
Thread: Conficker worm remedy

  1. #1
    Mie1, Senior Member (Windhoek)

    Conficker worm remedy

    While not trying to out-geek the geek, I found this post interesting and it may be of value ......

    In the run up to April 1st, McAfee is offering a special build of its stand-alone cleaning tool christened Stinger which will be updated on a daily basis to include any undetected Conficker variants from the wild.

    Please ensure that your copy of Microsoft Windows is patched and security software is fully up to date to ensure that April 1st 2009, is a day like any other day!

    W32/Conficker.worm attacks port 445, Microsoft Directory Service, exploiting MS08-067. MS08-067 is an exploit similar to MS06-040, which we first saw a couple of years ago.

    W32/Conficker.worm attack symptoms:
    - Blocks access to security-related sites
    - User lockouts
    - Traffic on port 445 on non-Directory Service (DS) servers
    - No access to admin shares
    - Autorun.inf files in recycled directory

    Link to programme: |MG| McAfee AVERT Stinger Conficker 10.0.1.551
    Last edited by Mie1; 10th April 2009 at 05:05 PM.
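    The symptom list above gives a network defender one concrete signal to look for: SMB (TCP 445) connections from hosts that are not Directory Service servers. As an added example that is not part of the original post, this Python script scans constructed firewall log lines and flags hosts fanning out on port 445 to machines that are not in a known DS server set. The log format, the IP addresses and the DS_SERVERS set are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample firewall log lines (not taken from the original post).
SAMPLE_LOG = """\
2009-04-10 09:01:02 ALLOW TCP 10.0.5.17 10.0.0.2 445
2009-04-10 09:01:03 ALLOW TCP 10.0.5.17 10.0.5.18 445
2009-04-10 09:01:03 ALLOW TCP 10.0.5.17 10.0.5.19 445
2009-04-10 09:01:04 ALLOW TCP 10.0.5.17 10.0.5.20 445
2009-04-10 09:01:05 ALLOW TCP 10.0.5.17 10.0.5.21 445
2009-04-10 09:02:10 ALLOW TCP 10.0.5.30 10.0.0.2 445
2009-04-10 09:02:11 ALLOW TCP 10.0.5.30 10.0.0.3 445
2009-04-10 09:03:00 ALLOW TCP 10.0.5.41 10.0.0.2 80
"""

# Hosts that legitimately serve SMB on 445 (domain controllers, file servers); assumed values.
DS_SERVERS = {"10.0.0.2", "10.0.0.3"}

# Assumed log layout: "<date> <time> <action> <proto> <src> <dst> <dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+) (?P<dst>\d+\.\d+\.\d+\.\d+) (?P<dport>\d+)$"
)

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec

def smb_fanout(log_text, ds_servers):
    """Map each source host to the set of non-DS destinations it reached on TCP 445."""
    fanout = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP" or rec["dport"] != 445:
            continue
        if rec["dst"] in ds_servers:
            continue  # SMB to a DS server is expected traffic, not a symptom
        fanout[rec["src"]].add(rec["dst"])
    return fanout

def suspicious_scanners(log_text, ds_servers, threshold=3):
    """Return hosts whose 445 fan-out to non-DS machines reaches the threshold."""
    fanout = smb_fanout(log_text, ds_servers)
    return sorted(src for src, dsts in fanout.items() if len(dsts) >= threshold)
```

    With the sample data, 10.0.5.17 is reported (four distinct non-DS peers on 445) while 10.0.5.30, which only talks to the DS servers, is not.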

  2. #2
    Geek, Member

    The worm is striking!

    Looks like it is finally awakening from its slumber. The Washington Post reports:

    Conficker Worm Awakens, Downloads Rogue Anti-virus Software

    Security experts nervously watching computers infested with the prolific Conficker computer worm say they have begun seeing infected hosts downloading additional software, including a new rogue anti-virus product.

    Since its debut late last year, the collection of hundreds of thousands - if not millions - of systems sick with Conficker has somewhat baffled security researchers, who are accustomed to seeing such massive networks being used for money-making criminal activities, such as relaying junk e-mail.

    Today, however, that mystery evaporated, as anti-virus companies reported seeing Conficker systems being updated with SpywareProtect2009, a so-called "scareware" product that uses fake security alerts to frighten consumers into paying for bogus computer security software.

    According to Kaspersky Labs, once the scareware is downloaded, the victim will see the usual warnings, "which naturally asks if you want to remove the threats it's 'detected'. Of course, this service comes at a price - $49.95." Kaspersky reports that the rogue anti-virus product is being downloaded from a Web server in Ukraine.

    This development adds an interesting wrinkle. The first version of Conficker contained within its genetic makeup instructions telling infected systems to visit a site called TrafficConverter.biz. As I noted last month, this was a site where distributors of rogue anti-virus products would go for the latest programs and links to the latest download locations. Many affiliates were making six-figure paychecks each month distributing this worthless software by various means, all of them extremely sneaky if not downright illegal.

    In its bi-annual security report released this week, Microsoft cited rogue anti-virus as one of the most prolific and fastest-growing threats facing Windows users today.

    The rogue anti-virus software, however, was not the only piece of rubbish to be sent to Conficker infected systems this week. Researchers at Trend Micro reported the first stirrings of Conficker.C on Wednesday, when they noticed a new file show up in the temporary directory of a number of test machines they'd infected with the worm. They later determined the file had been placed there via Conficker's built-in peer-to-peer (P2P) communications capability, which allows large groupings of infected systems to hand off software updates and instructions being pushed out by the worm authors.

    Trend found that the update was a version of the Waledac family of spam Trojans. Due to similarities in the code and other telltale signs, researchers consider Waledac to be the reincarnation of the "Storm worm," a spam virus that also used a sophisticated P2P mechanism to spread and share updates.

    The Conficker update also sets up a Web server on the infected system, re-enables the ability to spread itself through the Microsoft Windows vulnerability that caused the outbreak in the first place (this spreading capability was absent in the Conficker version prior to this update). It also instructs the Waledac component to remove itself if the date is on or after May 3, 2009.

    Perhaps that is due to some ill-understood logic within Conficker, but not all of the systems infected with Conficker.C are receiving the latest updates, said Paul Ferguson, an advanced threat researcher at Trend.

    "We've seen it happen very slow and staggered," he said. "We have several nodes that have it and several that don't."

    Ferguson said there are still several components tucked away in this Conficker update that researchers are struggling to unlock. But he said it's evident the worm's authors are ready to start putting it to work.

    "There are still some unknowns here, but things are becoming a lot more clear, and it certainly seems they're making a move here to finally monetize all this effort," Ferguson said.
    Last edited by Geek; 13th April 2009 at 07:34 AM.

  3. #3
    Geek, Member

    Conficker Working Group

    Just wanted to remind you about Conficker detection and removal advice beyond that given already by Mie1. You can tell whether your system is infected with this worm by visiting the web site of the Conficker Working Group and viewing the results of the eye chart.

    If you have Conficker on your system, you will not be able to use that computer to visit most security sites. There are a few exceptions. For instance, Conficker blocks infected systems from visiting F-Secure.com, but not fsecure.com, which is the same domain. They have a removal tool, available here that you should be able to grab.

  4. #4
    Mie1, Senior Member (Windhoek)

    Re: Conficker Working Group

    I agree with the Geek!

    While I may have taken only one offering of a "fix" available, obviously most, if not all, reputable companies in the computer security industry will have their own version of a removal tool. It is up to the user to use the tool he or she prefers .... usually that of the maker of the anti-virus programme the user employs to secure his or her computer(s).

    Thanks, Geek!

  5. #5
    Omer, Member (Namibia, all over the country)

    Re: Conficker worm remedy

    You could also type mrt in the Start > Run dialogue box.

    Microsoft recovery tool, which scans for the viruses.

  6. #6
    Geek, Member

    Re: Conficker worm remedy

    The threat is far from over - it appears the worm is increasing in activity....

    Computer worm ‘Conficker’ is doing its dirty work

    Pentagon and other agencies are preparing to defend against cyber attacks. Meanwhile, here are ways to protect your computer.

    By Michael B. Farrell | Staff writer/ April 25, 2009 edition

    San Francisco

    Internet security experts say that the computer worm known as Conficker, which has the ability to silently penetrate vulnerabilities within the Microsoft operating system, is beginning to rear its ugly head.

    They say that the software is installing new and malicious programs on some of the computers it has already invaded with the aim of using those PCs to send out criminal spam and scrounge around on unsecured computers for valuable personal data, Reuters reported Friday.

    Conficker, also called Downadup and Kido, works like this: Once the worm wiggles into a PC, it then has the ability to install software and enable the computer to receive additional viruses from the program’s creators. It can also link an individual PC to other infected machines and create an army of computers under its control, called a botnet, which can be strung together for launching cyberattacks.

    Millions of PCs already invaded

    Experts say that the Conficker worm has already dug into millions of PCs but only been activated in a small percent of them. It was feared that the makers of the software program would trigger a massive attack on April 1. While that didn’t happen, the US Computer Emergency Readiness Team (US-CERT) said earlier this month that it has detected a new variant of the worm that “updates earlier infections via its peer-to-peer network against unpatched systems.”

    Microsoft released a security patch last year to improve its systems’ security in an effort to combat Conficker. The patch is still available at Microsoft.com, but an estimated 30 percent of Microsoft users have not updated their systems.

    While many say that the Conficker Worm is one of the most sophisticated they have come across — and the most widespread since a worm called Slammer that spread in 2003 — there are some simple protections that PC users can take. In addition to the free updates available from Microsoft, computer users can purchase an array of antivirus programs from software makers such as Symantec or McAfee.

    How to test your computer

    An easy test for computer users to perform to see if Conficker might be on their PCs is to simply attempt to log into some of these software security companies’ websites. The worm has the ability to block access to many security company sites.

    Cyber security is becoming an increasing concern in the US and around the world amid the growth in Internet activity as well as in the level of sophistication being seen in malicious programs such as Conficker.

    According to The Wall Street Journal, a new Pentagon Cyber Command will oversee the defense of US computer networks and cyber-attack operations. The paper reported Friday that Defense Secretary Robert Gates will name Keith Alexander, director of the National Security Agency, to head the Cyber Command operation.

    Secretary Gates said in a memo reviewed by the Journal that, “our increasing dependency on cyberspace, alongside a growing array of cyber threats and vulnerabilities, adds a new element of risk to our national security.”

    White House recommendations

    The Obama administration is expected to release its own set of recommendations for cybersecurity policy as early as next week.

    While many cyber-watchers hoped that Melissa Hathaway, President Obama’s top cyber czar, would shed some light into what those specific policy recommendations might be, she offered little in terms of specifics in a speech earlier this week at a San Francisco computer security conference.

    Instead she focused on what went into the administration’s recently-completed 60-day review of US cyberspace policy, which many critics say has been ineffectual because it has not been streamlined under one agency.

    “It can be said that the federal government is not organized appropriately to address this growing problem because responsibilities for cyberspace are distributed across a wide array of federal departments and agencies,” she said. “We need an agreed way forward based on common understanding and acceptance of the problem.”

  7. #7
    Geek, Member

    Re: Conficker worm remedy

    Sophos has a very good removal tool that I used on an infected machine a few days ago. I left an unpatched Windows XP machine on the Internet for a few days to see what would happen, and one of the first infections was Conficker. The Sophos tool intercepted it and removed it very efficiently. There is also a version that I used to scan my network at work, and it did the job. Takes a bit of setting up with Group Policies and AD but not rocket science...... Download the tool(s) here:

    Conficker Removal Tool - Free Conficker detection and removal
