also @ TechSpot: Exploit allows command prompt to launch at Windows 7 login screen

TechSpot
Register now for a live online demo to see how the Office 365 suite of tools
- professional email, calendars, video conferencing, and file sharing -

Mal/Conficker-A is a worm for the Windows platform

Discussion in 'Virus and Malware Removal' started by Bobbye, Jan 16, 2009.

Thread Status:
Not open for further replies.

  1. Bobbye Helper on the Fringe

    Mal/Conficker-A Very Active:

    How it spreads : * Removable storage devices, * Network shares
    Characteristics: * Installs itself in the registry

    Does this sound familiar?

    If you don't patch, the ever-transforming Conficker malware program could end up testing your security perimeter breach responses.
    Emergency Microsoft Patch MS08-067 Issued, Exploit code in wild. The Patch:. Microsoft released the patch on Oct. 2008 to windows update.
    The patch can be found here: http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

    Sources and Additional information : Sophos http://www.sophos.com/security/analyses/viruses-and-spyware/malconfickera.html?_log_from=rss
    InfoWorld: http://weblog.infoworld.com/securit...r_malwa.html?source=NLC-DAILY&cgd=2009-01-16]
    TechNet http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
    Bobbye, Jan 16, 2009
    #1

  2. jobeard TechSpot Ambassador

    just beautiful

    this post should be a MODEL for known infection/resolutions;

    in fact (imo), this style and content deserves its own subforum!
    jobeard, Jan 17, 2009
    #2

  3. rev_olie TechSpot Guru

    I think Joebeards idea should go in the site feedback and suggestions (tell me if you do I'll back ya up :))
    This should be stickied as well. Really good info Bobbeye :approve:

    PS any know fixes yet? I know they got one denied on the grounds that it would be unauthorized use
    rev_olie, Jan 17, 2009
    #3

  4. Bobbye Helper on the Fringe

    Scary isn't it! Sounds like quite a few of the malware posts here!
    Bobbye, Jan 17, 2009
    #4

  5. rev_olie TechSpot Guru

    I must admit your right. Looking over there seems to be a few signs here and there. Its 3.5 million infected machines up to now, so Fsecure could really use a workaround to help get it sorted
    rev_olie, Jan 17, 2009
    #5

  6. Blind Dragon Newcomer, in training

    The easiest way is to write a script specific to the users random files - I prefer combofix

    Afterwards, there is a tool from microsoft to repair the autorun features - the user has to log off their user account then log back in for the changes to take effect :grinthumb
    Blind Dragon, Jan 18, 2009
    #6

  7. rev_olie TechSpot Guru

    Hmm sounds interesting. Were do yo learn to write scripts for combofix etc?

    Im guessing you mean like were you put:

    File for deleation
    File
    fileexample.exe

    Registrykey
    fiwefwn4233yr9r

    something like that anyhow :p. Obviousley there isnt a registry key fiwefwn4233yr9r but you know what i mean :p

    Sorry if im ruining you post btw bobbye :eek:
    rev_olie, Jan 18, 2009
    #7

  8. Blind Dragon Newcomer, in training

    Over 9 million people are now infected with this...

    Did you notice Microsoft released the patch back in October 2008. Goes to show how many unsecured systems are out there.

    If you had automatic updates enabled you should have received the patch back then

    A good firewall also goes a long way
    Blind Dragon, Jan 19, 2009
    #8

  9. Bobbye Helper on the Fringe

    An Update on the Conficker Worm aka Downadup

    The morning paper gave some descriptions of this Worm which give real world mean analogies to it's activities:

    " If you're looking for a digital Pearl Harbor, we now have the Japanese ships steaming toward us on the horizon." (Rick Wesson, CEO of Support Intelligence)

    "I don't know why more people aren't afraid of these programs- this is like having a mole in your organization that can do things like send out any information it finds on machines." (Merrick L. Furst computer scientist at Georgia Tech)

    And although Conficker is supposedly a new program, it borrows on earlier work by an Eastern European criminal gang using the idea of "scareware"- warning users of an infection and asking for a credit card number to pay for an antivirus program-bogus of course-which actually further infects the system.

    A twist was found in the original version of the program: if the computer had a Ukrainian keyboard, it would not infect the computer!!! (sound like shades of the DNS Changer)

    And finally, it has been found that about 30% of Windows-based system remain vulnerable because they have not gotten the patch. (Oct. 2008, Microsoft Security Bulletin MS08-067 – Critical-Vulnerability in Server Service Could Allow Remote Code Execution (958644))

    Source: St. Petersburg Times from the NY Times)
    Bobbye, Jan 23, 2009
    #9

  10. rf6647 Newcomer, in training

    The vulnerability cited here is one of many. While patched against that exploit, all heck broke loose when I connected a refurbished TomTom navigator to my laptop, and I directed it to update from the internet. ComboFix rescued the laptop and its ability to use DNS, but I need more info about 'autorun', since the Tomtom cannot relink to the internet.

    Before repairing the autorun, to my way of thinking, this thread suggests scanning the TomTom for anything that implicates the device rather than the unsecured wifi connection that was used.
    rf6647, Jan 27, 2009
    #10

  11. Blind Dragon Newcomer, in training

    Blind Dragon, Jan 27, 2009
    #11

  12. Blind Dragon Newcomer, in training

    I am posting this separate as I wanted to stress:

    In a network setting, one must take care to isolate infected machines from the other computers on the network while cleaning them, as the machine may be reinfected by other systems not yet cleaned.
    Blind Dragon, Jan 27, 2009
    #12
Thread Status:
Not open for further replies.