Tarun G

Head IT Security - Sr. Manager at Tulip Telecom Limited

Virus Alert: Conficker Worm - Detection and Protection, Share Information

Hi,

Businesses worldwide are under attack from a highly infectious computer worm that has infected almost 9 million PCs, according to antivirus company F-Secure.

That number has more than tripled over the last four days alone, says F-Secure, leaping from 2.4 million to 8.9 million infected PCs. Once a machine is infected, the worm can download and install additional malware from attacker-controlled Web sites, according to the company.
Since that could mean anything from a password stealer to remote control software, a Conficker-infected PC is essentially under the complete control of the attackers.

More Details - http://ntoolz.net/securityzone/2009/01/latest-news/virus-alert-conficker-worm-detection-and-protection/

Please share your experience on detection and protection for this virus.

Regards,
Tarun Gupta
(http://www.linkedin.com/in/tgupta1980)

posted 11 months ago in Information Security | Closed

Answers (2)

 

Ivor R

Cyber-Crime and Digital Forensics Specialist at a LEA Cyber Crime Unit/Task Force

In summary: Conficker, or W32.Downadup (as it is also known), is a relatively new, aggressive and sophisticated network worm that spreads by exploiting vulnerabilities in the MS operating system platforms (Win2k, XP and Win 2003). Containment and eradication of this threat require several immediate steps beyond simply updating virus definitions.

The worm uses the following main infection vectors:

1. Via local network access over ports 139 and 445
2. Via external network access on the above ports
3. Via websites that contain the malicious code
4. Via infected USB media


The worm uses IDS evasion techniques and has some very interesting IP address locator techniques: to determine the infected client's external (public) IP address it connects to the following legitimate web sites:

http://checkup.dyndns.org
http://getmyip.co.uk
www.getmyip.org

It also can issue UPnP commands to SOHO devices that support UPnP.

The worm has a unique algorithm that generates a different external URL every day, which the infected client connects to in order to download additional malware elements.

New variants of this worm also include a password brute-forcing capability for share passwords.


Key steps to help contain and eradicate this worm include:
1. Block access to TCP ports 139 and 445 at your network perimeters and between internal network segments to prevent spread of the threat whilst containment is underway. Note that this will block certain MS services that rely on ports 139 and 445.
2. Deploy the MS security update from MS08-067 (Bugtraq ID: BID 31874) to all vulnerable systems as soon as possible. http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
3. Ensure that your antivirus definitions are up to date and run a full system scan.

Once you are confident that the bulk of the infection has been contained, you should then re-enable ports 139 and 445 on internal network segments.

Detecting it:

1. Look for connections to strange-looking URLs such as enzgjqhhvj.org, as an example.
2. Look for strange-looking files with seemingly random file names in Windows\System32, such as sdetxchdn.dll or dfgetrh.aen, as examples.
NB: manual deletion of such files will not disinfect the affected computers.

Hope this helps somewhat in explaining how to contain this and, in brief, the key features of this worm.

Best of Luck.

Regards,

posted 11 months ago
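As an added illustration of the two detection checks in the answer above (this is example code, not part of Ivor's answer or any vendor tool), the following Python script applies a simple "random-looking name" heuristic to hostnames pulled from proxy log lines and to new files in a System32 listing. The log lines, the known-good baseline and the directory listing are constructed samples, and the thresholds (minimum length 7, vowel ratio below 0.2 or a consonant run of 5 or more) are assumptions chosen for triage, not a signature for the worm.

```python
import re

# Constructed sample proxy log (not real traffic): four ordinary lookups and
# one DGA-style domain of the kind the answer describes.
SAMPLE_PROXY_LOG = """\
2009-01-20 10:01:12 10.0.0.14 GET http://checkup.dyndns.org/ 200
2009-01-20 10:01:15 10.0.0.14 GET http://www.getmyip.org/ 200
2009-01-20 10:02:40 10.0.0.14 GET http://enzgjqhhvj.org/search?q=1 404
2009-01-20 10:03:01 10.0.0.27 GET http://www.microsoft.com/technet/ 200
2009-01-20 10:04:09 10.0.0.14 GET http://getmyip.co.uk/ 200
"""

# Constructed known-good baseline and current listing of a System32 directory
# (a real baseline would come from a clean build of the same Windows version).
SAMPLE_BASELINE = {"ntdll.dll", "kernel32.dll", "msvcrt.dll", "crypt32.dll"}
SAMPLE_LISTING = ["ntdll.dll", "kernel32.dll", "sdetxchdn.dll",
                  "msvcrt.dll", "dfgetrh.aen", "crypt32.dll"]

VOWELS = set("aeiouy")
URL_RE = re.compile(r"https?://([^/\s:]+)")


def label_features(label):
    """Return (vowel ratio, longest consonant run) for the letters of a label."""
    letters = [c for c in label.lower() if c.isalpha()]
    if not letters:
        return 1.0, 0
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    longest = run = 0
    for c in letters:
        run = run + 1 if c not in VOWELS else 0
        longest = max(longest, run)
    return vowel_ratio, longest


def looks_random(label, min_len=7):
    """Assumed heuristic: a long label with few vowels or a long consonant run.
    Short labels are skipped because many legitimate names (ntdll, msvcrt) are
    consonant-heavy and would otherwise be flagged."""
    if len(label) < min_len:
        return False
    vowel_ratio, longest = label_features(label)
    return vowel_ratio < 0.2 or longest >= 5


def suspicious_hosts(log_text):
    """Parse proxy log lines, drop the TLD, and flag hosts whose remaining
    labels look random. Returns [(host, client_ip), ...]."""
    hits = []
    for line in log_text.splitlines():
        m = URL_RE.search(line)
        if not m:
            continue
        host = m.group(1).lower()
        labels = host.split(".")[:-1]  # every label except the TLD
        if any(looks_random(lbl) for lbl in labels):
            hits.append((host, line.split()[2]))
    return hits


def suspicious_files(listing, baseline):
    """Files absent from the known-good baseline whose stem looks random.
    This is triage only: a hit is a reason to scan, not a disinfection."""
    found = []
    for name in listing:
        if name.lower() in baseline:
            continue
        stem = name.rsplit(".", 1)[0]
        if looks_random(stem):
            found.append(name)
    return found


if __name__ == "__main__":
    for host, client in suspicious_hosts(SAMPLE_PROXY_LOG):
        print(f"DGA-looking host {host} contacted by {client}")
    for name in suspicious_files(SAMPLE_LISTING, SAMPLE_BASELINE):
        print(f"new random-looking file in System32: {name}")
```

On the sample data the script reports enzgjqhhvj.org from client 10.0.0.14 and the two new files sdetxchdn.dll and dfgetrh.aen, while checkup.dyndns.org, getmyip and microsoft.com pass. Because the heuristic is purely lexical, treat its output as a list of hosts and files to investigate with an updated antivirus scan rather than as proof of infection.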

 

Gaurav A

Engineer System Administration at Computer Sciences Corporation

Tarun has just posted instructions on removal of Win32/Conficker.AA, also known as W32/Worm.AHGV, Win32.Worm.Downadup, Net-Worm.Win32.Kido.bg, Worm:Win32/Conficker, W32/Conficker.worm.gen, and Mal/Conficker.

There is a link to a software download (freeware) and also the manual instructions to clean the infected system.
Follow the link for the software download and instructions:

Link - http://ntoolz.net/securityzone/2009/01/software-and-online-security-tools/confickerdownadupnet-wormkido-removal-tool-download-and-instructions/

The instructions are quite helpful and make it easy to clean the system.

posted 11 months ago