Zshare Net Download 642658493791dbbc | Added By Request ~UPD~
Legislation has also been a massive driver of change, she added. Several states, including Colorado, Maryland and Nevada, have a law on the books that would provide pay ranges in job postings, upon candidate request or after a first interview.
zshare net download 642658493791dbbc | added by request
W32/Conficker.C!worm is the third variant of the Conficker worm exploiting the Microsoft Windows Server Service Vulnerability. It disables several Windows NT services, terminates other security and monitoring programs, and avoids access to security related websites. On April 1, 2009, it will generate thousands of malicious domains to download more malware threats.This particular threat is downloaded by the other Conficker variants to a compromised machine. It performs one or more of the following actions:Creates randomly named mutexes to make sure that only one instance of itself is running. The mutex name has the following format:Global\\undefinedu-undefineduwhere: undefinedu is a value formed from calling the GetComputerNameA(), QueryPerformanceCounter(), and srand() functions.It may drop a copy of itself using a random filename with a .DLL extension in one or more of the following folders:
undefinedSystemundefined
undefinedProgram Filesundefined\Windows NT
undefinedProgram Filesundefined\Windows Media Player
undefinedProgram Filesundefined\Internet Explorer
undefinedProgram Filesundefined\Movie Maker
undefinedDocuments and Settingsundefined\\Application Data
undefinedTemporaryundefined
Note: The dropped copies have the same time stamp as KERNEL32.DLL.It injects its main code to explorer.exe, services.exe, and all processes using the following command-line parameter: svchost.exe -k NetworkService.
If found, it disables the following Windows NT services:Windows Security Center (wscsvc)
Windows Defender (WinDefend)
Automatic Updates (wuauserv)
Background Intelligent Transfer Service (BITS)
Error Reporting Service (ERSvc)
Windows Error Reporting Service (WerSvc)
Registry ModificationsIt then deletes the following registry value to disable the automatic startup of Windows Defender:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Windows DefenderThe malware also disables the Windows Security Center notification by deleting the following registry subkey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjects\FD6905CE-952F-41F1-9A6F-135D9C6622CCThe malware also deletes the registry key below to prevent from the system from booting in Safe Mode:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBootThe malware also adds itself to the Svchost group by appending its path to the following registry key value:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost netsvcsTo enable its automatic execution on every machine startup, it adds the following registry entry:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run [Random String] = "rundll32.exe [Malware Path], [Random String]"It then creates an NT system service that points to its binary path by creating the following registry entries:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\[Random Name] Description = "[Random Description]" DisplayName = [Random DisplayName] ImagePath = "undefinedSystemRootundefined\system32\svchost.exe -k netsvcs" Parameters\ServiceDll = "[Malware Path]"where:[Random Name] is formed by concatenating two randomly selected strings from the two lists below:String List 1:App
Audio
DM
ER
Event
help
Ias
Ir
Lanman
Net
Ntms
Ras
Remote
Sec
SR
Tapi
Trk
W32
win
Wmdm
Wmi
wsc
wuau
xml
String List2:access
agent
auto
logon
man
mgmt
mon
prov
serv
Server
Service
Srv
srv
svc
Svc
System
Time
[Random DisplayName] is formed by randomly selecting two strings from the following string list:AuditBackup
Boot
Browser
Center
Component
Config
Control
Discovery
Driver
Framework
Hardware
Helper
Image
Installer
Logon
Machine
Management
Manager
Microsoft
Monitor
Network
Notify
Policy
Power
Security
Shell
Storage
Support
System
Task
Time
Trusted
Universal
Update
Windows
[Malware Path] - path of the dropped copy of the malwareTermination of ProcessesIt creates another thread to terminate processes that are mostly related to security and monitoring tools such as the following:
autoruns
avenger
confick
downad
filemon
gmer
hotfix
kb890
kb958
kido
klwk
mbsa.
mrt.
mrtstub
ms08-06
procexp
procmon
regmon
scct_
sysclean
tcpview
unlocker
wireshark
Prevention of Access to WebsitesIt hooks the following APIs to monitor internet access: From dnsapi.dll : DNS_Query_ADNS_Query_UTF8DNS_Query_WQuery_Main From ws2_32.dll :sendto From netapi32.dll :NetpwPathCanonicalize From wininet.dll :InternetGetConnectedStateIt also hooks the NtQueryInformationProcess API from ntdll.dll.
It prevents access to security-related websites, including websites that may contain information about Conficker. This is done by monitoring DNS requests when the infected machine attempts to access remote websites with the following substrings:
agnitum
ahnlab
anti-
antivir
arcabit
avast
avg.
avgate
avira
avp.
bit9.
bothunter
ca.
castlecops
ccollomb
centralcommand
cert.
clamav
comodo
computerassociates
conficker
cpsecure
cyber-ta
db networkassociates
defender
drweb
dslreports
emsisoft
esafe
eset
etrust
ewido
f-prot
f-secure
fortinet
free-av
freeav
gdata
gmer.
grisoft
hackerwatch
hacksoft
hauri
ikarus
jotti
k7computing
kaspersky
kav.
llnw.
llnwd.
malware
mcafee
microsoft
mirage
msdn.
msft.
msftncsi
msmvps
mtc.sri
nai.
nod32
norman
norton
onecare
panda
pctools
prevx
ptsecurity
quickheal
removal
rising
rootkit
safety.live
sans.
securecomputing
secureworks
sophos
spamhaus
spyware
sunbelt
symantec
technet
threat
threatexpert
trendmicro
trojan
vet.
virscan
virus
wilderssecurity
windowsupdate
It may also check connection to the following websites:2ch.net
ioctlsocket
recvfrom
Generation of Domain NamesIt visits the following websites to check the current date & time which will be used in its payload (domain generation):
It checks for the current system date using the GetLocalTime() API. If the system date is April 1, 2009 and beyond, it will generate up to 50,000 domain names that can be contacted to download additional components or malware. To generate the random domain names, the malware uses CryptGenRandom from Microsoft's Cryptography API (CAPI), QueryPerformanceCounter, and the current system date & time.It may use one of the following strings as the last part of the generated domain names: vn
vc
us
tw
to
tn
tl
tj
tc
su
sk
sh
sg
sc
ru
ro
ps
pl
pk
pe
no
nl
nf
my
mw
mu
ms
mn
me
md
ly
lv
lu
li
lc
la
kz
kn
is
ir
in
im
ie
hu
ht
hn
hk
gy
gs
gr
gd
fr
fm
es
ec
dm
dk
dj
cz
cx
co.za
co.vi
co.uk
co.ug
co.nz
co.kr
co.ke
co.il
co.id
co.cr
cn
cl
ch
cd
ca
bz
bo
be
at
as
am
ag
ae
ac