
"Conficker" or "Downadup" Virus Removal and Protection

Written By David D'Angelo on Friday, February 13, 2009 | 2/13/2009

Tech Guide It's Friday (TGIF): Microsoft recently offered $250,000 for the identification and capture of those behind the now spreading Conficker or Downadup worm virus. The worm threatens massive lock-out of systems due to its password cracking capabilities and unique spreading techniques. How do you protect yourself from it or remove it? Read the information below, which was supplied by Microsoft.com.

About Conficker

On October 23, 2008, Microsoft released a critical security update, MS08-067, to resolve a vulnerability in the Server service of Windows that, at the time of release, was facing targeted, limited attack. The vulnerability could allow an anonymous attacker to successfully take full control of a vulnerable system through a network-based attack, the sort of vectors typically associated with network "worms." Since the release of MS08-067, the Microsoft Malware Protection Center (MMPC) has identified two variants of Win32/Conficker in the wild to date:
  • Worm:Win32/Conficker.A: identified by the Microsoft Malware Protection Center (MMPC) on November 21, 2008
  • Worm:Win32/Conficker.B: identified by the Microsoft Malware Protection Center (MMPC) on December 29, 2008

Conficker Timeline

On November 21, 2008 the Microsoft Malware Protection Center (MMPC) identified Worm:Win32/Conficker.A. This worm seeks to propagate itself by exploiting the vulnerability addressed in MS08-067 through network-based attacks. The MMPC added signatures and detection to Microsoft ForeFront, Microsoft OneCare, and the Windows Live OneCare Safety Scanner on the same day.

On November 25, 2008 the Microsoft Malware Protection Center (MMPC) communicated information about Worm:Win32/Conficker.A through their weblog.

On December 29, 2008 the Microsoft Malware Protection Center (MMPC) identified the second variant, Worm:Win32/Conficker.B, and added signatures and detection to Microsoft ForeFront, Microsoft OneCare, and the Windows Live OneCare Safety Scanner on the same day. Worm:Win32/Conficker.B seeks to propagate itself by:
  1. Infecting vulnerable systems by exploiting the vulnerability addressed in MS08-067 through network-based attacks.
  2. Copying itself to the ADMIN$\System32 folder on the target machine and scheduling a task to execute this file daily. It first tries to use the credentials of the logged-on user, which might work well in environments where the same user account is used for different computers on the network, as long as that account has administrative rights. If that fails, it tries a different method: it obtains a list of user accounts on the target machine and attempts to connect using each user name and a list of weak passwords (examples: "1234", "password", or "student"). If one of these combinations works and that account has write permissions, it copies itself to the ADMIN$ folder.
  3. Copying itself to removable media such as USB drives and other portable storage using the AutoPlay feature to launch itself.

NOTE: The second and third attack vectors listed above do not utilize the vulnerability addressed by MS08-067. Therefore, it is possible for these vectors to be successful against systems that have applied the security update associated with MS08-067.
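The account-by-account password guessing described in the second vector leaves a distinctive trace on the target: one remote host produces a burst of failed network logons against many different local accounts in a few seconds. The following detection script is an added example, not part of Microsoft's advisory or this blog; it runs over constructed Security-log-style lines whose format is an assumption (Event ID 529 is the Windows 2000/XP/2003 audit event for a logon failure due to a bad user name or password, logon type 3 is a network logon such as a connection to the ADMIN$ share).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines, not real logs; the line format is an assumption.
# 529 = failed logon (bad user name or password), 528 = successful logon,
# type 3 = network logon, which is what an ADMIN$ share connection produces.
SAMPLE_LOG = """\
2009-01-05 09:00:01 529 user=Administrator src=192.0.2.10 type=3
2009-01-05 09:00:02 529 user=student src=192.0.2.10 type=3
2009-01-05 09:00:02 529 user=jsmith src=192.0.2.10 type=3
2009-01-05 09:00:03 529 user=backup src=192.0.2.10 type=3
2009-01-05 09:00:04 529 user=guest src=192.0.2.10 type=3
2009-01-05 09:00:05 528 user=student src=192.0.2.10 type=3
2009-01-05 09:10:00 529 user=jsmith src=192.0.2.55 type=3
2009-01-05 09:10:30 529 user=jsmith src=192.0.2.55 type=3
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<eid>\d+) user=(?P<user>\S+) "
                     r"src=(?P<src>\S+) type=(?P<ltype>\d+)$")

def parse_log(text):
    """Yield (timestamp, event_id, user, source, logon_type) per well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                   int(m["eid"]), m["user"], m["src"], int(m["ltype"]))

def find_spray_sources(text, min_accounts=4, window=timedelta(seconds=60)):
    """Return {source: sorted distinct accounts} for every source whose failed
    network logons (event 529, type 3) hit at least min_accounts distinct
    accounts inside one window. One account failing repeatedly, as a user
    mistyping a password would, does not qualify."""
    by_src = defaultdict(list)
    for ts, eid, user, src, ltype in parse_log(text):
        if eid == 529 and ltype == 3:
            by_src[src].append((ts, user))
    hits = {}
    for src, events in by_src.items():
        events.sort()  # sliding window over chronologically ordered failures
        for i, (start, _) in enumerate(events):
            accounts = {u for ts, u in events[i:] if ts - start <= window}
            if len(accounts) >= min_accounts:
                hits[src] = sorted(accounts)
                break
    return hits
```

On the sample data only 192.0.2.10 is flagged; the repeated failures for a single account from 192.0.2.55 are left alone.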

On December 31, 2008, the Microsoft Malware Protection Center (MMPC) communicated information about Worm:Win32/Conficker.B through their weblog.

On January 13, 2009, the Microsoft Malware Protection Center (MMPC) included the ability to remove both Worm:Win32/Conficker.A and Worm:Win32/Conficker.B to the January 2009 release of the Windows Malicious Software Removal Tool (MSRT) and communicated information about this through their weblog.

On January 22, 2009, the Microsoft Malware Protection Center (MMPC) provided consolidated technical information about the Worm:Win32/Conficker.B on their weblog.

Protecting PCs from Conficker

  • Apply the security update associated with MS08-067. View the security bulletin for more information about the vulnerability, affected software, detection and deployment tools and guidance, and security update deployment information.
  • Make sure you are running up-to-date antivirus software from a trusted vendor, such as Microsoft's Forefront Client Security or Windows Live OneCare. Antivirus software may also be obtained from trusted third parties such as the members of the Virus Information Alliance.
  • Isolate "unpatched" or legacy systems using the methods outlined in the Microsoft Windows NT 4.0 and Windows 98 Threat Mitigation Guide.
  • Implement strong passwords as outlined in the Creating a Strong Password Policy whitepaper.
  • Disable the AutoPlay feature through the registry or using Group Policies as discussed in Microsoft Knowledge Base Article 953252.

NOTE: Windows 2000, Windows XP, and Windows Server 2003 customers must deploy the update associated with Microsoft Knowledge Base Article 953252 to be able to successfully disable the AutoRun feature. Windows Vista and Windows Server 2008 customers must deploy the security update associated with Microsoft Security Bulletin MS08-038 to be able to successfully disable the AutoRun feature.

Cleaning Systems of Conficker

Manually download MSRT on to uninfected PCs and deploy to infected PCs to automatically clean infected systems.

NOTE: Additional information on deploying MSRT in an enterprise environment can be found at Microsoft Knowledge Base Article 891716.

Customers who cannot use the MSRT in their environment can also refer to Microsoft Knowledge Base Article 962007 for information on how to remove Worm:Win32/Conficker.B manually.

