What You Need to Know About Conficker and How to Avoid Being a Victim (Updated for April 1st)
Posted 04/01/09 at 01:00:00 PM by Paul Lilly

April Fools' Day might be all fun and games for some, but if you manage to fall prey to the Conficker worm, it's no laughing matter. As reported earlier this month by our very own Mark Soper, the third version of Conficker (Conficker.c) is set to wreak havoc tomorrow, April 1st. Here's what you need to know.
What is Conficker?
Conficker is one of the nastiest computer worms in recent history to go on the warpath against Windows-based PCs. First surfacing in October 2008, Conficker targets Windows 2000, XP, Vista, Server 2003, Server 2008, Server 2008 R2 Beta, and even Windows 7. To date, Conficker has infected over 9 million PCs, shut down French and British military assets, and prompted a $250,000 reward from Microsoft for information leading to the arrest and conviction of the worm's creators.
What Does it Do?
The first two versions of Conficker -- variants A and B -- exploit a vulnerability in the Server Service on Windows-based PCs, spreading from an already-infected source computer. Once it is in, the worm goes to work exploiting the network hole, cracking administrator passwords, blocking access to security websites and automatic-update services, disabling backup services, erasing recently saved documents, and, among other things, leaving you open to other infected machines.
What Happens Tomorrow?
One of the scariest things about Conficker, including Conficker.c, is that its full potential isn't known. Come tomorrow, those infected might be prompted to buy fake software products, or it could start monitoring your keystrokes to lift sensitive information like banking passwords. Files could end up deleted, or it might transform your computer into a zombie PC while staying under the radar. Whatever it ends up doing, it won't be good, and you need to take proper precautions right now.
How to Tell if You're Already Infected
Once infected, Conficker seals up the hole it used to infiltrate your system, preventing other malware from getting in. Because of this, it can be difficult for IT pros to tell which computers have been patched and which might have a fake Conficker patch. But according to the nonprofit Honeynet Project, Conficker.c's buggy code has made it somewhat easy to detect using a newly released proof-of-concept scanner.
"What we've found is pretty cool: Conficker actually changes what Windows looks like on the network, and this change can be detected remotely, anonymously, and very, very quickly. You can literally ask a server if it's infected with Conficker, and it will tell you," Dan Kaminsky, director of penetration testing at IOActive who worked with The Honeynet Project, wrote on his blog. "We figured this out on Friday, and got code put together for Monday. It's been one heck of a weekend."
Other telltale signs that you might be infected with Conficker are that you haven't received any automatic updates from Windows in March, you're unable to update your antivirus program, or your security software has been running abnormally slowly of late. You can also try accessing major AV sites, as Conficker will attempt to block these.
The Department of Homeland Security (DHS) has released a computer worm detection tool, along with a bevy of other information, which can be found here.
How Can I Avoid Infection?
Drain your savings account, buy a Mac, and hang out at Starbucks all day long. Or to appease the Linux crowd, ditch Windows and dive into Ubuntu. But you don't need to learn a brand new OS or invest in an overpriced computer to avoid Conficker.
One way to avoid Conficker is to disable AutoRun. Details on how to properly do so can be found here. And as with all security-related threats, safe computing habits apply. Avoid websites you're not familiar with, ensure that Windows is fully patched, invest in a security program and download the latest updates, and never download from an unknown or shady source.
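The checks above (missing updates, blocked AV sites, AutoRun) and the Server Service patch can be run in one pass. The following read-only triage script is an added example, not code from the article, Microsoft or any AV vendor; it assumes PowerShell 2.0 or later in an elevated prompt, and the hostnames in $securitySites are illustrative.

```powershell
# Added read-only triage script (not from the article or any vendor tool).
# Assumes PowerShell 2.0+ run from an elevated prompt; the hostnames in
# $securitySites are illustrative and can be swapped for your own vendor's.
function Test-ConfickerIndicators {
    $findings = @()

    # 1. Server Service patch. KB958644 (MS08-067, October 2008) closes the
    #    hole Conficker A/B use to spread; without it the machine is exposed.
    if (-not (Get-HotFix -Id 'KB958644' -ErrorAction SilentlyContinue)) {
        $findings += 'KB958644 (MS08-067) is not installed: Server Service hole is open'
    }

    # 2. AutoRun. A value of 0xFF in NoDriveTypeAutoRun disables AutoRun for
    #    every drive type, which removes the USB/CD infection route.
    $key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $prop = Get-ItemProperty -Path $key -Name 'NoDriveTypeAutoRun' -ErrorAction SilentlyContinue
    if (-not $prop -or $prop.NoDriveTypeAutoRun -ne 0xFF) {
        $findings += 'AutoRun is not fully disabled (NoDriveTypeAutoRun is not 0xFF)'
    }

    # 3. Security sites. The worm blocks access to AV and update sites by name,
    #    so a failed lookup of a well-known vendor is a telltale sign.
    $securitySites = @('www.symantec.com', 'update.microsoft.com', 'www.avg.com')
    foreach ($site in $securitySites) {
        try   { [System.Net.Dns]::GetHostAddresses($site) | Out-Null }
        catch { $findings += "Cannot resolve $site; security sites may be blocked" }
    }

    # 4. Automatic Updates. Missing March updates is a listed sign; a stopped
    #    Windows Update service (wuauserv) is the usual cause.
    $wu = Get-Service -Name 'wuauserv' -ErrorAction SilentlyContinue
    if (-not $wu -or $wu.Status -ne 'Running') {
        $state = if ($wu) { $wu.Status } else { 'missing' }
        $findings += "Windows Update service is $state"
    }

    # 5. Scheduled AT jobs. Removal tools list "scheduled jobs created by the
    #    threat"; a clean home PC normally has none, so any entry deserves a look.
    if (Get-Command 'at.exe' -ErrorAction SilentlyContinue) {
        $atOutput = (& at.exe 2>$null | Out-String)
        if ($atOutput -and $atOutput -notmatch 'no entries') {
            $findings += "Scheduled AT jobs present:`n$atOutput"
        }
    }

    return $findings
}

$result = @(Test-ConfickerIndicators)
if ($result.Count -eq 0) {
    Write-Host 'No Conficker indicators found (absence of indicators is not proof of a clean PC).'
} else {
    Write-Host 'Indicators found:'
    $result | ForEach-Object { Write-Host " - $_" }
}
```

A positive finding on any check calls for the removal steps in the next section, run from a clean PC's download; a clean result only means these particular signs are absent.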
Holy S#*t, I'm Infected!
We'll assume here you're talking about your PC (if not, stop scratching it and consult a doctor). There are a number of Conficker removal tools available, such as those found here, here, and here. If going this route, it's a good idea to download the tool(s) from a clean PC rather than your infected one. Note that Conficker also blocks tools with 'Conficker' in the name, so be prepared to rename the file(s) if necessary.
Another option is to create a bootable CD/DVD or USB thumb drive and outfit it with security programs. By doing so, you'll bypass Windows entirely and have a clean slate from which to work. Just be sure to create bootable media from a clean PC. Also check your security vendor's website for information on creating a bootable rescue disk.
Finally, to err on the extreme side of caution, you can start fresh with a reinstallation of Windows. Whether or not you resort to this, it's a good idea to back up any important data -- work documents, family photos, groovy music -- right away.
My prediction:
Submitted by winmaster on Sat, 04/04/2009 - 5:48pm
I think that the creator of this bastard told it to sit still for a few more weeks because of all of the media hype. Just a thought.
--------------------------------------------------------------------------------------------------
The quick brown fox jumps over the lazy dog.
Your Virus is showing!
Submitted by Havok on Wed, 04/01/2009 - 6:25pm
By any chance you always-on-the-internets-with-no-antivirus have like maybe 14 firewalls or are on dial-up!? Sorry if I strike a nerve, but seriously! Only those who are ignorant and have only used "free" antivirus programs and who look at tremendous amounts of pron claim that going cold turkey with AVs is the way to go.
Sure, Symantec blew chunks from 05 - 08 ish. Sure if you don't do stupid stuff on-line your infection risks decrease. Sure a lot of AVs suck and are really expensive, but WTF?
I think these are the people Gordon was thinking about when he ranted about needing a licence to go online or buy a computer.
"Excuse me, can I buy a computer and go on-line with no protection, similar to not using a condom?"
Licence denied.
OMGWTFBBQ
Free AV's
Submitted by winmaster on Sat, 04/04/2009 - 5:40pm
There are a lot of free anti-virus apps. I use AVG Free Edition 8.5. I also realize that my AV is important and that going online without one would be a mistake and possibly disastrous. As for Gordon's internet license, I have written a report expanding the idea: http://nintenpc.tripod.com/public/internet_regulation_speech.pdf. Read it. Then tell my forensics judges, parents, and sister that I'm not a crackpot. Gordon rules and kids are stupid.
--------------------------------------------------------------------------------------------------
The quick brown fox jumps over the lazy dog.
Computer prophylactics
Submitted by c3ajeff on Fri, 04/03/2009 - 10:36am
As a consultant, I make sure my clients don't have viruses and none of them do.
It's not rocket science. For home users, the free anti-virus programs work great (provided they are updated frequently) so I recommend AVG or Avast.
Second, MS updates must be turned on automatic. The days of updates causing major problems seem to be past, but on balance even if they do cause an occasional blip, let's face it, they do a lot more good than evil.
Third, I train my clients to be aware of what they're doing. We all have a natural sense of danger when walking down a dark alley, but many don't have any sense of danger when wandering around on the internet.
Many of us are suckers just waiting for some popup to tell us we must buy a "registry repair" program - or else... but I teach my clients to NEVER pay attention to any internet popup - ever. Any company who uses this kind of advertising is obviously unable to sell their program by means of any legitimate means, so avoid them like the plague.
Many parents don't pay enough attention to what their kids are doing online. Yes, we've all been warned and warned and warned again, but many think so long as their kid isn't chatting with a predator, they are just fine. But these same parents who do their banking online, manage their investments online, and shop online - all of which involve transmitting extremely personal information - don't pay attention when little Johnny is downloading "warez" or mp3s off of torrent sites which are likely to assault their personal computer with malware, worms or viruses like Conficker.
Many of these parents assume their kids are more "tech savvy" than they are, but even if their kid knew more about how an engine runs, would they let their 12 year old drive their new sports car in the bad part of town? How ridiculous! And yet, parents allow their children to "drive" all their personal information around the entire world of thieves and miscreants. I take a "belt and suspenders" approach to this.
First, parents have two choices: get the kids their own computer (NOT in their own room, no matter how much you trust them) or they need their own LIMITED account on the family computer. Parents need to approve each and every download the kids make on the family computer. If the child has his or her own computer it still needs to be protected from the child, particularly if the computer is networked to the parent's computer. Also parents need to monitor the computer or shelve it. I can't tell you how many computers I have had to "refresh" because of a young one's lack of experience with the internet. This can be expensive and time-consuming unless the parents really know what they're doing. Even if the child is technical enough to do this, they obviously weren't wise enough to protect themselves in the first place, so parents heed my advice: be careful with your children and computers, that is, unless you're not worried about losing your data or worse yet, having your identity stolen and bank account emptied. Trust me, that's no fun at all.
What's the verdict
Submitted by hiremenow on Wed, 04/01/2009 - 6:23pm
Do we have any damage reports yet?
Vista
Submitted by billveik on Wed, 04/01/2009 - 9:05am
Supposedly Vista has the same vulnerability to this as XP, but there is some sort of difference in the systems that makes it much more difficult to activate on Vista machines, making XP much more of a target.
It's the UAC (User Account
Submitted by AntiHero on Wed, 04/01/2009 - 12:00pm
It's the UAC (User Account Control). I turned it on on a machine I don't care about, and hunted for viruses; it does block them from executing. I tried to get AntiVirus 2009, and it asked me if I was sure I wanted to install it. The thing is that most people shut it off because it blocked EVERY program you could possibly imagine, unless it had a Microsoft license, and still sometimes those ones.
I don't like Microsoft, I just associate with it.
This website from Symantec
Submitted by fdwhacker on Wed, 04/01/2009 - 8:55am
This website from Symantec has everything you need:
http://www.symantec.com/security_response/writeup.jsp?docid=2009-011316-0247-99
Here are the instructions:
- Download the FixDwndp.exe file from: http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FixDwndp.exe.
Note: W32.Downadup.C may block access to Symantec Web sites and network addresses. Follow these steps to remove the block:
1. Click Start > Run or hit Windows Key + R.
2. Type cmd and click OK.
3. Type net stop dnscache and press Enter.
4. Type exit and press Enter.
- Save the file to a convenient location, such as your Windows desktop.
- Optional: To check the authenticity of the digital signature, refer to the "Digital signature" section later in this writeup.
Note: If you are sure that you are downloading this tool from the Security Response Web site, you can skip this step. If you are not sure, or are a network administrator and need to authenticate the files before deployment, follow the steps in the "Digital signature" section before proceeding with step 4.
- Close all the running programs.
- If you are on a network or if you have a full-time connection to the Internet, disconnect the computer from the network and the Internet.
- If you are running Windows Me or XP, turn off System Restore. For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles:
- Locate the file that you just downloaded.
- Double-click the FixDwndp.exe file to start the removal tool.
- Click Start to begin the process, and then allow the tool to run.
NOTE: If you have any problems when you run the tool, or it does not appear to remove the threat, restart the computer in Safe mode and run the tool again.
- Restart the computer.
- Run the removal tool again to ensure that the system is clean.
- If you are running Windows Me/XP, then reenable System Restore.
- If you are on a network or if you have a full-time connection to the Internet, reconnect the computer to the network or to the Internet connection.
- Run LiveUpdate to make sure that you are using the most current virus definitions.
When the tool has finished running, you will see a message indicating whether the threat has infected the computer. The tool displays results similar to the following:
- Total number of the scanned files
- Number of deleted files
- Number of repaired files
- Number of terminated viral processes
- Number of fixed registry entries
What the tool does
The Removal Tool does the following:
- Terminates the associated processes
- Deletes the associated files
- Deletes the registry values added by the threat
- Removes the scheduled jobs created by the threat
Switches
The following switches are designed for use by network administrators:
/HELP, /H, /?
Displays the help message.
/NOFIXREG
Disables the registry repair (We do not recommend using this switch).
/SILENT, /S
Enables the silent mode.
/LOG=[PATH NAME]
Creates a log file where [PATH NAME] is the location in which to store the tool's output. By default, this switch creates the log file, FixDwndp.log, in the same folder from which the removal tool was executed.
/MAPPED
Scans the mapped network drives. (We do not recommend using this switch. See the following Note.)
/START
Forces the tool to immediately start scanning.
/EXCLUDE=[PATH]
Excludes the specified [PATH] from scanning. (We do not recommend using this switch. See the following Note.)
/NOCANCEL
Disables the cancel feature of the removal tool.
/NOFILESCAN
Prevents the scanning of the file system.
/NOVULNCHECK
Disables checking for unpatched files.
/FORCEJOBSREPAIR
Removes the created scheduled jobs.
Important: Using the /MAPPED switch does not ensure the complete removal of the virus on the remote computer, because:
- The scanning of mapped drives scans only the mapped folders. This may not include all the folders on the remote computer, which can lead to missed detections.
- If a viral file is detected on the mapped drive, the removal will fail if a program on the remote computer uses this file.
Therefore, you should run the tool on every computer.
The /EXCLUDE switch will only work with one path, not multiple. An alternative is the /NOFILESCAN switch followed by a manual scan with AntiVirus. This will let the tool alter the registry. Then, scan the computer with AntiVirus with current virus definitions. With these steps, you should be able to clean the file system.
The following is an example command line that can be used to exclude a single drive:
"C:\Documents and Settings\user1\Desktop\FixDwndp.exe" /EXCLUDE=M:\ /LOG=c:\FixDwndp.txt
Alternatively, the command line below will skip scanning the file system, but will repair the registry modifications. Then, run a regular scan of the system with proper exclusions:
"C:\Documents and Settings\user1\Desktop\FixDwndp.exe" /NOFILESCAN /LOG=c:\FixDwndp.txt
Note: You can give the log file any name and save it to any location.
I hope this helps anyone who has been infected.
NOTE: These are the exact instructions off of the Symantec website mentioned above.
----------------------------------------------------------------------
I HATE WINDOWS 98!!
AMD is AWESOME!
Maximum PC is AWESOME!!
Vista SUCKS!!
web machine
Submitted by mesiah on Tue, 03/31/2009 - 9:19pm
I know this isn't viable for everyone, but for anyone who uses their PC to store vital information, or just doesn't want the hassle of having it knocked out by a virus, you might consider this. I have a high end computer that I use for gaming and making secure transactions. Then I have a second ultra cheap eMachines computer that I paid $299 for (including monitor) that I use only for surfing the web. I don't run many programs on it. I don't really worry about viruses on it, and if something were to happen to it, none of my personal files are on there so a quick restore is pretty simple.
Virtual Machine
Submitted by One4yu2c on Wed, 04/01/2009 - 5:54am
Alternately, installing a Virtual Machine or running a Linux Live CD will allow you to surf dangerously with little cost and risk to your main OS.
...going offline won't do the trick!
Submitted by smashingpumpin on Tue, 03/31/2009 - 7:08pm
I just read an informative article from Yahoo about this. http://tech.yahoo.com/blogs/null/13246. To those of you going cold turkey for a day or two, this quote from the Yahoo article is for you: "Turning your PC off tonight and back on on April 2 will not protect you from the worm (sorry to the dozens of people who wrote me asking if this would do the trick). Temporarily disconnecting your computer from the web won't help if the malware is already on your machine -- it will simply activate once you connect again. Changing the date on your PC will likely have no helpful effect, either. And yes, Macs are immune this time out. Follow the above instructions to detect and remove the worm."
As for the links to tools to remove it, I'm kind of a skeptic that it'll do the job, but it's better than nothing, and I tried Symantec's tool and turned Windows Update "fully on" anyway. Good luck to everyone tonight.
_______________________________________________
...hmm no Pr0n for a day or two? I can handle that hehehehe
LordTion
Submitted by metafuente on Tue, 03/31/2009 - 5:24pm
You are VERY wrong to think this is just hype and that it's a goofy April Fools joke. My recently built PC got hit by this thing, HARD, and even though I stopped it fast, it took me 3 weekends to recover or find new versions of my files. I'll be doing some console gaming for a week or so until I'm back on the web; this thing is nasty indeed! Hope the clowns behind it end up in a cell with angry Samoan (no offense) drag-queens (no offense again, you get the picture). :O
you just cant say i am very
Submitted by comptech08 on Tue, 03/31/2009 - 5:56pm
You just can't say I am very wrong; you do not know the answer either. Geesh, I never get viruses and I do not use anti-virus software or any type of protection software. It's all about safe web habits. I don't download stupid stuff and I don't look at p0rn. If you keep getting viruses then it's your fault, not the internet's.
If you don't use antivirus
Submitted by Keith E. Whisman on Tue, 03/31/2009 - 7:15pm
If you don't use antivirus software, how do you know that you don't have a virus infection on your PC? I mean, some viruses are very quiet and do all their work under the table, like keyloggers and worms that use your PC to send spam to other PCs and all kinds of nasty stuff. Hell, just being online without an antivirus program is dangerous.
You'll be sorry if you don't install an antivirus program. I bet you that if you install an antivirus program on your computer, you'll find that you probably have at least one if not many security threats, from malware and spyware to viruses.
i am not a stupid when it
Submitted by comptech08 on Tue, 03/31/2009 - 8:15pm
I am not stupid when it comes to the internet, that's why. And I also monitor my computer's resources, processes, and performance, and do clean it every day. I can tell if something is up. I also don't download stupid stuff.
The reason why I switched to no anti-virus was because I kept getting viruses. It didn't matter which one I had. I had Norton, AVG, CA, Avast, etc. I would eventually get a virus, and I used the same internet habits as I do today. So I did an experiment to see if I could do this without protection, and it worked.
o_O
Submitted by GreenTurtle on Wed, 04/01/2009 - 12:22pm
?
Well, that's totally
Submitted by jcollins on Wed, 04/01/2009 - 11:36am
Well, that's totally confusing. The reason you switched to having NO anti-virus software is because you kept getting infected with viruses??? Sounds totally backwards there.
that is why i tried it,
Submitted by comptech08 on Wed, 04/01/2009 - 11:55am
That is why I tried it, something different, and it worked.
Well then you know better
Submitted by Keith E. Whisman on Tue, 03/31/2009 - 9:21pm
Well then you know better than I do. All I know is that my dad keeps uninstalling his antivirus software and then complains when his computer starts acting crazy. It's always a bad printer driver but I use the same driver with no problems.
Just going to popular websites without protection can get you infected.
I'm not stupid but I know it's better to be safe than sorry.
Sure, I can drive my car without auto insurance, but if I get into an accident or a cop pulls me over I'm completely screwed.
My AV software has no effect on the speed of my system, and I routinely play Crysis with all the eye candy turned on and I get the same frame rates as I do with my AV disabled. I just don't see any reason to risk driving without insurance or running my computer on an always-on broadband connection without AV software. I'm running Norton Internet Security 2009 and it rules.
your car insurance story has
Submitted by comptech08 on Wed, 04/01/2009 - 5:16am
Your car insurance story has nothing to do with a computer not having anti-virus software. First off, it's the law to have car insurance and not the law to have anti-virus software. It has been 4 years since I went anti-virus software free and I have not had a virus yet on my machine. And I use the computer every day with the internet on 24/7.
Safe Habits > AV Programs
Submitted by AntiHero on Wed, 04/01/2009 - 9:06am
I do not use my AV software (AVG paid version), it's there, on, and never scans, and I have only had one virus ever, downloaded by my mom on her XP Account. I download ISO images from gamecopyworld for my games and mount them to alcohol 120% all the time, I browse the internet regularly, and I never get viruses, especially as someone who uses Torrent downloads for music and viewing movies I don't feel are worthy of even a rental (or rogers has no copies left >_>) I'm a safe browser, if someone ups a cd to a torrent site, I look at the comments before downloading to see what people are saying about it, and I've never been steered wrong. The internet is like a city, safer to be on some streets than others, and avoid the dark, unexplored alleys. Regardless, I'm back on Ubuntu for the next couple of days until this blows over. When push comes to shove, my sig makes all the more sense.
I don't like Microsoft, I just associate with it.
Arrogance
Submitted by JonnyNYK on Wed, 04/01/2009 - 12:24pm
It's outright arrogant to think you won't ever get infected with just "Safe Web Browsing". Although I believe it's best practice to stay away from suspect websites, unknown email attachments and public hotspots, you can't control what another person does on your network. Worms can work their way through the network onto your PC. I know because back home my brother always got himself into a virus and on some occasions it found its way onto my PC. I also know that just because you have virus protection doesn't make you immune. It does a good job of batting away most problems, but it's not perfect. That's where doing a bit of homework comes in.
You also do realize that because you don't visibly notice something that's "up" doesn't mean you're safe, right? You guys ever hear of a keylogger? Maybe a Trojan that's just looking for only a snippet of information like, say... your logon for your bank account? Legit websites are prone to infection too, buddy.
My computer is protected so it's no skin off my back, but if you're that arrogant it's only a matter of time before you're humbled.
I give up. We are not going
Submitted by Keith E. Whisman on Wed, 04/01/2009 - 1:57pm
I give up. We are not going to win. These anti antivirus people just have their minds made up. To them they are right and we are wrong. It's just not worth arguing about it with them. But I do have a problem with people like that convincing other people that going without AV software is the proper way to use the internet when it's not.
With this logic of no AV, you probably agree that all guns should be banned so you have to rely on the cops to protect you from rapists and armed robbers and trust in these thugs and robbers not to kill you as they assault you and take your belongings. But at least you'll be able to call the cops afterward and they can investigate.
Going without AV is like going without a means to protect yourself. But I'm not going to argue with these anti-AV guys; I'm just going to try and convince others not to go that route.
Good Idea
Submitted by winmaster on Sat, 04/04/2009 - 5:45pm
The replies to the original comment are becoming difficult to follow.
ANTI-VIRUS SOFTWARE IS A NECESSARY EVIL.
--------------------------------------------------------------------------------------------------
The quick brown fox jumps over the lazy dog.
I have this feeling that
Submitted by comptech08 on Tue, 03/31/2009 - 1:26pm
I have this feeling that this Conficker worm is an April Fools joke in itself. All this hype about it gets everybody worried and trying to get protected, then April 1st comes and nothing happens, or it just attacks everybody on April 2nd and we still all die. So who knows :)
Lol
Submitted by DBsantos77 on Tue, 03/31/2009 - 1:31pm
I agree, but better be safe than sorry, no? Haha
most likely
Submitted by Geeksquadmyss on Tue, 03/31/2009 - 2:52pm
Nothing will happen, but like I said before, I got hit once and I had to do a reinstall and lost a lot of stuff, and I'm not taking any chances.
I say
Submitted by DBsantos77 on Tue, 03/31/2009 - 1:18pm
Everyone should check their updates to see if KB958644 is installed. Apparently this protects against this worm and was made in October '08....
Great
Submitted by Geeksquadmyss on Tue, 03/31/2009 - 12:52pm
I got hit by this thing once (my family enjoys using my desktop and being careless at what they do on the internet). And it's a real (c word here); it destroys your whole computer. I'm backing up all my movies, game saves etc. and checking my PC! It's PC Armageddon, or could be.
time to unplug the network
Submitted by bingojubes on Tue, 03/31/2009 - 12:15pm
Time to unplug the network card and cable from my computer before bed. Got enough offline games to play for a day or two, anyway. I can stand without the internets for a day, I think...
unplugging your computer
Submitted by robtom on Tue, 03/31/2009 - 12:53pm
Unplugging your computer won't work. If you've read anything at all about this, you know then that it will wait until you can access the internet again and then receive its instructions.
Love other's PCs too
Submitted by doomhart on Tue, 03/31/2009 - 11:48am
Put a link to this article on your email, Facebook, MySpace, Twitter, Friendster and other ways to contact your friends. Call your friends to go to Maximum PC.
Good luck to all tomorrow.
Oh Noes
Submitted by DBsantos77 on Tue, 03/31/2009 - 11:35am
WE'RE ALL GONNA DIE!!!!!!!
Thanks for the article, interesting read.
I second this. And in
Submitted by AntiHero on Tue, 03/31/2009 - 11:57am
I second this. And in response to Vista being vulnerable to executing it... turn UAC on for a secondary measure; more than likely it runs as admin though, so it could bypass UAC. Things like this are why UAC was made, even though I have it turned off. I'm in the technical field for work, so when I mass email everyone I know to prepare, they damn well listen.
I don't like Microsoft, I just associate with it.
Vista kind of vulnerable?
Submitted by LatiosXT on Tue, 03/31/2009 - 11:34am
An ExtremeTech article claims that "Windows Vista is technically vulnerable in this way (Windows RPC facilities exploit), but the exploit is almost impossible to execute on it." Anyone's take on this?
I know I am not infected, but I am going to be on the safe side
Submitted by Lord Omega on Tue, 03/31/2009 - 11:24am
I just downloaded the Symantec tool and am now scanning my PC with it, just to be on the safe side. I can access all major computer security sites, so that there says I am safe. I also did a test with an .exe named "ConfickrRemover.exe" and nothing happened.