Recently my laptop has received numerous threats of virus coming from our office network called WIN32Conficker.A worm and some of its aliases is given below;
Win32/Conficker.A (Microsoft), Crypt.AVL (AVG), Mal/Conficker-A (Sophos), Trojan.Win32.Pakes.lxf (F-Secure), Trojan.Win32.Pakes.lxf (Kaspersky), W32.Downadup (Symantec), Worm:Win32/Conficker.B (Microsoft), WORM_DOWNAD.A (Trend Micro)
I was shocked and worriedly thinking, “has my laptop has been infected?” I rushly looked for any solutions in the net about the said virus and some solutions. I’ve carefully red in the section of mcafee antivirus about the virus characteristics and how dangerous it is:
Quoted from Mcafee:
Virus Characteristics
When executed, the worm copies itself using a random name to the %Sysdir% folder.
(Where %Sysdir% is the Windows system folder; e.g. C:\Windows\System32)
It modifies the following registry key to create a randomly-named service on the affected syetem:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random}\Parameters\”ServiceDll” = “Path to worm”
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random}\”ImagePath” = %SystemRoot%\system32\svchost.exe -k netsvcs
Attempts to download a malware file from the remote website: (Rogue Russian site is up but not serving file anymore)
hxxp://trafficconverter.biz/[Removed]antispyware/[Removed].exe
Starts a HTTP server on a random port on the infected machine to host a copy of the worm.
Continuously scans the subnet of the infected host for vulnerable machines and executes the exploit. If the exploit is successful, the remote computer will then connect back to the http server and download a copy of the worm.
Analyzed malware does not have autorun or email capabilities.
Indications of Infection
This symptoms of this detection are the files, registry, and network communication referenced in the characteristics section.
Method of Infection
This worm exploits the MS08-067 Microsoft Windows Server Service vulnerability in order to propagate.
Machines should be patched and rebooted to protect against this worm re-infecting the system after cleaning.
Upon detection of this worm the system should be rebooted to clean memory correctly.
source taken: http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=153464
Quoted from Microsoft:
“[The worm] opens a random port between port 1024 and 10000 and acts like a web server. It propagates to random computers on the network by exploiting MS08-067. Once the remote computer is exploited, that computer will download a copy of the worm via HTTP using the random port opened by the worm. The worm often uses a .JPG extension when copied over and then it is saved to the local system folder as a random named dll.”
And hopefully, i found some fixes and solutions that can help us.
1. F-Secure Solution:
Removal tool specific to remove this conficker/Downadup worm, Download here = ftp://ftp.f-secure.com/anti-virus/tools/DownadupRemovalTool.zip
2. Mcafee provided solution:
- Users infected by W32/Conficker.worm should perform an On Demand Scan to remove remnants of the worm in memory using the latest DATs(Mcafee Site).
- Upon detection of W32/Conficker!mem and REBOOT, the W32/Conficker.worm malware components will be removed.
3. Trend Micro Solution:
Before deploying the sysclean package, you need to apply Microsoft MS08-067 Critical System Patch first.
Please do the following:1. Download and extract the sysclean package.
2. Download the latest Controlled Pattern File (CPR).
3. Download the latest Detection and Cleanup (Trend Micro Anti-Spyware) or the Ssapiptn.Da5 file.
4.Using GPO or any third party deployment tool (i.e. SMS or BigFix), copy items 1-3 to the infected computer.
5. Execute sysclean.com/FULLSILENT.
6. Reboot the infected computer.
Beyond of all solutions that has been provided, to ensure that you willl not be attacked by this virus again, make sure your Windows System is always updated (especially the Windows MS08-067 patch from October), also your Antivirus/Firewall Security.
