image thumb6 April 1st is coming beware of the Conficker worm and impending doom. Have you heard about the Conficker worm? It has been all over the media

Before you even continue reading make sure your Windows XP machine is patched up to Service Pack 3 and your Vista Machines are Service Pack 1. Now check out this information from the Symantec website:

The Conficker worm, sometimes called Downadup or Kido has managed to infect a large number of computers. Specifics are hard to come by, but some researchers estimate that millions of computers have been infected with this threat since January. Current users of Symantec’s Norton security products are protected. Users who lack protection are invited to download a trial version of Norton AntiVirus 2009,Norton Internet Security 2009 or Norton 360. All of these products will detect and remove this worm. Symantec has a detailed technical analysis of the threat here.

So even if Symantec is not being paid to protect your machine they will still help you out with removing Conficker. This is just another variant of an older worm and it is set to mutate again on the 1st.

We poked around the web a bit more and came across this on Cnet:

Even worm creators write buggy software.

Once it infects a computer, the Conficker worm closes the hole in Windows that it used to get onto the system so no other malware can get in. This also makes it difficult for organizations to detect which computers have the legitimate Microsoft patch and which have the fake Conficker patch.

Wow! Isn’t that nuts? They go on to say they have developed a proto-type of a scanner that can pick up the infection from Conficker. You can read the rest of that article here http://news.cnet.com/8301-1009_3-10207375-83.html. Read more after the jump.

Good news if you are using OpenDNS or are in the government:

The U.S. Department of Homeland Security has released a Conficker detection tool for government agencies and state and local governments to use that ws developed by US-CERT.

The OpenDNS security services provider blocks access to the domains listed in the Conficker code. Microsoft has more information on its site, as does Symantec. The Web site of the Conficker Working Group, which is composed of companies allied to combat Conficker, also has information and worm removal tools.

What does the Conficker worm do?

We don’t know the purpose of the Conficker worm. Today the worm has created an infrastructure that the creators of the worm can use to remotely install software on infected machines. What will that software do? We don’t know. Most likely the worm will be used to create a botnet that will be rented out to criminals who want to send SPAM, steal IDs and direct users to online scams and phishing sites.
The Conficker worm mostly spreads across networks. If it finds a vulnerable computer, it turns off the automatic backup service, deletes previous restore points, disables many security services, blocks access to a number of security web sites and opens infected machines to receive additional programs from the malware’s creator. The worm then tries to spread itself to other computers on the same network.

How does the worm infect a computer?

The Downadup worm tries to take advantage of a problem with Windows (a vulnerability) called MS08-067 to quietly install itself. Users who automatically receive updates from Microsoft are already protected from this. The worm also tries to spread by copying itself into shared folders on networks and by infecting USB devices such as memory sticks.

Who is at risk?

Users whose computers are not configured to receive patches and updates from Microsoft and who are not running an up to date antivirus product are most at risk. Users who do not have a genuine version of Windows from Microsoft are most at risk since pirated system usually cannot get Microsoft updates and patches.

What to do if you are infected

Use your Norton product to identify which variant of the worm is on your computer.

Follow the detailed removal instructions for the specific version of the of the worm. These can be found here:
W32.Downadup.A writeup
W32.Downadup.B writeup
W32.Downadup.C writeup

Advice to Stay Safe from the Downadup Worm:

Run a good security suite (we are partial to Norton Internet Security and Norton 360).

Keep your computer updated with the latest patches. If you don’t know how to do this, have someone help you set your system to update itself.

Don’t use “free” security scans that pop up on many web sites. All too often these are fake, using scare tactics to try to get you to purchase their “full” service. In many cases these are actually infecting you while they run. There is reason to believe that the creators of the Conficker worm are associated with some of these fake security products.

Turn off the “autorun” feature that will automatically run programs found on memory sticks and other USB devices.

Be smart with your passwords. This includes

  1. Change your passwords periodically
  2. Use complex passwords – no simple names or words, use special characters and numbers
  3. Using a separate, longer password for each site that has sensitive personal information or access to your bank accounts or credit cards.

Additional Reading:

Conficker flaw reveals which computers are infected

Researchers find flaw in Conficker that lets them detect which computers have the legitimate Microsoft patch and which were “patched” by the worm itself.
• Conficker demonstrates complexity of IT security
(Posted in Security by Elinor Mills)
March 30, 2009 1:54 p.m. PDT

090330 virus April 1st is coming beware of the Conficker worm and impending doom.

Podcast: Conficker worm dissected

David Perry, education director of Internet security company Trend Micro, discusses the implications of the worm.
(Posted in Larry Magid at Large by Larry Magid)
March 30, 2009 11:04 p.m. PDT

Conficker worm might originate in China

A Vietnamese security firm concludes that the Conficker worm has the same root as the Nimda, which the firm believes originated in China.
• Malware probes find a China angle
(Posted in Security by Dong Ngo)
March 29, 2009 7:30 p.m. PDT

’60 Minutes’: What’s next for the Conficker worm?

A report on the CBS News television news program examines one of the Internet’s most dangerous computer worms.
(Posted in Security by CBS Interactive staff)
March 29, 2009 7:00 p.m. PDT

FAQ: Conficker time bomb ticks, but don’t expect boom

Worm’s latest variant is set to start hitting random domains on April 1. But security experts say the damage might not be as serious as the hype suggests.
• U.K. parliament computers get Confickered
(Posted in Security by Elinor Mills)
March 25, 2009 5:10 p.m. PDT

What are you doing to stay safe? Share it with us in the comments!

_TheDoTheWormAdmiN_