9686 Views, 5 Replies. Latest reply: Apr 5, 2009 7:18 PM by CD

HarryWaldron (Senior Member, 12,088 posts since Sep 11, 2002)

Mar 23, 2009 9:46 AM

Conficker.C Worm - Major Attack targeted for April Fools Day

The Conficker worm is one of the most dangerous malware threats in years, especially for corporate users. A new "C" variant has been developed that's even more potent and stealthy than the two prior variants. It's imperative that Microsoft's MS08-067 patch be applied to all servers and workstations while the worm is currently dormant.

If it establishes a foothold anywhere in the network, it can even spread to systems that are patched with MS08-067 if they are insecure in other areas (i.e., it uses multiple attack methods).

Please take precautions now, as this one will be even more difficult than "B" was to clean.

Conficker.C Worm - Major Attack targeted for April Fools Day
http://techfragments.com/news/629/Software/Downadup_Win32Conficker-C_Worm_Revving_Up_to_Spread.html
http://arstechnica.com/security/news/2009/03/confickerc-primed-for-april-fools-activation.ars
http://www.maximumpc.com/article/news/this_no_joke_confickerc_strike_april_fools_day
http://news.cnet.com/8301-1009_3-10196122-83.html
http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=77976

QUOTE: Just when you might have thought it was safe to start using USB flash drives at work again, the third, and by all accounts, most fiendish version of the Conficker worm that's infected millions of PCs already is set to attack on April 1st, Ars Technica reports. Conficker.C is designed to hide itself even more thoroughly than its older siblings Conficker.A and Conficker.B, using tricks such as:

• Inserting itself into as many as five Windows-related folders such as System, Movie Maker, Internet Explorer, and others (under a random name, of course)
• Creating access control entries and locking the file(s)
• Registering dummy services using a "one (name) from column A, one from column B, and two from column C" method

To find out what happens when Conficker.C strikes, join us after the jump.
Conficker.C's payload makes it harder than ever to recover from being infected:

• Deactivates Windows Security Center notifications
• Prevents restart in Safe Mode
• Prevents Windows Defender from running at system startup
• Deletes all system restore points
• Disables various error-reporting and security services
• Terminates over twenty security-related processes
• Blocks DNS queries
• Blocks access to security and antivirus websites
• And, to top it all off, Conficker.C can choose from a list of 500 domains to contact out of a pool of 50,000 (way up from Conficker.B's 32 out of 250).

Conficker.C - Detailed Evaluation by SRI
http://mtc.sri.com/Conficker/addendumC/

QUOTE: Variant C represents the third major revision of the Conficker malware family, which first appeared on the Internet on 20 November 2008. C distinguishes itself as a significant revision to Conficker B. In fact, we estimate that C leaves as little as 15% of the original B code base untouched.

Below are some resources for information and cleaning tools for the Conficker worm:

Conficker - Cleaning tips for corporate users
http://msmvps.com/blogs/harrywaldron/archive/2009/01/27/conficker-cleaning-tips-for-corporate-users.aspx

Internet Storm Center - Conficker Resource Center
http://isc.sans.org/diary.html?storyid=5860

Microsoft Resources
http://support.microsoft.com/kb/962007
http://www.microsoft.com/technet/security/bulletin/ms08-067.mspx
