Countdown to Conficker

Source: cnetnews

The Conficker worm is stirring on some infected computers in Asia where it's April 1, but so far the activity is very tame, security researchers say.

"We've seen activity in honeypot machines in Asia...They're generating the 50,000 list of (potential) domains to contact," said Paul Ferguson, an advanced threats researcher for Trend Micro.

The latest variant of the worm, Conficker.C, was set to activate on April 1, which for some of the infected machines will happen at local time and for others it will be GMT, depending on whether the machines are turned on and connected to the Internet, he said.

The process seems to be starting slowly, with infected machines starting to generate the list of domains and then picking one domain and trying to contact it and waiting before continuing on through 500 of those 50,000 domains, according to Ferguson.

The owners of the infected computers likely won't notice anything, unless they can't access the Web sites of security vendors and then they will know they are infected, he said. Trend Micro has figured out a way to unblock the computer from the sites that the worm has blocked using a Microsoft networking service, he said. More details are on the Trend Micro site.

"Nothing at this point; we're running updates every half hour or so," Dave Marcus, director of security research for McAfee Avert Labs, said when asked to report what he was seeing. "They're supposed to connect to one of a variety of Web sites and download a piece of code. What that code is supposed to do is up in the air."

more: http://news.cnet.com/8301-1009_3-10208722-83.html

and Windows Advanced System Care running on my PC all the time. It does a system scan every morning at 6 am. I use Opera and Firefox and have all the flash ad pop up blocking software as well.


IS THERE ANYTHING ELSE I NEED TO DO?

:scared: :scared: :scared:

inium



:hide:

:nuke:

See the posting from US CERT below

Conficker Worm Targets Microsoft Windows Systems

Original release date: March 29, 2009
Last revised: --
Source: US-CERT


Systems Affected

* Microsoft Windows


Overview

US-CERT is aware of public reports indicating a widespread
infection of the Conficker worm, which can infect a Microsoft
Windows system from a thumb drive, a network share, or directly
across a network if the host is not patched with MS08-067.


I. Description

The presence of a Conficker infection may be detected if a user is
unable to surf to the following websites:

*
http://www.symantec.com/norton/theme.jsp?themeid=conficker_worm&inid=us_
ghp_link_conficker_worm
* http://www.mcafee.com

If a user is unable to reach either of these websites, a Conficker
infection may be indicated (the most current variant of Conficker
interferes with queries for these sites, preventing a user from
visiting them). If a Conficker infection is suspected, the
infected system should be removed from the network. Major
anti-virus vendors and Microsoft have released several free tools
that can verify the presence of a Conficker infection and remove
the worm. Instructions for manually removing a Conficker infection
from a system have been published by Microsoft in
http://support.microsoft.com/kb/962007.


II. Impact

A remote, unauthenticated attacker could execute arbitrary code on
a vulnerable system.


III. Solution

US-CERT encourages users to prevent a Conficker infection by
ensuring all systems have the MS08-067 patch (part of Security
Update KB958644, which was published by Miscrosoft in October
2008), disabling AutoRun functionality (see
http://www.us-cert.gov/cas/techalerts/TA09-020A.html), and
maintaining up-to-date anti-virus software.


IV. References

* Virus alert about the Win32/Conficker.B worm -
<http://support.microsoft.com/kb/962007>

* Microsoft Security Bulletin MS08-067 - Critical -
<http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx>

* Microsoft Windows Does Not Disable AutoRun Properly -
<http://www.us-cert.gov/cas/techalerts/TA09-020A.html>

* MS08-067: Vulnerability in Server service could allow remote code
execution -
<http://support.microsoft.com/kb/958644>

* The Conficker Worm -
<http://www.symantec.com/norton/theme.jsp?themeid=conficker_worm>

* W32/Conficker.worm -
<http://us.mcafee.com/root/campaign.asp?cid=54857>

I got the virus last January. Just today I checked to see if I had ever had that patch installed on my computer because I get automatic updates. It WAS installed back in October when it came out, yet I STILL got the virus in January. I don't know what the heck is going on with that patch but it sure didn't do shit for me.

I don't recommend relying on that patch at all.

Have you patched for all three?

The only patch I'm hearing about is the one from October. If there's other patches, Microsoft sure hasn't told me anything about them. Does anyone know about subsequent patches and where to get them and how to check if you DID get them?

http://www.symantec.com/security_response/writeup.jsp?docid=2009-011316-0247-99

Contains an extensive overview on the three variants.

Here's a direct link to the removal tool:

http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FixDwndp.exe

They're just tools to scan your system and kill it if you have it. What is needed is patches from Microsoft that deal with ALL of the varients so you won't get the evil things to begin with. The worm is so prolific you can get infected at any time without a security patch. I already dealt with this nasty booger and cleaned up my computer, but that isn't going to ensure that I won't get it again some time in the future.

I don't know what to tell you. I have Microsoft Update turned off. As I've said in another thread, I've had one virus in my 14 years on the web and it came from a printer install disk. I do'nt run anti-virus software. Just a firewall and a collection of anti-spyware/malware/browser security programs. I surf with Firefox and I use the NoScript plugin. I never open email attachments. I turn off the preview pane on my email client. I don't save my passwords in password-saving software. If a pop-up or pop-under window gets by me, I close it via keyboard (ctr W).

I use Firefox, don't do file sharing, don't open emails if I don't know who it's from, and I use a firewall, virus protection, run several malware and spyware and adware programs, update daily, etc., etc., etc.... yet I got the booger. You can get this monster from ANYWHERE these days. I jsut have no idea why Microsoft put out a patch in October for the first varient and I haven't seen anything since (and the booger got uglier with the next varient... it was most ghastly in January and February which is when I got it despite having that October patch). If there IS such a patch for the subsequent varients, I haven't heard anything about it and can't find anything at Microsoft. Clearly, their October patch isn't working for the subsequent varients.

Thanks for trying to help though.

Make sure you have the Windows patch that came out last October (although I got the virus in January WITH that patch, so it didn't do squat for me)...
http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

You can do a free scan from McAfee that will look for the virus and kill it...
http://www.mcafee.com/us/threat_center/conficker.html
(the links to do the scan and kill it if you have it are in the upper righthand corner)

Bunch of other suggestions and info here...
http://www.democraticunderground.com/discuss/duboard.php?az=view_all&address=389x5363351

http://countermeasures.trendmicro.eu/tag/conficker/ :hi:

So says the Symantec site.

If you can log onto the Symantec site, you're fine, too. It blocks access to the help sites.

of the update. So I think I'm OK. Keeping fingers crossed.

:hi:

We have many systems of various OS types here at the home. Two of them happen to be of the Windows variety. Yes they have updated virus defs, yes I am fairly confident they are secure, but you know what...for the next 24-48 hours, those two systems will not be able to communicate outside my home network. Furthermore, I have turned on a network analyzer (Wireshark in my case) just to collect stats in the off chance I missed something.

All this took about 10 min of my time. No worries here.

Peace,
MZr7