
Conficker worm alert!?!

Status
Not open for further replies.
Level 23 | Joined Nov 29, 2006 | Messages 2,482
My mate recently sent me a message in which he said that the Conficker worm/virus is going to be released on April Fool's Day, possibly to damage millions of people. Since it was mentioned that it is the 1st of April, my first impression is that it is a joke, but my intuition to not be active on my computer that day is increasing. The message below is what my friend sent me, written by the chief of F-Secure.

my friend said:
Computer worm Conficker infects nearly 20 million Microsoft server systems running everything from Windows 2000 to Windows Vista and Windows Server 2008. French air force, Royal Navy warships and submarines, Sheffield Hospital network, UK Ministry of Defence, German Bundeswehr and Norwegian Police all affected. Microsoft has allocated $500,000 to identify its creator. The worm is set to activate on April 1st, 2009, with unknown consequences. Mikko Hypponen, chief research officer at anti-virus firm F-Secure says the true scope of the virus is not known, but in the past 24 hours his company monitored Conficker signals from two million Internet protocol addresses.

And it was on CNN as well; it is everywhere, in fact, I just had no idea.
Source: No joke in April Fool's Day computer worm - CNN.com
CNN said:
No joke in April Fool's Day computer worm

* Story Highlights
* The Conficker C computer worm is expected to activate on April Fool's Day
* The worm lets a master computer take over infected zombie PCs
* It's unclear what the program's author plans to do with all the power
* A group called the Conficker Cabal is trying to hunt down solutions

By John D. Sutter
CNN

(CNN) -- A computer-science detective story is playing out on the Internet as security experts try to hunt down a worm called Conficker C and prevent it from damaging millions of computers on April Fool's Day.


This piece of computer code tells the worm to activate on April 1, 2009, researchers at CA found.

The anti-worm researchers have banded together in a group they call the Conficker Cabal. Members are searching for the malicious software program's author and for ways to do damage control if he or she can't be stopped.

They're motivated in part by a $250,000 bounty from Microsoft and also by what seems to be a sort of Dick Tracy ethic.

"We love catching bad guys," said Alvin Estevez, CEO of Enigma Software Group, which is one of many companies trying to crack Conficker. "We're like former hackers who like to catch other hackers. To us, we get almost a feather in our cap to be able to knock out that worm. We slap each other five when we're killing those infections."

The malicious program already is thought to have infected between 5 million and 10 million computers.

Those infections haven't spawned many symptoms, but on April 1 a master computer is scheduled to gain control of these zombie machines, said Don DeBolt, director of threat research for CA, a New York-based IT and software company.

What happens on April Fool's Day is anyone's guess.

The program could delete all of the files on a person's computer, use zombie PCs -- those controlled by a master -- to overwhelm and shut down Web sites or monitor a person's keyboard strokes to collect private information like passwords or bank account information, experts said.

More likely, though, said DeBolt, the virus may try to get computer users to buy fake software or spend money on other phony products.

Experts said computer hackers largely have moved away from showboating and causing random trouble. They now usually try to make money off their viral programs.

DeBolt said Conficker C embeds itself deep in the computer where it is difficult to track. The program, for instance, stops Windows from conducting automatic updates that could prevent the malware from causing damage.

The program's code is also written to evolve over time and its author appears to be making updates to thwart some of the Conficker Cabal's attempts to neuter the worm.

[...] (read from source)

I don't know what I think, but I will probably have my PC off during that day? What do you say?
 
Level 15 | Joined Nov 1, 2004 | Messages 1,058
I shall have my computer on, fully updated from Microsoft and running the latest updates from Symantec. And other than that, I'll carry on with my life as usual. If things get really serious, I can boot into Linux and carry on as normal.
 
Level 23 | Joined Nov 29, 2006 | Messages 2,482
Yeah, I hope that too. And after all, Conficker has been stopped before (2003, I think).

I just wanted to see how you would handle the situation, or not bother with it at all. After all, I would have done the same if I didn't know about it.

Think about it though: if you have information on your computer which should be kept secret, I would rather make a backup of it and store it somewhere else, since they said that the effect of the worm's behaviour is still unknown, but it will try to steal private information to buy stuff with your credit card (not because I will suffer from it, but others will perhaps?)
 
Level 23 | Joined Nov 29, 2006 | Messages 2,482
Lol... Microsoft is giving a reward of around 185.000 £ for the one who finds the creator of it. Hence, I never heard of the previous attacks of Conficker B back in 2008, so meh, nothing has happened. "Those who have a fully updated virus program will remain safe. It's those who do not have one who should be more concerned."
 
Level 15 | Joined Sep 3, 2006 | Messages 1,738
The article kind of fails, considering they're not "releasing the virus" into the public. They're simply doing a global update through popular web domains to computers that are already infected with it/websites that are already infected with it.

Basically, it's not a big deal unless you plan on going to some malicious web content. Even then, you can just have a friend e-mail you (if you didn't download it beforehand) the Windows Service Pack that remedies the problem.
 
Level 2 | Joined Apr 1, 2009 | Messages 25
You can still get infected.
That's no doubt, but if you have a router there's like a 30% chance you're safe
because it blocks traffic on all closed ports and Conficker uses port 445 for its data.

If you have a router and an AV and firewall you're set. Pretty much immune.

BUT! If you're infected, just do a scan with an AV and it'll delete it; McAfee already recognized it.

I found it funny though how everyone made it such a big deal when McAfee itself said everyone made it a bigger deal than it should have been lol..
 
Level 10 | Joined Jun 1, 2008 | Messages 485
uhh, just a question: how can we know if a PC is already infected with 'this' virus?
My PC always opens Windows Media Player whenever I press the 'A' button on the keyboard. Does this mean I've been infected?

P.S: I write this post with the on-screen keyboard
 
Level 23 | Joined Nov 29, 2006 | Messages 2,482
Or any of these could be a sign of having the virus/worm:

(originally by Panda Security)
Effects

Conficker.C is designed to spread by exploiting a vulnerability in the Windows Server Service which allows remote code execution. It is the vulnerability MS08-067.

Additionally, Conficker.C carries out the following actions:

* It checks the system date in the following web addresses:
Ask.com
Google.com
Baidu.com
Yahoo.com
W3.org
and if the system date is after January 1, 2009, it will attempt to connect to a website in order to download a malicious executable file. The website to which it connects varies depending on the system date.
* It disables the following services:
- Windows Update, disabling the Windows updates.
- BITS (Background Intelligent Transfer Service), which is a service for transferring Windows files.
- Error Reporting service, which allows sending Microsoft information about errors occurring in the operating system, Windows components and programs.
* It prevents the user and the computer from connecting to the websites that contain any of the following text strings:
ahnlab
arcabit
avast
avg
avira
avp
bit9
ca
castlecops
centralcommand
cert
clamav
comodo
computerassociates
cpsecure
defender
drweb
emsisoft
esafe
eset
etrust
ewido
fortinet
f-prot
f-secure
gdata
grisoft
hacksoft
hauri
ikarus
jotti
k7computing
kaspersky
malware
mcafee
microsoft
nai
networkassociates
nod32
norman
norton
panda
pctools
prevx
quickheal
rising
rootkit
sans
securecomputing
sophos
spamhaus
spyware
sunbelt
symantec
threatexpert
trendmicro
vet
virus
wilderssecurity
windowsupdate
As these are security-related websites, antivirus programs cannot be updated and the user cannot access the information on these pages.
* It modifies the security policies of the user accounts. In order to access the user accounts, it uses the following weak passwords:
0123456789
00000, 0000000, 00000000, 0987654321, 11111, 111111, 1111111, 11111111, 123123, 12321, 123321, 12345, 123456, 1234567, 12345678, 123456789, 1234567890, 1234abcd, 1234qwer, 123abc, 123asd, 123qwe, 1q2w3e, 22222, 222222, 2222222, 22222222, 33333, 333333, 3333333, 33333333, 44444, 444444, 4444444, 44444444, 54321, 55555, 555555, 5555555, 55555555, 654321, 66666, 666666, 6666666, 66666666, 7654321, 77777, 777777, 7777777, 77777777, 87654321, 88888, 888888, 8888888, 88888888, 987654321, 99999, 999999, 9999999, 99999999.
A
a1b2c3, aaaaa, abc123, academia, access, account, Admin, admin, admin1, admin12, admin123, adminadmin, administrator, anything, asddsa, asdfgh, asdsa, asdzxc.

B
backup, boss123, business.

C
campus, changeme, cluster, codename, codeword, coffee, computer, controller, cookie, customer.

D
database, default, desktop, domain.

E
example, exchange, explorer.

F
files, foobar, foofoo, forever, freedom.

G
games.

H
home123.

I
ihavenopass, Internet, internet, intranet.

K
killer.

L
letitbe, letmein, Login, login, lotus, love123.

M
manager, market, money, monitor, mypass, mypassword, mypc123.

N
nimda, nobody, nopass, nopassword, nothing.

O
office, oracle, owner.

P
pass1, pass12, pass123, passwd, Password, password, password1, password12, password123, private, public, pw123.

Q
q1w2e3, qazwsx, qazwsxedc, qqqqq, qwe123, qweasd, qweasdzxc, qweewq, qwerty, qwewq.

R
root123, rootroot.

S
sample, secret, secure, security, server, shadow, share, student, super, superuser, supervisor, system.

T
temp123, temporary, temptemp, test123, testtest.

U
unknown.

W
windows, work123.

X
xxxxx.

Z
zxccxz, zxcvb, zxcvbn, zxcxz, zzzzz.

Infection strategy

Conficker.C creates a random DLL in the Windows system directory. This file is created with system, read-only and hidden attributes.

It also creates a file with random name and VMX extension in the folder RECYCLER\%random name% of all the shared and removable drives of the computer. It is copied with system, read-only and hidden attributes. Additionally, it creates an AUTORUN.INF file in these drives. This way, it is run whenever any of them is accessed.

On the other hand, it creates a scheduled task in the folder Tasks of the Windows directory in order to start its execution periodically.



Conficker.C creates the following entries in the Windows Registry:

* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
%random name% = rundll32.exe %drive letter%\RECYCLER\%random name%\%random filename%.vmx
By creating this entry, Conficker.C ensures that it is run whenever Windows is started.
* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
TcpNumConnections = 0x00FFFFFE
* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netsvcs
Image Path = %sysdir%\svchost.exe -k netsvcs
* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netsvcs\Parameters
ServiceDll = %name of the drive%\RECYCLER\%random name%\%random filename%.vmx
By creating these two entries, it is registered as a service.



Conficker.C modifies the following entries from the Windows Registry in order to make its detection more difficult:

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL
CheckedValue = 1
It changes this entry to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL
CheckedValue = 0
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
SuperHidden = 1
It changes this entry to:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
SuperHidden = 0
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden = 1
It changes this entry to:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden = 0
It hides the files and folders with hidden attribute.

Means of transmission

Conficker.C spreads by exploiting the vulnerability called MS08-067, which is a vulnerability in the Windows server service. In order to do so, it sends malformed RPC requests to other computers. If any of them is vulnerable, it will download a copy of the worm to the system.

Additionally, Conficker.C also spreads through the system drives, both shared and removable, making copies of itself in them. It also creates an AUTORUN.INF file in order to be run whenever any of them is accessed.

Further Details

Conficker.C is 167,765 bytes in size.
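The Panda Security write-up quoted above is, in effect, a checklist of host indicators: three Explorer "show hidden files" registry values forced to 0, a Run-key entry that launches a .vmx payload through rundll32.exe, three services disabled, RECYCLER\<random>\<random>.vmx drops plus an AUTORUN.INF on each drive, and blocked name resolution for hosts whose names contain the listed strings. The PowerShell script below is an added example, not code from the thread or from Panda Security, that reads those indicators on the local machine and reports them without changing anything. It assumes the service short names wuauserv, BITS, ERSvc and WerSvc correspond to the three services the write-up names, and the probe hosts and the control host example.com are constructed for the name-resolution test; run it from an elevated prompt.

```powershell
# Added example (not from the thread or Panda Security): read-only check for the
# Conficker.C host indicators listed in the write-up above. Assumed: the short
# service names below map to the services the write-up says are disabled.

$findings = New-Object 'System.Collections.Generic.List[string]'

# 1. Explorer hidden-file settings the write-up says are flipped from 1 to 0.
$regChecks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL'; Name = 'CheckedValue' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'SuperHidden' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'Hidden' }
)
foreach ($c in $regChecks) {
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($item -and $item.($c.Name) -eq 0) {
        $findings.Add("registry: $($c.Path)\$($c.Name) = 0")
    }
}

# 2. Run-key entries that start a .vmx payload via rundll32.exe (persistence).
$run = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run) {
    foreach ($p in $run.PSObject.Properties) {
        if ($p.Value -is [string] -and $p.Value -match '(?i)rundll32.*\.vmx') {
            $findings.Add("run key: $($p.Name) = $($p.Value)")
        }
    }
}

# 3. Services the write-up says are disabled (assumed short names: Windows
#    Update = wuauserv, BITS = BITS, Error Reporting = ERSvc on XP / WerSvc later).
foreach ($name in 'wuauserv', 'BITS', 'ERSvc', 'WerSvc') {
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'" -ErrorAction SilentlyContinue
    if ($svc -and $svc.StartMode -eq 'Disabled') {
        $findings.Add("service disabled: $name ($($svc.DisplayName))")
    }
}

# 4. RECYCLER\<random>\<random>.vmx drops and an AUTORUN.INF pointing at them.
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $recycler = Join-Path $drive.Root 'RECYCLER'
    if (Test-Path -LiteralPath $recycler) {
        Get-ChildItem -LiteralPath $recycler -Recurse -Force -Filter '*.vmx' -ErrorAction SilentlyContinue |
            ForEach-Object { $findings.Add("dropped file: $($_.FullName)") }
    }
    $autorun = Join-Path $drive.Root 'AUTORUN.INF'
    if (Test-Path -LiteralPath $autorun) {
        $text = Get-Content -LiteralPath $autorun -Force -ErrorAction SilentlyContinue | Out-String
        if ($text -match '(?i)RECYCLER|\.vmx') {
            $findings.Add("autorun: $autorun references a RECYCLER/.vmx payload")
        }
    }
}

# 5. Name-resolution probe: the worm blocks hosts whose names contain the
#    listed strings, so vendor sites failing while a control host resolves is a
#    further hint. Probe hosts and the control host are constructed for this example.
$control = 'example.com'   # contains none of the blocked substrings
$probes  = 'www.microsoft.com', 'www.symantec.com', 'www.f-secure.com', 'www.kaspersky.com'
$controlOk = $true
try { [void][System.Net.Dns]::GetHostAddresses($control) } catch { $controlOk = $false }
if ($controlOk) {
    foreach ($h in $probes) {
        try { [void][System.Net.Dns]::GetHostAddresses($h) }
        catch { $findings.Add("lookup failed for security vendor host: $h") }
    }
} else {
    Write-Warning 'No name resolution at all; skipping the vendor-site probe.'
}

if ($findings.Count -eq 0) {
    'No Conficker.C indicators from the write-up were found.'
} else {
    'Indicators found (confirm with an up-to-date scanner before acting):'
    $findings | ForEach-Object { " - $_" }
}
```

Treat a single hit as a weak signal: the Hidden and SuperHidden values are also 0 when a user simply chose not to show hidden files, and a mapped network drive can make the RECYCLER scan slow. Two or more independent hits (a disabled update service together with a rundll32/.vmx Run entry, for example) match the behaviour described above much more closely, and the right follow-up is still a scan with a current antivirus product rather than hand-deleting files.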
 
Level 15 | Joined Nov 1, 2004 | Messages 1,058
uhh, just a question: how can we know if a PC is already infected with 'this' virus?
My PC always opens Windows Media Player whenever I press the 'A' button on the keyboard. Does this mean I've been infected?

P.S: I write this post with the on-screen keyboard
Try switching to another keyboard (if you have any others available) and see if that solves the problem.
 