W32/Conficker.worm exploits the MS08-067 vulnerability in order to spread. It may also download and execute various files on the affected system.
When executed, the worm copies itself using a random 7-digit name to the %sysdir% folder.
It modifies the following registry key to create a service called 'NETSVCS' on the affected system:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netsvcs\Parameters\"ServiceDll" = "Path to worm"
ImagePath: %SystemRoot%\system32\svchost.exe -k netsvcs
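A defender can audit this persistence point by listing every service that runs under `svchost.exe -k netsvcs` and checking the DLL named in its `Parameters\ServiceDll` value. The script below is an added example, not part of the original write-up; it assumes that a ServiceDll which is missing or lacks a valid Authenticode signature is worth manual review, and it should be run from an elevated PowerShell prompt.

```powershell
# Added example: audit ServiceDll values of services hosted by "svchost.exe -k netsvcs".
# Assumption: a missing file or a non-"Valid" signature status is a review heuristic only;
# on older Windows versions catalog-signed system DLLs may also report NotSigned.
$servicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-NetsvcsServiceDll {
    Get-ChildItem -Path $servicesRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $svc = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue

        # Keep only services started with the ImagePath shown in the entry above.
        if ($svc.ImagePath -notmatch 'svchost\.exe\s+-k\s+netsvcs') { return }

        # The DLL that svchost loads is stored under <service>\Parameters\ServiceDll.
        $params = Get-ItemProperty -Path "$($_.PSPath)\Parameters" -ErrorAction SilentlyContinue
        if (-not $params.ServiceDll) { return }

        # ServiceDll is normally REG_EXPAND_SZ; expanding again is harmless if already expanded.
        $dll = [Environment]::ExpandEnvironmentVariables([string]$params.ServiceDll)

        $status = if (Test-Path -LiteralPath $dll) {
            [string](Get-AuthenticodeSignature -FilePath $dll).Status
        } else {
            'FileMissing'
        }

        [pscustomobject]@{
            Service    = $_.PSChildName
            ServiceDll = $dll
            Signature  = $status
        }
    }
}

# Show only the entries that need a closer look.
Get-NetsvcsServiceDll |
    Where-Object { $_.Signature -ne 'Valid' } |
    Format-Table -AutoSize
```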
It attempts connections to the following websites to obtain the public IP address of the affected computer:
More information can be found at this McAfee page.