Peaches Posted March 30, 2009

Problems removing conficker relate to dat files being unable to cope with the way conficker morphs (signature-based AV is on the way out for this very reason - the need to retain immense libraries of signatures against every variant of every threat known), the account used to run cleanup/removal tools having escalated privileges (and thus enabling the worm to propagate further through the network), removal needing to be run in safe mode to properly disinfect the machine and general laziness regarding patching of systems - the patch that prevents conficker infection in the first place is four months old!

It disables the following services: Windows Automatic Update, Windows Security Center, Windows Defender, and Windows Error Reporting. However, that is part one, part two is that it connects to a server to download even more stuff to infect your computer with and so how is this done you may ask?

It "exploits a bug in the Windows Server service used by Windows 2000, XP, Vista, Server 2003 and Server 2008" and even though Microsoft did make an update for this little bug it would seem that not many people updated their computers to fix it. On top of that though Conficker uses random file extensions to make its attack and so the security team that is watching this worm says to do a full scan of everything and not a quick scan in order to find this worm if your computer is infected.

As for the security updates Microsoft mentions that users need to install Security Update MS08-067 http://www.microsoft.com/technet/security/...n/MS08-067.mspx

Microsoft has recommended that Windows users install the update, then run the January edition or later of the MSRT to scrub the worm from compromised computers if they are infected.

Prevention

Take the following steps to help prevent infection on your system:

- Enable a firewall on your computer.
- Get the latest computer updates for all your installed software, including Security Bulletin MS08-067.
- Use up-to-date antivirus software.
- Use caution when opening attachments and accepting file transfers.
- Use caution when clicking on links to web pages.
- Protect yourself against social engineering attacks.

Enable a firewall on your computer

Use a third-party firewall product or turn on the Microsoft Windows Internet Connection Firewall.

To turn on the Windows Firewall in Windows Vista: Click Start, and click Control Panel. Click Security. Click Turn Windows Firewall on or off. Select On. Click OK.

To turn on the Internet Connection Firewall in Windows XP: Click Start, and click Control Panel. Click Network and Internet Connections. If you do not see Network and Internet Connections, click Switch to Category View. Click Change Windows Firewall Settings. Select On. Click OK.

Get the latest computer updates

Updates help protect your computer from viruses, worms, and other threats as they are discovered. It is important to install updates for all the software that is installed in your computer. These are usually available from vendor websites.

You can use the Automatic Updates feature in Windows to automatically download future Microsoft security updates while your computer is on and connected to the Internet.

To turn on Automatic Updates in Windows Vista: Click Start, and click Control Panel. Click System and Maintenance. Click Windows Updates. Select a setting. Microsoft recommends selecting Install updates automatically and choose a time that is convenient for you. If you do not choose Automatic, but you choose to be notified when updates are ready, a notification balloon appears when new downloads are available to install. Click the notification balloon to review and install the updates.

To turn on Automatic Updates in Windows XP: Click Start, and click Control Panel. Click System. Click Automatic Updates. Select a setting. Microsoft recommends selecting Automatic. If you do not choose Automatic, but you choose to be notified when updates are ready, a notification balloon appears when new downloads are available to install. Click the notification balloon to review and install the updates.

Use Strong Administrator Passwords

Microsoft also recommends that users ensure that their network passwords are strong to prevent this worm from spreading via weak administrator passwords. More information is available here.

Use up-to-date antivirus software

Most antivirus software can detect and prevent infection by known malicious software. To help protect you from infection, you should always run antivirus software that is updated with the latest signature files. Antivirus software is available from several sources. For more information, see http://www.microsoft.com/protect/com...ses/vista.mspx.

Use caution when opening attachments and accepting file transfers

Exercise caution with e-mail and attachments received from unknown sources, or received unexpectedly from known sources. Use extreme caution when accepting file transfers from known or unknown sources.

Use caution when clicking on links to web pages

Exercise caution with links to web pages that you receive from unknown sources, especially if the links are to a web page that you are not familiar with or are suspicious of. Malicious software may be installed in your system simply by visiting a web page with harmful content.

Avoid downloading pirated software

Threats may also be bundled with software and files that are available for download on various torrent sites. Downloading "cracked" or "pirated" software from these sites carries not only the risk of being infected with malware, but is also illegal. For more information, please see our article 'The risks of obtaining and using pirated software'.

Protect yourself from social engineering attacks

While attackers may attempt to exploit vulnerabilities in hardware or software in order to compromise a system, they also attempt to exploit vulnerabilities in human behavior in order to do the same. When an attacker attempts to take advantage of human behavior in order to persuade the affected user to perform an action of the attacker's choice, it is known as 'social engineering'. Essentially, social engineering is an attack against the human interface of the targeted system. For more information, please see our article 'What is social engineering?'.

http://www.microsoft.com/security/portal/E...Win32/Conficker

System Changes if you are infected

The following system changes may indicate the presence of this malware:

The following services are disabled or fail to run:

- Windows Security Center Service
- Windows Update Auto Update Service
- Background Intelligent Transfer Service
- Windows Defender
- Error Reporting Service
- Windows Error Reporting Service

Some accounts may be locked out due to the following registry modification, which may flood the network with connections:

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
"TcpNumConnections" = "0x00FFFFFE"

Users may not be able to connect to websites or online services that contain the following strings:

virus, spyware, malware, rootkit, defender, microsoft, symantec, norton, mcafee, trendmicro, sophos, panda, etrust, networkassociates, computerassociates, f-secure, kaspersky, jotti, f-prot, nod32, eset, grisoft, drweb, centralcommand, ahnlab, esafe, avast, avira, quickheal, comodo, clamav, ewido, fortinet, gdata, hacksoft, hauri, ikarus, k7computing, norman, pctools, prevx, rising, securecomputing, sunbelt, emsisoft, arcabit, cpsecure, spamhaus, castlecops, threatexpert, wilderssecurity, windowsupdate

http://circlesoffriends.us//index.php?show...amp;#entry12337
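The "System Changes if you are infected" list in the post above can be checked with a short read-only PowerShell script. This is an added example, not part of the original post or of Microsoft's write-up; the short service names (wscsvc, wuauserv, BITS, WinDefend, ERSvc, WerSvc) are an assumption mapping the display names in the post to the standard Windows service names.

```powershell
# Added example: read-only triage for the system changes listed in the post.
# Assumption: these short names correspond to the display names the post gives;
# the post itself lists display names only.
$services = [ordered]@{
    wscsvc    = 'Windows Security Center Service'
    wuauserv  = 'Windows Update Auto Update Service'
    BITS      = 'Background Intelligent Transfer Service'
    WinDefend = 'Windows Defender'
    ERSvc     = 'Error Reporting Service'          # present on XP-era systems
    WerSvc    = 'Windows Error Reporting Service'  # present on Vista and later
}

$findings = @(foreach ($name in $services.Keys) {
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'" -ErrorAction SilentlyContinue
    if (-not $svc) { continue }   # service not installed on this Windows version: not an indicator

    if ($svc.StartMode -eq 'Disabled') {
        # "disabled" half of the post's "disabled or fail to run"
        '{0} ({1}) is disabled' -f $services[$name], $name
    }
    elseif ($svc.StartMode -eq 'Auto' -and $svc.State -ne 'Running') {
        # "fail to run" half; delayed or trigger-start services can also land
        # here, so treat this as a lead to investigate rather than a verdict
        '{0} ({1}) is set to Auto but its state is {2}' -f $services[$name], $name, $svc.State
    }
})

# Registry modification quoted in the post: TcpNumConnections = 0x00FFFFFE
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$tcp = Get-ItemProperty -Path $key -Name TcpNumConnections -ErrorAction SilentlyContinue
if ($tcp -and $tcp.TcpNumConnections -eq 0x00FFFFFE) {
    $findings += 'TcpNumConnections is set to 0x00FFFFFE under Tcpip\Parameters'
}

if ($findings.Count -eq 0) {
    'None of the listed system changes were found.'
}
else {
    $findings | ForEach-Object { "CHECK: $_" }
}
```

An empty result does not show the machine is clean; the post's advice to install MS08-067 and run a full scan and the MSRT still applies.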
Peaches Posted March 30, 2009

Search for 'Conficker' Could Lure Virus

Symantec is warning Web users that searching for information on computer viruses such as Conficker could put them at risk of unintentionally downloading the virus on to their PC.

Conficker targets a flaw in Windows Server and despite Microsoft releasing an emergency patch and urging all Web users to download it, many machines remain unprotected.

According to the security vendor, searching for 'conficker' in a number of the Web's most popular search engines brings up a number of hoax Websites that actually host the virus and infect any users that navigate to the site.

Symantec warns Web users the best course of action is to use software that will block Web pages such as these from being visited.

"Be careful with the links you follow. A sincere effort of keeping abreast with the latest security information might contain some unwelcome surprises," the security firm added.

A third version of the virus was also discovered this month and security researchers believe it may cause problems on April Fools Day.

"It's set to go off April 1, 2009 and Conficker will generate 50,000 URLs daily," said Computer Associates director of threat research, Don DeBolt.

PC World - http://www.pcworld.com/article/162149/sear...lure_virus.html