Bobbye
Mal/Conficker-A Very Active:
How it spreads:
* Removable storage devices
* Network shares
Characteristics:
* Installs itself in the registry
Does this sound familiar?
If you don't patch, the ever-transforming Conficker malware program could end up testing your security perimeter breach responses.
Emergency Microsoft Patch MS08-067 Issued, Exploit code in wild. The Patch: Microsoft released the patch in Oct. 2008 to Windows Update.
The patch can be found here: http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
Sources and Additional information : Sophos http://www.sophos.com/security/analyses/viruses-and-spyware/malconfickera.html?_log_from=rss
InfoWorld: http://weblog.infoworld.com/securit...r_malwa.html?source=NLC-DAILY&cgd=2009-01-16
TechNet http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
Actions: It disables common anti-malware programs and uses DNS modifications to prevent local end-users from surfing to anti-malware-related Web sites (which might be one of the first clues that you're infected). It spreads to mapped file shares and identified removable drives. Once there, it creates a subdirectory folder called Recycler (emulating the Recycle Bin) and places an Autorun.inf file, which may be auto-launched when visited.
Mal/Conficker-A may spread through Windows file shares protected with weak passwords, by copying itself to removable storage devices and by exploiting the MS08-067 Windows Server service vulnerability.
The Conficker worm's main exploit vector is by buffer overflowing unpatched versions of Windows Server services, which is represented by the Workstation and Server services, and svchost.exe processes.
Mal/Conficker-A will attempt to copy itself to the following location:
<System>\<random filename>
(e.g. C:\windows\system32\zdtnx.g)
This file is set up to run as a service, also using a random name, when Windows starts. Mal/Conficker-A modifies permissions on the service registry entries so that they are not visible to the user.
The registry entries added by Mal/Conficker-A are under:
HKLM\SYSTEM\CurrentControlSet\Services\<random service name>
The random service name will also be added to the list of services referenced by:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\netsvcs
When spreading to removable media Mal/Conficker-A attempts to create the following hidden files:
<Removable Drive Root>\autorun.inf
<Removable Drive Root>\RECYCLER\S-x-x-x-xxx-xxx-xxx-x\<Random Letters>.dll (where x represents a random digit)
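A read-only sweep of a removable drive root for the two artefacts listed in the post (the root `autorun.inf` and the `RECYCLER\S-x-x-x-xxx-xxx-xxx-x\<Random Letters>.dll` file), added here as an example that is not part of the original post or of the Sophos analysis. The function names and the sample tree are constructed, and the patterns are taken literally from the post; the hidden attribute and file contents are not checked.

```python
import os
import re
import tempfile

# Folder and file patterns exactly as the post describes them (x = one digit).
SID_DIR = re.compile(r"^S-\d-\d-\d-\d{3}-\d{3}-\d{3}-\d$", re.IGNORECASE)
LETTERS_DLL = re.compile(r"^[A-Za-z]+\.dll$", re.IGNORECASE)

def _entries(path):
    """List a directory, returning [] if it is missing or unreadable."""
    try:
        return sorted(os.listdir(path))
    except OSError:
        return []

def scan_drive_root(root):
    """Return (kind, relative_path) findings for one drive root."""
    findings = []
    for name in _entries(root):
        full = os.path.join(root, name)
        # Compare names case-insensitively, as Windows file systems do.
        if name.lower() == "autorun.inf" and os.path.isfile(full):
            findings.append(("autorun", name))
        elif name.lower() == "recycler" and os.path.isdir(full):
            for sub in _entries(full):
                if not SID_DIR.match(sub):
                    continue  # ordinary Recycle Bin SIDs do not fit the pattern
                for f in _entries(os.path.join(full, sub)):
                    if LETTERS_DLL.match(f):
                        findings.append(("payload", os.path.join(name, sub, f)))
    return findings

def is_suspect(findings):
    """Both artefacts together match the post; either alone is only a lead."""
    kinds = {kind for kind, _ in findings}
    return {"autorun", "payload"} <= kinds

def build_sample(root):
    """Constructed sample tree (empty files) imitating the described layout."""
    sid = os.path.join(root, "RECYCLER", "S-5-3-4-100-200-300-7")
    os.makedirs(sid)
    for p in (os.path.join(root, "autorun.inf"), os.path.join(sid, "qwerty.dll")):
        open(p, "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample(d)
        for kind, rel in scan_drive_root(d):
            print(kind, rel)
```

An `autorun.inf` on its own is common on legitimate media, which is why `is_suspect` requires both artefacts before flagging a drive.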