My computer is not up to date, will the conficker affect my computer?
02-28-2013, 11:08 PM
Post: #1
I'm REALLY scared about the virus tomorrow. My friend told me that the person hacks into your MySpace or Facebook and all your personal and kills you or makes your photos into like nude pictures or whatever. If shutting down my computer isn't going to help, what the heck am I supposed to do?

02-28-2013, 11:16 PM
Post: #2
 
Update update update!
Be sure you have an antivirus and antispyware.

02-28-2013, 11:16 PM
Post: #3
 
What Happens on April 1, 2009?

Computers previously infected with the Conficker worm will begin to use specially crafted instructions to contact web domains owned by the attackers with the intent to find ways to spread (worm) Conficker to other computers to infect.

What does the Conficker worm do?

We don’t know the purpose of the Conficker worm. We have evidence that the creators of the worm can connect to an infected computer to remotely install software and possibly steal information. What will that software do? Most likely the worm will be used to create a botnet that will be “rented” out to criminals who want to send SPAM, steal IDs and direct users to online scams and phishing sites.

The Conficker worm mostly spreads across networks. If it finds a vulnerable computer, it turns off the automatic backup service, deletes previous restore points, disables many security services, blocks access to a number of security web sites and opens infected machines to receive additional programs from the malware’s creator. The worm then tries to spread itself to other computers on the same network.




How does the worm infect a computer?

Conficker, also known as the Downadup worm, tries to take advantage of a problem with Windows (a vulnerability) called MS08-067 to quietly install itself. Users who automatically receive updates from Microsoft are already protected from this. The worm also tries to spread by copying itself into shared folders on networks and by infecting USB devices such as memory sticks.


Who is at risk?

Users whose computers are not fully patched and receiving updates from GDIT’s System Management agent (SCCM) or directly from Microsoft and who are not running an up to date antivirus product are most at risk.


Ensure your Symantec Antivirus is up-to-date and actively running.

Your Symantec Antivirus program should be configured to receive updated signatures that have the latest information to identify and prevent the variant of the worm from running on your computer. Please follow these instructions to help determine if your Symantec AV program is up-to-date (you must be connected to the Internet):

1. From your computer, open the Symantec AV console (from the system tray double-click the yellow, PC mouse-looking icon).

2. Check the Program Versions section; the Scan Engine should be 81.3.0.13.

3. If the Scan Version is not at this level then call the GDIT IT Service Desk and Support for assistance.

4. Next, check your Virus Definitions File section; the version should be at a minimum of 3/29/2009 rev. 3.

5. If the version is not current then click the LiveUpdate button --> Click the Next button --> It will go out to Symantec's website and automatically download the latest version.

6. If your system is prevented (confirm that you have Internet access) from accessing the Symantec website call IT Service Desk and Support immediately for assistance.

7. From the pull-down menu, choose Scan and select Full Scan. Click the Scan button and allow Symantec to perform a complete scan.

8. If Symantec finds a virus please contact the IT Service Desk and Support for assistance.

To reiterate, if your computer does not have the latest Program Version or Virus Definitions or it is prevented from accessing the Symantec website to receive the latest signatures please contact the IT Service Desk and Support immediately.


Advice to Stay Safe from the Downadup Worm:

* Periodically check the Symantec AV console to ensure you are receiving Program and Virus Definitions and they are not out of date.

* Keep your computer updated with the latest patches. This includes Microsoft Operating and Office updates (every 2nd Tuesday of every month), and Adobe Flash Player, Acrobat and Reader programs. If you don’t know how to do this contact IT Service Desk and Support to assist you.

* Don’t use “free” security scans that pop up on many web sites. All too often these are fake, using scare tactics to try to get you to purchase their “full” service. In many cases these are actually infecting you while they run. There is reason to believe that the creators of the Conficker worm are associated with some of these fake security products.

* Be smart with your passwords. This includes:

  o Change your passwords periodically as per GDIT Policy

  o Use complex passwords – no simple names or words, use special characters and numbers

Contact Information:

IT Service Desk: http://servicedesk.gdit.com/

IT Expanded Support Line, local to Massachusetts: 781-455-5020

Long Distance: 800-663-8315

GDIT Information Security Risk Manager: 703-818-5187
02-28-2013, 11:16 PM
Post: #4
 
Read and follow the instructions on how to remove or prevent infection.

Prevention and Information about Conficker Computer Virus
http://www.review-ninja.com/2009/03/conf...scare.html
02-28-2013, 11:16 PM
Post: #5
 
General Methods of propagation:
• Local network
• Mapped network drives


Aliases:
• Symantec: W32.Downadup.B
• Kaspersky: Net-Worm.Win32.Kido.fw
• F-Secure: Worm:W32/Downadup.gen!A
• Sophos: Mal/Conficker-A
• Panda: Trj/Downloader.MDW
• Grisoft: I-Worm/Generic.CJY
• Eset: a variant of Win32/Conficker.AE worm
• Bitdefender: Win32.Worm.Downadup.Gen

Similar detection:
• Worm/Kido


Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003


Side effects:
• Registry modification
• Makes use of software vulnerability
• Third party control

Files:
It copies itself to the following locations:
• %all shared folders%\RECYCLER\S-%number%\%random character string%.vmx
• %ProgramFiles%\Internet Explorer\%random character string%.dll
• %ProgramFiles%\Movie Maker\%random character string%.dll
• %System%\%random character string%.dll
• %Temp%\%random character string%.dll
• %ALLUSERSPROFILE%\Application Data\%random character string%.dll

The following file is created:
– %all shared folders%\autorun.inf
This is a non-malicious text file with the following content:
• %random comments%
  shellexecute rundll32.exe %paths and filenames of malware copies%,%random character string%
  %random comments%

Registry:
The following registry keys are added in order to load the service after reboot:

– HKLM\SYSTEM\CurrentControlSet\Services\%random words%\Parameters\
• "ServiceDll" = "%paths and filenames of malware copies%"

– HKLM\SYSTEM\CurrentControlSet\Services\%random words%\
• "ImagePath" = "%SystemRoot%\system32\svchost.exe -k netsvcs"
• "Type" = "4"
• "Start" = "4"
• "ErrorControl" = "4"



The following registry keys are changed:

– [HKLM\SYSTEM\CurrentControlSet\Services\wscsvc]
Old value:
• "Start"=dword:00000003
New value:
• "Start"=dword:00000004

– [HKLM\SYSTEM\CurrentControlSet\Services\wuauserv]
Old value:
• "Start"=dword:00000003
New value:
• "Start"=dword:00000004

– [HKLM\SYSTEM\CurrentControlSet\Services\BITS]
Old value:
• "Start"=dword:00000003
New value:
• "Start"=dword:00000004

– [HKLM\SYSTEM\CurrentControlSet\Services\ERSvc]
Old value:
• "Start"=dword:00000003
New value:
• "Start"=dword:00000004

– HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
New value:
• "Hidden"=dword:00000002
"ShowCompColor"=dword:00000001
"HideFileExt"=dword:00000000
"DontPrettyPath"=dword:00000000
"ShowInfoTip"=dword:00000001
"HideIcons"=dword:00000000
"MapNetDrvBtn"=dword:00000000
"WebView"=dword:00000000
"Filter"=dword:00000000
"SuperHidden"=dword:00000000
"SeparateProcess"=dword:00000000

Network Infection:
In order to ensure its propagation the malware attempts to connect to other machines as described below.


IP address generation:
It creates random IP addresses while it keeps the first three octets from its own address. Afterwards it tries to establish a connection with the created addresses.


Infection process:
It makes the compromised machine download the malware from the infected source computer.
The downloaded file is stored on the compromised machine as: .\RECYCLER\S-%number%\%random character string%.vmx

Hosts:
Access to the following domains is effectively blocked:
• ahnlab; arcabit; avast; avg.; avira; avp.; bit9.; ca.; castlecops;
centralcommand; cert.; clamav; comodo; computerassociates; cpsecure;
defender; drweb; emsisoft; esafe; eset; etrust; ewido; f-prot;
f-secure; fortinet; gdata; grisoft; hacksoft; hauri; ikarus; jotti;
k7computing; kaspersky; malware; mcafee; microsoft; nai.;
networkassociates; nod32; norman; norton; panda; pctools; prevx;
quickheal; rising; rootkit; sans.; securecomputing; sophos; spamhaus;
spyware; sunbelt; symantec; threatexpert; trendmicro; vet.; virus;
wilderssecurity; windowsupdate


Miscellaneous:
Internet connection:
In order to check for its internet connection the following DNS servers are contacted:
• http://www.getmyip.org
• http://www.whatsmyipaddress.com
• http://getmyip.co.uk
• http://checkip.dyndns.org


Checks for an internet connection by contacting the following web sites:
• baidu.com; google.com; yahoo.com; msn.com; ask.com; w3.org; aol.com;
cnn.com; ebay.com; msn.com; myspace.com


File patching:
In order to increase the number of maximum connections it has the capability to modify the tcpip.sys. It may result in a corruption of that file and break network connectivity.

Rootkit Technology:
It is a malware-specific technology. The malware hides its presence from system utilities, security applications and in the end, from the user.


Method used:
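The registry changes listed in the post above (security services switched to Start=4, a randomly named svchost service whose ServiceDll points at a copy of the worm, and the Explorer settings that hide files) can be checked from a .reg export taken on a suspect machine. The following is an added example written for this page; it is not code from the post, from Avira, Symantec or any other vendor. It parses regedit's export format, including the wrapped hex(2) encoding regedit uses for REG_EXPAND_SZ values, and flags the three patterns. The service name qtlsvnx and the whole sample export are constructed placeholders.

```python
"""Triage helper for the registry changes listed in the post above (constructed
example; not code from the forum post or from any antivirus vendor).

Parses a Windows .reg export (regedit File > Export) and reports three things
the post describes: security services (wscsvc, wuauserv, BITS, ERSvc) with
Start=4 (disabled), svchost-hosted services whose ServiceDll lies outside
%SystemRoot%\\system32, and Explorer settings that hide files.  The service
name "qtlsvnx" in the sample is a made-up placeholder.
"""
import re

WATCHED_SERVICES = {"wscsvc", "wuauserv", "bits", "ersvc"}  # the post says these go Start 3 -> 4
SERVICES_PREFIX = "hkey_local_machine\\system\\currentcontrolset\\services\\"
ADVANCED_KEY = "hkey_current_user\\software\\microsoft\\windows\\currentversion\\explorer\\advanced"
TRUSTED_DLL_DIRS = ("%systemroot%\\system32\\", "c:\\windows\\system32\\")


def _join_continuations(text):
    """Re-join value lines that regedit wraps with a trailing backslash."""
    out, buf = [], ""
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        out.append(buf + line)
        buf = ""
    if buf:
        out.append(buf)
    return out


def _decode_value(raw):
    """Convert the right-hand side of a .reg assignment to a Python value."""
    if raw.startswith('"') and raw.endswith('"'):  # REG_SZ, backslashes are doubled
        return raw[1:-1].replace("\\\\", "\\")
    if raw.startswith("dword:"):  # REG_DWORD, hexadecimal
        return int(raw[6:], 16)
    if raw.startswith("hex(2):"):  # REG_EXPAND_SZ stored as UTF-16LE bytes
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b)
        return data.decode("utf-16-le").rstrip("\x00")
    return raw


def parse_reg(text):
    """Return {key_path_lowercased: {value_name: value}} for a .reg export."""
    keys, current = {}, None
    for line in _join_continuations(text):
        if not line or line.startswith(";") or line.lower().startswith("windows registry"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(?:"([^"]+)"|@)=(.*)$', line)
        if m and current is not None:
            keys[current][m.group(1) or "@"] = _decode_value(m.group(2))
    return keys


def find_indicators(text):
    """List findings matching the registry behaviour described in the post."""
    findings = []
    for key, values in parse_reg(text).items():
        if key.startswith(SERVICES_PREFIX):
            rest = key[len(SERVICES_PREFIX):]
            svc = rest.split("\\")[0]
            if rest == svc and svc in WATCHED_SERVICES and values.get("Start") == 4:
                findings.append(f"security service {svc} disabled (Start=4)")
            if rest == svc + "\\parameters":  # svchost-hosted service: check where its DLL lives
                dll = str(values.get("ServiceDll", "")).lower()
                if dll and not dll.startswith(TRUSTED_DLL_DIRS):
                    findings.append(f"service {svc} loads ServiceDll from unusual path: {dll}")
        elif key == ADVANCED_KEY:
            if values.get("Hidden") == 2 or values.get("SuperHidden") == 0:
                findings.append("Explorer configured to hide hidden/system files")
    return findings


# Constructed sample export: two disabled security services, a legitimate Dhcp
# service DLL under system32, a rogue DLL in %Temp%, and Explorer hiding files.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,\
  73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,68,00,63,00,70,00,63,00,73,00,76,00,\
  63,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\qtlsvnx\Parameters]
"ServiceDll"=hex(2):25,00,54,00,65,00,6d,00,70,00,25,00,5c,00,71,00,74,00,6c,00,73,00,76,00,6e,00,\
  78,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"SuperHidden"=dword:00000000
"""

if __name__ == "__main__":
    print(*find_indicators(SAMPLE_EXPORT), sep="\n")
```

Run it against an export of HKLM\SYSTEM\CurrentControlSet\Services and of the user's Explorer\Advanced key. A disabled wuauserv or BITS on its own is not proof of infection (administrators disable them too), so treat the output as triage input and confirm with an up-to-date antivirus scan as the earlier post recommends.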