The recent Conficker worm has caused enough panic that many users have left their computers off or even unplugged their Ethernet cables. But has the worm stopped spreading, or has it barely begun? It prompted quickly released patches and signature updates from Microsoft and from nearly every antivirus vendor (Symantec, AVG, Kaspersky, Trend Micro and others). Before worrying about the worm, though, ask a simpler question: how do you know you are not already infected? Finding out can be fairly easy, because the worm makes system changes that block access to any web site whose address contains certain security-related keywords. Here is a detailed description of the Conficker worm:
Name of Security Risk: Win32/Conficker.D
Summary of what it does:
Win32/Conficker.D is a variant of Win32/Conficker. Conficker.D infects the local computer, terminates services, blocks access to numerous security related Web sites and downloads arbitrary code. Conficker.D can relay command instructions to other Conficker.D infected computers via built-in peer-to-peer (P2P) communication. This variant does not spread to removable drives or shared folders across a network (as with previous variants). Conficker.D is installed by previous variants of Win32/Conficker.
Other variants of Win32/Conficker infect computers across a network by exploiting a vulnerability in the Windows Server service (SVCHOST.EXE), the flaw Microsoft patched in MS08-067. If the vulnerability is successfully exploited, it allows remote code execution when file sharing is enabled. Those variants may also spread via removable drives and by guessing weak administrator passwords on network shares.
System Changes
Users may not be able to run applications whose file names contain the following strings (note that kb958 matches the installer for the MS08-067 fix, KB958644, and mrt. and kb890 match the Malicious Software Removal Tool, so the worm blocks the very patch and cleanup tool you would reach for; renaming the executable is a common workaround):
| autoruns | avenger | confick | downad | filemon | gmer | hotfix |
| mrt. | mrtstub | ms08-06 | procexp | procmon | regmon | unlocker |
| wireshark | klwk | mbsa. | kido | kb958 | tcpview | kb890 |
| sysclean |
Users may not be able to browse certain security-related Web sites with URLs that contain any of the following strings:
| agnitum | ahnlab | anti- | antivir | arcabit | avast | avgate |
| avira | bothunter | castlecops | ccollomb | centralcommand | clamav | comodo |
| computerassociates | conficker | cpsecure | cyber-ta | defender | downad | drweb |
| dslreports | emsisoft | esafe | eset | etrust | ewido | f-prot |
| f-secure | fortinet | free-av | freeav | gdata | grisoft | hackerwatch |
| hacksoft | hauri | ikarus | jotti | k7computing | kaspersky | kido |
| malware | mcafee | microsoft | mirage | msftncsi | msmvps | mtc.sri |
| networkassociates | nod32 | norman | norton | onecare | panda | pctools |
| prevx | ptsecurity | quickheal | removal | rising | rootkit | safety.live |
| securecomputing | sophos | spamhaus | spyware | sunbelt | symantec | technet |
| threat | threatexpert | trendmicro | trojan | virscan | virus | wilderssecurity |
| windowsupdate |
Users may experience a Web browser time-out error when attempting to access URLs containing the following strings:
| avg. | avp. | bit9. | ca. | cert. | gmer. | kav. |
| llnw. | llnwd. | msdn. | procexp | msft. | nai. | sans. |
If you cannot reach sites such as Symantec's or Microsoft's, or Windows Update fails on your desktop, while unrelated sites load normally, chances are that you are infected by the Conficker worm.
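The check above can be made systematic. The following script is an added example, not code from the original post or from any vendor: it reproduces the worm's filter rule (a case-insensitive substring match on the host name or executable name against the lists above, using a subset of the strings) and turns a set of connectivity probes into a verdict. The key is to probe both vendor sites and neutral control sites: if the control sites resolve and every vendor site fails, the pattern is the worm's, whereas if nothing resolves you simply have no network. The host names in the probe list and the constructed result dictionaries in the `__main__` block are illustrative assumptions.

```python
"""Offline model of Conficker's hostname/process-name blocklist plus a
probe-to-verdict helper. Added example; not part of the original post."""
import socket

# Subset of the strings listed in the post. The worm matches them as
# case-insensitive substrings of the name being looked up or launched.
BLOCKED_HOST_STRINGS = (
    "symantec", "microsoft", "kaspersky", "trendmicro", "sophos",
    "windowsupdate", "avast", "mcafee", "conficker",
)
BLOCKED_PROCESS_STRINGS = (
    "autoruns", "procexp", "procmon", "wireshark", "mrt.", "kb958",
    "kb890", "tcpview", "gmer", "confick",
)


def matches_blocklist(name, blocklist):
    """Return every blocklist string that occurs in `name` (case-insensitive)."""
    lowered = name.lower()
    return [s for s in blocklist if s in lowered]


def would_block_hostname(hostname):
    """True if an infected machine would refuse to resolve this host name."""
    return bool(matches_blocklist(hostname, BLOCKED_HOST_STRINGS))


def would_block_process(exe_name):
    """True if an infected machine would prevent this executable from running.
    Renaming the file (procexp.exe -> pe.exe) defeats the check, which is why
    renaming tools is a common workaround on infected hosts."""
    return bool(matches_blocklist(exe_name, BLOCKED_PROCESS_STRINGS))


def infection_verdict(results):
    """Classify probe results: {hostname: resolved_ok}.

    'likely infected': control hosts resolve, every blocklisted host fails.
    'not blocked':     control hosts resolve and every blocklisted host resolves.
    'inconclusive':    no controls, no blocklisted hosts, no network at all,
                       or a mixed picture (e.g. a vendor outage)."""
    blocked = {h: ok for h, ok in results.items() if would_block_hostname(h)}
    control = {h: ok for h, ok in results.items() if not would_block_hostname(h)}
    if not blocked or not control:
        return "inconclusive"
    if not any(control.values()):
        return "inconclusive"  # general connectivity failure, not the worm
    if not any(blocked.values()):
        return "likely infected"
    if all(blocked.values()):
        return "not blocked"
    return "inconclusive"


def probe(hostnames):
    """Live DNS probe: True where the name resolves, False where it does not.
    Run this on the machine under suspicion; gethostbyname is one of the
    lookup paths the worm interferes with."""
    results = {}
    for host in hostnames:
        try:
            socket.gethostbyname(host)
            results[host] = True
        except OSError:
            results[host] = False
    return results


if __name__ == "__main__":
    # Assumed probe set: two neutral controls plus vendor/update hosts.
    targets = ["www.example.com", "www.wikipedia.org",
               "www.symantec.com", "update.microsoft.com",
               "www.kaspersky.com", "www.trendmicro.com"]
    live = probe(targets)
    for host, ok in live.items():
        tag = "blocklisted" if would_block_hostname(host) else "control"
        print(f"{host:24s} {tag:12s} {'resolved' if ok else 'FAILED'}")
    print("verdict:", infection_verdict(live))
```

Run it from the suspect machine; a "likely infected" verdict is a strong hint, but "not blocked" only means this particular symptom is absent, so it does not clear the machine on its own.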
Removing the infection can be tricky. You can use whichever vendor's tool you prefer (Symantec over Kaspersky, Kaspersky over Trend Micro, and so on). Here are some links to removal programs. You will have to download them from an uninfected computer, because the worm blocks the vendors' sites on an infected one. Note that the worm filters on the address you are visiting, not on the words on a page, so being able to read this post does not by itself prove you are clean:
- Symantec Conficker Removal Tool
- Microsoft Removal Tool
- Sophos Removal Tool
- TrendMicro Removal Tool
- Kaspersky Removal Tool
Use these tools to remove the Conficker variants, including the newest one, from your computer. Download the tool on an uninfected computer, then copy it to the infected machine and run it there.
Why has the Conficker worm deserved so much attention over the past few days? Several reasons:
- It avoids detection and keeps evolving: each variant blocks more tools and changes how it updates
- It uses P2P to receive updates from its operators, so there is no single server to take down
- Mass infection has already occurred
- Its update payloads are digitally signed with strong cryptography, so defenders cannot hijack the botnet by feeding it fake updates, and its internals are hard to analyze
With so much talk going around about the Conficker worm, most antivirus products now detect it, but the threat continues and the worm is still infecting more users online. There have also been rumors online about a conspiracy: because Microsoft's patch appeared to arrive so quickly, some suspected a plan to take down pirated copies of Windows. The timeline does not support this. The patch (MS08-067) shipped out-of-band in October 2008, before the first Conficker variant appeared in November 2008, so the worm exploited a hole that was already fixed. Whether you find the rumor credible is up to you.
Even though most antivirus products detect Conficker, researchers have not been able to block all of its traffic. When the worm is updated or receives further instructions, the payload can pass directly between infected machines over its built-in peer-to-peer (P2P) channel, without any server or web site involved. With no central host to blacklist, updates reach infected machines quickly, and the worm is harder to block and remove from your system.
Most of you should not worry. Conficker is a threat mainly to computers that lack Microsoft's latest security patches (MS08-067 in particular), run without up-to-date antivirus, use weak administrator passwords, or autorun removable drives. Stay safe everyone!

April 6, 2009 at 4:41 am
Hi,
Good article. Sophos’ Conficker removal tool can detect and remove all variants of the worm/virus.
As long as people run these tools it should stop any serious outbreak.
James
April 26, 2009 at 6:01 pm
now in my rss reader)))