s
Mozilla/4.0 (compatible; MSIE
; .NET CLR
; SV1
; Media Center PC 5.0
; Windows

Host: %s
Connection: Keep-Alive

HTTP/1.1


Content-Length:

Agent
Installer
Setup
Pages
NT
Live
T0K0
LZ
ntdll.dll
kernel32.dll
ADVAPI32
4322
Video
50727
Resources
Files
Common
Maker
2914
time
Service
assembly
4325
Adobe
Definitions
Tasks
MSVCRT
lZ
NT 5.1
(R
40607
schemas
KERNEL32
Mail
Help
\VarFileInfo\Translation
NT 6.0
x@
Intel
WS2_32
Reports
Offline
Options
LP
98
Profiles
bind
Components
winsxs
Cursors
Boot
New
X3
Inter
3705
6.0
Internet
Microsoft
inf
Kernel
Packages
04506
PLA

LW
Date:
ReadFile
Digital
Fonts
Assemblies
Logs
8Q
Photo
hL
dJ
NT 4.0
Office
VERSION
$Q
msdownld
F
5.01
XM
Policy
Modem
App
h:
30729
4A
Build
htonl
twain
Mobile
Media
Downloaded

WININET
Web
tracing
Performance

Calendar
Temp
Security
NET
NT 5.0
Microsoft Base Cryptographic Provider v1.0
Games
tmp
{%08X-%04X-%04X-%04X-%08X%04X}

Collaboration
Java
_memicmp
Gallery
Defender
Distribution
Speech
Shell
IME
5.0
Globalization
Journal
MS
Patch
Program
Registered
PB
()
5.5
listen
(Y
Publish
Software
\%d.tmp
Google
URLMON
Explorer
HTTP/1.0
Prefetch
Movie
7.0
Debug
Player
Visual
select
System
Documents



11. Other API Calls

CryptReleaseContext
GetFileVersionInfoSizeA
getsockname
ntohs
GetModuleFileNameA
GetFileAttributesA
getpeername
send
WSAIoctl
SetFilePointer
GetTempPathA
InternetGetConnectedState
RegOpenKeyExA
closesocket
CreateEventA
CreateThread
WriteFile
RegQueryValueExA
connect
GetVersionExA
FindClose
Sleep
GetModuleHandleA
GetLastError
ExitThread
RegDeleteValueA
DeleteFileA
recv
WSASocketA
htons
ntohl
__WSAFDIsSet
memmove
RegSetValueExA
FindFirstFileA
WSAGetLastError
recvfrom
VerQueryValueA
CryptGenRandom
gethostbyname
FindNextFileA
GetTickCount
ObtainUserAgentString
LoadLibraryA
SystemTimeToFileTime
GetVersion
CryptAcquireContextA
GetSystemTime
CloseHandle
CreateFileA
inet_ntoa
GetTempFileNameA
InterlockedExchange
GetWindowsDirectoryA
LeaveCriticalSection
RegCloseKey
GlobalAlloc
Reference
EnterCriticalSection
InitializeCriticalSection
SetFileAttributesA
GetProcAddress\
sendto
SetEvent
GlobalFree
VirtualAlloc
ioctlsocket
CreateDirectoryA
InternetTimeToSystemTime
GetFileVersionInfoA
accept
MoveFileA
DeleteFileA
GetTempPathA
GetSystemDirectoryA
Sleep
CloseHandle
CreateThread
LockFile
GetFileSize
CreateFileA
GetLocalTime
GetVersion
SetErrorMode
ExitProcess
GetCommandLineA
GetLastError
CreateMutexA
GetComputerNameA
GetCurrentProcessId
DisableThreadLibraryCalls
MoveFileExA
Process32First
CreateToolhelp32Snapshot
ReadFile
CreateFileW
MoveFileExW
DeleteFileW
WideCharToMultiByte
ExpandEnvironmentStringsW
GlobalAlloc
MultiByteToWideChar
TerminateThread
GetExitCodeThread
GetCurrentThreadId
GetVersionExA
WaitForSingleObject
SetLastError
Module32Next
Module32First
ExitThread
SetThreadPriority
VirtualProtect
GetThreadPriority
GetCurrentThread
VirtualFree
VirtualAlloc
GetProcAddress
LoadLibraryA
GetModuleHandleA
GetVolumeInformationA
GetTickCount
QueryPerformanceCounter
GetCurrentProcess
SetFileTime
GetFileAttributesA
GetFileTime
WriteFile
SetEndOfFile
TerminateProcess
OpenProcess
Thread32Next
SuspendThread
OpenThread
GlobalFree
CreateRemoteThread
WriteProcessMemory
VirtualAllocEx
ReadProcessMemory
SetFileAttributesA
CreateProcessA
LocalFree
VirtualQuery
GetTempFileNameA
FreeLibrary
SystemTimeToFileTime
GetSystemTime
GetSystemTimeAsFileTime
RtlUnwind
GetModuleFileNameA
Process32Next
Thread32First
RegCreateKeyExW
RegFlushKey
OpenSCManagerW
EnumServicesStatusW
QueryServiceConfigW
QueryServiceConfig2W
GetNamedSecurityInfoW
SetEntriesInAclW
SetNamedSecurityInfoW
RegEnumKeyExW
RegSetKeySecurity
GetTokenInformation
EqualSid
InitializeSecurityDescriptor
AllocateAndInitializeSid
GetLengthSid
InitializeAcl
AddAccessAllowedAce
SetSecurityDescriptorDacl
SetFileSecurityA
FreeSid
OpenProcessToken
LookupPrivilegeValueA
AdjustTokenPrivileges
OpenServiceA
ControlService
ChangeServiceConfigA
RegSetValueExW
RegOpenKeyExW
RegQueryValueExW
RegCloseKey
OpenSCManagerA
OpenServiceW
CloseServiceHandle
QueryServiceStatus
QueryServiceConfigA
CryptReleaseContext
CryptGenRandom
CryptAcquireContextA
_adjust_fdiv
_initterm
calloc
memcmp
strcat
abs
sin
log
strtok
atoi
wcscpy
wcscat
_wcsdup
malloc
free
memcpy
memset
wcsstr
_snwprintf
wcsncmp
wcsncpy
_wcsnicmp
wcsncat
wcslen
_wcsicmp
_strlwr
strstr
_strnicmp
srand
rand
_snprintf
strrchr
strncpy
strlen
_stricmp
strncat
CoInitializeEx
CoCreateInstance
CoUninitialize
CoInitializeSecurity
SHGetSpecialFolderPathA
SHDeleteValueA
StrStrIW
StrStrIA
SHDeleteKeyW
ObtainUserAgentString
EnumThreadWindows
GetDlgItem
PostMessageA
InternetGetConnectedState
InternetOpenA
InternetOpenUrlA
HttpQueryInfoA
InternetReadFile
InternetCloseHandle
XPTPSW
KERNEL32.DLL
ADVAPI32.dll
MSVCRT.dll
ole32.dll
OLEAUT32.dll
SHELL32.dll
SHLWAPI.dll
urlmon.dll
USER32.dll
WININET.dll
WS2_32.dll
LoadLibraryA
GetProcAddress
VirtualProtect
VirtualAlloc
VirtualFree
FreeSid
abs
CoInitializeEx
SHGetSpecialFolderPathA
StrStrIW
ObtainUserAgentString
GetDlgItem
InternetOpenA