Question:
Does anyone know anything about the Conficker virus? And how do I protect myself?
Eight answers:
2009-04-01 15:55:51 UTC
And the award for "Best April Fool's Day joke" for the year 2009 has to go to this whole Conficker worm scare. It seems that everyone was panicking for nothing, no doomsday, no end of the world… *sigh* kind of a letdown actually.

http://hardocp.com/news.html?news=Mzg3NDIsLCxoZW50aHVzaWFzdCwsLDE=
Martial H
2009-04-01 11:59:02 UTC
General methods of propagation:

• Local network
• Mapped network drives

Aliases:

• Symantec: W32.Downadup.B
• Kaspersky: Net-Worm.Win32.Kido.fw
• F-Secure: Worm:W32/Downadup.gen!A
• Sophos: Mal/Conficker-A
• Panda: Trj/Downloader.MDW
• Grisoft: I-Worm/Generic.CJY
• Eset: a variant of Win32/Conficker.AE worm
• Bitdefender: Win32.Worm.Downadup.Gen

Similar detection:

• Worm/Kido

Platforms / OS:

• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003

Side effects:

• Registry modification
• Makes use of software vulnerability
• Third party control

Files: It copies itself to the following locations:

• %all shared folders%\RECYCLER\S-%number%\%random character string%.vmx
• %ProgramFiles%\Internet Explorer\%random character string%.dll
• %ProgramFiles%\Movie Maker\%random character string%.dll
• %System%\%random character string%.dll
• %Temp%\%random character string%.dll
• %ALLUSERSPROFILE%\Application Data\%random character string%.dll

The following file is created:

– %all shared folders%\autorun.inf. This is a non-malicious text file with the following content:

  %random comments%
  shellexecute rundll32.exe %paths and filenames of malware copies%,%random character string%
  %random comments%

Registry: The following registry keys are added in order to load the service after reboot:

– HKLM\SYSTEM\CurrentControlSet\Services\%random words%\Parameters\
  "ServiceDll" = "%paths and filenames of malware copies%"

– HKLM\SYSTEM\CurrentControlSet\Services\%random words%\
  "ImagePath" = %SystemRoot%\system32\svchost.exe -k netsvcs
  "Type" = "4"
  "Start" = "4"
  "ErrorControl" = "4"

The following registry keys are changed:

– [HKLM\SYSTEM\CurrentControlSet\Services\wscsvc]
  Old value: "Start"=dword:00000003
  New value: "Start"=dword:00000004

– [HKLM\SYSTEM\CurrentControlSet\Services\wuauserv]
  Old value: "Start"=dword:00000003
  New value: "Start"=dword:00000004

– [HKLM\SYSTEM\CurrentControlSet\Services\BITS]
  Old value: "Start"=dword:00000003
  New value: "Start"=dword:00000004

– [HKLM\SYSTEM\CurrentControlSet\Services\ERSvc]
  Old value: "Start"=dword:00000003
  New value: "Start"=dword:00000004

– HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  New value:
  "Hidden"=dword:00000002
  "ShowCompColor"=dword:00000001
  "HideFileExt"=dword:00000000
  "DontPrettyPath"=dword:00000000
  "ShowInfoTip"=dword:00000001
  "HideIcons"=dword:00000000
  "MapNetDrvBtn"=dword:00000000
  "WebView"=dword:00000000
  "Filter"=dword:00000000
  "SuperHidden"=dword:00000000
  "SeparateProcess"=dword:00000000

Network infection: In order to ensure its propagation the malware attempts to connect to other machines as described below.

IP address generation:

It creates random IP addresses while it keeps the first three octets from its own address. Afterwards it tries to establish a connection with the created addresses.

Infection process:

It makes the compromised machine download the malware from the infected source computer.
The downloaded file is stored on the compromised machine as: .\RECYCLER\S-%number%\%random character string%.vmx

Hosts – Access to the following domains is effectively blocked:

• ahnlab; arcabit; avast; avg.; avira; avp.; bit9.; ca.; castlecops; centralcommand; cert.; clamav; comodo; computerassociates; cpsecure; defender; drweb; emsisoft; esafe; eset; etrust; ewido; f-prot; f-secure; fortinet; gdata; grisoft; hacksoft; hauri; ikarus; jotti; k7computing; kaspersky; malware; mcafee; microsoft; nai.; networkassociates; nod32; norman; norton; panda; pctools; prevx; quickheal; rising; rootkit; sans.; securecomputing; sophos; spamhaus; spyware; sunbelt; symantec; threatexpert; trendmicro; vet.; virus; wilderssecurity; windowsupdate

Miscellaneous Internet connection:

In order to check for its internet connection the following DNS servers are contacted:

• http://www.getmyip.org
• http://www.whatsmyipaddress.com
• http://getmyip.co.uk
• http://checkip.dyndns.org

Checks for an internet connection by contacting the following web sites:

• baidu.com; google.com; yahoo.com; msn.com; ask.com; w3.org; aol.com; cnn.com; ebay.com; msn.com; myspace.com

File patching:

In order to increase the number of maximum connections it has the capability to modify tcpip.sys. It may result in a corruption of that file and break network connectivity.

Rootkit technology: It is a malware-specific technology. The malware hides its presence from system utilities, security applications and in the end, from the user.

Method used:
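An added triage helper (not code from the post or from any vendor write-up) that scans a registry export for the service changes listed above: the four services forced to Start=4, and a netsvcs-hosted service whose ServiceDll sits outside System32, which generalises the post's list of drop directories. The service name qmxpvd, the DLL name and the .reg text are constructed for illustration.

```python
"""Triage a .reg export for the Conficker persistence indicators described
above. Added example, not from the post; the .reg text below is constructed
and simplified (REG_EXPAND_SZ values shown as plain strings, not hex(2):)."""

SERVICES = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"
WATCHED = {"wscsvc", "wuauserv", "BITS", "ERSvc"}  # post: Start forced 3 -> 4
TRUSTED_DLL_DIRS = ("%systemroot%\\system32\\", "c:\\windows\\system32\\")

SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\qmxpvd]
"ImagePath"="%SystemRoot%\system32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\qmxpvd\Parameters]
"ServiceDll"="C:\Program Files\Movie Maker\ouwjsx.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Parameters]
"ServiceDll"="%SystemRoot%\System32\browser.dll"
"""

def parse_reg(text):
    """Return {key_path: {value_name: raw_value}} from .reg export text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and "=" in line:
            name, _, value = line.partition("=")
            keys[current][name.strip('"')] = value.strip().strip('"')
    return keys

def find_indicators(keys):
    """Flag watched services set to Start=4 (disabled) and any netsvcs-hosted
    service whose ServiceDll lives outside System32 (generalises the post's list)."""
    findings = []
    for path, values in keys.items():
        if not path.startswith(SERVICES):
            continue
        svc, *rest = path[len(SERVICES):].split("\\")
        if svc in WATCHED and values.get("Start") == "dword:00000004":
            findings.append(f"{svc} disabled (Start=4)")
        if rest == ["Parameters"]:
            dll = values.get("ServiceDll", "").lower()
            host = keys.get(SERVICES + svc, {}).get("ImagePath", "").lower()
            if "-k netsvcs" in host and dll and not dll.startswith(TRUSTED_DLL_DIRS):
                findings.append(f"{svc}: netsvcs ServiceDll outside System32: {dll}")
    return findings
```

Run it against a `reg export HKLM\SYSTEM\CurrentControlSet\Services` dump (decoding hex(2) values first) to get a first list of services worth examining by hand.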
ZackyBear
2009-03-31 20:47:08 UTC
I thought about that, but then I considered this:

Of course turning off your internet would stop them from releasing your information, but that doesn't stop you from having the virus. You either have it or you don't.

Also, if you turned off your computer at midnight for the next 24 hours, the virus is still active... So that wouldn't do any good since as soon as you turned on your internet it would end with the same result.

At 11:59, I'm shutting off my internet and running an overnight scan just to be sure... I advise that you do the same.
2009-03-31 20:45:30 UTC
Not copypasting lala. ;D

According to what I've read, if you turn off your internet/computer, it'll just function the next time you turn your computer/internet on. If you're infected already, you can't stop it by turning off your computer.

Well, some/most are from the internet, but this one comes from infected flash drives. It pretends to be Autorun. D:
2009-03-31 20:44:19 UTC
Conficker is a virus that started spreading in 2008. It will search for "new instructions" on April 1st. The exploit it used is patched now; you cannot get it anymore unless your computer is not patched (update.microsoft.com to download patches). Simply run an UP TO DATE antivirus scanner, and the virus will be found and removed.

If you have a Mac you are immune.
If you run Linux you are immune.
Phones, PDAs, iPods, etc. are immune.
It is not necessary to unplug your computer or internet.

Some more information can be found here:

http://support.microsoft.com/kb/962007 (info)
http://en.wikipedia.org/wiki/Conficker (info)
?
2009-03-31 20:41:19 UTC
The only way is to have the update that came out in October 2008. Read on.

What happens on April 1, 2009?

Computers previously infected with the Conficker worm will begin to use specially crafted instructions to contact web domains owned by the attackers with the intent to find ways to spread (worm) Conficker to other computers to infect.

What does the Conficker worm do?

We don't know the purpose of the Conficker worm. We have evidence that the creators of the worm can connect to an infected computer to remotely install software and possibly steal information. What will that software do? Most likely the worm will be used to create a botnet that will be "rented" out to criminals who want to send SPAM, steal IDs and direct users to online scams and phishing sites.

The Conficker worm mostly spreads across networks. If it finds a vulnerable computer, it turns off the automatic backup service, deletes previous restore points, disables many security services, blocks access to a number of security web sites and opens infected machines to receive additional programs from the malware's creator. The worm then tries to spread itself to other computers on the same network.

How does the worm infect a computer?

Conficker, also known as the Downadup worm, tries to take advantage of a problem with Windows (a vulnerability) called MS08-067 to quietly install itself. Users who automatically receive updates from Microsoft are already protected from this. The worm also tries to spread by copying itself into shared folders on networks and by infecting USB devices such as memory sticks.

Who is at risk?

Users whose computers are not fully patched and receiving updates from GDIT's System Management agent (SCCM) or directly from Microsoft and who are not running an up-to-date antivirus product are most at risk.

Ensure your Symantec Antivirus is up-to-date and actively running.

Your Symantec Antivirus program should be configured to receive updated signatures that have the latest information to identify and prevent the variant of the worm from running on your computer. Please follow these instructions to help determine if your Symantec AV program is up-to-date (you must be connected to the Internet):

1. From your computer, open the Symantec AV console (from the system tray double-click the yellow, PC mouse-looking icon).
2. Check the Program Versions section; the Scan Engine should be 81.3.0.13.
3. If the Scan Version is not at this level then call the GDIT IT Service Desk and Support for assistance.
4. Next, check your Virus Definitions File section; the version should be at a minimum of 3/29/2009 rev. 3.
5. If the version is not current then click the LiveUpdate button --> click the Next button --> it will go out to Symantec's website and automatically download the latest version.
6. If your system is prevented (confirm that you have Internet access) from accessing the Symantec website, call IT Service Desk and Support immediately for assistance.
7. From the pull-down menu, choose Scan and select Full Scan. Click the Scan button and allow Symantec to perform a complete scan.
8. If Symantec finds a virus please contact the IT Service Desk and Support for assistance.

To reiterate, if your computer does not have the latest Program Version or Virus Definitions or it is prevented from accessing the Symantec website to receive the latest signatures, please contact the IT Service Desk and Support immediately.

Advice to stay safe from the Downadup worm:

* Periodically check the Symantec AV console to ensure you are receiving Program and Virus Definitions and they are not out of date.
* Keep your computer updated with the latest patches. This includes Microsoft Operating and Office updates (every 2nd Tuesday of every month), and Adobe Flash Player, Acrobat and Reader programs. If you don't know how to do this contact IT Service Desk and Support to assist you.
* Don't use "free" security scans that pop up on many web sites. All too often these are fake, using scare tactics to try to get you to purchase their "full" service. In many cases these are actually infecting you while they run. There is reason to believe that the creators of the Conficker worm are associated with some of these fake security products.
* Be smart with your passwords. This includes:
  o Change your passwords periodically as per GDIT Policy
  o Use complex passwords – no simple names or words, use special characters and numbers

Contact Information:

IT Service Desk: http://servicedesk.gdit.com/
IT Expanded Support Line: local to Massachusetts: 781-455-5020
Long Distance: 800-663-8315

* GDIT Information Security Risk Manager:
Anonymous
2009-03-31 20:40:29 UTC
What do you mean, human friend? No computer is in danger from the Conficker virus. Turn off your firewalls at the specified time to see how much of a human hoax this is.
Puertorican
2009-03-31 20:45:25 UTC
Since it's gonna be released on April 1, people say it's an April Fools' prank.


This content was originally posted on Y! Answers, a Q&A website that shut down in 2021.