Conficker

A worm targeting Microsoft Windows operations systems.

Enhanced ATT&CK Techniques

Name	Use
Persistence::Registry Run Keys / Startup Folder (F0012)	To start itself at system boot, the virus saces a copy of its DLL form to a random filename in the Windows system folder, then adds registry keys to have svchost.exe invoke that DLL as an invisible network service [1]
Persistence::Modify Existing Service (F0011)	Copies itself into the $systemroot%\system32 directory and registers as a service [1]
Defense Evasion::Indicator Blocking (F0006)	Terminates various services related to system security and Windows and prevents network access to various websites related to antivirus software [1]
Impact::Data Destruction (E1485)	resets system restore points and deletes backup files [1]
Anti-Static Analysis::Software Packing::UPX (F0001.008)	Conficker is propagated as a DLL which has been backed using the UPX packer [2]

Name	Use
Command and Control::Domain Name Generation (B0031)	Uses a domain name generator seeded by the current date to ensure that every copy of the virus generates the same names on their respective days [1]
Execution::Conditional Execution (B0025)	Conficker A has routine that causes the process to suicide exit if the keyboard language layout is set to Ukranian [1]
Micro-Behavior::Memory::Overflow Buffer (C0010)	Variants A, B, C, and E exploit a vulnerability in the Server Service on Windows computers in which an already compromised computer sends a specially-crafted RPC request to force a buffer overflow and execute shellcode on the target computer [1]
Execution::Conditional Execution::Suicide Exit (B0025.001)	Conficker B has significantly more suicide logic embedded in its code and employs anti-debugging features to avoid reverse engineering attempts [2]

SHA256 Hashes