Win32/Conficker.C is a worm that infects other computers across a network by exploiting a vulnerability in the Windows Server service (SVCHOST.EXE). If the vulnerability is successfully exploited, it could allow remote code execution when file sharing is enabled. It may also spread via removable drives and weak administrator passwords. It disables several important system services and security products.(was reported to Microsoft on February 20, 2009.)
Win32/Conficker.D is a variant of Win32/Conficker. Conficker.D infects the local computer, terminates services, blocks access to numerous security related Web sites and downloads arbitrary code. Conficker.D can relay command instructions to other Conficker.D infected computers via built-in peer-to-peer (P2P) communication. This variant does not spread to removable drives or shared folders across a network (as with previous variants). Conficker.D is installed by previous variants of Win32/Conficker. (was reported to Microsoft on March 4, 2009.)
As you can tell, this seems to be two different Variants starting to emerge. Now let’s go a little bit more deeper shall we. According to US-CERT(United States – Computer Emergency Readiness Team) , They claim that this is Widespread infection and have posted about it on there website TA09-088A.
My one questions is Why is the US getting ready for this Conlicker worm, are they worried that what happened to the Parliament will happen to some branch of the White House. This seems to be an even more hype building over this worm. Everyone will tell you the same thing, they are not sure what will happen on April 1, 2009. I think it will be a normal day and all because with all news about the Conficker worm, the person who wrote this won’t want the light shined on them before they get there foot hold in systems. So you will most likely not notice anything special on April Fools day due the awareness of the worm.
But don’t forget to update your Anti-virus software and also might be time to add a good free firewall to help protect yourself from this worm.
Q: I heard something really bad is going to happen on the Internet on April 1st! Will it? A: No, not really.
Q: Seriously, the Conficker worm is going to do something bad on April 1st, right? A: The Conficker aka Downadup worm is going to change it’s operation a bit, but that’s unlikely to cause anything visible on April 1st.
I am like everyone else, I really don’t know what will happen it is always going t to be media exposure when it comes to Worms, Viruses, or Trojans. Virus Writers whoever “THEY” are, will always want to update there infected systems to keep the virus(Also worms, and Trojans) on peoples systems. This is the way of security firms will always have to predict them, keep up with them, or just follow them. This will never change because as virus writers want to find even more ways to infect systems that is the necessity of Anti-virus Software.
I don’t know what will happen on April 1, you most likely will be fine if not you won’t know it until you try to update your system or update your anti-virus software. One way you can find out if your infected is by trying to serf to security vendors like F-secure, Norton, and Kasperky. If you Can’t get to those sites then you most likely have a Virus or Worm, and it could be this worm!!
Make the worm harder to detect — This is a common practice they want to be able to hide the worm for as long a possible. So they will always tweak it to make it that much hard to detect and remove.
Make the Worm easier to infect systems – This is another common practice, because without having systems there is no need for a Command and Control server. The worm could do things such as Denial of Service, Or send out spam, or steal sensitive information. This is the nature of why people make viruses, Trojans, or Worms.
Easily update the virus software — as with any software the virus writers will come up with easier ways of updating the software, because the security will do whatever they can to prevent the update. This is also the nature of why there will always be updating of the code. They will put in more ways to keep the virus, worm or Trojan from being blocked. Like the Conflicker has some Peer to Peer functionality, so if one company blocks the update another way it could get the update is Peer to Peer. So you can’t block it very easily.
So what will happen April 1? Who knows it could be a normal day, or it could be the biggest April Fools joke ever. That is why I put that in my last blog post. With so much Media Frenzy the security firms don’t know what the Worm will do when it updates, all they can do is wait. So let’s take a deep breath and relax, there’s nothing we can do just yet!!
Cluely’s blog talks about this and I thought I would talk about it a little myself!!
This is the newest version of the Conflicker/Downadup variant of the little worm. There seems to be people who are worried that April 1, there will be a major wake up in security no holds bar problems.
Some people have got rather confused as to what the April 1st deadline really means. The truth is that Conficker is not set to activate a specific payload on April 1st. Rather, on April 1st Conficker will begin to attempt to contact the 50,000-a-day potential call-home web servers from which it may receive updates.
Now let’s talk about this a little, this worm won’t do anything else but ask for updates on April 1, and we don’t know when the virus writers will implement the update it could be a month down the line. You could Backup your software and use the free program Autopatcher to help make sure your system is completely up to date with windows security. You can’t forward the to that date to find out what will it call home to. We don’t know what it will do when they update to the conficker.c program all we know it starts to try to call to certain domains on April 1, 2009. So you should install Anti-virus and Firewalls where you think it is needed.
I am sure though this will be an really big April Fools Joke from the Virus Programmers, they will be laughing at the hysteria of people trying to find out all the important information on April 1, and yet it might not start to happen until much later!! You are the first line of defense from getting a virus or any malware. So let’s keep our heads on straight and not go over board! Only time will tell, and I am sure what happens on Apr 1, 2009 will be a new day.
It looks like IE7 patches are being used right now in the wild. According to TrendMicro:
HTML_DLOADER.AS exploits the CVE-2009-0075 vulnerability, which is already addressed by the MS09-002 security patch released last week. On an unpatched system though, successful exploitation by HTML_DLOADER.AS downloads a backdoor detected as BKDR_AGENT.XZMS.
As you can see this this can be very bad for the companies who wait a while. Internet Explorer is still being used 1 out of 4 users and I see it it all the time on my stats. The Good news is this isn’t as hard to get rid as the Conflicker but should be taken serious because the writers might start to want to get even more malicious and make it even harder.
This is the next step to prevent yourself from getting caught with your pants down so to speak, you need to patch all systems that have internet access. I still like the Autopatcher because it will do the job with very little input from the user. It also makes it easier for people to patch big systems. You should also consider installing some Free Anti-virus software to help protect the systems you do have.
From the looks of this virus, someone could easily make this into a botnet and you know how that can could affect your systems and your ISP. So it is best to get this months patches on the floor of your company as soon as possible.
You should also consider telling your users to start using Firefox to prevent infection from even happening. Until you patch, you are vulnerable.
Today I’ve been doing research because I surprised how many people have searched for the Conflicker Worm/Virus and I wanted to point just how bad this is getting. I was looking on Twitter about this some more and here is what I found out:
Now I went there and he seemed to of added “)” to the URL so I took that out and here’s the URL to check this out. I went there and saw all these IP(Internet Protocols) and it claims that it is over a MILLION. I don’t know if it is true because I stopped the list of IP’s due to the size of list.
I also wanted to talk about the rate at which people are finding this site due to the conflicker virus/worm infecting their systems. As you can see it is steadily increasing as more and more people are trying to find out how to get rid of this very pesky infestation. See below for some good resources to get this annoyance.
I went back to twitter and some other places to find out what people are saying about this virus and I found this interesting comment:
Conflicker Virus has locked out my work account again…. slightly upsetting it keeps trying to break my account password
According to one blog post, they seem to think this is a test worm trying the waters out to see how well it works. I tend to agree with this blog post because of the unlikely hood of just infecting systems for fun. I also think they are going to use this worm/virus for a Botnet. There have been several post about this being a possible Botnet setup. Acording to Computeworld, They claim this is building a Botnet and I tend to wonder if this was a bad deployment or if they are just reading to start this up after so many computers are infected.
I don’t know what to call the Conflicker a Virus or a Worm. So I’ve decided to just use both. I’ve been telling people to patch there system as soon as possible. I’d also tell people that you need a good AV and a Good Firewall. Although this sometimes won’t prevent you from getting a virus you will undoubtedly need to disable Auto run. Here are some good resources to better help you get this virus off your system:
As you can see there are several different options to help remove this virus and I thought I would list them here. I have heard how hard this virus is to remove and I want to help people remove this virus. Some other things to consider is disabling your restore points before you remove the worm, or it will just come back.
F-secure has noticed it went up from 3,521,230 infections worldwide. This Worm has doubled in over a day. So I have done some twitter searching to see if anyone has recently tweeted about this and I find this one comment:
WTF? suddenly my antivirus is popping with warnings about a W32.Downadup.B … but I havent received any attachs or installed anything!
I’d thought I show you how important it is for you to get ready for a very hard fight ahead of yourselves. You see this hasn’t even begun with this worm.
Here’s are some of the tweets:
2 customers, have this conflicker.worm problem and we are trying every possible solution but nothing turned out to be solved
This worm doesn’t need to be downloaded because it will use exploits that are currently unpatched in the systems . This worm seems to be spreading by USB sticks and you should really turn that off. If you think you’ve gotten this virus, please check out my Malware Resources and also some of the other post about this worm:
I have to talk about this because this is a big deal. According to Techworld and I’ll quote:
“This one scares me – a lot,” says Eric Schultze, CTO of Shavlik Technologies. “It is a lot like Blaster and Sasser. It is the same exploit vector. If I am an attacker and I can touch NetBios then I can execute code with no credentials.”
Now why are they scared of the recent patch (MS 09-001), because of so many vectors of infection, you don’t need any credentials. The virus does not need to know any passwords or user names to gain access. Just like the Downadup variant that is hitting the internet right now, this virus tries to access accounts by guessing weak passwords or even putting itself on flash drives or other mobile media to get other systems infected.
So why are admins scared over this new patch?
Most companies don’t patch there system as quickly as Microsoft would like them to. You see most companies have quite a few computers depending on the size of the company it could be quite a lot. So many in fact that it would have several IT personal just to keep the system going.
So why don’t they just put the new patches on the systems?
Depending on the size of the company and what they do has a lot to do with them updating there systems. Some use really special programs or have a network going that is vital. Even the smallest update to the system could bring the network or the program down. Most companies liketo test it out on test machine for a while to make sure that the patch doesn’t prevent the business from doing business. Here are a few articles that prove why companies do not want to just install patches automatically:
Some companies are using older systems like Windows ME or some older Windows Operating systesm. Although there isn’t anything we can do about those because Microsoft has stopped supporting them with updates and all. I know we are all thinking thesame question?
Is there a way to fix the problem with Windows Updates?
I personally don’t have an answer but I am sure hackers will find ways to exploit codes so they can get on your system so way. I’ve recently read a story about Adware Author and now I understand even more about why people do all of this.
This is one of the questions every admin has to ask themselves? How do we update all of the systems we are responsible for? There are no easy answers to this.
It has been talked about the last few days where there is a worm hitting the computers who haven’t done the Microsoft Update MS08-067 which was release out of cycle and still have some systems has not been patched. It has also been reported that it is spreading around the internet really quickly. According to Computer World:
The worm, which was first reported by Panda and other security companies on Dec. 31, 2008, exploits a vulnerability in the Windows Server service that’s part of all currently supported versions of Microsoft‘s operating system, including Windows 2000, XP, Vista, Server 2003 and Server 2008.
It seems Microsoft has scolded people who haven’t patched for the October emergency update. Accusing users of playing “Russian Roulette“ and scolding them for not promptly updating their system to remove the vulnerability.
Symantec Blogged about this security of this program and how it was a variant of Downadup.b. It also talks about how they are seeing an even more increase on this worm that was supposed to be patched by people who use Windows 2000 Server.
F-secure did a post about Downadup/Conflicker and how they took an Preemptive domain block list for this worm. They have also seen an increase in this worm and they are trying to prevent this worm from gaining ground. Talking about this being a network worm, in more ways then one. Some have even seen it being sent through USB drives. If you have a system you want to protect you should stop autorun.
Here are some links to better help you get this worm off your system:
In order to remove this worm, you must do a complete system scan with any of the free virus scanning programs. You’ll need to update your virus database before you do the scan. You may even want to try the free virus scanners tha are online to get rid of this worm. These should help you get rid of this worm, but you must remember to install the update or you will get the worm again. The MS08-067 Patch should be installed as soon as possible you can find the patch here.
Categories: 2009, Vista, Vulnebilities, WIndows, Windows 7, Windows Update, Windows Vista | 
Tags: April 1 Virus, April Fools, April Fools day, Conflicker, Conflicker.c, Conflicker.d, downadup, Microsoft, Variant, worm | 
No Comments »
