Re Conficker Worm



Problems removing conficker relate to dat files being unable to cope with the way conficker morphs (signature-based AV is on the way out for this very reason - the need to retain immense libraries of signatures against every variant of every threat known), the account used to run cleanup/removal tools having escalated privileges (and thus enabling the worm to propagate further through the network), removal needing to be run in safe mode to properly disinfect the machine and general laziness regarding patching of systems - the patch that prevents conficker infection in the first place is four months old!

It disables the following services: Windows Automatic Update, Windows Security Center, Windows Defender, and Windows Error Reporting. However, that is only part one; part two is that it connects to a server to download even more stuff to infect your computer with, and so how is this done, you may ask?

It "exploits a bug in the Windows Server service used by Windows 2000, XP, Vista, Server 2003 and Server 2008" and even though Microsoft did make an update for this little bug it would seem that not many people updated their computers to fix it. On top of that though Conficker uses random file extensions to make its attack and so the security team that is watching this worm says to do a full scan of everything and not a quick scan in order to find this worm if your computer is infected. As for the security updates Microsoft mentions that users need to install Security Update MS08-067 http://www.microsoft.com/technet/security/...n/MS08-067.mspx

Microsoft has recommended that Windows users install the update, then run the January edition or later of the MSRT to scrub the worm from compromised computers if they are infected.

Prevention

Take the following steps to help prevent infection on your system:

Enable a firewall on your computer.

Get the latest computer updates for all your installed software, including Security Bulletin MS08-067.

Use up-to-date antivirus software.

Use caution when opening attachments and accepting file transfers.

Use caution when clicking on links to web pages.

Protect yourself against social engineering attacks.

Enable a firewall on your computer

Use a third-party firewall product or turn on the Microsoft Windows Internet Connection Firewall.

To turn on the Windows Firewall in Windows Vista

Click Start, and click Control Panel.

Click Security.

Click Turn Windows Firewall on or off.

Select On.

Click OK.

To turn on the Internet Connection Firewall in Windows XP

Click Start, and click Control Panel.

Click Network and Internet Connections. If you do not see Network and Internet Connections, click Switch to Category View.

Click Change Windows Firewall Settings.

Select On.

Click OK.

Get the latest computer updates

Updates help protect your computer from viruses, worms, and other threats as they are discovered. It is important to install updates for all the software that is installed in your computer. These are usually available from vendor websites.

You can use the Automatic Updates feature in Windows to automatically download future Microsoft security updates while your computer is on and connected to the Internet.

To turn on Automatic Updates in Windows Vista

Click Start, and click Control Panel.

Click System and Maintenance.

Click Windows Updates.

Select a setting. Microsoft recommends selecting Install updates automatically and choose a time that is convenient for you. If you do not choose Automatic, but you choose to be notified when updates are ready, a notification balloon appears when new downloads are available to install. Click the notification balloon to review and install the updates.

To turn on Automatic Updates in Windows XP

Click Start, and click Control Panel.

Click System.

Click Automatic Updates.

Select a setting. Microsoft recommends selecting Automatic. If you do not choose Automatic, but you choose to be notified when updates are ready, a notification balloon appears when new downloads are available to install. Click the notification balloon to review and install the updates.

Use Strong Administrator Passwords

Microsoft also recommends that users ensure that their network passwords are strong to prevent this worm from spreading via weak administrator passwords. More information is available here.

Use up-to-date antivirus software

Most antivirus software can detect and prevent infection by known malicious software. To help protect you from infection, you should always run antivirus software that is updated with the latest signature files. Antivirus software is available from several sources. For more information, see http://www.microsoft.com/protect/com...ses/vista.mspx.

Use caution when opening attachments and accepting file transfers

Exercise caution with e-mail and attachments received from unknown sources, or received unexpectedly from known sources. Use extreme caution when accepting file transfers from known or unknown sources.

Use caution when clicking on links to web pages

Exercise caution with links to web pages that you receive from unknown sources, especially if the links are to a web page that you are not familiar with or are suspicious of. Malicious software may be installed in your system simply by visiting a web page with harmful content.

Avoid downloading pirated software

Threats may also be bundled with software and files that are available for download on various torrent sites. Downloading "cracked" or "pirated" software from these sites carries not only the risk of being infected with malware, but is also illegal. For more information, please see our article 'The risks of obtaining and using pirated software'.

Protect yourself from social engineering attacks

While attackers may attempt to exploit vulnerabilities in hardware or software in order to compromise a system, they also attempt to exploit vulnerabilities in human behavior in order to do the same. When an attacker attempts to take advantage of human behavior in order to persuade the affected user to perform an action of the attacker's choice, it is known as 'social engineering'. Essentially, social engineering is an attack against the human interface of the targeted system. For more information, please see our article 'What is social engineering?'.

http://www.microsoft.com/security/portal/E...Win32/Conficker

System Changes if you are infected

The following system changes may indicate the presence of this malware:

The following services are disabled or fail to run:

Windows Security Center Service

Windows Update Auto Update Service

Background Intelligent Transfer Service

Windows Defender

Error Reporting Service

Windows Error Reporting Service

Some accounts may be locked out due to the following registry modification, which may flood the network with connections:

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

"TcpNumConnections" = "0x00FFFFFE"

Users may not be able to connect to websites or online services that contain the following strings:

virus, spyware, malware, rootkit, defender, microsoft, symantec, norton, mcafee, trendmicro, sophos, panda, etrust, networkassociates, computerassociates, f-secure, kaspersky, jotti, f-prot, nod32, eset, grisoft, drweb, centralcommand, ahnlab, esafe, avast, avira, quickheal, comodo, clamav, ewido, fortinet, gdata, hacksoft, hauri, ikarus, k7computing, norman, pctools, prevx, rising, securecomputing, sunbelt, emsisoft, arcabit, cpsecure, spamhaus, castlecops, threatexpert, wilderssecurity, windowsupdate

http://circlesoffriends.us//index.php?show...amp;#entry12337
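The post above lists three host-level indicators of infection: the security-related services that stop running, the TcpNumConnections registry change, and the failure to reach sites whose names contain security-vendor strings. The script below is an added triage example for defenders (it is not code from this thread or from Microsoft's advisory) that turns those indicators into checks. It assumes the text output formats of the XP/Vista-era `sc query` and `reg query` commands, an assumed mapping from the display names in the post to the short service names `sc` uses, and two hypothetical probe hostnames; the sample outputs at the bottom are constructed so the checks run offline, while `collect_live()` gathers the real inputs on a Windows host.

```python
"""Triage checks for the host-level Conficker indicators quoted in the post.

Added example, not the thread's or Microsoft's code. The `sc query` /
`reg query` output formats and the short service names are assumptions;
the sample data at the bottom is constructed.
"""
import re
import socket
import subprocess

# Services the post says the worm disables, keyed by the short names `sc`
# uses (assumed mapping; the display names are the ones quoted in the post).
SERVICES = {
    "wscsvc": "Windows Security Center Service",
    "wuauserv": "Windows Update Auto Update Service",
    "BITS": "Background Intelligent Transfer Service",
    "WinDefend": "Windows Defender",
    "ERSvc": "Error Reporting Service",
    "WerSvc": "Windows Error Reporting Service",
}
REG_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
REG_VALUE = "TcpNumConnections"
WORM_TCP_VALUE = 0x00FFFFFE  # value the post attributes to the worm
# A few of the vendor strings the post says become unreachable.
BLOCKED_STRINGS = ("virus", "malware", "microsoft", "symantec", "kaspersky", "windowsupdate")


def parse_sc_state(text):
    """Return the STATE word from `sc query` output ('RUNNING', 'STOPPED', ...),
    'NOT_INSTALLED' when sc reports the service does not exist, else None."""
    if "does not exist as an installed service" in text or "FAILED 1060" in text:
        return "NOT_INSTALLED"
    m = re.search(r"STATE\s*:\s*\d+\s+([A-Z_]+)", text)
    return m.group(1) if m else None


def parse_reg_dword(text, value_name):
    """Return the REG_DWORD for value_name from `reg query` output, or None if absent."""
    m = re.search(re.escape(value_name) + r"\s+REG_DWORD\s+(0x[0-9A-Fa-f]+)", text)
    return int(m.group(1), 16) if m else None


def check_services(sc_outputs):
    """sc_outputs maps short name -> `sc query` text; flags installed services that are not running."""
    findings = []
    for name, display in SERVICES.items():
        state = parse_sc_state(sc_outputs.get(name, ""))
        if state not in ("RUNNING", "NOT_INSTALLED"):
            findings.append(f"{display} ({name}) is not running: {state or 'unknown'}")
    return findings


def check_registry(reg_output):
    """Flags the TcpNumConnections value the post associates with the worm."""
    value = parse_reg_dword(reg_output, REG_VALUE)
    if value == WORM_TCP_VALUE:
        return [f"{REG_KEY}\\{REG_VALUE} = {value:#010x}, the value the post attributes to the worm"]
    return []


def check_dns(resolve, probes=("www.microsoft.com", "www.symantec.com"), control="www.example.com"):
    """resolve(host) returns an IP string or None. Vendor-name filtering is only
    reported when a neutral control name still resolves, to rule out a dead network."""
    if resolve(control) is None:
        return ["control lookup failed: DNS check inconclusive"]
    return [f"lookup of {h} failed while {control} resolved" for h in probes if resolve(h) is None]


def triage(sc_outputs, reg_output, resolve):
    """Run all three checks and return the combined list of indicator strings."""
    return check_services(sc_outputs) + check_registry(reg_output) + check_dns(resolve)


def collect_live():
    """Gather the real inputs on a Windows host (not exercised offline)."""
    sc = {n: subprocess.run(["sc", "query", n], capture_output=True, text=True).stdout for n in SERVICES}
    reg = subprocess.run(["reg", "query", REG_KEY, "/v", REG_VALUE], capture_output=True, text=True).stdout

    def resolve(host):
        try:
            return socket.gethostbyname(host)
        except socket.gaierror:
            return None
    return sc, reg, resolve


# Constructed sample data: a host on which three listed services are stopped,
# one service is not installed, the TCP value is set, and vendor names fail DNS.
def _sc(name, code, state):
    return (f"SERVICE_NAME: {name}\n        TYPE               : 20  WIN32_SHARE_PROCESS\n"
            f"        STATE              : {code}  {state}\n")

SAMPLE_SC = {
    "wscsvc": _sc("wscsvc", 1, "STOPPED"),
    "wuauserv": _sc("wuauserv", 1, "STOPPED"),
    "BITS": _sc("BITS", 4, "RUNNING"),
    "WinDefend": _sc("WinDefend", 4, "RUNNING"),
    "ERSvc": _sc("ERSvc", 1, "STOPPED"),
    "WerSvc": "[SC] EnumQueryServicesStatus:OpenService FAILED 1060:\n\n"
              "The specified service does not exist as an installed service.\n",
}
SAMPLE_REG = ("\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\n"
              "    TcpNumConnections    REG_DWORD    0xfffffe\n")


def sample_resolve(host):
    """Constructed resolver: names containing a blocked vendor string do not resolve."""
    return None if any(s in host for s in BLOCKED_STRINGS) else "192.0.2.10"


if __name__ == "__main__":
    for line in triage(SAMPLE_SC, SAMPLE_REG, sample_resolve):
        print("INDICATOR:", line)
```

On the constructed sample the script reports six indicators. A service that `sc` reports as not installed is deliberately not counted, since on XP only ERSvc exists and on Vista only WerSvc, and a stopped-but-present service is what the post describes; a failed DNS control lookup makes the name-filtering check inconclusive rather than positive.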


Search for 'Conficker' Could Lure Virus

Symantec is warning Web users that searching for information on computer viruses such as Conficker could put them at risk of unintentionally downloading the virus on to their PC.

Conficker targets a flaw in Windows Server and despite Microsoft releasing an emergency patch and urging all Web users to download it, many machines remain unprotected.

According to the security vendor, searching for 'conficker' in a number of the Web's most popular search engines brings up a number of hoax Websites that actually host the virus and infect any users that navigate to the site.

Symantec warns Web users the best course of action is to use software that will block Web pages such as these from being visited.

"Be careful with the links you follow. A sincere effort of keeping abreast with the latest security information might contain some unwelcome surprises," the security firm added.

A third version of the virus was also discovered this month and security researchers believe it may cause problems on April Fools Day.

"It's set to go off April 1, 2009 and Conficker will generate 50,000 URLs daily," said Computer Associates director of threat research, Don DeBolt.

PC World - http://www.pcworld.com/article/162149/sear...lure_virus.html
