
Worm Virus Download



Anyone can upload a virus here with the simple uploader. Registered users can search for and download viruses as a zip package. The viruses are protected with the password 'infected', so extract the virus executable files (exe, msi, pif, bat etc.) from the zip package using the password 'infected'.

Worm:W32/Conficker.AL is a variant of Worm:W32/Downadup that can spread using three different methods and is capable of hiding its actions on the infected machine, as well as downloading files from remote sites.


A worm is a type of malware that can copy itself and often spreads through a network by exploiting security vulnerabilities. It can spread through email attachments, text messages, file-sharing programs, social networking sites, network shares, removable drives, and software vulnerabilities.

How worms work


Worms represent a large category of malware. Different worms use different methods to infect devices. Depending on the variant, they can steal sensitive information, change security settings, send information to malicious hackers, stop users from accessing files, and other malicious activities.

Jenxcus (also known as Dunihi), Gamarue (also known as Androm), and Bondat have consistently remained at the top of the list of malware that infects users running Microsoft software. Although these worms share some commonalities, it's interesting to note that they also have distinct characteristics.

  • Jenxcus can not only infect removable drives but also act as a backdoor that connects back to its server. This threat typically gets into a device through a drive-by download attack, meaning it is installed when the user merely visits a compromised web page.

  • Gamarue typically arrives through spam campaigns, exploits, downloaders, social networking sites, and removable drives. When Gamarue infects a device, it becomes a distribution channel for other malware. We've seen it distribute other malware such as info stealers, spammers, clickers, downloaders, and rogues.

  • Bondat typically arrives through fictitious Nullsoft Scriptable Install System (NSIS), Java installers, and removable drives. When Bondat infects a system, it gathers information about the machine such as device name, Globally Unique Identifier (GUID), and OS build. It then sends that information to a remote server.

Both Bondat and Gamarue have clever ways of obscuring themselves to evade detection. By hiding what they're doing, they try to avoid detection by security software.

  • WannaCrypt also deserves a mention here. Unlike older worms that often spread just because they could, modern worms often spread to drop a payload (like ransomware).

This image shows how a worm can quickly spread through a shared USB drive.

Figure: worm spreading from a shared USB drive

How to protect against worms

Enable Microsoft Defender Antivirus in Windows 10. It provides real-time protection against threats and detects and removes known unwanted software.

Download Microsoft Security Essentials for real-time protection in Windows 7 or Windows Vista.

In case threat removal is unsuccessful, read about troubleshooting malware detection and removal problems.

For more general tips, see prevent malware infection.

Worm:W32/Conficker.AL is a variant of Worm:W32/Downadup.A, which is able to spread copies of itself over a network using three different methods: file sharing, exploitation of a vulnerability and exploitation of Windows Autorun.

In addition to attempting to connect to remote sites, Conficker.AL uses stealth techniques to hide its actions, and makes a number of changes to the Windows Registry.

More technical information is also available in the related descriptions:

Installation

Upon execution, Downadup creates copies of itself in:

  • %System%\[Random].dll
  • %Program Files%\Internet Explorer\[Random].dll
  • %Program Files%\Movie Maker\[Random].dll
  • %All Users Application Data%\[Random].dll
  • %Temp%\[Random].dll
  • %System%\[Random].tmp
  • %Temp%\[Random].tmp

Note: [Random] represents a randomly generated name.

Each file's timestamp is amended to match the timestamp of the %System%\kernel32.dll file. The worm then creates autorun entries in the registry, which ensure that a copy of the worm is executed at every system startup.

The worm then attaches itself to the following processes:

  • svchost.exe
  • explorer.exe
  • services.exe

Activity

The worm disables a number of system features, in order to facilitate its activities. It disables the following Windows services:

  • Windows Automatic Update Service (wuauserv)
  • Background Intelligent Transfer Service (BITS)
  • Windows Security Center Service (wscsvc)
  • Windows Defender Service (WinDefend)
  • Windows Error Reporting Service (ERSvc)
  • Windows Error Reporting Service (WerSvc)

In addition to disabling these services, it checks whether it is running on a Windows Vista machine; if so, it also runs the following command to disable Windows Vista TCP/IP auto-tuning:

  • netsh interface tcp set global autotuning=disabled

The worm also hooks the following APIs in order to block access to a long list of domains:

  • DNS_Query_A
  • DNS_Query_UTF8
  • DNS_Query_W
  • Query_Main
  • sendto

If the user attempts to access a domain name containing any of the following strings, which are primarily security-related, access is blocked:

  • virus
  • spyware
  • malware
  • rootkit
  • defender
  • microsoft
  • symantec
  • norton
  • mcafee
  • trendmicro
  • sophos
  • panda
  • etrust
  • networkassociates
  • computerassociates
  • f-secure
  • kaspersky
  • jotti
  • f-prot
  • nod32
  • eset
  • grisoft
  • drweb
  • centralcommand
  • ahnlab
  • esafe
  • avast
  • avira
  • quickheal
  • comodo
  • clamav
  • ewido
  • fortinet
  • gdata
  • hacksoft
  • hauri
  • ikarus
  • k7computing
  • norman
  • pctools
  • prevx
  • rising
  • securecomputing
  • sunbelt
  • emsisoft
  • arcabit
  • cpsecure
  • spamhaus
  • castlecops
  • threatexpert
  • wilderssecurity
  • windowsupdate
  • nai
  • ca
  • avp
  • avg
  • vet
  • bit9
  • sans
  • cert

Propagation (File Sharing)

To propagate itself, the worm first modifies the following registry entry so that it can spread more rapidly across a network:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, 'TcpNumConnections' = dword:0x00FFFFFE

To speed up propagation further, the worm also raises the limit on half-open connections to 0x10000000 (268435456) by patching, in memory, the function that implements this limit in the %System%\drivers\tcpip.sys driver.

It looks for suitable computers on the network using NetServerEnum, then attempts to log on to each computer found using one of the following:

  • Using the existing credentials of the infected user account; if this account does not have admin privileges on the target machine, this operation will not succeed.
  • Acquiring the list of usernames from the targeted computer using the NetUserEnum API, then attempting to log on to the targeted computer using the existing user accounts and one of the following passwords:
    • [username]
    • [username][username]
    • [reverse_of_username]
    • 00000
    • 0000000
    • 00000000
    • 0987654321
    • 11111
    • 111111
    • 1111111
    • 11111111
    • 123123
    • 12321
    • 123321
    • 12345
    • 123456
    • 1234567
    • 12345678
    • 123456789
    • 1234567890
    • 1234abcd
    • 1234qwer
    • 123abc
    • 123asd
    • 123qwe
    • 1q2w3e
    • 22222
    • 222222
    • 2222222
    • 22222222
    • 33333
    • 333333
    • 3333333
    • 33333333
    • 44444
    • 444444
    • 4444444
    • 44444444
    • 54321
    • 55555
    • 555555
    • 5555555
    • 55555555
    • 654321
    • 66666
    • 666666
    • 6666666
    • 66666666
    • 7654321
    • 77777
    • 777777
    • 7777777
    • 77777777
    • 87654321
    • 88888
    • 888888
    • 8888888
    • 88888888
    • 987654321
    • 99999
    • 999999
    • 9999999
    • 99999999
    • a1b2c3
    • aaaaa
    • abc123
    • academia
    • access
    • account
    • Admin
    • admin
    • admin1
    • admin12
    • admin123
    • adminadmin
    • administrator
    • anything
    • asddsa
    • asdfgh
    • asdsa
    • asdzxc
    • backup
    • boss123
    • business
    • campus
    • changeme
    • cluster
    • codename
    • codeword
    • coffee
    • computer
    • controller
    • cookie
    • customer
    • database
    • default
    • desktop
    • domain
    • example
    • exchange
    • explorer
    • files
    • foobar
    • foofoo
    • forever
    • freedom
    • games
    • home123
    • ihavenopass
    • Internet
    • internet
    • intranet
    • killer
    • letitbe
    • letmein
    • Login
    • login
    • lotus
    • love123
    • manager
    • market
    • money
    • monitor
    • mypass
    • mypassword
    • mypc123
    • nimda
    • nobody
    • nopass
    • nopassword
    • nothing
    • office
    • oracle
    • owner
    • pass1
    • pass12
    • pass123
    • passwd
    • Password
    • password
    • password1
    • password12
    • password123
    • private
    • public
    • pw123
    • q1w2e3
    • qazwsx
    • qazwsxedc
    • qqqqq
    • qwe123
    • qweasd
    • qweasdzxc
    • qweewq
    • qwerty
    • qwewq
    • root123
    • rootroot
    • sample
    • secret
    • secure
    • security
    • server
    • shadow
    • share
    • student
    • super
    • superuser
    • supervisor
    • system
    • temp123
    • temporary
    • temptemp
    • test123
    • testtest
    • unknown
    • windows
    • work123
    • xxxxx
    • zxccxz
    • zxcvb
    • zxcvbn
    • zxcxz
    • zzzzz
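As an added example (not F-Secure's code): a password audit that applies the worm's three username-derived guesses and its dictionary to an account inventory, so a defender can find the accounts the file-sharing attack described above would log into. CONFICKER_DICTIONARY is an assumed name, abridged to a few entries from the list above, and the inventory in the block is constructed.

```python
"""Audit an account inventory with the password-guessing rules Conficker.AL
uses against network shares (added example, not F-Secure's code).  The worm
tries, per enumerated user, the username, the username doubled, the username
reversed, and a fixed dictionary; applying the same rules to a lab inventory
shows which accounts it would log into.  CONFICKER_DICTIONARY is an assumed
name and is abridged to a few entries from the list above."""

# Abridged from the list in the description; extend it with the full list.
# Entries are case-sensitive: the worm tries 'admin' and 'Admin' separately.
CONFICKER_DICTIONARY = frozenset({
    "00000", "0000000", "00000000", "0987654321", "12345", "123456",
    "1234567", "12345678", "123456789", "1234567890", "1q2w3e", "a1b2c3",
    "abc123", "Admin", "admin", "admin123", "administrator", "changeme",
    "ihavenopass", "letmein", "nopass", "nopassword", "Password", "password",
    "password1", "password123", "qwerty", "secret", "test123", "zzzzz",
})


def username_derived_guesses(username):
    """The three candidates the worm builds from the account name itself."""
    return [username, username + username, username[::-1]]


def conficker_would_guess(username, password):
    """Return the name of the rule that yields `password`, or None."""
    plain, doubled, reversed_name = username_derived_guesses(username)
    if password == plain:
        return "username"
    if password == doubled:
        return "username doubled"
    if password == reversed_name:
        return "username reversed"
    if password in CONFICKER_DICTIONARY:
        return "dictionary"
    return None


def audit_accounts(accounts):
    """Map each guessable account in {username: password} to the matching rule."""
    findings = {}
    for user, pwd in accounts.items():
        rule = conficker_would_guess(user, pwd)
        if rule is not None:
            findings[user] = rule
    return findings


if __name__ == "__main__":
    # Constructed sample inventory for demonstration only.
    sample = {
        "backup": "backup",        # equals the username
        "svc_sql": "lqs_cvs",      # username reversed
        "jdoe": "password123",     # dictionary entry
        "ops": "T9#kq!vZ2pL",      # not reachable by these rules
    }
    for user, rule in audit_accounts(sample).items():
        print(f"{user}: guessable via {rule}")
```

A real audit would run the same candidate generator against password hashes rather than a plaintext inventory; the rules are the only part that is Conficker-specific.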


If the worm successfully accesses the network share, it copies itself to the 'ADMIN$' share as:

  • \\[Server Host Name]\ADMIN$\System32\[random filename].[random extension]

It then creates a scheduled daily job on the remote server, in order to execute the following command:

  • rundll32.exe [random filename].[random extension], [random]

Propagation (Autorun)

The worm may create the following files on removable and mapped drives:

  • %DriveLetter%\RECYCLER\S-%d-%d-%d-%d%d%d-%d%d%d-%d%d%d-%d[...].[3 random characters]
  • %DriveLetter%\autorun.inf

The autorun file is used as another vector for distributing copies of the worm; see the description for Worm:W32/Downaduprun.A for additional details.

Propagation (Vulnerability)

The worm is also able to propagate by downloading a copy of itself onto other machines that are vulnerable to the critical MS08-067 vulnerability. To do so, the worm first connects to the following sites to retrieve the system's %ExternalIPAddress%:

  • https://checkip.dyndns.org
  • https://getmyip.co.uk
  • https://www.getmyip.org
  • https://www.whatsmyipaddress.com

Next, the worm creates an HTTP server on a random port:

  • https://%ExternalIPAddress%:%RandomPort%

Creating the HTTP server allows the malware to send out specially crafted packets (exploit code) from the infected machine to other machines. If the exploit is successful, the targeted machine is forced to download a copy of the malware from the first infected machine.

The downloaded malware has one of the following extensions:

  • bmp
  • gif
  • jpeg
  • png

It then hooks the NetpwPathCanonicalize API in order to prevent the vulnerability from being exploited further on the infected machine.

Downloads

Downadup is capable of downloading files onto the infected system. First, the worm connects to one of the following domains to obtain the current system date:

  • ask.com
  • baidu.com
  • google.com
  • w3.org
  • yahoo.com

The obtained date is used to generate a list of domains from which the malware can download additional files.

It then verifies whether the current date is at least 1 January 2009. If so, it downloads and executes files from:

  • https://%PredictableDomainsIPAddress%/search?q=%d

Note: %PredictableDomainsIPAddress% is the domain generated based on the system date.

The downloaded file has the format:

  • [random].tmp

Registry Changes

The worm deletes a number of keys from the registry, in order to deactivate the Security Center Notifications and prevent Windows Defender from starting. It also bypasses the Windows Firewall by creating the following registry entry, so that the system can download a copy of the worm:

  • HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List, [PortNumber]:TCP = '[PortNumber]:TCP:*Enabled:[random]'

Stealth

To hide its presence in the system, the worm deletes any System Restore points created by the user, then modifies the following registry keys:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue = dword:00000000
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost, netsvcs = %Previous data% and %Random%

During infection, the worm may create a temporary (TMP) file in the System or Temp folder. The TMP file created is registered as a service kernel driver using the following registry entry:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[random]
    • Type = dword:00000001
    • Start = dword:00000003
    • ErrorControl = dword:00000000
    • ImagePath = '...\%MalwarePath%\[random].tmp'
    • DisplayName = [Random]

Once the key is created, the file %MalwarePath%\[random].tmp is deleted.

An interesting change the worm makes to the registry involves the following registry entries:


  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[random]
    • DisplayName = %ServiceName%
    • Type = dword:00000020
    • Start = dword:00000002
    • ErrorControl = dword:00000000
    • ImagePath = '%SystemRoot%\system32\svchost.exe -k netsvcs'
    • ObjectName = 'LocalSystem'
    • Description = %description%
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[random]\Parameters\ServiceDll = %MalwarePath%


In these entries, %ServiceName% represents a two-word combination taken from the following list:


  • Boot
  • Center
  • Config
  • Driver
  • Helper
  • Image
  • Installer
  • Manager
  • Microsoft
  • Monitor
  • Network
  • Security
  • Server
  • Shell
  • Support
  • System
  • Task
  • Time
  • Universal
  • Update
  • Windows
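An added example, not F-Secure's tooling: an offline checker that parses a Windows registry export (.reg text) and flags the changes this description lists: the TcpNumConnections value, the hidden-files setting, the firewall exception, the disabled services and an svchost-hosted service whose display name is two words from the list above. The export in the block and the service and DLL names in it are constructed.

```python
"""Scan a registry export (.reg text) for the Conficker.AL registry changes
described above (added example, not F-Secure's tooling); feed it `reg export` output."""

SERVICES = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
SHOWALL = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
           r"\Explorer\Advanced\Folder\Hidden\SHOWALL")
PORTS = SERVICES + r"\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List"
DISABLED_BY_WORM = {"wuauserv", "bits", "wscsvc", "windefend", "ersvc", "wersvc"}  # lowercased
NAME_WORDS = {"Boot", "Center", "Config", "Driver", "Helper", "Image", "Installer",
              "Manager", "Microsoft", "Monitor", "Network", "Security", "Server", "Shell",
              "Support", "System", "Task", "Time", "Universal", "Update", "Windows"}

def decode_value(data):
    """dword -> int; hex(2) (REG_EXPAND_SZ as UTF-16LE bytes) and quoted strings -> str."""
    if data.startswith("dword:"):
        return int(data[6:], 16)
    if data.startswith("hex(2):"):
        raw = bytes(int(b, 16) for b in data[7:].split(",") if b)
        return raw.decode("utf-16-le").rstrip("\0")
    return data.strip('"').replace("\\\\", "\\")

def parse_reg(text):
    """Parse .reg text into {key_path (lowercased): {value_name: value}}."""
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\") and not line.startswith("["):
            pending = line[:-1]           # hex data continues on the next line
            continue
        pending = ""
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()  # registry paths are case-insensitive
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            name, _, data = line.partition("=")
            keys[current][name.strip('"')] = decode_value(data)
    return keys

def find_indicators(text):
    """Return human-readable findings; an empty list means nothing matched."""
    reg, out, svcs = parse_reg(text), [], SERVICES.lower()
    if reg.get(svcs + r"\tcpip\parameters", {}).get("TcpNumConnections") == 0x00FFFFFE:
        out.append("TcpNumConnections raised to 0x00FFFFFE")
    if reg.get(SHOWALL.lower(), {}).get("CheckedValue") == 0:
        out.append("Hidden-files SHOWALL\\CheckedValue set to 0")
    for name, data in reg.get(PORTS.lower(), {}).items():
        if name.endswith(":TCP") and name[:-4].isdigit() and "Enabled" in str(data):
            out.append(f"Globally open TCP port {name} ({data}); review it")
    for key, vals in reg.items():
        if not key.startswith(svcs + "\\") or key.count("\\") != 4:
            continue                      # direct children of ...\Services only
        svc = key.rsplit("\\", 1)[1]
        if svc in DISABLED_BY_WORM and vals.get("Start") == 4:   # 4 = SERVICE_DISABLED
            out.append(f"Service {svc} disabled")
        words = str(vals.get("DisplayName", "")).split()
        dll = reg.get(key + r"\parameters", {}).get("ServiceDll")
        # Heuristic: legitimate netsvcs services can match too, so verify the DLL itself.
        if ("svchost.exe -k netsvcs" in str(vals.get("ImagePath", "")) and dll
                and len(words) == 2 and set(words) <= NAME_WORDS):
            out.append(f"netsvcs service {svc} '{' '.join(words)}' loads {dll}")
    return out

# Constructed export: 'qkzvhw', 'pqwmr.dll', the port and its name are made up.
# A real export writes ImagePath/ServiceDll as hex(2), which decode_value handles.
SAMPLE_REG = "\n".join([
    "Windows Registry Editor Version 5.00", "",
    "[" + SERVICES + r"\Tcpip\Parameters]", '"TcpNumConnections"=dword:00fffffe',
    "[" + SERVICES + r"\wuauserv]", '"Start"=dword:00000004',
    "[" + PORTS + "]", '"4567:TCP"="4567:TCP:*:Enabled:xkqvz"',
    "[" + SHOWALL + "]", '"CheckedValue"=dword:00000000',
    "[" + SERVICES + r"\qkzvhw]", '"DisplayName"="Network Helper"',
    r'"ImagePath"="%SystemRoot%\\system32\\svchost.exe -k netsvcs"',
    "[" + SERVICES + r"\qkzvhw\Parameters]",
    r'"ServiceDll"="%SystemRoot%\\system32\\pqwmr.dll"',
])
```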



