Conficker C Computer Virus – Infect Your Friends And Enemies

Comments From Norton & McAfee On Conficker C 

This update from Symantec:

Worried about the Conficker worm striking on April 1st? A few simple steps can protect you.

Target: All users of Windows XP and Windows Vista.

If you’re worried about the Conficker worm striking on April 1st, don’t be.

On April 1st the Conficker worm will simply start taking more steps to protect itself. Beginning on April 1st the worm will use a communications system that is more difficult for security researchers to interrupt.

The Conficker worm, sometimes called Downadup or Kido, has managed to infect a large number of computers. Specifics are hard to come by, but some researchers estimate that millions of computers have been infected with this threat since January. Current users of Symantec’s Norton security products are protected. Users who lack protection are invited to download a trial version of Norton AntiVirus 2009, Norton Internet Security 2009 or Norton 360 Version 3.0. If you are unable to reach our web site, you may be infected. In that case you will need to get to a computer that is not infected, download our specialized Conficker removal tool and run it on the infected machine before installing new antivirus software. Symantec has a detailed technical analysis of the threat here.

CBS correspondent Leslie Stahl met with Steve Trilling, Symantec’s VP of Security Technology and Response, to talk about the impact of the Conficker worm.

The video is currently unavailable. Click here to read the transcript.

What does the Conficker worm do?

The Conficker worm has created secure infrastructure for cybercrime. The worm allows its creators to remotely install software on infected machines. What will that software do? We don’t know. Most likely the worm will be used to create a botnet that will be rented out to criminals who want to send spam, steal IDs and direct users to online scams and phishing sites.

The Conficker worm mostly spreads across networks. If it finds a vulnerable computer, it turns off the automatic backup service, deletes previous restore points, disables many security services, blocks access to a number of security web sites and opens infected machines to receive additional programs from the malware’s creator. The worm then tries to spread itself to other computers on the same network.

How does the worm infect a computer?

The Downadup worm tries to take advantage of a problem with Windows (a vulnerability) called MS08-067 to quietly install itself. Users who automatically receive updates from Microsoft are already protected from this. The worm also tries to spread by copying itself into shared folders on networks and by infecting USB devices such as memory sticks.

Who is at risk?

Users whose computers are not configured to receive patches and updates from Microsoft and who are not running an up to date antivirus product are most at risk. Users who do not have a genuine version of Windows from Microsoft are most at risk since pirated systems usually cannot get Microsoft updates and patches.

What to do if you are infected

If you are reading this page, your computer is probably not infected with Conficker as the worm blocks access to most security web sites.

If you have a computer that is infected, you will need to use an uninfected computer to download a specialized Conficker removal tool. The tool is available here.

Advice to Stay Safe from the Downadup Worm:

  1. Run a good security suite (we are partial to Norton Internet Security 2009 and Norton 360 Version 3.0).
  2. Keep your computer updated with the latest patches. If you don’t know how to do this, have someone help you set your system to update itself.
  3. Don’t use “free” security scans that pop up on many web sites. All too often these are fake, using scare tactics to try to get you to purchase their “full” service. In many cases these are actually infecting you while they run. There is reason to believe that the creators of the Conficker worm are associated with some of these fake security products.
  4. Turn off the “autorun” feature that will automatically run programs found on memory sticks and other USB devices.
  5. Be smart with your passwords. This includes:
     1. Changing your passwords periodically.
     2. Using complex passwords – no simple names or words; use special characters and numbers.
     3. Using a separate, longer password for each site that has sensitive personal information or access to your bank accounts or credit cards.
  6. Use a password management system such as Identity Safe (included in Norton Internet Security 2009 and Norton 360 Version 3.0) to track your passwords and to fill out forms automatically.
  7. Run Norton Internet Security 2009, Norton AntiVirus 2009 or Norton 360 Version 3.0. You can also try Norton Security Scan.


Q: What should I do if my PC is infected?

A: If you have a computer that is infected, you will need to use an uninfected computer to download a specialized Conficker removal tool. The tool is available here.

Q: Am I safe if I don’t go to questionable web sites?

A: No. The Conficker worm seeks out computers on the same network. You can be in a coffee shop, an airport or in the office and the worm will quietly try to attach to your computer and run itself.

Q: How do I know if I am infected?

A: The best way to know if you are infected is to run a good antivirus product. One symptom that may indicate you are infected is finding that your computer is blocked from accessing the web sites of most security companies.

Q: Can’t I just run free antivirus software?

A: Yes, but free products often aren’t thorough or comprehensive. Worse, the internet is overflowing with fake free security scanners that actually infect your computer. Fake scanners such as “Antivirus 2008” are difficult to identify and have plagued hundreds of thousands of users around the world.

Norton Recommends

Run Norton Internet Security 2009, Norton AntiVirus 2009 or Norton 360 Version 3.0. All of these products will detect and remove the Downadup worm.

You can also exchange ideas and developments on Downadup at the Norton Forums. Detailed blogs on Downadup and other malicious programs can be found on Symantec’s Malware Blog.


Parental Controls

  • Provides password protected control profiles for adult, teen, and child
  • Offers pre-defined standard profiles that are customizable for the individual user.
  • Blocks inappropriate websites based on user control profile settings.
  • Logs attempts to access blocked websites.

Confidential Information Blocking

  • Blocks sensitive information (identified as confidential) from inadvertent transfer out of your computer.
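The Symantec advice above twice comes back to removable media: the worm copies itself to USB sticks and relies on autorun to get executed, and the fix is to turn autorun off. As an added example (not Symantec’s or Norton’s code), the Python below shows what a responder actually looks for when triaging an autorun.inf pulled off a suspect stick: it parses the file the lenient way the Windows INI reader does, so binary padding between directives does not hide them, and it flags the traits of a Conficker-style file, such as a rundll32 call into a file under a recycle-bin directory dressed up to look like Explorer’s normal “Open folder to view files” choice. The two sample autorun.inf files, the RECYCLER path and the file name inside them are constructed for this illustration, not recovered from a real infection.

```python
"""Triage of an autorun.inf from removable media: parse it the lenient way
Windows does (unparseable lines are ignored, which is how junk-padded files
still execute), then flag the pattern Conficker-style USB spreaders use.
All sample data below is constructed for this example."""
import re
import string
from typing import Dict, List, Optional

PRINTABLE = set(string.printable.encode())
EXEC_KEYS = {"open", "shellexecute"}        # directives whose value is run
DLL_EXTENSIONS = {"dll", "ocx", "cpl"}       # what rundll32 normally loads


def parse_autorun(raw: bytes) -> Dict[str, Dict[str, str]]:
    """Return {section: {key: value}} for an INI-style autorun.inf.
    Lines that are not '[section]' or 'key=value' with a sane key are
    skipped instead of raising, mirroring the Windows INI reader."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    # Split only on real line terminators; str.splitlines() would also split
    # on control bytes such as 0x85 that junk padding may contain.
    for line in re.split(r"\r\n|\n|\r", raw.decode("latin-1")):
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if not re.fullmatch(r"[a-z0-9_\\]+", key):   # junk, not a directive
            continue
        sections[current][key] = value.strip()
    return sections


def _rundll32_target(cmd: str) -> Optional[str]:
    """For 'rundll32[.exe] <path>,<entry>' return <path>, else None."""
    parts = cmd.strip().split(None, 1)
    if len(parts) != 2 or not parts[0].lower().startswith("rundll32"):
        return None
    return parts[1].rsplit(",", 1)[0].strip().strip('"')


def triage_autorun(raw: bytes) -> List[str]:
    """Return 'CODE: detail' findings; an empty list means nothing stood out."""
    findings: List[str] = []
    auto = parse_autorun(raw).get("autorun", {})
    # open=, shellexecute= and shell\<verb>\command= all end up executed
    commands = {k: v for k, v in auto.items()
                if k in EXEC_KEYS or (k.startswith("shell\\") and k.endswith("\\command"))}
    for key, cmd in commands.items():
        low = cmd.lower()
        if re.search(r"\brecycler\b|\brecycled\b|\$recycle\.bin", low):
            findings.append(f"RECYCLER_PATH: {key} runs a file kept in a recycle-bin directory")
        target = _rundll32_target(cmd)
        if target is not None:
            findings.append(f"RUNDLL32_FROM_MEDIA: {key} loads a DLL off the media via rundll32")
            ext = target.rsplit(".", 1)[-1].lower() if "." in target else ""
            if ext not in DLL_EXTENSIONS:
                findings.append(f"NON_DLL_EXTENSION: rundll32 target '{target}' is not a .dll/.ocx/.cpl")
    if commands and auto.get("action", "").lower().startswith("open folder"):
        findings.append("FOLDER_MIMICRY: Action text imitates Explorer's 'Open folder to view files'")
    junk = sum(1 for b in raw if b not in PRINTABLE)
    if junk:
        findings.append(f"JUNK_PADDING: {junk} non-text bytes inside a plain-text INI file")
    return findings


SAMPLE_AUTORUN = (   # constructed to resemble the junk-padded style; path and name are invented
    b"[autorun]\r\n"
    b"\x01\x8f\xf3\x00\xd2 padding Windows' INI reader ignores\r\n"
    b"Action=Open folder to view files\r\n"
    b"Icon=%systemroot%\\system32\\shell32.dll,4\r\n"
    b"\xde\xad\xbe\xef\r\n"
    b"shellexecute=RUNDLL32.EXE .\\RECYCLER\\S-1-5-21-0000\\example.vmx,entry\r\n"
    b"UseAutoPlay=1\r\n"
)
BENIGN_AUTORUN = (   # constructed: what a typical vendor install disc carries
    b"[autorun]\r\nopen=setup.exe\r\nicon=setup.exe,0\r\nlabel=Vendor Installer\r\n"
)

if __name__ == "__main__":
    for name, data in (("suspect", SAMPLE_AUTORUN), ("benign", BENIGN_AUTORUN)):
        print(name, triage_autorun(data) or ["clean"])
```

Run it as-is to see the suspect file produce five findings and the benign installer none; point `triage_autorun` at `open(path, "rb").read()` for a real file. The parser deliberately never raises on garbage, because the whole point of the padding trick is that Windows does not either.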


This From McAfee:

Identifying and removing Conficker

There’s been a lot of talk about how Conficker is going to create havoc on April 1. Conficker, formally named W32/Conficker.worm, began infecting systems at the end of 2008 by exploiting a vulnerability in Microsoft Windows. Since then McAfee has seen two more variants of this worm and many binaries – files ready to load into memory and execute – that carry the worm’s malicious payload. Conficker.C is the latest variant. Its “call-home protocol” will change on Wednesday, April 1, and may entail an update with some as-yet unknown functionality.

McAfee already offers protection from the Conficker worm in its endpoint and network products, and Microsoft has issued a security patch for the vulnerability that the Conficker family has used to propagate. Yet many computer users continue to worry about infection. The information below will help you understand more about the worm, the steps you can take to clean an infected system, and measures to prevent reinfection.

What is the Conficker worm?

Conficker.C is the most recent variant of the Conficker worm. Exposure to Conficker.C is limited to systems that are still infected with the earlier variants, Conficker.A and Conficker.B, which operate by exploiting the MS08-067 vulnerability in Microsoft Windows Server Service. If the vulnerability is successfully exploited, it could allow remote code execution when file sharing is enabled. Conficker combats efforts at eradication by creating scheduled tasks and/or using autorun.inf files to reactivate itself.

McAfee has identified thousands of binaries that carry the Conficker payload. Depending on the specific variant, the worm may spread via LAN, WAN, web, or removable drives, and by exploiting weak passwords. Conficker disables several important system services and security products, and downloads arbitrary files. Computers infected with the worm become part of an “army” of compromised computers and could be used to launch attacks on websites, distribute spam, host phishing websites, or carry out other malicious activities.

How to tell if your system is infected

Symptoms of Conficker infection include the following:

  • Access to security-related sites is blocked
  • Users are locked out of the directory
  • Traffic is sent through port 445 on non-Directory Service (DS) servers
  • Access to administrator shared drives is denied
  • Autorun.inf files are placed in the recycled directory, or trash bin


Steps to remove Conficker and prevent re-infection

We recommend customers take the following steps to remove W32/Conficker.worm and prevent it from spreading:

  1. Install Microsoft Security Update MS08-067.
  2. Clean the infected systems, and reboot
    Use anti-malware solutions such as McAfee VirusScan Plus or ToPS for Endpoint to clean the infection. Use behavioral detection techniques like the buffer overflow protection in Host IPS to prevent future infections. This is important because Conficker can propagate via portable media such as infected USB drives. As the media are accessed, the system processes autorun.inf and executes the attack. For more information, read McAfee Avert Labs’ document “Combating Conficker Worm.”
  3. Identify other systems at risk of infection
    You need to identify which systems are at risk. The list includes systems that either are not patched against Microsoft vulnerability MS08-067 or do not have proactive protection controls to mitigate the vulnerability. McAfee Vulnerability Manager and ePolicy Orchestrator can identify systems that are vulnerable and not protected.
  4. Limit the threat’s ability to propagate
    Using network IPS at strategic points in your network will quickly limit the ability of the threat to spread. This gives you time to either update your client anti-virus signatures or modify policies to block the threat using the behavioral controls.

McAfee Products Coverage for Conficker Worm

McAfee Product: Coverage

  • McAfee VirusScan Plus, McAfee Internet Security, McAfee Total Protection: The latest signature (DAT) files include detection and repair for this worm; if you have performed an update recently you are already covered.
  • ToPS Endpoint & ToPS Service: The signature (DAT) files include detection and repair for this worm. Buffer overflow protection in the scan engine and Generic Buffer Overflow in Host IPS are expected to cover code-execution exploits. Host IPS also includes a signature for “Vulnerability in Server Service Could Allow Remote Code Execution” (CVE-2008-4250).
  • Network Security Platform (IntruShield): Includes coverage for “Microsoft Server Service Remote Code Execution Vulnerability”.
  • McAfee Network Access Control (NAC): Identifies nodes that have not been patched and denies them access to the network unless they are updated.
  • McAfee Vulnerability Manager (VM): Includes coverage for MS08-067. Identifies machines vulnerable to infection by Conficker as well as machines infected by Conficker.C.
  • McAfee Web Gateway (formerly Webwasher): Includes a signature to detect and block the worm at the gateway.
  • McAfee Conficker Detection Tool: Identifies machines infected by Conficker.C.
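Two of the symptoms McAfee lists above are visible in logs before any vendor signature fires: a single host sending TCP/445 traffic to many peers (both the MS08-067 exploit and the ADMIN$ share spread ride SMB, and a domain controller is the only box that should legitimately fan out like that), and a single host hammering administrator shares with password guesses until accounts lock out. As an added example (not McAfee’s code or any of the products named above), the Python below turns those two symptoms into log triage so the “identify other systems at risk” step has a candidate list to start from. The flow-log and logon-audit formats, the IP addresses, the domain-controller list and every log line are constructed for this illustration; the thresholds and the 60-second window are arbitrary assumptions to tune for your own network.

```python
"""Host triage from network and logon logs for two Conficker symptoms:
SMB (TCP/445) fan-out from a non-DS host, and admin-share password guessing.
Log formats and all sample lines are constructed for this example."""
import re
from collections import defaultdict
from typing import Dict, List

# Constructed flow-log format: "<epoch> <src_ip> <dst_ip> <dst_port> <proto>"
FLOW_RE = re.compile(r"^(\d+) (\S+) (\S+) (\d+) (tcp|udp)$")
# Constructed logon-audit format: "<epoch> LOGON_FAIL src=<ip> user=<name> share=<share>"
AUTH_RE = re.compile(r"^(\d+) LOGON_FAIL src=(\S+) user=(\S+) share=(\S+)$")

DOMAIN_CONTROLLERS = {"10.0.0.5", "10.0.0.6"}   # assumed: hosts allowed to talk 445 widely
ADMIN_SHARES = {"ADMIN$", "C$", "IPC$"}


def smb_fanout(flow_lines: List[str], min_targets: int = 20, window_s: int = 60) -> Dict[str, int]:
    """Return {src_ip: peak number of distinct TCP/445 targets seen inside any
    window_s-second window} for sources reaching min_targets or more.
    Domain controllers are skipped: 445 from non-DS servers is the symptom."""
    events: Dict[str, List[tuple]] = defaultdict(list)
    for line in flow_lines:
        m = FLOW_RE.match(line.strip())
        if not m:
            continue                      # unparseable line: ignore, do not abort triage
        ts, src, dst, port, proto = m.groups()
        if proto != "tcp" or int(port) != 445 or src in DOMAIN_CONTROLLERS:
            continue
        events[src].append((int(ts), dst))
    result: Dict[str, int] = {}
    for src, evs in events.items():
        evs.sort()                        # sliding window over time-ordered connections
        in_window: Dict[str, int] = defaultdict(int)
        start, peak = 0, 0
        for ts, dst in evs:
            in_window[dst] += 1
            while evs[start][0] < ts - window_s:      # drop connections that aged out
                old = evs[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= min_targets:
            result[src] = peak
    return result


def admin_share_guessing(auth_lines: List[str], min_failures: int = 10) -> Dict[str, Dict[str, int]]:
    """Return {src_ip: {"failures": n, "accounts": distinct users tried}} for
    sources with at least min_failures failed logons to administrative shares,
    the pattern behind the lockouts and 'access denied' on admin shares."""
    fails = defaultdict(lambda: {"failures": 0, "users": set()})
    for line in auth_lines:
        m = AUTH_RE.match(line.strip())
        if not m:
            continue
        _, src, user, share = m.groups()
        if share.upper() not in ADMIN_SHARES:
            continue
        fails[src]["failures"] += 1
        fails[src]["users"].add(user.lower())
    return {src: {"failures": d["failures"], "accounts": len(d["users"])}
            for src, d in fails.items() if d["failures"] >= min_failures}


def constructed_flows() -> List[str]:
    """Constructed sample: one sweeping workstation, one busy DC, one normal client."""
    lines = [f"{1000 + i} 10.0.1.23 10.0.1.{100 + i} 445 tcp" for i in range(40)]   # /24 sweep
    lines += [f"{1000 + i} 10.0.0.5 10.0.1.{10 + i} 445 tcp" for i in range(40)]    # DC, legitimate
    lines += ["1010 10.0.1.50 10.0.0.20 445 tcp", "1011 10.0.1.50 10.0.0.21 445 tcp",
              "1012 10.0.1.50 198.51.100.7 80 tcp"]                                  # ordinary client
    return lines


def constructed_logons() -> List[str]:
    """Constructed sample: one guessing host, one user who mistyped a password twice."""
    users = ["administrator", "admin", "backup", "helpdesk"]
    lines = [f"{2000 + i} LOGON_FAIL src=10.0.1.23 user={users[i % 4]} share=ADMIN$" for i in range(24)]
    lines += ["2005 LOGON_FAIL src=10.0.1.77 user=jsmith share=ADMIN$",
              "2006 LOGON_FAIL src=10.0.1.77 user=jsmith share=IPC$"]
    return lines


if __name__ == "__main__":
    print("SMB fan-out:", smb_fanout(constructed_flows()))
    print("admin-share guessing:", admin_share_guessing(constructed_logons()))
```

Both functions return plain dictionaries keyed by source address, so the two results can be intersected to rank hosts that show both behaviours, which is where a McAfee-style removal pass and the MS08-067 patch check should start. Note that the same host appearing in both lists is the strong signal; a file server or backup host can legitimately touch many SMB peers, so tune `DOMAIN_CONTROLLERS` (or an equivalent allow-list) before trusting the fan-out alone.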
