(Uninstall Instructions)
Thanks to Grinler for the instructions !
What this program does:
The Downadup, or Conficker, infection is a worm that predominantly spreads by exploiting the MS08-067 Windows vulnerability, but it also includes the ability to infect other computers via network shares and removable media. Not since the Sasser and MSBlaster worms have we seen such a widespread infection as we are seeing with the Downadup worm. In fact, according to anti-virus vendor F-Secure, the Downadup worm has infected over 8.9 million computers. Microsoft has addressed the problem by releasing a patch to fix the Windows vulnerability, but there are still many computers that do not have this patch installed, and thus the worm has been able to propagate throughout the world.
When installed, Conficker / Downadup will copy itself to your C:\Windows\System32 folder as a random named DLL file. If it has problems copying itself to the System32 folder, it may instead copy itself to the %ProgramFiles%\Internet Explorer or %ProgramFiles%\Movie Maker folders. It will then create a Windows service that automatically loads this DLL via svchost.exe, which is a legitimate file, every time you turn on your computer. The infection will then change a variety of Windows settings that will allow it to efficiently infect other computers over your network or the Internet.
MORE: http://www.bleepingcomputer.com/malware-removal/remove-downadup-conficker
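The persistence described above (a service whose DLL is loaded by the legitimate svchost.exe, with the DLL sitting in System32 or, as a fallback, under Internet Explorer or Movie Maker) can be triaged from the service registry entries. The script below is an added defender-side example, not code from this thread or from any vendor it cites. It reads the standard Windows layout HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath and ...\<name>\Parameters\ServiceDll (a known Windows fact, not taken from the page), flags service DLLs in the two fallback folders, and optionally compares System32 DLL names against a baseline you maintain. The SAMPLE data and the DLL names in it are constructed.

```python
"""Added defender-side check: enumerate svchost-hosted services and flag
ServiceDll locations that match the drop points the thread describes.
Registry layout used (a Windows fact, not from the page):
HKLM\\SYSTEM\\CurrentControlSet\\Services\\<name>\\ImagePath and
HKLM\\SYSTEM\\CurrentControlSet\\Services\\<name>\\Parameters\\ServiceDll.
SAMPLE below is constructed illustration data."""

# Folder markers the thread names as fallback copy locations. A service DLL
# living in either of them is unusual and deserves a manual look.
SUSPICIOUS_MARKERS = ("\\internet explorer\\", "\\movie maker\\")


def triage(services, known_good=None):
    """services: iterable of dicts {name, image_path, service_dll}.
    known_good: optional set of lowercase DLL basenames you expect under
    System32 on this build (your own baseline, assumed to exist).
    Returns a list of (service name, ServiceDll, reason) for svchost-hosted
    entries worth reviewing."""
    findings = []
    for svc in services:
        image = (svc.get("image_path") or "").lower()
        dll = svc.get("service_dll") or ""
        if "svchost.exe" not in image or not dll:
            continue  # only svchost-hosted services load a ServiceDll
        low = dll.strip('"').lower()
        base = low.rsplit("\\", 1)[-1]
        hit = None
        for marker in SUSPICIOUS_MARKERS:
            if marker in low:
                hit = "service DLL in %s folder" % marker.strip("\\")
                break
        if (hit is None and known_good is not None
                and "\\system32\\" in low and base not in known_good):
            hit = "svchost DLL in System32 not in baseline"
        if hit:
            findings.append((svc["name"], dll, hit))
    return findings


def read_services_from_registry():
    """Live collection on Windows via winreg; returns [] on other platforms."""
    try:
        import winreg
    except ImportError:
        return []
    base = r"SYSTEM\CurrentControlSet\Services"
    out = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base) as root:
        i = 0
        while True:
            try:
                name = winreg.EnumKey(root, i)
            except OSError:
                break  # no more subkeys
            i += 1
            entry = {"name": name, "image_path": None, "service_dll": None}
            try:
                with winreg.OpenKey(root, name) as k:
                    entry["image_path"] = winreg.QueryValueEx(k, "ImagePath")[0]
                with winreg.OpenKey(root, name + r"\Parameters") as p:
                    entry["service_dll"] = winreg.QueryValueEx(p, "ServiceDll")[0]
            except OSError:
                pass  # service has no ImagePath or no Parameters\ServiceDll
            out.append(entry)
    return out


# Constructed sample: one normal svchost service, one DLL dropped in the
# Movie Maker folder, one non-svchost service, one unknown System32 DLL.
SAMPLE = [
    {"name": "Dnscache",
     "image_path": r"%SystemRoot%\system32\svchost.exe -k NetworkService",
     "service_dll": r"%SystemRoot%\System32\dnsrslvr.dll"},
    {"name": "abcdefgh",
     "image_path": r"%SystemRoot%\system32\svchost.exe -k netsvcs",
     "service_dll": r"C:\Program Files\Movie Maker\xyzqw.dll"},
    {"name": "Spooler",
     "image_path": r"%SystemRoot%\system32\spoolsv.exe",
     "service_dll": None},
    {"name": "qrstuv",
     "image_path": r"%SystemRoot%\system32\svchost.exe -k netsvcs",
     "service_dll": r"%SystemRoot%\System32\qrstuv.dll"},
]

if __name__ == "__main__":
    live = read_services_from_registry()
    for name, dll, reason in triage(live or SAMPLE, known_good={"dnsrslvr.dll"}):
        print("%-12s %-45s %s" % (name, dll, reason))
```

Without a baseline only the folder rule fires; supplying a set of the System32 service DLL names from a known-clean machine of the same build also surfaces random-named DLLs in System32, which is where the thread says the worm normally lands.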
Thanks for the update and for the link, it worked for me and I got rid of that worm.
9 March 2009
According to Symantec the Conficker worm has been modified to cause more damage. Previously the worm had only contacted about 250 domains a day to look for commands and download new code. Symantec reports that there is a new variant of Conficker using an algorithm which will contact up to 50,000 domains a day. The new domain generation algorithm also uses one of 116 possible domain suffixes.
This is expected to make it harder for anti-virus specialists, ICANN and OpenDNS to block the domains that Conficker will use, and makes it much more likely that Conficker will be generating addresses that point to legitimate sites. Although Conficker generates the domain name from a random combination of letters and should be creating domains that point to largely unused addresses, it is possible to find companies who have domains whose names match the generated addresses. For example, the previous generation of the worm is expected to call wnsux.com on March 13th, a domain owned by Southwest Airlines.
More: http://www.h-online.com/security/Conficker-modified-for-more-mayhem--/news/112802
BitDefender has released what it claims is the first vaccination tool to remove the notorious Conficker virus that infected some 9 million Windows machines in about three months.
More and removal tool: http://www.networkworld.com/news/2009/031209-romanians-find-cure-for.html
2 different versions, one for a network and one for NON network. Instructions say it is best to download to a CD on to a NON infected machine. You also need to create a Sophos account.
http://www.sophos.com/support/knowledgebase/article/54457.html
The folks over at SRI have published interesting additional information on Conficker.C. Worth reading. Link here.
In this addendum report, we summarize the inner workings and practical implications of this latest malicious software application produced by the Conficker developers. In addition to the dual layers of packing and encryption used to protect A and B from reverse engineering, this latest variant also cloaks its newest code segments, along with its latest functionality, under a significant layer of code obfuscation to further hinder binary analysis. Nevertheless, with a careful mixture of static and dynamic analysis, we attempt here to summarize the internal logic of Conficker C.
Alex Eckelberry
http://sunbeltblog.blogspot.com/index.html
"Millions of computers around the world could go into meltdown on April 1 because of a deadly virus."
Those are the words from a report in today's soaraway Sun, a British tabloid newspaper.
With that kind of talk in a national newspaper (and there are plenty of other examples in the media at the moment) you could understand why some companies and home users might be worried about what might happen next Wednesday.
Well, as I've already mentioned on the blog, no-one knows what Conficker might or might not do on April 1st.
It's quite possible that Conficker will not do anything significant on April 1st. Certainly it won't be "deadly" and your computers won't melt.
More: http://www.sophos.com/blogs/gc/
Date: 03.30.2009
Threat Type: Malicious Web Site / Malicious Code
April's approach has created a lot of chatter about Conficker, a worm largely considered to be one of the most widespread infections in recent years. Some estimates put peak infection at over 10,000,000 hosts.
A large effort has been made by the white-hat community and the Conficker Cabal Group to mitigate Conficker infections, and with success. The current estimate indicates that the number of infected hosts has fallen to 1 to 2 million, which is still a very large number when factored against recent bot counts.
There is a good deal of speculation about what's going to happen on April 1, a special date that is hard coded into the latest variant of the worm's binary file. The wider Internet community is fortunate in that some very good research has been conducted into the different variants of the worm: A, B, B++ & C.
More: http://securitylabs.websense.com/content/Alerts/3329.aspx
Security experts have made a breakthrough in their five-month battle against the Conficker worm, with the discovery that the malware leaves a fingerprint on infected machines that is easy to detect using a variety of off-the-shelf network scanners.
The finding means that, for the first time, administrators around the world have easy-to-use tools to positively identify machines on their networks that are contaminated by the worm. As of mid-Monday, signatures will be available for at least half a dozen network scanning programs, including the open-source Nmap, McAfee's Foundstone Enterprise and Nessus, made by Tenable Network Security.
http://www.theregister.co.uk/2009/03/30/conficker_signature_discovery/
Hope this helps.
Grif
Some people are getting hysterical about Conficker’s deadly payload on April 1.
Relax.
Randy Abrams at ESET does a nice job of explaining the situation:
Yeah, Conficker is a serious problem, but not for home and corporate users who employ best practices already. The real problem is for the security professionals trying to prevent the worm from impacting the millions of people who fail to learn anything about security.
So, you still want to protect against Conficker? Here is what to do. Make sure that the Windows Security Center is functioning and you are up to date on your Microsoft security patches. You can go to http://update.microsoft.com to manually check for updates. Make sure your antivirus product is up to date. Your antivirus product should be tested by Virus Bulletin (www.virusbtn.com) and/or certified by ICSA Labs, or have West Coast Labs Checkmark certification. Send me an email at askeset@eset.com if you need help determining this. Exercise caution in what websites you visit and never open attachments unless you have verified that you know the person who sent them, that they really meant to send the attachment, and that they also know what it is. These instructions are not specifically for Conficker; this is simply part of how you protect against all of the threats out there.
More: http://sunbeltblog.blogspot.com/index.html
Thursday, April 2, 2009
Where in the world are the Conficker-infected machines today?
Shadowserver and Conficker Working Group have the maps:
http://www.f-secure.com/weblog/
Thursday, April 2, 2009
As we posted Conficker Q&A prior to April 1st it wouldn't be right if we didn't do one after the event.
Q: First off, how do I know if I'm infected?
A: Joe Stewart has created a very simple test that's available at the Conficker Working Group's site. Click here to try it out. If it says you're infected you can find a bunch of removal tools on the same site, including F-Secure's.
More: http://www.f-secure.com/weblog/
3 April 2009
Joe Stewart of SecureWorks has developed a simple test which reveals at a glance whether or not a system has been infected with one of the widespread versions of Conficker. The H now offers our own version of this test page.
Once a Conficker infection is suspected on a system, the anti-virus software installed on that system can no longer be trusted. The malware terminates a number of security mechanisms and prevents the start of certain programs. The new test is based on the fact that Conficker blocks access to various security and anti-virus pages. It includes a page that shows images from normal sites and from blocked sites. If only the images from the AV vendors are missing, there is a high likelihood that the computer has been infected with Conficker, or with another type of malware that behaves in a similar way.
More: http://www.h-online.com/security/Simple-Conficker-test-for-end-users--/news/112995
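The test page described above works by comparing which images load: controls from ordinary sites against images hosted by security vendors. The script below is an added example of that decision logic, not the code of The H's or the Conficker Working Group's test page. The URLs are placeholders (`.example` hosts you would replace with real control and vendor image URLs), and the load results used in the sample verdicts are constructed; the probe function itself does real HTTP fetches when you run it.

```python
"""Added example of the 'eye chart' test logic: fetch a set of control images
and a set of security-vendor images, then classify the pattern of failures.
URLs are placeholders; the sample results are constructed, not observed."""
import urllib.request

# Placeholder URLs (assumption): replace with real image URLs of your choice.
CONTROL_URLS = [
    "https://control-a.example/img.png",
    "https://control-b.example/img.png",
]
SECURITY_URLS = [
    "https://av-vendor-1.example/logo.png",
    "https://av-vendor-2.example/logo.png",
]


def probe(urls, timeout=5):
    """Try to fetch each URL; map url -> True if a 2xx response came back."""
    results = {}
    for url in urls:
        try:
            with urllib.request.urlopen(url, timeout=timeout) as resp:
                results[url] = 200 <= resp.status < 300
        except Exception:  # DNS failure, timeout, HTTP error: all count as blocked
            results[url] = False
    return results


def classify(control, security):
    """control / security: dict url -> loaded (bool). Returns a verdict.

    The thread's rule: if the control images load but *only* the security
    vendor images are missing, the host is probably blocking security sites
    the way Conficker does (or the way similar malware does)."""
    ctl_ok = sum(1 for ok in control.values() if ok)
    sec_ok = sum(1 for ok in security.values() if ok)
    if ctl_ok == 0:
        return "no-connectivity"   # nothing loads, so no conclusion possible
    if sec_ok == 0:
        return "likely-infected"   # controls fine, every vendor image blocked
    if sec_ok < len(security):
        return "partial-block"     # mixed result: check the failing vendor by hand
    return "clean-looking"         # everything loads


# Constructed sample: the pattern the thread describes as a likely infection.
SAMPLE_CONTROL = {u: True for u in CONTROL_URLS}
SAMPLE_SECURITY = {u: False for u in SECURITY_URLS}

if __name__ == "__main__":
    print("sample verdict:", classify(SAMPLE_CONTROL, SAMPLE_SECURITY))
    print("live verdict:  ", classify(probe(CONTROL_URLS), probe(SECURITY_URLS)))
```

The "partial-block" verdict is deliberately separate from "likely-infected": a single vendor image can fail for ordinary reasons (a CDN hiccup, a corporate proxy rule), so only the all-vendors-blocked pattern matches the signal the article relies on.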