Conficker.C, WORM, Serious Threat!!

BlueMonster · Mar 25, 2009

THIS IS NO JOKE!!

Just when you might have thought it was safe to start using USB flash drives at work again, the third, and by all accounts, most fiendish version of the Conficker worm that's infected millions of PCs already is set to attack on April 1st, Ars Technica reports. Conficker.C's designed to hide itself even more thoroughly than its older siblings Conficker.A and Conficker.B, using tricks such as:
•Inserting itself into as many as five Windows-related folders such as System, Movie Maker, Internet Explorer, and others (under a random name, of course)
•Creating access control entries and locking the file(s)
•Registers dummy services using a "one (name) from column A, one from column B, and two from column C" method
To find out what happens when Conficker.C strikes, join us after the jump.
Conficker.C's payload makes it harder than ever to recover from being infected:
•Deactivates Windows Security Center notifications
•Prevents restart in Safe Mode
•Prevents Windows Defender from running at system startup
•Deletes all system restore points
•Disables various error-reporting and security services
•Terminates over twenty security-related processes
•Blocks DNS queries
•Blocks access to security and antivirus websites
•And, to top it all off, Conficker.C can choose from a list of 500 domains to contact out of a pool of 50,000 (way up from Conficker.B's 32 out of 250).

Link:: This is No Joke: Conficker.C to Strike on April Fools' Day | Maximum PC

Removal Tool:: How to use the Downadup removal tools - BDTools.net

+++++++++++++++++++++

I can't say much else, as I don't know much else, though I read about this on another Forum I belong to. I have all my Updates in place as always, ran MS Malware Removal Tool, Ran complete system Scan, my PC turned up clean of
Conflicker A and B as well as C, but then C has not been released as yet.

+++++++++++++++++++++

I do know MS has a bounty out on the individual responsible, $250,000 BUCKS!!

That should give you guys an Idea of how SERIOUS this THREAT is!!

I am not sure about the removal tool either, but that's the only one I found.
Thus far.

JUST A HEADS UP!!! PEOPLE!! :eek:

Blue

Just be AWARE!! :geek:

Google:: http://www.google.com/search?hl=en&q=Conflicker+c+worm&btnG=Google+Search&aq=f&oq=

Airbot · Mar 25, 2009

The monthly updated Microsoft Malicious Software Removal Tool detects and removes the conficker infection, well supposedly.

BlueMonster · Mar 25, 2009

Airbot said:
The monthly updated Microsoft Malicious Software Removal Tool detects and removes the conficker infection, well supposedly.

Well, that's Good to Hear Airbot~

As I said I run Microsoft Malicious Software Removal Tool, always.

as well as other apps. I think I'm a-Okay, but then again, Conficker C

is supposed to be a Whole new Ball game. :sarc:

I'm never sure of anything, these daze!! LOL!! :confused:

Blue

pacinitaly · Mar 25, 2009

BlueMonster said:
THIS IS NO JOKE!!

Just when you might have thought it was safe to start using USB flash drives at work again, the third, and by all accounts, most fiendish version of the Conficker worm that's infected millions of PCs already is set to attack on April 1st, Ars Technica reports. Conficker.C's designed to hide itself even more thoroughly than its older siblings Conficker.A and Conficker.B, using tricks such as:
•Inserting itself into as many as five Windows-related folders such as System, Movie Maker, Internet Explorer, and others (under a random name, of course)
•Creating access control entries and locking the file(s)
•Registers dummy services using a "one (name) from column A, one from column B, and two from column C" method
To find out what happens when Conficker.C strikes, join us after the jump.
Conficker.C's payload makes it harder than ever to recover from being infected:
•Deactivates Windows Security Center notifications
•Prevents restart in Safe Mode
•Prevents Windows Defender from running at system startup
•Deletes all system restore points
•Disables various error-reporting and security services
•Terminates over twenty security-related processes
•Blocks DNS queries
•Blocks access to security and antivirus websites
•And, to top it all off, Conficker.C can choose from a list of 500 domains to contact out of a pool of 50,000 (way up from Conficker.B's 32 out of 250).

Link:: This is No Joke: Conficker.C to Strike on April Fools' Day | Maximum PC

Removal Tool:: How to use the Downadup removal tools - BDTools.net

+++++++++++++++++++++

I can't say much else, as I don't know much else, though I read about this on another Forum I belong to. I have all my Updates in place as always, ran MS Malware Removal Tool, Ran complete system Scan, my PC turned up clean of
Conflicker A and B as well as C, but then C has not been released as yet.

+++++++++++++++++++++

I do know MS has a bounty out on the individual responsible, $250,000 BUCKS!!

That should give you guys an Idea of how SERIOUS this THREAT is!!

I am not sure about the removal tool either, but that's the only one I found.
Thus far.

JUST A HEADS UP!!! PEOPLE!! :eek:

Blue

Just be AWARE!!

Google:: Conflicker c worm - Google Search=

Holy craaaaaaaaaaaaap

sulu, all shields up

love2009 · Mar 25, 2009

Beware Conficker worm come April 1????

Beware Conficker worm come April 1 : Christopher Null : Yahoo! Tech

Has anyone heard about this???

dinesh · Mar 25, 2009

April 1st Fools Day Time Bomb – Win32/Conficker.C Virus

Introduction:-

Worm Downadup Win32/Conficker.C target large scale attack on 1 April. Worm Downadup Win32/Conficker.C as variants to 3, has the ability memblock some website security system, turning off the security system of Windows components and download the file at random to lead the web to a particular site.
When the Worm Downadup Win32/Conficker.C downloaded and activated by accident on the computer. The worm will copy itself to create a random file name in the Windows System. Worm sometimes release some of the file that is input into the program directory.
Worm Downadup Win32/Conficker.C will be active each time the computer is turned on, because it can be registered from the list of programs that should be active when the computer starts is enabled.
Computer Worm infected Downadup Win32/Conficker.C, directly taking some steps such as turning off the antivirus update system.

Worm will turn off service from Windows:
* wscsvc - Security Center
* WinDefend Windows Defender (Vista)
* wuauserv - Automatic Updates
* BITS - Background Intelligent Transfer Service
* ERSvc - Error Reporting Service
* WerSvc - Windows Error Reporting Service (Vista)

Worm also turn off system restore point, if your computer does not have a system restore then there is the possibility computer has been infected Downadup.

The new version is more resilient to disinfection. Once the system is compromised, the worm disables Windows Update and blocks access to most of the anti-virus websites in order to hinder the user to disinfect his machine.

Fixes :-

Perform Online scan from http://saftey.live.com
MS KB Need to get the MS08-67 update immediately
Antivirus Definition Updates
Strong Network Password Mechanism !!!

Extensa · Mar 26, 2009

Virus to erupt in PCs April 1

Invader may be hiding in your hard drive

By Nick Lewis, Calgary Herald March 25, 2009

It's a malicious virus that could attack computers on April Fool's Day, and it's no laughing matter to the millions of people who could be affected.
The Conficker C Internet worm is a brand-new, sophisticated computer virus that latches onto Windows PCs via unreliable websites and infected downloads. It exploits weaknesses in Microsoft's operating system and conceals itself on a hard drive, laying dormant until April 1 when it will "call home" and search for new instructions from its originator, say Internet experts.
While hundreds of computer viruses have been unleashed and eliminated since the 1980s, what's scary about Conficker C is that no one knows what it does or what it intends to do. It may prove to be the world's biggest April Fool's joke, or it could have the potential to take over your machine and steal all your personal data.
"Somebody thinks this is funny, but we certainly don't," says Byron Holland, president and CEO of the Canadian Internet Registration Authority.
Launched in October, the worm works in two stages, the second of which is expected to commence on April 1.
"The first stage is to go out and infect as many unprotected computers as possible,"Holland says. "The next stage is for that whole network of computers, what we called a'botnet,' to try to reach out and communicate with a centralized command and control centre which will give it some direction."
To hide its tracks, the worm creates a list of tens of thousands of domain names, any of which could become a command and control centre.
"By creating that large list, it makes it harder for those of us in the security community to really isolate the command and control centre,"Holland says. "We don't know who's behind it and as a result, we don't know their intent."
Once a computer is infected with Conficker, it can be controlled by the creator of the worm. The infected computers are used to send spam to millions of other Internet users or to directly send the virus to other computers. The infected computers form a botnet, and this network can then be used to gather personal information--anything from your personal browsing history to your credit card numbers.
"There's some claims that it could be a pretty serious worm," says Stu-art Crawford, VP at Calgary-based IT firm, Bulletproof InfoTech. "It could call home and install something potentially serious.Or it could all be a dark April Fool's joke just to leave everyone on edge. We have no idea."
Because this worm wiggles across the World Wide Web, Calgary's PC users are just as at risk as any others.
"Because of the connected, global world we live in, no computer user anywhere is any more or less susceptible to these viruses,"Crawford says. "They may originate in one area, but it doesn't take long to spread via the Internet."
The program does not infect Macintosh or Linux-based computers. An estimated 12 million Windowsbased PCs around the world are already hosting the worm since its launch in October. Microsoft has since offered a $250,000 reward for any information leading to the capture of the worm's originator.

"Every system has their vulnerabilities, but people write viruses to attack Microsoft systems because they have 90 per cent of the market share, giving any virus a more dam-aging effect,"Crawford says. "Why bother writing software when it affects only a niche audience?"
While in its early stages it was possible to identify and erase the Conficker worm with commercially available antivirus tools. Conficker C, its third and latest version, supposedly removes those preventive programs and turns off Microsoft's security update service.
The program also opens holes in firewalls in an attempt to improve communication with other infected computers. Pirated versions of the Windows operating system, many of which are in use in the developing world, are especially at risk.
"This is a smart worm," says Holland. " We worked with our international colleagues to reverse-engineer the code, that's how we know when it will be deployed as well as what domains it will be hitting.
"Fundamentally, the challenge lies with unprotected computers, computers that either have older or out-of-date operating systems that are not updated, or pirated versions of the operating system that don't get updated."
The good news for PC users running retail versions of Windows is that the virus is preventable with a downloadable security patch from Microsoft.
Crawford, who has 15 years of experience in information technology, says now is the time to update and protect your PC.
"Most people get that annoying message that pops up asking them to update their antivirus software, and they dismiss it and never get around to it,"he says. "If the patches haven't been applied, your vulnerability is much greater."
If you'd like to download the latest Microsoft patch to protect your Windows- based machine, visit technet. microsoft.com.For more information on the ConfickerCvirus, visit Bulletproofitblog.ca
© Copyright (c) The Calgary Herald

This is from the local newspaper. Sounds like another event that is largely blown out of proportion by the media industry *Sigh*.

dk70 · Mar 26, 2009

Yeah it is a bit dissapointing that you can avoid by simply keeping stuff updated. Those with patched Windows have no fun.

pacinitaly · Mar 26, 2009

Does this mean I may have the virus on my hard drive now? :shock:

Check this, I have 171,879 files on my system.
I sorted them by date and checked if any are out of the ordinary...none seem to be except the attached jpeg.

I have all the protection available, can the worm still be there? :sick:

Carmine

echrada · Mar 26, 2009

Final countdown to Conficker 'activation' begins

T-minus six
By John Leyden • Get more from this author
Posted in Anti-Virus, 26th March 2009 13:46 GMT

Security watchers are counting down to a change in how the infamous Conficker (Downadup) worm updates malicious code, due to kick in on Wednesday 1 April.
Starting on 1 April, Windows PCs infected by the latest variant of the Conficker worm (Conficker-C) will start attempting to contact a sample of 50,000 pre-programmed potential call-home web servers from which they might receive updates, a massive increase on the 250 potential web server locales used by earlier variants of the code.

http://ad.uk.doubleclick.net/jump/r...ve=d;sz=336x280;ord=JLNVvNRk6j0AAFfK-LsAAADu?
"Conficker-C isn't going to contact all 50,000 domains per day," explained Niall Fitzgibbon, a malware analyst at Sophos. "It's only going to contact a randomly-chosen 500 of them which gives each infected machine a very small chance of success if the authors register only one domain. However, the P2P system of Conficker can be used to push digitally signed updates out to other infected machines that don't manage to contact the domain.

Final countdown to Conficker 'activation' begins â€¢ The Register

love2009 · Mar 26, 2009

I windows defender and windows live one care for anti virus is there something else I should be using instead or should they be fine?

Just wondering

Thanks

~CJ~

dk70 · Mar 28, 2009

No reason to be alarmed unless OS is not updated, like in this case House of Commons network hit by Conficker computer worm | Technology | guardian.co.uk Such stories can make you cry and laugh at the same time. Not like they were not warned.

Btw, if you mainly bought OneCare for Antivirus protection or that is what you actually use, then you should probably not extend. MS release free AV this summer. Dont think it is fixed yet.

BlueMonster · Mar 28, 2009

dk70 said:
No reason to be alarmed unless OS is not updated, like in this case House of Commons network hit by Conficker computer worm | Technology | guardian.co.uk Such stories can make you cry and laugh at the same time. Not like they were not warned.

Btw, if you mainly bought OneCare for Antivirus protection or that is what you actually use, then you should probably not extend. MS release free AV this summer. Dont think it is fixed yet.

DK~

I always feel better when I read your posts about Conficker C. As I'm all up to date. Etc. Northing's broken that I'm aware of, I might go into OFF-LINE mode on April 1st though. LOL!! Just to be sure!! Not that, that would help any

:D

Blue

dk70 · Mar 28, 2009

There will be other scams around that day, be sure of that. Like Valentines day where sites offering pretty ecards and stuff pops up - as does trojans etc.

jay817 · Mar 28, 2009

a college near me had this and had a 41% infection rate p.cs and servers
this is not including memory sticks that got infected.
there is now a requirement if you have sued you memory stick there to have it cleaned by the technicians (using Linux ubuntu to stop infection regaining and avast)finding out if the pc could acess sercutiy site was a god way to checking a p.c
some of the stuff the virus caused where clogging the print pool and locking people out of the network

dk70 · Mar 28, 2009

So that sucks but what differs Admins of that college network to whoevers aunt stupidly clicking on everything moving?

Unless Ive misunderstood Conficker the cool thing is you can blaim people - and some deserve it. Being Admin means you are responsible for making strategies protecting against these type of infections, why there are Admins and why they are paid... Some fail.

How will they look when this strikes http://www.donationcoder.com/Forums/bb/index.php?topic=17583.msg157226;topicseen#msg157226 http://www.donationcoder.com/Forums/bb/index.php?topic=17583.0 - if not a hoax of course.

love2009 · Mar 28, 2009

dk70 said:
No reason to be alarmed unless OS is not updated, like in this case House of Commons network hit by Conficker computer worm | Technology | guardian.co.uk Such stories can make you cry and laugh at the same time. Not like they were not warned.

Btw, if you mainly bought OneCare for Antivirus protection or that is what you actually use, then you should probably not extend. MS release free AV this summer. Dont think it is fixed yet.

Thanks dk thankfully my os is all updated.

~CJ~

jay817 · Mar 28, 2009

I think the admins can be blamed to an extent as using a diagnostic tool on the pc found 50 updates that had not been applied this was going back a few weeks now (no excuse as this can be done remotely)

I dont think i will be using public access points now (including the pay for use ones)

Conficker.C, WORM, Serious Threat!!

Uber PC Nut Case

My Computer

---------------

My Computer

Uber PC Nut Case

My Computer

HappyGuru Lovin2Help

My Computer

New Member

My Computer

Vista Expert

My Computer

Pusher of Buttons

My Computer

Member

My Computer

HappyGuru Lovin2Help

My Computer

My Computer

New Member

My Computer

Member

My Computer

Uber PC Nut Case

My Computer

Member

My Computer

My Computer

Member

My Computer

New Member

My Computer

My Computer