Conficker

As noted on the front page, along with my comment, Conficker is showing up (again) and I've been having issues with it. Originally it came into our network via an unprotected (new install) server that got infected before we got to the Windows Update site. It had then infected both of my USB keys. We formatted that server and redid it and it was fine after that. I scanned my USB keys with our corporate Trend and cleaned them out.

Now what is happening is that while all of our systems are clean of it, the remnants keep reappearing! By that, I mean the SID folder in the Recycler directory, and the autorun.inf. As far as I can tell, the virus wasn't doing anything more than making these files, and it is not showing up on any of our scans anymore, but these files keep showing up every couple of days on our UFDs.

Anyone else having a problem with this worm?



> Anyone else having a problem with this worm?

Not personally, but it is estimated that only one in three Windows networks are fully patched against it and some 3 million computers are actually infected. (That last figure varies, depending on who you believe.)

Microsoft have even published a KB article with detailed removal instructions. See KB962007: Virus alert about the Win32/Conficker.B worm.

KB962007 is well worth a read, to check if you've missed something...


I am wondering about this again. We have a customer that got it also. I checked my logs and we got it on the 14th, but it was only on my USB key. Trend cleaned out the rootkit and the autorun.inf, but that isn't the virus itself. Those are just files it creates. This makes me think that the virus does not propagate via other drives; in other words, it is not possible to spread it via UFDs.

Does this sound right? Our virus scan results are only finding the files it had created, not the virus itself. This leaves me in doubt: perhaps some of our servers are still infected with the virus but it isn't being detected?


It IS possible to spread Conficker (a.k.a. Downadup, a.k.a. Kido) via any external drive/USB device, provided AutoRun or AutoPlay is enabled.

I'm not sure how much you already know about Conficker, so apologies if you already know what follows...

The worm uses three separate modes of propagation:

  1. Via Autorun.inf + a randomly-named file in the RECYCLER\... folder
  2. Via network shares (Inside a network it goes hunting for Servers to (re-)infect)
  3. Via the MS08-067/kb958644 vulnerability

Most people seem to be making the mistake that once you have patched with kb958644 your troubles are over. Not so. At the very least you need to disable AutoRun and AutoPlay, then disinfect the entire network including all devices that attach to a USB port. Remember also that AutoRun is broken in Windows (including XP, 2003 and Vista), unless you have patched with kb950582, so a Group Policy to disable this may not work. See http://support.microsoft.com/kb/953252 for more information.

Network propagation of Conficker includes increasing the max number of half-open TCP connections to 268435456; hunting for servers and users with NetServerEnum and NetUserEnum; password cracking; taking over the DNS API and blocking Microsoft and most well-known AV and security websites...

The AV vendor F-Secure (who are, I think, bigger in Europe than in the USA) have plenty of useful information on this, including:

When is AUTORUN.INF really an AUTORUN.INF?

and

F-Secure Malware Information Pages: Worm:W32/Downadup.AL

If you cannot reach www.f-secure.com, then you are already infected with Conficker.


Yes, that's one of three tools I know of that you can use to disinfect with (the others being F-Secure's tool and Microsoft's own MRT version 2.6 - January 2009).

Symantec have a write-up of their W32.Downadup Removal Tool HERE, but they do say that you should disconnect each computer from the network to use it:-

Important:

* If you are on a network or have a full-time connection to the Internet, such as a DSL or cable modem, disconnect the computer from the network and Internet. Disable or password-protect file sharing, or set the shared files to Read Only, before reconnecting the computers to the network or to the Internet. ...

The above instructions do seem to be written with home users more in mind, as I can't see large networks doing that to every computer one-by-one!! However, since the worm very aggressively protects itself and floods the network with half-open connections, it may have to be taken down or partially taken-down anyway.

F-Secure's tool is available HERE.

Of course, the infected computer will not be able to connect to either Symantec or F-Secure, since Conficker (a.k.a. Downadup) blocks both. F-Secure suggest using their raw IP address, which is ftp://193.110.109.53/anti-virus/tools/beta/.

I have already mentioned Microsoft's removal instructions in my previous post. They now have a new blog post with more information and useful links HERE.

US-CERT have also issued an alert HERE

Their images illustrate that, in a network, a missing MS08-067 patch is not your only problem. For example:-

[Image: mapnetworkdrive.png]



The SANS Internet Storm Center (SANS ISC) have just posted some interesting new information about Conficker/Downadup, in the handler's diary: Some tricks from Conficker's bag.

First, there is some additional technical detail of an already-known behaviour of Conficker, namely the ability to patch the MS08-067 vulnerability in memory. Unless you have applied the REAL patch, this brings with it the risk of re-infection when disinfecting.

Secondly, Conficker uses an undocumented function to delete all System Restore points. That is why you cannot remove Conficker by returning to an earlier Restore Point. On the plus side, this does save you from searching and deleting Restore Points when disinfecting!!!

There are some 24 undocumented functions of srclient.dll, including the ResetSR() function used by Conficker, in addition to the documented SRSetRestorePointA() / SRSetRestorePointW() and SRRemoveRestorePoint().

For the curious, a full list can be found on the Sysinternals forum: http://forum.sysinternals.com/forum_posts.asp?TID=15352 in the second post.

