Protecting Against the Rampant Conficker Worm
Security researchers are reporting that the Conficker worm virus, which preys on a recently reported vulnerability (MS08-067) in the Microsoft Windows server service, is spreading rapidly."Of the two million computers analyzed, around 115,000 were infected with this malware, a phenomenon we haven't seen since the times of the great epidemics of Kournikova or Blaster," Luis Corrons, Technical Director of PandaLabs, said in a report summary.
When executed on a computer, Conficker disables a number of system services such as Windows Automatic Update, Windows Security Center, Windows Defender and Windows Error Reporting. It then connects to a server, where it receives further orders to propagate, gather personal information, and downloads and installs additional malware onto the victim's computer. The worm also attaches itself to certain Windows processes such as svchost.exe, explorer.exe and services.exe.
Once this virus infects a computer it does a number of things
- Extracts all of its files to the %System% directory with random DLL file names, which can wreak havoc on your computer.
- Deletes the user's Restore Points.
- Registers a services called Netsvcs
- Creates scheduled tasks that execute all of the DLL files.
- Creates it's own simple HTTP server on the infected computer and spreads the worm to other computers in the network through file shares.
- Creates an Autorun.inf file in file shares to execute the warm files once the share is accessed by another computer.
- Connects to external sites to download additional files.
The registry entries added by Mal/Confiker-A are under:
HKLM\SYSTEM\CurrentControlSet\Services\<random service name>
The random service name will also be added to the list of services referenced by:
HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\SvcHost\netsvcs
Mal/Conficker-A modifies permissions on the service registry entries so that they are not visible to the user.When spreading to removable media Mal/Conficker-A attempts to create the following hidden files:
<Removable Drive Root>\autorun.inf
<Removable Drive Root>\RECYCLER\S-x-x-x-xxx-xxx-xxx-x\<Random Letters>.dll
Win32/Conficker.A tries to obtain the IP address of the affected system by accessing the following websites:
www.getmyip.org
getmyip.co.uk
checkip.dyndns.org
Mal/Conficker-A will attempt to copy itself to the following location:
<System>\<random filename>
(e.g. C:\windows\system32\zdtnx.g)
Precautions & Removal
- Ensure Windows is fully updated to fix the MS08-067 vulnerability that the Conficker family of worms uses to spread.
- Ensure that all removable storage devices are scanned after being connected to a computer infected with the Conficker family of worms.
- Ensure HIPS and buffer overflow prevention are both turned on and that "alert only" mode is turned off.
- Ensure the on-access scanner is turned on and that "on write" scanning is enabled.
If W32/Confick-E is detected on the computer, clean up this item first and then immediately run another full scan. Cleaning up W32/Confick-E removes the worm from memory and allows Sophos Anti-Virus to scan files that may have been locked by the virus while it was running.
If a full scan reports unscannable files and W32/Confick-E is not found in memory, ensure the on-access scanner is enabled and the virus data is up to date, reboot the computer and immediately perform another full scan. This causes the on-access scanner to prevent the Conficker worm from loading as a service and should unlock those files so they can be scanned. After cleaning up an active infection of the Conficker worm, a reboot may be required.
To remove the worm and its malicious components completely, it is recommended to use Norman Conficker Cleaner. Removal tools are also available from Microsoft and Symantec.
Since the virus can spread via USB drives that trigger AutoRun, disabling the AutoRun feature for external media through modifying the Windows Registry is recommended.
How to Diisable Autorun
Excellent stuff, Thanks
ReplyDelete