Tuesday, April 28, 2009

conficker.e analysis (.exe component) - part 0.8 - "3rd command" reversing

The previous post showed that the worm always expects three valid commands for its business. The most meaningful command during the dissection is the "3rd command".

When the worm receives the correct command syntax, it sends a dump of the registry value "ds" stored under the registry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Applets

The following screenshots show the behaviour.

A note: in this case the expected "3rd command" is:

get /mkmxzbr http/


The first screenshot shows the Wireshark dump:


The red zone is the request sent from a PuTTY (raw mode) client, while the blue zone is the response.

The second one shows the code region where the "3rd command" is handled:


And the last screenshot shows the registry value that matches the dump posted above:
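As an added example (not from the original post and not the worm's own code), a small Python detector that flags request lines with the shape of this "3rd command" inside a captured TCP stream; it assumes, beyond what the post states, that the path token varies between samples but is always a short run of lowercase letters.

```python
import re

# The request observed on this page: a lowercase "get", a random-looking path
# token and a bare "http/" with no version number, which no standard HTTP
# client emits (methods are case-sensitive and the version is always given).
OBSERVED_COMMAND = b"get /mkmxzbr http/"

# Assumption (not stated on the page): the path token differs between samples
# but is always a short run of lowercase letters, so the detector matches the
# shape of the line rather than the literal "mkmxzbr".
CONFICKER_CMD_RE = re.compile(rb"^get /[a-z]{4,12} http/\r?\n?$")


def is_conficker_command(request_line: bytes) -> bool:
    """Return True if a raw request line has the shape of the worm's 3rd command."""
    return CONFICKER_CMD_RE.match(request_line) is not None


def scan_stream(payload: bytes) -> list:
    """Return the 1-based line numbers of a captured TCP payload that match."""
    return [
        n for n, line in enumerate(payload.splitlines(keepends=True), 1)
        if is_conficker_command(line)
    ]


# Constructed sample traffic: a normal HTTP request followed by a worm-style
# command sent over the same connection.
SAMPLE_STREAM = (
    b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
    + OBSERVED_COMMAND + b"\r\n"
)

if __name__ == "__main__":
    for n in scan_stream(SAMPLE_STREAM):
        print(f"line {n}: worm-style command detected")
```

A real HTTP request line never matches because the method is uppercase and the version follows "HTTP/", so the rule can run over reassembled streams with a low false-positive rate.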
