Monday, March 30, 2009

Conficker worm on its way



I was reading a story this morning from Yahoo about the Conficker worm that comes out every year on April 1st. The first Conficker worm was sent out in 2008 and infected over 9 million computers. Now it's on its third version, Conficker C, and is "incredibly complicated, powerful, and virulent".

Microsoft has offered a quarter-million-dollar bounty on the writer of the worm and is trying to find a solution before April 1st gets here. They say:

"What's known so far is that on April 1, all infected computers will come under the control of a master machine located somewhere across the web, at which point anything's possible. Will the zombie machines become denial of service attack pawns, steal personal information, wipe hard drives, or simply manifest more traditional malware pop-ups and extortion-like come-ons designed to sell you phony security software? No one knows.

Conficker is clever in the way it hides its tracks because it uses an enormous number of URLs to communicate with HQ. The first version of Conficker used just 250 addresses each day -- which security researchers and ICANN simply bought and/or disabled -- but Conficker C will up the ante to 50,000 addresses a day when it goes active, a number which simply can't be tracked and disabled by hand.

At this point, you should be extra vigilant about protecting your PC: Patch Windows completely through Windows Update and update your anti-malware software as well. Make sure your antivirus software is actually running too, as Conficker may have disabled it.

Microsoft also offers a free online safety scan here, which should be able to detect all Conficker versions."

And from the Windows Live OneCare website:

How do I know if my computer is infected?

System Changes
The following system changes may indicate the presence of this malware:

  • The following services are disabled or fail to run:
    Windows Update Service
    Background Intelligent Transfer Service
    Windows Defender
    Windows Error Reporting Services
  • Some accounts may be locked out due to the following registry modification, which may flood the network with connections:
    HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    "TcpNumConnections" = "0x00FFFFFE"
  • Users may not be able to connect to websites or online services that contain the following strings:
    virus
    spyware
    malware
    rootkit
    defender
    microsoft
    symantec
    norton
    mcafee
    trendmicro
    sophos
    panda
    etrust
    networkassociates
    computerassociates
    f-secure
    kaspersky
    jotti
    f-prot
    nod32
    eset
    grisoft
    drweb
    centralcommand
    ahnlab
    esafe
    avast
    avira
    quickheal
    comodo
    clamav
    ewido
    fortinet
    gdata
    hacksoft
    hauri
    ikarus
    k7computing
    norman
    pctools
    prevx
    rising
    securecomputing
    sunbelt
    emsisoft
    arcabit
    cpsecure
    spamhaus
    castlecops
    threatexpert
    wilderssecurity
    windowsupdate
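The symptom list above can be turned into a read-only check. This is an added example, not code from the original post or from Microsoft's OneCare page: the service short names (wuauserv, BITS, WinDefend, WerSvc), the probe hostnames and the control hostname are assumptions, while the display names, the registry path and value, and the blocked strings come from the quoted text.

```powershell
# Added example, not part of the original post or of Microsoft's guidance:
# a read-only check for the Conficker indicators quoted above. Service short
# names, the probe hostnames and the control hostname are assumptions; the
# display names, registry path/value and blocked strings come from the quote.

$findings = @()

# 1. Services the quoted text says Conficker disables (short names assumed).
$services = @{
    'wuauserv'  = 'Windows Update Service'
    'BITS'      = 'Background Intelligent Transfer Service'
    'WinDefend' = 'Windows Defender'
    'WerSvc'    = 'Windows Error Reporting Service'
}
foreach ($name in $services.Keys) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        $findings += "Service missing: $($services[$name]) ($name)"
    } elseif ($svc.Status -ne 'Running') {
        $findings += "Service not running: $($services[$name]) ($name) is $($svc.Status)"
    }
}

# 2. Registry value the quoted text associates with account lockouts.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$prop = Get-ItemProperty -Path $key -Name TcpNumConnections -ErrorAction SilentlyContinue
if ($prop -and $prop.TcpNumConnections -eq 0x00FFFFFE) {
    $findings += ('TcpNumConnections is set to 0x{0:X8}' -f $prop.TcpNumConnections)
}

# 3. Name resolution for hosts containing blocked strings (hostnames assumed).
#    All probes failing while the control name resolves is the symptom to note.
$probes  = 'www.microsoft.com', 'www.symantec.com', 'www.kaspersky.com'
$control = 'www.example.com'
$blocked = @()
foreach ($h in $probes) {
    try { [void][System.Net.Dns]::GetHostAddresses($h) } catch { $blocked += $h }
}
$controlOk = $true
try { [void][System.Net.Dns]::GetHostAddresses($control) } catch { $controlOk = $false }
if ($blocked.Count -eq $probes.Count -and $controlOk) {
    $findings += "Lookups fail for $($blocked -join ', ') but succeed for $control"
}

if ($findings.Count -eq 0) { 'No Conficker indicators from the checklist found.' }
else { $findings | ForEach-Object { "INDICATOR: $_" } }
```

Run it from an elevated PowerShell prompt on the machine being checked; a service that is simply absent on an older Windows version is not by itself an indicator, so read the output alongside a full antivirus scan.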

So I thought, well, I'm safe, I have McAfee...I have Spyzooka...I automatically update and have my firewall and Windows Defender set up to run automatically...I'm good right?

Then I looked in my system tray and NOTHING WAS THERE! Windows Defender had been turned off; McAfee off; Spyzooka off. Ack! I immediately stopped what I was doing and ran every kind of scan I have. I found several viruses.

I'm glad I came across the story and checked into my own PC. I hope y'all check yours too. This could be bad, bad, bad.


1 comment:

Sometimes Sophia said...

Ouch. This sounds pretty painful. I have a feeling that I'm pretty vulnerable. Thanks for the info. I'll put it to good use.
