Registry Values for Conficker

by Lee on August 18, 2009

in Malware

In recent weeks the Conficker virus has spread to roughly 30% of Windows-based networks throughout the world.

Each variant of the worm leaves different Conficker registry values behind.

What started out affecting only 5 TLDs (top-level domains) has spread to the use of 110 TLDs.

The number of TLDs in use correlates directly with how many “hits” the worm can make in a single day.

Conficker registry values

Variant Effects on Top-Level Domains

Beginning on 21st November, 2008, Conficker started attacking using a pull technique from trafficconverter.biz as well as downloads from 250 pseudorandom domains spread over only 5 TLDs.

Currently there are 4 variants of Conficker, and variant D uses anywhere from 500 to 50,000 pseudorandom domains over 110 TLDs.
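The reason the TLD count matters to a defender is that a rendezvous scheme built on hundreds or thousands of pseudorandom domains leaves a distinctive footprint in DNS logs: one client resolving many never-seen names across many unrelated TLDs. The script below is an added example, not code from the original post, that scores clients on that spread. The log format (`<epoch> <client_ip> <queried_name>`), the sample lines and the thresholds are all constructed for illustration, and the domain split is a naive last-two-labels rule rather than a public-suffix list.

```python
# Added example (not from the original post): a defender-side heuristic that
# profiles each client by the number of distinct registrable domains and distinct
# TLDs it queries, the pattern a pseudorandom-domain rendezvous produces.
# Log format, sample data and thresholds are assumptions chosen for illustration.
from collections import defaultdict

# Constructed sample DNS query log: "<epoch> <client_ip> <queried_name>".
# 10.0.0.5 behaves normally; 10.0.0.9 fans out across many TLDs.
SAMPLE_LOG = """\
1236124800 10.0.0.5 www.example.com
1236124801 10.0.0.5 mail.example.com
1236124802 10.0.0.5 www.example.org
1236124803 10.0.0.9 qzkvtrp.info
1236124804 10.0.0.9 bdyrlpx.biz
1236124805 10.0.0.9 tkqaqmf.org
1236124806 10.0.0.9 wvzorni.cn
1236124807 10.0.0.9 pfsqrmb.ws
1236124808 10.0.0.9 hkdmcva.net
1236124809 10.0.0.9 rgxzlum.cc
1236124810 10.0.0.9 cmonwqe.ru
"""


def registrable_domain(name):
    """Return (second-level-label.tld, tld) using a naive last-two-labels split.

    A real deployment would consult the public suffix list so that names such
    as host.example.co.uk are grouped correctly.
    """
    labels = name.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return name.lower(), ""
    return ".".join(labels[-2:]), labels[-1]


def parse_log(text):
    """Yield (timestamp, client, qname) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, client, qname = parts
        yield int(ts), client, qname


def profile_clients(text):
    """Map each client to (set of distinct registrable domains, set of distinct TLDs)."""
    domains = defaultdict(set)
    tlds = defaultdict(set)
    for _ts, client, qname in parse_log(text):
        dom, tld = registrable_domain(qname)
        domains[client].add(dom)
        tlds[client].add(tld)
    return {client: (domains[client], tlds[client]) for client in domains}


def flag_dga_like(text, min_domains=6, min_tlds=4):
    """Return the sorted list of clients whose query spread exceeds both thresholds.

    Requiring both a high domain count and a high TLD count keeps a busy but
    legitimate client (many hosts under a few TLDs) from tripping the rule.
    """
    flagged = []
    for client, (doms, tlds) in profile_clients(text).items():
        if len(doms) >= min_domains and len(tlds) >= min_tlds:
            flagged.append(client)
    return sorted(flagged)


if __name__ == "__main__":
    for client, (doms, tlds) in sorted(profile_clients(SAMPLE_LOG).items()):
        print(f"{client}: {len(doms)} domains over {len(tlds)} TLDs")
    print("flagged:", flag_dga_like(SAMPLE_LOG))
```

On the constructed log the normal client resolves 2 domains over 2 TLDs and is left alone, while the fan-out client hits 8 domains over 8 TLDs and is flagged. In practice the thresholds would be tuned per network and the rule paired with a newly-registered-domain or allow-list check, since content delivery networks and ad networks also produce wide query spreads.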

Variant A

First detected on 21st November, 2008, Conficker variant A started spreading the virus via downloads from 250 pseudorandomly generated domains utilizing only 5 TLDs.

Variant A exploited a vulnerability on Windows server computers and wrote itself into the PC registry in an attempt to turn off malware protection software.

Variant B

On 29th December, 2008, variant B started using 8 TLDs for its 250 pseudorandom domains and added push as well as pull techniques to the downloads, blocking DNS look-ups and turning off the Automatic Updates feature on Windows platforms.

Variant B also planted Trojan horse programs on removable media and established a backdoor into previously infected computers.

Variant C

On 20th February, 2009, variant C added a named-pipe feature to receive URLs from hosts and then download from those hosts.

Variant D

On 4th March, 2009, variant D was introduced and bumped the number of TLDs up to 110 and the number of pseudorandom domains generated up to anywhere from 500 to 50,000.

Variant D also started killing malware protection software and transferring over TCP.

Summary

ICANN has sought to block the transfer and registration of all TLDs affected by the pseudorandom domain generator.
