5 Replies Latest reply: Apr 5, 2009 7:18 PM by CD RSS

    Conficker.C Worm - Major Attack targeted for April Fools Day

      The Conficker worm is one of the most dangerous malware threats in years, especially for corporate users. A new "C" variant has been developed that's even more potent and stealthier than the two prior variants. It's imperative that Microsoft's MS08-067 patch be applied to all servers and workstations, while the worm is currently dormant.

      If it establishes a foothold anywhere in the network, it can even spread to systems that are patched with the MS08-067, if they are insecure in other areas, (i.e., it uses multiple attack methods).

      Please take precautions now, as this one will be even more difficult than "B" was to clean.

      Conficker.C Worm - Major Attack targeted for April Fools Day
      http://techfragments.com/news/629/Software/Downadup_Win32Conficker-C_Worm_Revvin g_Up_to_Spread.html
      http://arstechnica.com/security/news/2009/03/confickerc-primed-for-april-fools-a ctivation.ars
      http://www.maximumpc.com/article/news/this_no_joke_confickerc_strike_april_fools _day
      http://news.cnet.com/8301-1009_3-10196122-83.html
      http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=77976

      QUOTE: Just when you might have thought it was safe to start using USB flash drives at work again, the third, and by all accounts, most fiendish version of the Conficker worm that's infected millions of PCs already is set to attack on April 1st, Ars Technica reports. Conficker.C's designed to hide itself even more thoroughly than its older siblings Conficker.A and Conficker.B, using tricks such as:

      Inserting itself into as many as five Windows-related folders such as System, Movie Maker, Internet Explorer, and others (under a random name, of course)
      • Creating access control entries and locking the file(s)
      Registers dummy services using a "one (name) from column A, one from column B,null and two from column C" method

      To find out what happens when Conficker.C strikes, join us after the jump.
      Conficker.C's payload makes it harder than ever to recover from being infected:

      Deactivates Windows Security Center notifications
      Prevents restart in Safe Mode
      Prevents Windows Defender from running at system startup
      Deletes all system restore points
      Disables various error-reporting and security services
      Terminates over twenty security-related processes
      Blocks DNS queries
      Blocks access to security and antivirus websites
      • And, to top it all off, Conficker.C can choose from a list of 500 domains to contact out of a pool of 50,000 (way up from Conficker.B's 32 out of 250).

      Conficker.C - Detailed Evaluation by SRI
      http://mtc.sri.com/Conficker/addendumC/

      QUOTE: Variant C represents the third major revision of the Conficker malware family, which first appeared on the Internet on 20 November 2008. C distinguishes itself as a significant revision to Conficker B.null In fact, we estimate that C leaves as little as 15% of the original B code base untouched

      Below are some resources for information and cleaning tools for the Conficker worm:

      Conficker - Cleaning tips for corporate users
      http://msmvps.com/blogs/harrywaldron/archive/2009/01/27/conficker-cleaning-tips- for-corporate-users.aspx

      Internet Storm Center - Conficker Resource Center
      http://isc.sans.org/diary.html?storyid=5860

      Microsoft Resources
      http://support.microsoft.com/kb/962007
      http://www.microsoft.com/technet/security/bulletin/ms08-067.mspx