Conficker Worm (High Security)

March 31, 2009


Hello, this is Kane.  I have been getting multiple warnings from US-CERT about the Conficker Worm.  It is a self-replicating worm that can get on your computer by going to a website or using a USB drive.  It will attempt to attack shares that are password protected and will also start web services on ports 1024 and 10000.  Microsoft is taking this seriously and has so far offered a bounty of $250,000 to catch the people who programmed this worm.  So please update your antivirus, Microsoft updates, and check your firewall.  This worm will become active April 1st.  So if you did not know about this you should take the time to do this.  I believe many companies have taken the steps of patching Windows machines and making custom firewalls to contain the infection.  But this is also important to home users.  Already around 15 to 20 million computers have been infected.  Below is the US-CERT message that has been sent out.

National Cyber Alert System

Technical Cyber Security Alert TA09-088A

Conficker Worm Targets Microsoft Windows Systems

Original release date: March 29, 2009
Last revised: March 30, 2009
Source: US-CERT

Systems Affected

  • Microsoft Windows

Overview

US-CERT is aware of public reports indicating a widespread
infection of the Conficker/Downadup worm, which can infect a
Microsoft Windows system from a thumb drive, a network share, or
directly across a corporate network, if the network servers are not
patched with the MS08-067 patch from Microsoft.

I. Description

Home users can apply a simple test for the presence of a
Conficker/Downadup infection on their home computers.  The presence
of a Conficker/Downadup infection may be detected if a user is
unable to surf to their security solution's website, or is unable
to connect to the following websites to download the free
detection/removal tools available from them:

  • http://www.symantec.com/norton/theme.jsp?themeid=conficker_worm&inid=us_ghp_link_conficker_worm
  • http://www.microsoft.com/protect/computer/viruses/worms/conficker.mspx
  • http://www.mcafee.com

If a user is unable to reach any of these websites, it may indicate
a Conficker/Downadup infection.  The most recent variant of
Conficker/Downadup interferes with queries for these sites,
preventing a user from visiting them.  If a Conficker/Downadup
infection is suspected, the system or computer should be removed
from the network or unplugged from the Internet – in the case for
home users.

II. Impact

A remote, unauthenticated attacker could execute arbitrary code on
a vulnerable system.

III. Solution

Instructions, support and more information on how to manually
remove a Conficker/Downadup infection from a system have been
published by major security vendors.  Please see below for a few of
those sites. Each of these vendors offers free tools that can
verify the presence of a Conficker/Downadup infection and remove
the worm:

Symantec:
http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-011316-0247-99

Microsoft:
http://support.microsoft.com/kb/962007

http://www.microsoft.com/protect/computer/viruses/worms/conficker.mspx

Microsoft PC Safety hotline at 1-866-PCSAFETY, for assistance.

US-CERT encourages users to prevent a Conficker/Downadup infection by
ensuring all systems have the MS08-067 patch (see
http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx),
disabling AutoRun functionality (see
http://www.us-cert.gov/cas/techalerts/TA09-020A.html), and
maintaining up-to-date anti-virus software.
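The two checks the alert describes, the section I reachability test and the section III prevention items (MS08-067 / KB958644 and AutoRun), combined into one triage script. This is an added example, not part of the US-CERT alert or this blog; it assumes PowerShell 2.0 or later on Windows, uses www.example.com as a control host of my choosing, and reads the NoDriveTypeAutoRun value that TA09-020A describes (0xFF disables AutoRun on all drive types).

```powershell
# Added triage script (not from the US-CERT alert or this blog); assumes PowerShell 2.0+ on Windows.
# It applies the advisory's two checks: (1) do the vendor sites named in section I resolve while an
# unrelated control name does, and (2) is the MS08-067 fix (KB958644) installed and AutoRun disabled.
# The control host is my choice; NoDriveTypeAutoRun = 0xFF is the setting described in TA09-020A.

$vendorHosts  = @('www.symantec.com', 'www.microsoft.com', 'www.mcafee.com')
$controlHosts = @('www.example.com')   # assumption: an unrelated site the worm has no reason to block

function Test-NameResolves {
    param([string]$HostName)
    try { [void][System.Net.Dns]::GetHostAddresses($HostName); return $true }
    catch { return $false }
}

# 1. Resolution heuristic from section I: vendor names failing while the control name works
#    points to interference with those DNS queries rather than a general outage.
$vendorOk  = @($vendorHosts  | Where-Object { Test-NameResolves $_ })
$controlOk = @($controlHosts | Where-Object { Test-NameResolves $_ })
if ($vendorOk.Count -eq 0 -and $controlOk.Count -gt 0) {
    Write-Warning 'Vendor sites do not resolve but the control site does: possible Conficker-style DNS interference. Take the machine off the network and scan it with a tool downloaded on a clean machine.'
} elseif ($vendorOk.Count -lt $vendorHosts.Count) {
    $failed = $vendorHosts | Where-Object { $vendorOk -notcontains $_ }
    Write-Warning ('Some vendor sites failed to resolve: ' + ($failed -join ', '))
} else {
    Write-Output 'All vendor sites resolve; this test shows no DNS interference.'
}

# 2. Prevention checks from section III: the MS08-067 patch and AutoRun.
$fix = Get-HotFix -Id 'KB958644' -ErrorAction SilentlyContinue
if ($fix) { Write-Output ('MS08-067 (KB958644) installed on ' + $fix.InstalledOn) }
else      { Write-Warning 'KB958644 not reported by Get-HotFix: install MS08-067 (a later rollup that supersedes it will not show under this ID).' }

$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$autorun = (Get-ItemProperty -Path $policyKey -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
if ($autorun -eq 0xFF) { Write-Output 'AutoRun disabled for all drive types (NoDriveTypeAutoRun = 0xFF).' }
else { Write-Warning ("NoDriveTypeAutoRun is '" + $autorun + "', not 0xFF: AutoRun may still run from removable media; see TA09-020A.") }
```

Run it from an elevated PowerShell prompt on the suspect machine; the DNS part only flags interference, so a clean result there does not prove the machine is uninfected.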

IV. References

  • Microsoft Windows Does Not Disable AutoRun Properly -
    <http://www.us-cert.gov/cas/techalerts/TA09-020A.html>

  • Virus alert about the Win32/Conficker.B worm -
    <http://support.microsoft.com/kb/962007>

  • Microsoft Security Bulletin MS08-067 – Critical -
    <http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx>

  • MS08-067: Vulnerability in Server service could allow remote code
    execution -
    <http://support.microsoft.com/kb/958644>

  • The Conficker Worm -
    <http://www.symantec.com/norton/theme.jsp?themeid=conficker_worm>

  • W32/Conficker.worm -
    <http://us.mcafee.com/root/campaign.asp?cid=54857>

  • W32.Downadup Removal Tool -
    <http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-011316-0247-99>

____________________________________________________________________

The most recent version of this document can be found at:

<http://www.us-cert.gov/cas/techalerts/TA09-088A.html>
____________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA09-088A Feedback VU#827267" in
the subject.
____________________________________________________________________

For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________

Produced 2009 by US-CERT, a government organization.

Terms of use:

<http://www.us-cert.gov/legal.html>
____________________________________________________________________

Revision History

March 29, 2009: Initial release
March 30, 2009: Included additional details

————————————————————————————————————————————————————————————————————————————————


Video by: FeverIAm

Video by: SolderKnowsBest

Please leave comments; it would be greatly appreciated.

2 Responses
  1. April 4, 2009

    A potentially good thing that has resulted from the Conficker scare is an overall heightened awareness of PC security.

  2. April 6, 2009
    Kane

    Unfortunately these things are short-lived. Many people think this was done so the security companies can make money. But I do hope that people will stay aware of how bad things can get if something like this were ever to happen.
