Mal/Conficker-A is a worm for the Windows platform

Status
Not open for further replies.

Bobbye

Mal/Conficker-A Very Active:

How it spreads:
* Removable storage devices
* Network shares
Characteristics:
* Installs itself in the registry

Does this sound familiar?
Actions: It disables common anti-malware programs and uses DNS modifications to prevent local end-users from surfing to anti-malware-related Web sites (which might be one of the first clues that you're infected). It spreads to mapped file shares and identified removable drives. Once there, it creates a subdirectory called Recycler (emulating the Recycle Bin) and places an Autorun.inf file, which may be auto-launched when the drive is visited.
Mal/Conficker-A may spread through Windows file shares protected with weak passwords, by copying itself to removable storage devices and by exploiting the MS08-067 Windows Server service vulnerability.
The Conficker worm's main exploit vector is buffer overflowing unpatched versions of the Windows Server service, which is represented by the Workstation and Server services and svchost.exe processes.
Mal/Conficker-A will attempt to copy itself to the following location:
<System>\<random filename>
(e.g. C:\windows\system32\zdtnx.g)
This file is set up to run as a service, also using a random name, when Windows starts. Mal/Conficker-A modifies permissions on the service registry entries so that they are not visible to the user.
The registry entries added by Mal/Conficker-A are under:
HKLM\SYSTEM\CurrentControlSet\Services\<random service name>

The random service name will also be added to the list of services referenced by:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\netsvcs
When spreading to removable media Mal/Conficker-A attempts to create the following hidden files:
<Removable Drive Root>\autorun.inf
<Removable Drive Root>\RECYCLER\S-x-x-x-xxx-xxx-xxx-x\<Random Letters>.dll (where x represents a random digit)

If you don't patch, the ever-transforming Conficker malware program could end up testing your security perimeter breach responses.
Emergency Microsoft Patch MS08-067 Issued, Exploit code in wild. The patch: Microsoft released it in Oct. 2008 to Windows Update.
The patch can be found here: http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

Sources and Additional information : Sophos http://www.sophos.com/security/analyses/viruses-and-spyware/malconfickera.html?_log_from=rss
InfoWorld: http://weblog.infoworld.com/securit...r_malwa.html?source=NLC-DAILY&cgd=2009-01-16]
TechNet http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
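The indicators listed in the post above (the MS08-067 patch, a random-named service hooked into the SvcHost netsvcs group with a tampered registry key, and autorun.inf plus RECYCLER\S-x-x-x-...\<random>.dll on removable drives) can be checked from a script. The following is an added PowerShell triage script, not something from the original post or from Sophos/Microsoft. It assumes Windows PowerShell 3.0 or later run from an elevated prompt; the KB number 958644 is the one the TechNet bulletin links to, and the "no DisplayName" heuristic for netsvcs entries is an assumption of this script, not something the post states.

```powershell
# Added triage script (not from the original post). Assumes Windows PowerShell 3.0+
# run elevated. Indicators come from the description above: MS08-067 (KB958644),
# a random-named service listed in SvcHost\netsvcs whose Services key may be
# ACL-tampered, and autorun.inf + RECYCLER\S-x-x-x...\<random>.dll on removable media.

# 1. Is the MS08-067 fix installed? Only meaningful on XP/2003/Vista/2008; later
#    Windows versions shipped with the fix and will never list this KB.
$fix = Get-HotFix -Id 'KB958644' -ErrorAction SilentlyContinue
if ($fix) { "MS08-067 patch present: KB958644 installed $($fix.InstalledOn)" }
else      { "WARNING: KB958644 not listed (unpatched, or an OS that never needed it)" }

# 2. Walk the netsvcs group. Every name should have a readable Services key.
#    The worm's entry is a random name whose ServiceDll sits in System32; the
#    post says it also changes the key's permissions, so an access-denied error
#    on a key that exists is itself an indicator.
$netsvcs = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost').netsvcs
foreach ($name in $netsvcs) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    try {
        $svc = Get-ItemProperty -Path $key -ErrorAction Stop
        $dll = (Get-ItemProperty -Path "$key\Parameters" -ErrorAction SilentlyContinue).ServiceDll
        # Heuristic (assumption of this script): genuine Windows services carry a
        # DisplayName; a bare key with a ServiceDll and none is worth a look.
        if ($dll -and -not $svc.DisplayName) {
            "SUSPECT service '$name': no DisplayName, ServiceDll = $dll"
        }
    } catch [System.Security.SecurityException], [System.UnauthorizedAccessException] {
        "SUSPECT service '$name': key exists but access is denied (ACL tampering?)"
    } catch {
        # Key missing entirely: a stale netsvcs entry, not an indicator on its own.
    }
}

# 3. Removable drives (Win32_LogicalDisk DriveType 2): a hidden autorun.inf at the
#    root plus RECYCLER\S-*\*.dll is the propagation pattern described above.
Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
    $root    = $_.DeviceID + '\'
    $autorun = Join-Path $root 'autorun.inf'
    if (Test-Path $autorun) {
        $attr = (Get-Item $autorun -Force).Attributes
        "autorun.inf on $root (attributes: $attr)"
        # Print only the lines that launch something, so the target can be checked.
        Get-Content $autorun -ErrorAction SilentlyContinue |
            Where-Object { $_ -match '^\s*(open|shellexecute|shell\\.*\\command)\s*=' }
    }
    # Wildcard path: list *.dll inside every RECYCLER\S-... directory on the drive.
    Get-ChildItem (Join-Path $root 'RECYCLER\S-*') -Filter '*.dll' -Force -ErrorAction SilentlyContinue |
        ForEach-Object { "SUSPECT: $($_.FullName)" }
}
```

Treat every line this prints as a lead to verify, not a verdict: a legitimate vendor service can lack a DisplayName, a drive can carry a benign autorun.inf, and an autorun.inf written by a worm is often padded with junk that the regex will not match. Run it on the suspect machine while it is disconnected from the network, as the later post in this thread advises, and compare the service name it flags against the <System>\<random filename> path and the RECYCLER DLL before deleting anything.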
 
just beautiful

this post should be a MODEL for known infection/resolutions;

in fact (imo), this style and content deserves its own subforum!
 
I think Joebeard's idea should go in the site feedback and suggestions (tell me if you do, I'll back ya up :))
This should be stickied as well. Really good info Bobbye :approve:

PS, any known fixes yet? I know they got one denied on the grounds that it would be unauthorized use.
 
Scary isn't it! Sounds like quite a few of the malware posts here!

I must admit you're right. Looking over there, there seem to be a few signs here and there. It's 3.5 million infected machines up to now, so F-Secure could really use a workaround to help get it sorted.
 
The easiest way is to write a script specific to the users random files - I prefer combofix

Afterwards, there is a tool from microsoft to repair the autorun features - the user has to log off their user account then log back in for the changes to take effect :grinthumb
 
Hmm, sounds interesting. Where do you learn to write scripts for ComboFix etc.?

I'm guessing you mean like where you put:

File for deletion
File
fileexample.exe

Registrykey
fiwefwn4233yr9r

something like that anyhow :p. Obviously there isn't a registry key fiwefwn4233yr9r, but you know what I mean :p

Sorry if I'm ruining your post btw Bobbye :eek:
 
Over 9 million people are now infected with this...

Did you notice Microsoft released the patch back in October 2008? Goes to show how many unsecured systems are out there.

If you had automatic updates enabled you should have received the patch back then

A good firewall also goes a long way
 
An Update on the Conficker Worm aka Downadup

The morning paper gave some descriptions of this worm which give real-world analogies to its activities:

" If you're looking for a digital Pearl Harbor, we now have the Japanese ships steaming toward us on the horizon." (Rick Wesson, CEO of Support Intelligence)

"I don't know why more people aren't afraid of these programs- this is like having a mole in your organization that can do things like send out any information it finds on machines." (Merrick L. Furst computer scientist at Georgia Tech)

And although Conficker is supposedly a new program, it borrows from earlier work by an Eastern European criminal gang using the idea of "scareware": warning users of an infection and asking for a credit card number to pay for an antivirus program (bogus, of course) which actually further infects the system.

A twist was found in the original version of the program: if the computer had a Ukrainian keyboard, it would not infect the computer!!! (sounds like shades of the DNSChanger)

And finally, it has been found that about 30% of Windows-based systems remain vulnerable because they have not gotten the patch. (Oct. 2008, Microsoft Security Bulletin MS08-067 – Critical – Vulnerability in Server Service Could Allow Remote Code Execution (958644))

Source: St. Petersburg Times (from the NY Times)
 
....Afterwards, there is a tool from microsoft to repair the autorun features - the user has to log off their user account then log back in for the changes to take effect :grinthumb
The vulnerability cited here is one of many. While patched against that exploit, all heck broke loose when I connected a refurbished TomTom navigator to my laptop and directed it to update from the internet. ComboFix rescued the laptop and its ability to use DNS, but I need more info about 'autorun', since the TomTom cannot relink to the internet.

Before repairing the autorun, to my way of thinking, this thread suggests scanning the TomTom for anything that implicates the device rather than the unsecured wifi connection that was used.
 
I am posting this separate as I wanted to stress:

In a network setting, one must take care to isolate infected machines from the other computers on the network while cleaning them, as the machine may be reinfected by other systems not yet cleaned.
 