Conficker Worm Detection And Removal

By now you might have heard about the latest worm that is plaguing Internet users world wide. It goes by the name of Conficker (or Downadup)and comes in the variants A,B and C with c being the most evolved variant. To put it simple: Conficker uses a Windows vulnerability that was discovered in September 2008 and a patch was released by Microsoft that fixed it. The first worm that used the vulnerability was discovered in November 2008.

Conficker C will initiate a number of processes on infected host systems including opening a random port which is being used in the distribution process of the worm. The worm will then patch the security hole on the computer system that allowed it to attack the system in first place. This prevents other viruses from exploiting the vulnerability while keeping a backdoor open for newer variants of the Conficker worm. The worm will block certain strings from being accessed on the Internet. Domain names making use of those strings cannot be accessed unless the IP is used to do so. Among the strings are various security companies like microsoft, panda or symantec but also generic strings like defender, conficker or anti-. This is to prevent users from accessing websites that contain information and removal instructions about the worm.

While this is surely a nuisance for the user it does mean that the worm itself is not harming the user system in any way other than the methods described above. The real danger comes from the updating mechanism of Conficker C. The worm will try to retrieve new instructions on April 1, 2009. A very sophisticated updating mechanism has been implemented by the author. The worm will generate a list of 50K domain names and append a list of 116 top level domains to them. It will then select 500 randomly from the list and try to connect to them. If new instructions are found on one of the urls it will download them and execute them on the computer system. This process will be repeated every 24 hours.

The easiest way of detection is by accessing a site like microsoft.com or symantec.com and comparing the results with accessing the site using the IP addresses (207.46.197.32 and 206.204.52.31). While this usually gives a good indication it is better to check the computer system with tools that have been specifically designed to detect and remove the Conficker variants.

A few tools that can be used to detect and remove Conficker variants are ESET Conficker Removal Tool, Downadup from F-Secure or KidoKiller by Kaspersky.

Excellent information about Conficker detection and removal instructions are available at Sans.org.

Information taken from http://www.ghacks.net/2009/03/31/conficker-worm-detection-and-removal/

For more tips and tricks go to http://www.cyatcom.com

5 tips to prevent infection from the Conficker virus.

What is the Conficker or Downadup worm virus?

Well, is a new virus that is spreading like wildfire all over the Internet and has infected millions of PCs around the world.

Conficker or Downadup is a worm that propagates on local and network drives by taking advantage of the Microsoft Windows Server Service RPC MS08-067 Handling Remote Code Execution Vulnerability. W32.Downadup can create its own Service on Windows to run itself each time Windows is started.

If your PC is acting weird and presents some of this symptoms:

• Users being locked out of directory


• Access to admin shares denied


• Scheduled tasks being created


• Access to security related web sites is blocked.

Then your PC might be infected, go to http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FixDownadup.exe and download this tool to remove the Downadup "aka"Conficker "aka" Kido virus by following this steps:

1. Stop all your running programs.


2. Disconnect from your internet connection by disabling your network card or removing the cable from your PC. If you are connected to the internet wireless then turn off your wireless connection.


3. Disable System Restore (Windows XP)


4. Find the tool you just download FixDownadup.exe and run it.


5. If you see that the tool didn't remove the worm or didn't find anything, restart your PC in Safe Mode and run the tool again to make sure your PC is clean.


6. Restart your PC in normal mode again and make sure to enable System Restore.


7. Enable your network card or plug in your cable to reestablish your internet connection. If it was wireless turn it on.

5 Tips to prevent from getting infected with the Conficker Virus:

1. Run a live update from your prefer anti virus program to make sure you have the latest updates.


2. Run a full scan from your anti virus to make sure their is nothing else molesting your computer.


3. Run your windows update to download all the critical updates from Microsoft.


4. Don't open any suspicious email and don't enter any suspicious website.


5. Make sure you have installed in your updates the MS patch KB958644

for more information about this post and other tips and tricks go to http://www.cyatcom.com