I downloaded the Conficker sample 'atsjshck.rar' [http://www.woodmann.com/forum/showthread.php?t=12297] and followed this posting step by step [http://earlmarcus.blogspot.com/2009/01/unpacking-confickerdownadup.html]. Unfortunately, I cannot get as far as landing at 0x10002EB0. Starting from this address, the malware will unpack itself in memory. I tried to set breakpoints at VirtualAlloc and VirtualProtect, but I still cannot trace to the offset of these functions. Please share with me if you can do it, or tell me if I am doing something wrong.
Problem solved.
Unpacking procedure:
1. Load the DLL file using OllyDbg
2. Press F2 to set a breakpoint at 1001A00D
3. Press F9 + Press F7
4. Press F2 to set a breakpoint at 10002EB0
5. Press F9 + Press F7
6. Press F2 to set a breakpoint at 003CF8AD
7. Press F9 + Press F7
8. Now you can right-click and save the content of the Conficker worm from memory
Test it using VMware to avoid infecting your system.