{
	"id": "2d01b56a-e02d-4e9f-8052-23b1c60a78c1",
	"created_at": "2026-04-06T00:17:17.540183Z",
	"updated_at": "2026-04-10T03:20:54.618069Z",
	"deleted_at": null,
	"sha1_hash": "d3c982ab8fefbfb4a303045738b66de630f41f88",
	"title": "malware-analysis-writeups/Conficker/Conficker.md at main · itaymigdal/malware-analysis-writeups",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1170726,
	"plain_text": "malware-analysis-writeups/Conficker/Conficker.md at main · itaymigdal/malware-analysis-writeups\r\nBy itaymigdal\r\nArchived: 2026-04-05 14:01:15 UTC\r\nMalware Name: Conficker\r\nFile Type: x32 dll\r\nSHA256: a30b63e1ed900d3f223277b1d3b09b045abc85600da0d3102fa61fb2bfc2ff99\r\nIntro\r\nAlmost 15 years ago, a worm named Conficker caused a LOT of trouble. To this day, there are some Windows environments (mainly XP-based networks) which are still infected with this piece of code (brilliant code for 2008). With millions of infections all over the world, 5 variants, and a lot of damage, some say this is the most remarkable worm that was ever made.\r\nSo I took it for a ride in my lab.\r\nAnalysis process\r\nI first encountered the worm when I received a Disk On Key with an autorun.inf file and a weird file with the suspicious extension jwgkvsq.vmx, both of which were heavily flagged by AV engines. Any time an infected DOK is inserted into a computer, it pops up this window:\r\nThis is a very nice social engineering trick: the autorun.inf is disguised with the Explorer icon and caption (look at the duplicated Explorer actions, one under \"Install or run a program\", which invokes the autorun.inf, and the other under \"General options\", the benign one). Observing the autorun file:\r\nhttps://github.com/itaymigdal/malware-analysis-writeups/blob/main/Conficker/Conficker.md\r\nPage 1 of 10\r\nWe see a lot of unclear junk, and it is not clear whether this is obfuscation or a binary. By scrolling down (how far down? line 1227) a few strings are exposed inside this sea of garbage:\r\nCleaning it up:\r\nThe first line binds the autorun.inf to the Explorer icon. The second line executes the other file using Rundll32.exe, which invokes a gibberish export function (actually, this export doesn't even exist in the jwgkvsq.vmx dll; DllMain is called before the export name is validated).\r\nOpening jwgkvsq.vmx in Pestudio:\r\nThe first stage is packed with UPX. Unpacking:\r\nFor my convenience, here I converted the dll to an exe (the tool just changed a single bit in the PE header):\r\nEntropy is 8, so the file is still packed:\r\nWe will try to unpack it later; for now let's run the file under Procmon to get a general idea of its file operations. The file is very noisy and many operations were seen.\r\nThe file persists itself in a Run key:\r\nDeletes Windows Defender from the Run key:\r\nResets the TCP receive window using Netsh.exe (not sure exactly why, but it's part of the setup for the upcoming brute force):\r\nProbes for live hosts in the internal network by trying to connect to their SMB share:\r\nAt this point I started to debug the file under a debugger in order to unpack it. Even though this is an old malware and it is fair to think that it lacks protections, that's not true: it contains polymorphism, obfuscation and anti-analysis tricks. After some struggling with it and at least 5 VirtualAlloc calls, I saw a PE file that was written to newly allocated memory:\r\nThe file was in its mapped format (reference), and for some reason I was unable to unmap it to its raw format, despite trying various methods. I suspect that the reason is that the PE headers were corrupted in some way. So at some point I gave up on the unmapping and moved on to the very JUICY strings, armed with my prior knowledge of Conficker's actions.\r\nFirst were the autorun.inf strings, which are written to every Disk On Key that is inserted into an infected machine:\r\nThen there is a big list of security products and related names, which is compared against each DNS lookup the host makes; if the DNS request contains any of these words, the request is blocked! That is done by hooking the DNS library in every process!!\r\nIt also has the ability to retrieve the external IP address of the machine by querying each of these sites:\r\nAnd there is the password list (part of it; it's longer):\r\nSpreading\r\nThe worm spreads itself by 3 mechanisms:\r\n1. By brute forcing SMB shares using the password list. When it guesses the right password, it writes the payload to the remote share and runs it by creating a remote service.\r\n2. By infecting DOKs and removable drives.\r\n3. By MS08-067, which it exploits heavily. For that, the worm creates a local HTTP server on the infected machine, which serves the payload to any host that is exploited successfully.\r\nMore capabilities not discussed here\r\n1. The worm contains a DGA algorithm (explained here).\r\n2. The worm changes TCP settings, like the allowed concurrent TCP connections, in order to optimize the brute force process.\r\n3. The worm shuts down system services, like Windows Defender and Background Intelligent Transfer Service, to disrupt automatic updates and protections.\r\n4. The worm injects itself into system processes like Explorer.exe and Svchost.exe.\r\n5. The worm deletes the System Restore Points.\r\n6. The worm contains anti-analysis, anti-sandbox and anti-VM capabilities, and a lot of obfuscation and \"spaghetti code\".\r\nConclusion\r\nConficker is a sophisticated, contagious, brutal and noisy Windows worm. In this writeup I discussed only a small part of Conficker's whole story; there is a comprehensive article about it as well.\r\nHope you enjoyed :)\r\nSource: https://github.com/itaymigdal/malware-analysis-writeups/blob/main/Conficker/Conficker.md",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://github.com/itaymigdal/malware-analysis-writeups/blob/main/Conficker/Conficker.md"
	],
	"report_names": [
		"Conficker.md"
	],
	"threat_actors": [],
	"ts_created_at": 1775434637,
	"ts_updated_at": 1775791254,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d3c982ab8fefbfb4a303045738b66de630f41f88.pdf",
		"text": "https://archive.orkl.eu/d3c982ab8fefbfb4a303045738b66de630f41f88.txt",
		"img": "https://archive.orkl.eu/d3c982ab8fefbfb4a303045738b66de630f41f88.jpg"
	}
}