Worm Conficker
by Kukuruzman on Jan.22, 2009, under Viruses
In this article I'll try to describe how to remove the Conficker worm from your system.
Depending on the antivirus program you have, this worm may be detected under a different name:
- Symantec: W32.Downadup.B
- Kaspersky: Net-Worm.Win32.Kido.fw
- F-Secure: Worm:W32/Downadup.gen!A
- Sophos: Mal/Conficker-A
- Panda: Trj/Downloader.MDW
- Grisoft: I-Worm/Generic.CJY
- Eset: a variant of Win32/Conficker.AE worm
- Bitdefender: Win32.Worm.Downadup.Gen
The easiest way to tell that you are infected is to try to access these websites:
This is not the whole list of websites that can be blocked. In this way the worm tries
to prevent you from updating your antivirus definition files and Windows itself.
On an infected machine the Automatic Updates and BITS services will also be disabled.
The Server and Workstation services can be disabled as well.
In our environment we identified three ways it spreads:
1. Via autorun on removable storage devices such as USB sticks or external USB hard drives.
On the removable drive it creates an autorun.inf file and a RECYCLED folder.
The best way to prevent the worm from spreading through autorun is to disable autorun
on your workstations. To disable it, save the following as a .reg file and merge it into the registry
(double-click it, or run regedit /s on it):
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"
This maps every Autorun.inf to a registry key that does not exist, so Windows ignores the file's contents.
After the registry modification, reboot the PC.
To re-enable autorun, remove the "Autorun.inf" key and reboot the PC.
Note!!!
This registry entry was tested on Windows XP only.
2. The worm tries to disguise itself as an image file, using these extensions:
- .bmp
- .gif
- .png
- .jpg
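As an added example (not code from the original post), here is a Python script that checks a removable drive for the two indicators above: an autorun.inf whose launch directive points into the RECYCLER/RECYCLED folder, and files in that folder whose .vmx or image extension hides a Windows executable (checked by the PE "MZ" header rather than by trusting the name). The folder name, SID, file name and the rundll32 directive in the built-in sample are constructed for the demonstration, not taken from the worm.

```python
"""Check a removable drive for the autorun indicators described above.
Point scan_drive() at the drive root (e.g. 'E:\\'); with no argument the
script builds a constructed sample layout in a temp directory and scans that."""
import os
import re
import sys
import tempfile
from typing import Dict, List

RECYCLE_DIRS = ('recycler', 'recycled')          # both spellings appear in the article
EXEC_KEYS = ('open', 'shellexecute')             # autorun.inf keys that launch a program
COMMAND_KEY = re.compile(r'shell\\[^\\=]+\\command', re.IGNORECASE)
# Extensions the article says the worm hides behind (.vmx) or disguises itself as.
DISGUISE_EXTS = ('.vmx', '.bmp', '.gif', '.png', '.jpg')

def parse_autorun_inf(text: str) -> Dict[str, str]:
    """Return the key=value directives of the [autorun] section.
    Lines that are not clean key=value pairs (padding, binary junk) are skipped,
    since a hostile autorun.inf need not be tidy."""
    directives: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';'):
            continue
        if line.startswith('['):
            in_autorun = line.lower().startswith('[autorun')
            continue
        if in_autorun and '=' in line:
            key, _, value = line.partition('=')
            key = key.strip().lower()
            if re.fullmatch(r'[a-z0-9_\\.]+', key):
                directives[key] = value.strip()
    return directives

def launch_targets(directives: Dict[str, str]) -> List[str]:
    """Commands Windows would run from these directives."""
    return [v for k, v in directives.items()
            if k in EXEC_KEYS or COMMAND_KEY.fullmatch(k)]

def is_pe_file(path: str) -> bool:
    """True if the file starts with the 'MZ' signature of a Windows executable/DLL."""
    with open(path, 'rb') as f:
        return f.read(2) == b'MZ'

def scan_drive(root: str) -> List[str]:
    """Report autorun.inf launch targets inside a recycle folder and disguised PE files."""
    findings: List[str] = []
    inf = os.path.join(root, 'autorun.inf')
    if os.path.isfile(inf):
        with open(inf, 'r', encoding='latin-1') as f:   # decodes any byte, never fails
            for target in launch_targets(parse_autorun_inf(f.read())):
                if any(d in target.lower() for d in RECYCLE_DIRS):
                    findings.append('autorun.inf launches from a recycle folder: ' + target)
    for name in os.listdir(root):
        if name.lower() in RECYCLE_DIRS:
            for dirpath, _, files in os.walk(os.path.join(root, name)):
                for fn in files:
                    path = os.path.join(dirpath, fn)
                    if fn.lower().endswith(DISGUISE_EXTS) and is_pe_file(path):
                        ext = os.path.splitext(fn)[1]
                        findings.append('executable disguised as %s: %s' % (ext, path))
    return findings

def build_sample_drive(root: str) -> None:
    """Constructed layout for testing; folder SID, file name and directive are invented."""
    payload_dir = os.path.join(root, 'RECYCLER', 'S-1-5-21-1111-2222-3333-1000')
    os.makedirs(payload_dir)
    with open(os.path.join(payload_dir, 'qzwvmk.vmx'), 'wb') as f:
        f.write(b'MZ' + b'\x00' * 62)             # PE header stub, not a real binary
    with open(os.path.join(root, 'autorun.inf'), 'wb') as f:
        f.write(b'[autorun]\r\n'
                b'\x8a\x91=\xfe\x00junk\r\n'      # padding a naive parser would choke on
                b'shellexecute=rundll32.exe .\\RECYCLER\\S-1-5-21-1111-2222-3333-1000\\qzwvmk.vmx,entry\r\n'
                b'icon=%SystemRoot%\\system32\\shell32.dll,4\r\n')

def demo() -> List[str]:
    """Build the constructed sample in a temp directory and scan it."""
    root = tempfile.mkdtemp()
    build_sample_drive(root)
    return scan_drive(root)

if __name__ == '__main__':
    results = scan_drive(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for finding in results or ['no autorun indicators found']:
        print(finding)
```

The extension check alone would miss a payload with a name the script does not expect; the MZ test is the part worth keeping, since a file that claims to be an image but starts with a PE header is hostile regardless of what it is called.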
3. The worm can spread over the network using a Windows vulnerability in the RPC service (MS08-067).
Once on your PC, the worm copies itself to the following locations:
- %all shared folders%\RECYCLER\S-%number%\%random character string%.vmx
- %ProgramFiles%\Internet Explorer\%random character string%.dll
- %ProgramFiles%\Movie Maker\%random character string%.dll
- %System%\%random character string%.dll
- %Temp%\%random character string%.dll
- %ALLUSERSPROFILE%\Application Data\%random character string%.dll
The following registry keys are added so that the service is loaded after reboot:
- HKLM\SYSTEM\CurrentControlSet\Services\%random words%\Parameters\
  "ServiceDll" = "%path and filename of the malware copy%"
- HKLM\SYSTEM\CurrentControlSet\Services\%random words%\
  "ImagePath" = "%SystemRoot%\system32\svchost.exe -k netsvcs"
  "Type" = "4"
  "Start" = "4"
  "ErrorControl" = "4"
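The service registration above can be hunted for offline. As an added example (not part of the original article), the following Python parses a `reg export` of the Services key and flags svchost-hosted services whose ServiceDll is outside System32 or sits in one of the drop directories listed above, or whose Type is not the shared-process value 0x20 that a svchost-hosted DLL normally has (the article quotes Type 4). The service name "ztqxw", the DLL name and the Themes/Spooler entries in the embedded sample export are constructed for the demonstration.

```python
"""Hunt for the svchost-hosted service registration described above.
On the suspect machine run:  reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg
then feed that file to this script (no argument scans the built-in sample)."""
import re
import sys
from typing import Dict, List

# Drop directories the article lists (other than %System%), matched anywhere in a path.
DROP_DIR_RE = re.compile(r'[\\%](internet explorer|movie maker|temp|application data)[\\%]',
                         re.IGNORECASE)
# A DLL hosted by svchost.exe is SERVICE_WIN32_SHARE_PROCESS (0x20), optionally interactive.
SHARED_PROCESS_TYPES = (0x20, 0x120)

# Constructed export: one normal svchost service, one non-svchost service, and one hostile
# entry with invented names and the Type/Start/ErrorControl values quoted in the article.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Themes]
"Type"=dword:00000020
"Start"=dword:00000002
"ImagePath"="%SystemRoot%\\System32\\svchost.exe -k netsvcs"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Themes\Parameters]
"ServiceDll"="%SystemRoot%\\System32\\shsvcs.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"Type"=dword:00000110
"ImagePath"="%SystemRoot%\\system32\\spoolsv.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ztqxw]
"Type"=dword:00000004
"Start"=dword:00000004
"ErrorControl"=dword:00000004
"ImagePath"="%SystemRoot%\\system32\\svchost.exe -k netsvcs"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ztqxw\Parameters]
"ServiceDll"=hex(2):25,00,54,00,65,00,6d,00,70,00,25,00,5c,00,71,00,7a,00,77,00,\
  76,00,6d,00,6b,00,2e,00,64,00,6c,00,6c,00,00,00
'''

def _decode_value(raw: str):
    """Decode the right-hand side of one .reg export line."""
    if raw.startswith('"') and raw.endswith('"'):                 # REG_SZ
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    m = re.fullmatch(r'dword:([0-9a-fA-F]{8})', raw)              # REG_DWORD
    if m:
        return int(m.group(1), 16)
    m = re.fullmatch(r'hex(?:\((\d+)\))?:(.*)', raw)               # hex(2)=EXPAND_SZ, hex(7)=MULTI_SZ
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(',') if b)
        if m.group(1) in ('2', '7'):
            return data.decode('utf-16-le').rstrip('\x00')
        return data
    return raw

def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Parse a Regedit 5.00 export into {key_path: {value_name: value}}.
    Hex values wrapped with a trailing backslash are joined into one logical line first."""
    logical: List[str] = []
    buf = ''
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith('\\'):
            buf += line[:-1]
            continue
        logical.append(buf + line)
        buf = ''
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for line in logical:
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and '=' in line:
            name, _, value = line.partition('=')
            keys[current][name.strip('"')] = _decode_value(value)
    return keys

def find_suspicious_services(keys: Dict[str, Dict[str, object]],
                             root: str = r'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services') -> List[dict]:
    """Return svchost-hosted services whose ServiceDll location or Type looks wrong."""
    prefix = (root + '\\').lower()
    hits: List[dict] = []
    for path, values in keys.items():
        if not path.lower().startswith(prefix) or '\\' in path[len(prefix):]:
            continue                                   # only top-level service keys
        if 'svchost.exe' not in str(values.get('ImagePath', '')).lower():
            continue
        dll = str(keys.get(path + '\\Parameters', {}).get('ServiceDll', ''))
        low = dll.lower()
        reasons: List[str] = []
        if dll and not low.startswith(('%systemroot%\\system32\\', 'c:\\windows\\system32\\')):
            reasons.append('ServiceDll outside System32: ' + dll)
        if DROP_DIR_RE.search(dll):
            reasons.append('ServiceDll in a directory the worm drops into: ' + dll)
        typ = values.get('Type')
        if isinstance(typ, int) and typ not in SHARED_PROCESS_TYPES:
            reasons.append('Type=0x%x is not a shared-process (0x20) service' % typ)
        if reasons:
            hits.append({'service': path[len(prefix):], 'dll': dll, 'reasons': reasons})
    return hits

if __name__ == '__main__':
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding='utf-16') as f:   # reg.exe writes UTF-16 with a BOM
            text = f.read()
    else:
        text = SAMPLE_EXPORT
    for hit in find_suspicious_services(parse_reg_export(text)):
        print(hit['service'], hit['dll'], '; '.join(hit['reasons']))
```

A copy dropped into %System% under a random name passes the path check, so for netsvcs entries whose DLL does live in System32, compare the ServiceDll names against a clean machine of the same build or check the files' digital signatures.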
It uses the following login information to gain access to remote machines,
so it is better to change weak passwords such as "11111" or "admin".
You may also see attempts to connect to these websites:
http://www.getmyip.org
http://www.whatsmyipaddress.com
http://getmyip.co.uk
http://checkip.dyndns.org
The worm does this to learn your external IP address and report it to the "bad people",
which lets them control your system later.
Here are the steps we performed to remove this worm in our network:
If you have a domain and there are infected machines in it, do NOT log in to the
infected PCs with a DOMAIN ADMINISTRATOR account while they are connected to the
network (the worm can reuse the logged-on user's credentials to reach other machines' shares); use a local admin account instead.
1. Disable network connection on the infected PCs;
2. Disable System Restore on the infected PCs;
3. Download the MS08-067 vulnerability fix:
http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
4. Run the following tool on the infected system to remove the worm:
Microsoft® Windows® Malicious Software Removal Tool
You can use other removal tools if you don't trust Microsoft's:
Bitdefender removal tool, Symantec removal tool, or just use Google to find one you like better.
5. Restart the PC and install the fix from Microsoft to prevent the machine from being infected
again in the future;
6. Plug in your network cable;
7. Update your antivirus program;
8. Perform a full system scan with your antivirus program.
Hope this helps you to kill the worm on your systems.
Good luck!
Related links:
http://en.wikipedia.org/wiki/Conficker
http://www.eset.com/threat-center/blog/?p=433
http://www.avira.com/en/threats/section/fulldetails/id_vir/4474/worm_conficker.html
January 22nd, 2009 on 07:58
Very helpful article! Thanks!
January 22nd, 2009 on 16:11
The best way to solve the virus problem is to use Linux, dude
January 22nd, 2009 on 16:16
And good article by the way
January 22nd, 2009 on 17:08
Let the holywar begin!
January 28th, 2009 on 07:22
Good work! Thank you!
I always wanted to write something like that on my site. Can I use part of your post on my blog?
Of course, I will add a backlink.
Regards, Timur I. Alhimenkov
January 28th, 2009 on 07:32
@Timur I.
Thanks for your feedback. Hope it helped you.
Sure, you can use part of it.
Please don't forget the backlink.
January 31st, 2009 on 08:33
kukuruzman.com - cooooolest domain name)))
February 1st, 2009 on 10:11
kukuruzman.com - now in my rss reader)))
February 3rd, 2009 on 22:37
yo, kukuruzman.com great name for site)))
February 4th, 2009 on 12:32
Hello, I can't understand how to add your blog ( kukuruzman.com ) to my RSS reader
February 5th, 2009 on 04:38
Hi there
If anyone knows of or can provide one..
I need a UK VPN account.. (to bypass blocks, unblock sites etc..)
I already have a USA VPN account..
I don't want to provide a VPN service..
I want to buy and enjoy one..
February 6th, 2009 on 04:40
Your site displays incorrectly in Firefox, but content excellent! Thank you for your wise words =)
February 6th, 2009 on 07:09
@Thiscecyfef
To add kukuruzman.com to your RSS reader press “RSS” button in the right corner on top of the page, then choose application you want to use for RSS feeds and press “Subscribe Now” button.
@Gakealtewly
You are welcome. What exactly is displayed incorrectly in Firefox ?
March 21st, 2009 on 16:35
Where's the creativity? What is this nonsense? Where are the laughs, with a site name like that?
March 24th, 2009 on 18:11
This is a serious site, what laughs?
March 25th, 2009 on 13:48
Hi, I read your blog from time to time and I own a similar one, and I was just wondering if you get a shitload of spam? If so, how do you control it? Any plugin or something you can suggest? I get so much it's driving me insane, so any help is much appreciated.
July 20th, 2009 on 13:23
Hey man,
great website. I have the conficker.ae worm (as detected by my ESET antivirus) on my USB device. Even after formatting it several times, it still sits there. I've tried running several Downadup removal tools after saving them on my USB, but even they do not remove it. It still pops up every time I connect it to my computer. Luckily my computer hasn't been infected. But how do I remove it from my USB? I've googled a lot but can't find any solution.