What You Need to Know About Conficker and How to Avoid Being a Victim (Updated for April 1st)
Posted 04/01/09 at 01:00:00 PM by Paul Lilly
**April 1, 2009 Update**
We won't fault anyone who, after reading our Conficker coverage, went and constructed an aluminum foil deflector beanie (see here for a great how-to), and you might even choose to still wear it. But we do encourage taking a collective sigh of relief with us. It's now April 1st, and Conficker.c doesn't look like it's going to cause the kind of mass damage that made the worm famous. Or at least it hasn't happened yet.
According to early reports, Conficker.c has caused only a smattering of security breaches across the globe, most of which have occurred in Asia. It's believed that somewhere between 1 million and 2 million computers are actively infected with the worm, significantly fewer than the 9 million it claimed in January. And while Asia has been bearing the brunt of infections, the infection rate in North America sits at only 5.8 percent, according to IBM ISS Managed Security Services.
I Knew Nothing Much Would Happen!
We envy your 8-ball, and while it's entirely possible that nothing much more will happen, there's still a chance that Conficker.c could wreak more havoc before all is said and done. Some security experts believe it will take days before we truly know what Conficker.c is up to, noting that the worm has increased the number of DNS resolutions, expanding its list of domains and perhaps waiting for further instructions. And yet others are decidedly less worried.
"Over the next 24 hours Conficker will change the way it communicates, but we don't expect much of anything else to happen," said Marcus Sachs, director of the SANS Internet Storm Center, in a blog post. "There has been quite a bit of media hype about Conficker, and we've seen dozens of new domain names registered to 'help' those who are confused. There are also several reports of malicious software masquerading as detection and cleaning tools for Conficker-infected computers."
Sum it Up for Me
Put simply, Conficker.c has yet to do any widespread damage, and it might never cause any real harm. But it's also shown some activity, which could indicate more to come. Continue practicing safe computing, perhaps erring on the side of caution for the next few days, and it really shouldn't matter one way or the other.
My prediction:
Submitted by winmaster on Sat, 04/04/2009 - 5:48pm
I think that the creator of this bastard told it to sit still for a few more weeks because of all of the media hype. Just a thought.
--------------------------------------------------------------------------------------------------
The quick brown fox jumps over the lazy dog.
Your Virus is showing!
Submitted by Havok on Wed, 04/01/2009 - 6:25pm
By any chance you always-on-the-internets-with-no-antivirus have like maybe 14 firewalls or are on dial-up!? Sorry if I strike a nerve, but seriously! Only those who are ignorant and have only used "free" antivirus programs and who look at tremendous amounts of pron claim that going cold turkey with AVs is the way to go.
Sure, Symantec blew chunks from 05 - 08 ish. Sure if you don't do stupid stuff on-line your infection risks decrease. Sure a lot of AVs suck and are really expensive, but WTF?
I think these are the people Gordon was thinking about when he ranted about needing a licence to go online or buy a computer.
"Excuse me, can I buy a computer and go on-line with no protection, similar to not using a condom?"
Licence denied.
OMGWTFBBQ
Free AV's
Submitted by winmaster on Sat, 04/04/2009 - 5:40pm
There are a lot of free anti-virus apps. I use AVG Free Edition 8.5. I also realize that my AV is important and that going online without one would be a mistake and possibly disastrous. As for Gordon's internet license, I have written a report expanding the idea: http://nintenpc.tripod.com/public/internet_regulation_speech.pdf. Read it. Then tell my forensics judges, parents, and sister that I'm not a crackpot. Gordon rules and kids are stupid.
--------------------------------------------------------------------------------------------------
The quick brown fox jumps over the lazy dog.
Computer prophylactics
Submitted by c3ajeff on Fri, 04/03/2009 - 10:36am
As a consultant, I make sure my clients don't have viruses and none of them do.
It's not rocket science. For home users, the free anti-virus programs work great (provided they are updated frequently) so I recommend AVG or Avast.
Second, MS updates must be turned on automatic. The days of updates causing major problems seem to be past, but on balance even if they do cause an occasional blip, let's face it, they do a lot more good than evil.
Third, I train my clients to be aware of what they're doing. We all have a natural sense of danger when walking down a dark alley, but many don't have any sense of danger when wandering around on the internet.
Many of us are suckers just waiting for some popup to tell us we must buy a "registry repair" program - or else... but I teach my clients to NEVER pay attention to any internet popup - ever. Any company who uses this kind of advertising is obviously unable to sell their program by means of any legitimate means, so avoid them like the plague.
Many parents don't pay enough attention to what their kids are doing online. Yes, we've all been warned and warned and warned again, but many think so long as their kid isn't chatting with a predator, they are just fine. But these same parents who do their banking online, manage their investments online, and shop online - all of which involve transmitting extremely personal information - don't pay attention when little Johnny is downloading "warez" or mp3s off of torrent sites which are likely to assault their personal computer with malware, worms or viruses like Conficker.
Many of these parents assume their kids are more "tech savvy" than they are, but even if their kid knew more about how an engine runs, would they let their 12 year old drive their new sports car in the bad part of town? How ridiculous! And yet, parents allow their children to "drive" all their personal information around the entire world of thieves and miscreants. I take a "belt and suspenders" approach to this.
First, parents have two choices: get the kids their own computer (NOT in their own room, no matter how much you trust them) or they need their own LIMITED account on the family computer. Parents need to approve each and every download the kids make on the family computer. If the child has his or her own computer it still needs to be protected from the child, particularly if the computer is networked to the parent's computer. Also parents need to monitor the computer or shelve it. I can't tell you how many computers I have had to "refresh" because of young ones' lack of experience with the internet. This can be expensive and time-consuming unless the parents really know what they're doing. Even if the child is technical enough to do this, they obviously weren't wise enough to protect themselves in the first place, so parents heed my advice: be careful with your children and computers, that is, unless you're not worried about losing your data or worse yet, having your identity stolen and bank account emptied. Trust me, that's no fun at all.
Whats the verdict
Submitted by hiremenow on Wed, 04/01/2009 - 6:23pm
Do we have any damage reports yet?
Vista
Submitted by billveik on Wed, 04/01/2009 - 9:05am
Supposedly Vista has the same vulnerability to this as XP, but there is some sort of difference in the systems that makes it much more difficult to activate on Vista machines, making XP much more of a target.
It's the UAC (User Account
Submitted by AntiHero on Wed, 04/01/2009 - 12:00pm
It's the UAC (User Account Control). I turned it on on a machine I don't care about and hunted for viruses; it does block them from executing. I tried to get AntiVirus 2009, and it asked me if I was sure I wanted to install it. The thing is that most people shut it off because it blocked EVERY program you could possibly imagine, unless it had a Microsoft license, and still sometimes those ones.
I don't like Microsoft, I just associate with it.
This website from Symantec
Submitted by fdwhacker on Wed, 04/01/2009 - 8:55am
This website from Symantec has everything you need:
http://www.symantec.com/security_response/writeup.jsp?docid=2009-011316-0247-99
Here are the instructions:
- Download the FixDwndp.exe file from: http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FixDwndp.exe.
Note: W32.Downadup.C may block access to Symantec Web sites and network addresses. Follow these steps to remove the block:
1. Click Start > Run or hit Windows Key + R.
2. Type cmd and click OK.
3. Type net stop dnscache and press Enter.
4. Type exit and press Enter.
- Save the file to a convenient location, such as your Windows desktop.
- Optional: To check the authenticity of the digital signature, refer to the "Digital signature" section later in this writeup.
Note: If you are sure that you are downloading this tool from the Security Response Web site, you can skip this step. If you are not sure, or are a network administrator and need to authenticate the files before deployment, follow the steps in the "Digital signature" section before proceeding with step 4.
- Close all the running programs.
- If you are on a network or if you have a full-time connection to the Internet, disconnect the computer from the network and the Internet.
- If you are running Windows Me or XP, turn off System Restore. For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles:
- Locate the file that you just downloaded.
- Double-click the FixDwndp.exe file to start the removal tool.
- Click Start to begin the process, and then allow the tool to run.
NOTE: If you have any problems when you run the tool, or it does not appear to remove the threat, restart the computer in Safe mode and run the tool again.
- Restart the computer.
- Run the removal tool again to ensure that the system is clean.
- If you are running Windows Me/XP, then reenable System Restore.
- If you are on a network or if you have a full-time connection to the Internet, reconnect the computer to the network or to the Internet connection.
- Run LiveUpdate to make sure that you are using the most current virus definitions.
When the tool has finished running, you will see a message indicating whether the threat has infected the computer. The tool displays results similar to the following:
- Total number of the scanned files
- Number of deleted files
- Number of repaired files
- Number of terminated viral processes
- Number of fixed registry entries
What the tool does
The Removal Tool does the following:
- Terminates the associated processes
- Deletes the associated files
- Deletes the registry values added by the threat
- Removes the scheduled jobs created by the threat
Switches
The following switches are designed for use by network administrators:
/HELP, /H, /?
Displays the help message.
/NOFIXREG
Disables the registry repair (We do not recommend using this switch).
/SILENT, /S
Enables the silent mode.
/LOG=[PATH NAME]
Creates a log file where [PATH NAME] is the location in which to store the tool's output. By default, this switch creates the log file, FixDwndp.log, in the same folder from which the removal tool was executed.
/MAPPED
Scans the mapped network drives. (We do not recommend using this switch. See the following Note.)
/START
Forces the tool to immediately start scanning.
/EXCLUDE=[PATH]
Excludes the specified [PATH] from scanning. (We do not recommend using this switch. See the following Note.)
/NOCANCEL
Disables the cancel feature of the removal tool.
/NOFILESCAN
Prevents the scanning of the file system.
/NOVULNCHECK
Disables checking for unpatched files.
/FORCEJOBSREPAIR
Removes the created scheduled jobs.
Important: Using the /MAPPED switch does not ensure the complete removal of the virus on the remote computer, because:
- The scanning of mapped drives scans only the mapped folders. This may not include all the folders on the remote computer, which can lead to missed detections.
- If a viral file is detected on the mapped drive, the removal will fail if a program on the remote computer uses this file.
Therefore, you should run the tool on every computer.
The /EXCLUDE switch will only work with one path, not multiple. An alternative is the /NOFILESCAN switch followed by a manual scan with AntiVirus. This will let the tool alter the registry. Then, scan the computer with AntiVirus with current virus definitions. With these steps, you should be able to clean the file system.
The following is an example command line that can be used to exclude a single drive:
"C:\Documents and Settings\user1\Desktop\FixDwndp.exe" /EXCLUDE=M:\ /LOG=c:\FixDwndp.txt
Alternatively, the command line below will skip scanning the file system, but will repair the registry modifications. Then, run a regular scan of the system with proper exclusions:
"C:\Documents and Settings\user1\Desktop\FixDwndp.exe" /NOFILESCAN /LOG=c:\FixDwndp.txt
Note: You can give the log file any name and save it to any location.
I hope this helps anyone who has been infected.
NOTE: These are the exact instructions off of the Symantec website mentioned above.
----------------------------------------------------------------------
I HATE WINDOWS 98!!
AMD is AWESOME!
Maximum PC is AWESOME!!
Vista SUCKS!!
web machine
Submitted by mesiah on Tue, 03/31/2009 - 9:19pm
I know this isn't viable for everyone, but for anyone who uses their PC to store vital information, or just doesn't want the hassle of having it knocked out by a virus, you might consider this. I have a high end computer that I use for gaming and making secure transactions. Then I have a second ultra cheap Emachines computer that I paid $299 for (including monitor) that I use only for surfing the web. I don't run many programs on it. I don't really worry about viruses on it, and if something were to happen to it, none of my personal files are on there so a quick restore is pretty simple.
Virtual Machine
Submitted by One4yu2c on Wed, 04/01/2009 - 5:54am
Alternately, installing a Virtual Machine or running a Linux Live CD will allow you to surf dangerously with little cost and risk to your main OS.
...going offline won't do the trick!
Submitted by smashingpumpin on Tue, 03/31/2009 - 7:08pm
I just read an informative article from Yahoo about this: http://tech.yahoo.com/blogs/null/13246. To those of you going cold turkey for a day or two, this quote from the Yahoo article is for you: "Turning your PC off tonight and back on on April 2 will not protect you from the worm (sorry to the dozens of people who wrote me asking if this would do the trick). Temporarily disconnecting your computer from the web won't help if the malware is already on your machine -- it will simply activate once you connect again. Changing the date on your PC will likely have no helpful effect, either. And yes, Macs are immune this time out. Follow the above instructions to detect and remove the worm."
As for the links to tools to remove it, I'm kind of a skeptic that it'll do the job, but it's better than nothing, and I tried Symantec's tool and turned Windows Update "fully on" anyways. Good luck to everyone tonight.
_______________________________________________
...hmm no Pr0n for a day or two? I can handle that hehehehe
LordTion
Submitted by metafuente on Tue, 03/31/2009 - 5:24pm
You are VERY wrong to think this is just hype and that it's a goofy April Fools' joke. My recently built PC got hit by this thing, HARD, and even though I stopped it fast, it took me 3 weekends to recover or find new versions of my files. I'll be doing some console gaming for a week or so until I'm back on the web; this thing is nasty indeed! Hope the clowns behind it end up in a cell with angry Samoan (no offense) drag-queens (no offense again, you get the picture. :O
you just cant say i am very
Submitted by comptech08 on Tue, 03/31/2009 - 5:56pm
You just can't say I am very wrong; you do not know the answer either. Geesh, I never get viruses and I do not use anti-virus software or any type of protection software. It's all about safe web habits. I don't download stupid stuff and I don't look at p0rn. If you keep getting viruses then it's your fault, not the internet's.
If you don't use antivirus
Submitted by Keith E. Whisman on Tue, 03/31/2009 - 7:15pm
If you don't use antivirus software, how do you know that you don't have a virus infection on your PC? I mean some viruses are very quiet and do all their work under the table. Like keyloggers and worms that use your PC to send spam to other PCs and all kinds of nasty stuff. Hell, just being online without an antivirus program is dangerous.
You'll be sorry if you don't install an antivirus program. I bet you if you install an antivirus program on your computer that you probably have at least one if not many security threats, from malware and spyware to viruses.
i am not a stupid when it
Submitted by comptech08 on Tue, 03/31/2009 - 8:15pm
I am not stupid when it comes to the internet, that's why. And I also monitor my computer's resources, processes, and performance, and do clean it every day. I can tell if something is up. I also don't download stupid stuff.
The reason why I switched to no anti-virus was because I kept getting viruses. It didn't matter which one I had. I had Norton, AVG, CA, Avast, etc. I would eventually get a virus, and I used the same internet habits as I do today. So I did an experiment to see if I could do this without protection, and it worked.
o_O
Submitted by GreenTurtle on Wed, 04/01/2009 - 12:22pm
?
Well, that's totally
Submitted by jcollins on Wed, 04/01/2009 - 11:36am
Well, that's totally confusing. The reason you switched to having NO anti-virus software is because you kept getting infected with viruses??? Sounds totally backwards there.
that is why i tried it,
Submitted by comptech08 on Wed, 04/01/2009 - 11:55am
That is why I tried it, something different, and it worked.
Well then you know better
Submitted by Keith E. Whisman on Tue, 03/31/2009 - 9:21pm
Well then you know better than I do. All I know is that my dad keeps uninstalling his antivirus software and then complains when his computer starts acting crazy. It's always a bad printer driver but I use the same driver with no problems.
Just going to popular websites without protection can get you infected.
I'm not stupid but I know it's better to be safe than sorry.
Sure I can drive my car without auto insurance, but if I get into an accident or a cop pulls me over I'm completely screwed.
My AV software has no effect on the speed of my system, and I routinely play Crysis with all the eye candy turned on and I get the same frame rates as I do with my AV disabled. I just don't see any reason to risk driving without insurance or running my computer on an always-on broadband connection without AV software. I'm running Norton Internet Security 2009 and it rules.
your car insurance story has
Submitted by comptech08 on Wed, 04/01/2009 - 5:16am
Your car insurance story has nothing to do with a computer not having anti-virus software. First off, it's the law to have car insurance and not the law to have anti-virus software. It has been 4 years since I went anti-virus software free and I have not had a virus yet on my machine. And I use the computer every day with the internet on 24/7.
Safe Habits > AV Programs
Submitted by AntiHero on Wed, 04/01/2009 - 9:06am
I do not use my AV software (AVG paid version), it's there, on, and never scans, and I have only had one virus ever, downloaded by my mom on her XP Account. I download ISO images from gamecopyworld for my games and mount them to alcohol 120% all the time, I browse the internet regularly, and I never get viruses, especially as someone who uses Torrent downloads for music and viewing movies I don't feel are worthy of even a rental (or rogers has no copies left >_>) I'm a safe browser, if someone ups a cd to a torrent site, I look at the comments before downloading to see what people are saying about it, and I've never been steered wrong. The internet is like a city, safer to be on some streets than others, and avoid the dark, unexplored alleys. Regardless, I'm back on Ubuntu for the next couple of days until this blows over. When push comes to shove, my sig makes all the more sense.
I don't like Microsoft, I just associate with it.
Arrogance
Submitted by JonnyNYK on Wed, 04/01/2009 - 12:24pm
It's outright arrogant to think you won't ever get infected with just "safe web browsing". Although I believe it's best practice to stay away from suspect websites, unknown email attachments and public hotspots, you can't control what another person does on your network. Worms can work their way through the network onto your PC. I know because back home my brother always got himself into a virus and on some occasions it found its way onto my PC. I also know just because you have virus protection doesn't make you immune. It does a good job of batting away most problems, but it's not perfect. That's where doing a bit of homework comes in.
You also do realize that because you don't visibly notice something that's "up" doesn't mean you're safe, right? You guys ever hear of a keylogger? Maybe a Trojan that's just looking for only a snippet of information like say...your logon for your bank account? Legit websites are prone to infection too, buddy.
My computer is protected so it's no skin off my back, but if you're that arrogant it's only a matter of time before you're humbled.
I give up. We are not going
Submitted by Keith E. Whisman on Wed, 04/01/2009 - 1:57pm
I give up. We are not going to win. These anti antivirus people just have their minds made up. To them they are right and we are wrong. It's just not worth arguing about it with them. But I do have a problem with people like that convincing other people that going without AV software is the proper way to use the internet when it's not.
With this logic of no AV you probably agree that all guns should be banned so you have to rely on the cops to protect you from rapists and armed robbers and trust in these thugs and robbers not to kill you as they assault you and take your belongings. But at least you'll be able to call the cops afterward and they can investigate.
Going without AV is like going without a means to protect yourself. But I'm not going to argue with these anti-AV guys; I'm just going to try and convince others from going that route.
Good Idea
Submitted by winmaster on Sat, 04/04/2009 - 5:45pm
The replies to the original comment are becoming difficult to follow.
ANTI-VIRUS SOFTWARE IS A NECESSARY EVIL.
--------------------------------------------------------------------------------------------------
The quick brown fox jumps over the lazy dog.
I have this feeling that
Submitted by comptech08 on Tue, 03/31/2009 - 1:26pm
I have this feeling that this Conficker worm is an April Fools' joke in itself. All this hype about it getting everybody worried and trying to get protected, then April 1st comes and nothing happens, or it just attacks everybody on April 2nd and we still all die. So who knows :)
Lol
Submitted by DBsantos77 on Tue, 03/31/2009 - 1:31pm
I agree, but better be safe than sorry, no? Haha
most likely
Submitted by Geeksquadmyss on Tue, 03/31/2009 - 2:52pm
Nothing will happen, but like I said before, I got hit once and I had to do a reinstall and lost a lot of stuff, and I'm not taking any chances.
I say
Submitted by DBsantos77 on Tue, 03/31/2009 - 1:18pm
Everyone should check their updates to see if KB958644 is installed. Apparently this protects against this worm and was made in October '08....
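The two concrete checks this thread keeps coming back to are whether the MS08-067 patch (KB958644, mentioned just above) is installed and whether the machine can still reach security-vendor sites (the Symantec instructions earlier in the thread stop the Dnscache service because the worm can interfere with those lookups). The PowerShell script below is an added example, not code from Maximum PC, Symantec or any commenter; it assumes PowerShell 2.0 or later on the Windows box being checked, and the list of vendor hostnames is a constructed sample. It only reads state and resolves names; it changes nothing.

```powershell
# Added example (not from the article or its comments): a read-only health
# check for the three symptoms the thread discusses. Assumes PowerShell 2.0+.

function Test-ConfickerPatch {
    # KB958644 is the MS08-067 fix the thread says to look for.
    # Caveat: a later service pack that supersedes it may not list it here,
    # so a "not listed" result means "verify", not "unpatched".
    $hotfix = Get-HotFix -Id 'KB958644' -ErrorAction SilentlyContinue
    if ($hotfix) {
        Write-Host "KB958644 present (installed $($hotfix.InstalledOn))"
        return $true
    }
    Write-Host "KB958644 not listed in installed hotfixes; verify patch level"
    return $false
}

function Test-DnsClientService {
    # The Symantec steps stop Dnscache before downloading the tool; report
    # its current state so the operator knows whether that step was taken.
    $svc = Get-Service -Name 'Dnscache' -ErrorAction SilentlyContinue
    if (-not $svc) {
        Write-Host "Dnscache service not found on this system"
        return $false
    }
    Write-Host "Dnscache service status: $($svc.Status)"
    return ($svc.Status -eq 'Running')
}

function Test-VendorResolution {
    param(
        # Constructed sample list; www.symantec.com is the site the thread
        # says the worm may block. Extend with your own vendor's hostnames.
        [string[]] $Hosts = @('www.symantec.com', 'update.microsoft.com', 'www.microsoft.com')
    )
    # Vendor sites failing to resolve while everything else works is one of
    # the symptoms described in the Symantec write-up quoted in the thread.
    $allResolved = $true
    foreach ($h in $Hosts) {
        try {
            $addrs = [System.Net.Dns]::GetHostAddresses($h)
            $list = ($addrs | ForEach-Object { $_.IPAddressToString }) -join ', '
            Write-Host ("{0} -> {1}" -f $h, $list)
        } catch {
            Write-Host ("{0} could not be resolved: {1}" -f $h, $_.Exception.Message)
            $allResolved = $false
        }
    }
    return $allResolved
}

# Run the checks and summarise; a non-zero exit code lets a login script or
# admin tool flag machines that need a closer look.
$summary = New-Object PSObject -Property @{
    PatchInstalled     = Test-ConfickerPatch
    DnsCacheRunning    = Test-DnsClientService
    VendorSitesResolve = Test-VendorResolution
}
$summary | Format-List

if (-not ($summary.PatchInstalled -and $summary.VendorSitesResolve)) {
    exit 1
}
exit 0
```

Run it from an elevated PowerShell prompt so Get-HotFix and Get-Service can read system state. A machine that reports the patch missing and vendor sites unresolvable matches the profile the thread describes and should be taken off the network and cleaned with a vendor tool before anything else, exactly as the Symantec steps above advise.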
Great
Submitted by Geeksquadmyss on Tue, 03/31/2009 - 12:52pm
I got hit by this thing once (my family enjoys using my desktop and being careful at what they do on the internet). And it's a real (c word here); it destroys your whole computer. I'm backing up all my movies, game saves, etc. and checking my PC! It's PC Armageddon, or could be.
time to unplug the network
Submitted by bingojubes on Tue, 03/31/2009 - 12:15pm
Time to unplug the network card and cable from my computer before bed. Got enough offline games to play for a day or two, anyways. I can stand without the internets for a day, I think...
unplugging your computer
Submitted by robtom on Tue, 03/31/2009 - 12:53pm
Unplugging your computer won't work. If you've read anything at all about this, you know that it will wait until you can access the internet again and then receive its instructions.
Love other's PCs too
Submitted by doomhart on Tue, 03/31/2009 - 11:48am
Put a link to this article on your email, facebook, myspace, twitter, friendster and other ways to contact your friends. Call your friends to go to maximum PC.
Good luck to all tomorrow.
Oh Noes
Submitted by DBsantos77 on Tue, 03/31/2009 - 11:35am
WE'RE ALL GONNA DIE!!!!!!!
Thanks for the article, interesting read.
I second this. And in
Submitted by AntiHero on Tue, 03/31/2009 - 11:57am
I second this. And in response to Vista being vulnerable to executing it... turn UAC on as a secondary measure; more than likely it runs as admin though, so it could bypass UAC. Things like this are why UAC was made, even though I have it turned off. I'm in the technical field for work, so when I mass email everyone I know to prepare, they damn well listen.
I don't like Microsoft, I just associate with it.
Vista kind of vulnerable?
Submitted by LatiosXT on Tue, 03/31/2009 - 11:34am
An Extreme Tech article claims that "Windows Vista is technically vulnerable in this way (Windows RPC facilities exploit), but the exploit is almost impossible to execute on it." Anyone's take on this?
I know I am not infected, but I am going to be on the safe side
Submitted by Lord Omega on Tue, 03/31/2009 - 11:24am
I just downloaded and am now scanning my PC with the Symantec tool just to be on the safe side. I can access all major computer security sites, so that there says I am safe. I also did a test with a .exe named "ConfickrRemover.exe" and nothing happened.