The worm patches NETAPI32.DLL in memory to prevent re-infection and further exploitation of the vulnerability addressed by Microsoft Security Bulletin MS08-067.

Worm:Win32/Conficker.C attempts to infect machines within the network. It first attempts to drop a copy of itself in a computer's ADMIN$ share using the credentials of the currently logged-on user. If this method is unsuccessful, for example, because the current user does not have the necessary rights, it instead obtains a list of user accounts on the target machine. It then attempts to connect to the target machine using each user name and the following weak passwords:

If Win32/Conficker.C successfully accesses the target machine, for example, if a combination of any of the user names and one of the above passwords allows write privileges to the machine, it copies itself to an accessible admin share as a .dll file under ADMIN$\System32\.

After remotely infecting a computer, Win32/Conficker.C creates a remotely scheduled job with a “rundll32.exe” command that loads the copied .dll to activate the copy, as shown in the images below.

Note that the language in the first option suggests the user could "Open folder to view files"; however, the option is under "Install or run program", an indication that opening the folder will actually run an application. Another hint that the action is to run the worm is the text "Publisher not specified".
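The network-share spreading sequence described above (logon attempts across many accounts, a DLL written to ADMIN$\System32, then a remotely scheduled rundll32.exe job) can be correlated per source and target host. The following is an added detection sketch, not code from the original write-up; the event schema, field names, thresholds, host names and file names are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample events in a hypothetical normalized schema (not a real log format).
SAMPLE_EVENTS = [
    {"t": 100 + i, "src": "10.0.0.5", "dst": "FILESRV1", "kind": "logon_fail", "user": u}
    for i, u in enumerate(["admin", "alice", "bob", "backup", "guest"])
] + [
    {"t": 112, "src": "10.0.0.5", "dst": "FILESRV1", "kind": "share_write",
     "share": "ADMIN$", "path": "System32\\qzxvb.dll"},   # constructed file name
    {"t": 115, "src": "10.0.0.5", "dst": "FILESRV1", "kind": "job_created",
     "command": "rundll32.exe qzxvb.dll,abcde"},          # constructed parameters
    # Unrelated host: one mistyped password, an ordinary file write and job.
    {"t": 200, "src": "10.0.0.9", "dst": "FILESRV1", "kind": "logon_fail", "user": "carol"},
    {"t": 205, "src": "10.0.0.9", "dst": "FILESRV1", "kind": "share_write",
     "share": "Public", "path": "reports\\q3.xlsx"},
    {"t": 210, "src": "10.0.0.9", "dst": "FILESRV1", "kind": "job_created",
     "command": "defrag.exe C:"},
]

DLL_DROP = re.compile(r"^system32\\[^\\]+\.dll$", re.I)            # DLL directly in System32
RUNDLL_JOB = re.compile(r"\brundll32(?:\.exe)?\s+\S+\.dll,", re.I)  # rundll32 <file>.dll,<args>

def correlate(events, min_users=5, window=600):
    """Map (src, dst) -> ordered list of spread stages observed for that pair."""
    fails = defaultdict(list)   # (src, dst) -> [(time, user)] of recent failed logons
    stages = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["t"]):
        pair, stage = (ev["src"], ev["dst"]), None
        if ev["kind"] == "logon_fail":
            fails[pair] = [(t, u) for t, u in fails[pair] if ev["t"] - t <= window]
            fails[pair].append((ev["t"], ev["user"]))
            if len({u for _, u in fails[pair]}) >= min_users:
                stage = "password_guessing"
        elif ev["kind"] == "share_write":
            if ev["share"].upper() == "ADMIN$" and DLL_DROP.match(ev["path"]):
                stage = "admin_share_dll_drop"
        elif ev["kind"] == "job_created" and RUNDLL_JOB.search(ev["command"]):
            stage = "rundll32_job"
        if stage and stage not in stages[pair]:
            stages[pair].append(stage)
    return dict(stages)

def spread_suspects(events):
    """Pairs where a DLL drop to ADMIN$ is later followed by a rundll32 job."""
    drop, job = "admin_share_dll_drop", "rundll32_job"
    return [pair for pair, seen in correlate(events).items()
            if drop in seen and job in seen and seen.index(drop) < seen.index(job)]
```

Password guessing is recorded as context rather than required, because the worm first tries the logged-on user's credentials and may never generate failed logons.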