Conficker

A worm targeting Microsoft Windows operations systems.

Enhanced ATT&CK Techniques

Name	Use
Persistence::Registry Run Keys / Startup Folder (F0012)	To start itself at system boot, the virus saves a copy of its DLL form to a random filename in the Windows system folder, then adds registry keys to have svchost.exe invoke that DLL as an invisible network service. [1]
Persistence::Modify Existing Service (F0011)	The malware copies itself into the $systemroot%\system32 directory and registers as a service. [1]
Defense Evasion::Indicator Blocking (F0006)	The malware terminates various services related to system security and Windows and prevents network access to various websites related to antivirus software. [1]
Impact::Data Destruction (E1485)	The malware resets system restore points and deletes backup files. [1]
Anti-Static Analysis::Software Packing::UPX (F0001.008)	Conficker is propagated as a DLL which has been backed using the UPX packer. [2]

Name	Use
Command and Control::Domain Name Generation (B0031)	Conficker uses a domain name generator seeded by the current date to ensure that every copy of the virus generates the same names on their respective days. [1]
Execution::Conditional Execution (B0025)	Conficker A variant has a routine that causes the process to suicide exit if the keyboard language layout is set to Ukranian. [1]
Memory::Overflow Buffer (C0010)	Variants A, B, C, and E exploit a vulnerability in the Server Service on Windows computers in which an already compromised computer sends a specially-crafted RPC request to force a buffer overflow and execute shellcode on the target computer. [1]
Execution::Conditional Execution::Suicide Exit (B0025.001)	Conficker B variant has significantly more suicide logic embedded in its code and employs anti-debugging features to avoid reverse engineering attempts. [2]

SHA256 Hashes