Conflicker Worm is here!

Yes folks, it looks like the worm is very active again.
Please take the time to protect yourself and your data. A few minutes of safety can save hours or days of frustration and money.

The worm started spreading late last year, infecting millions of computers and turning them into “slaves” that respond to commands sent from a remote server that effectively controls an army of computers known as a botnet.

The worm quietly turns infected personal computers into e-mail spam servers, flooding other users with malicious messages, and loads additional malware onto the computers under the botnet operators' control.
According to the Russia-based security company Kaspersky Lab:
“Conficker installs a second virus, known as Waledac, that sends out e-mail spam without knowledge of the PC’s owner, along with a fake anti-spyware program.
The Waledac virus recruits the PCs into a second botnet that has existed for several years and specializes in distributing e-mail spam.
Conficker also carries a third virus that warns users their PCs are infected and offers them a fake anti-virus program, Spyware Protect 2009 for $49.95.
If they buy it, their credit card information is stolen and the virus downloads even more malicious software.”

Please don’t be one of those who get scammed, lose control of their system or lose their data altogether.

Microsoft has some good resources here:
http://www.microsoft.com/protect/computer/viruses/worms/conficker.mspx

And offers a great free scan that I recommend here:
http://onecare.live.com/site/en-us/default.htm

For further steps you can take read my two previous posts:
http://mycraniumdrain.blogspot.com/2009/03/conflicker-protection.html

http://mycraniumdrain.blogspot.com/2009/03/more-conflicker-check-for-infection.html

Peace and safe computing

MORE CONFLICKER – CHECK FOR INFECTION

CONFLICKER UPDATE:

Symantec’s got a pretty simple (and free) tool specifically for Conficker:
Download this file on an uninfected computer, follow the steps, and you should be okay.

Or.

Doxpara Research has released a scanner to check for Conficker infection.

Security expert Dan Kaminsky, working with the Honeynet Project's Tillmann Werner and Felix Leder, has discovered an easier way to detect whether a machine on a network is infected by Conficker.
Dan writes: "What we've found is pretty cool: Conficker actually changes what Windows looks like on the network, and this change can be detected remotely, anonymously, and very, very quickly. You can literally ask a server if it's infected with Conficker, and it will tell you."

Go here:
http://www.doxpara.com/
download the scanner:
http://www.doxpara.com/scs.zip
Extract it to a folder and run it against your workstations and servers:
Open a command window – Start > Run > type 'cmd'

Navigate to the extracted directory and run the scanner against each individual computer.
Example:
C:\yourdesktop\scs\scs>scs.exe 192.168.31.2
[For the admins out there: you can use a host file to cover a range of IPs]

If you are unsure how to find your IP address:
Open a command window – Start > Run > type 'cmd', then type "ipconfig /all".
[If you don't know how to navigate in the DOS window, check this out:
http://www.online-tech-tips.com/computer-tips/how-to-use-dos-command-prompt/ ]

Update – Another way to scan (a Python version of the scanner that takes a whole IP range):
1. Download and install Python 2.6.1 from www.python.org
2. Download Impacket from oss.coresecurity.com (or maybe pypi.zestsoftware.nl or some other mirror)
3. Download the scanner from iv.cs.uni-bonn.de
4. Unpack Impacket into a folder, then install it from a command line with: c:\python26\python setup.py install
5. Run the scanner with: c:\python26\python scs.py [starting_ip] [ending_ip]
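For admins with more than a handful of machines, here is an added example (it is not part of the original post, and it is not code from the doxpara or Uni Bonn scanners) that wraps a one-host-at-a-time scanner such as scs.exe in a Python loop: it expands a start/end range or a CIDR block into individual addresses, runs the scanner against each host with a timeout, and tallies the verdicts. The invocation shape ("scs.exe <ip>") and the word "infected" in the tool's output are assumptions; set INFECTED_MARKER to whatever the real tool prints. The probe talks to the target over SMB (TCP 445), so a host that firewalls that port cannot be checked remotely this way and shows up here as "unknown", not "clean".

```python
#!/usr/bin/env python3
"""Drive a single-host Conficker scanner (scs.exe or scs.py) across an address range.

Added example; not from the original post and not part of the doxpara/Uni Bonn
scanner. Assumptions (not taken from the page): the scanner accepts exactly one
IP address as its argument and prints a per-host verdict containing the word
"infected" when the host answers the probe like a Conficker-patched machine.
"""
import ipaddress
import subprocess
from typing import Dict, List, Tuple

INFECTED_MARKER = "infected"   # assumed keyword in the scanner's output; adjust to the real tool


def expand_range(start: str, end: str) -> List[str]:
    """All IPv4 addresses from start to end, inclusive (same argument shape as scs.py)."""
    lo, hi = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    if hi < lo:
        raise ValueError("end address is before start address")
    return [str(ipaddress.IPv4Address(n)) for n in range(int(lo), int(hi) + 1)]


def expand_cidr(block: str) -> List[str]:
    """Usable host addresses of a CIDR block (network and broadcast addresses excluded)."""
    return [str(h) for h in ipaddress.IPv4Network(block, strict=False).hosts()]


def run_scanner(cmd: List[str], host: str, timeout: float) -> Tuple[int, str]:
    """Run the scanner once against `host`; return (exit code, combined output).

    A host that silently drops TCP 445 can make the probe hang, so every run is
    bounded by `timeout`; a timed-out or missing scanner is reported as exit code -1.
    """
    try:
        proc = subprocess.run(cmd + [host], capture_output=True, text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return -1, "timeout"
    except FileNotFoundError:
        return -1, "scanner not found: %s" % cmd[0]
    return proc.returncode, proc.stdout + proc.stderr


def classify(rc: int, output: str) -> str:
    """Map one scanner result to 'infected', 'clean' or 'unknown' (no usable answer)."""
    if rc != 0:
        return "unknown"
    return "infected" if INFECTED_MARKER in output.lower() else "clean"


def scan_hosts(cmd: List[str], hosts: List[str], timeout: float = 10.0,
               runner=run_scanner) -> Dict[str, str]:
    """Scan every host in order and return {host: verdict}.

    `runner` is injectable so the loop can be exercised without a real scanner.
    """
    return {host: classify(*runner(cmd, host, timeout)) for host in hosts}


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 3:
        sys.exit("usage: scan_range.py <start_ip> <end_ip>   e.g. 192.168.31.1 192.168.31.254")
    verdicts = scan_hosts(["scs.exe"], expand_range(sys.argv[1], sys.argv[2]))
    for host in sorted(verdicts, key=ipaddress.IPv4Address):
        print(host, verdicts[host])
    flagged = [h for h, v in verdicts.items() if v == "infected"]
    print("%d host(s) flagged; pull them off the network before cleaning." % len(flagged))
```

Treat "unknown" results as work still to do (the machine may simply be off, or firewalled), not as a clean bill of health; and because the probe only speaks to the SMB service, a positive result is a reason to isolate the machine and run a local scanner, not a complete diagnosis.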

Let’s Kill Some Spyware!!

I recently had to help some people remove some serious spyware/malware/viruses.
Now normally, if I can't 'kill' the bad stuff fairly quickly, I will simply get the person's 'data' – documents, pics, music etc. – off the machine and then delete the partitions, wipe the drives, re-format and re-install the operating system clean.
But sometimes in a business situation this is not always possible.
Or sometimes all the needed applications are not available for 're-install'.
For this you must try to 'save' the system without the 'nuclear option'.
So here is one of the best methods I use on a 'running' active system.
Read all the instructions and download ALL of the suggested applications from a 'non-infected' machine first.
Then place them on a portable drive – USB, or a directory on the infected system [c:\killmalwareapps or something].
Ok let’s start.
First, on the infected machine, delete the 'hosts' and 'lmhosts' files (or back them up somewhere and then delete them, so you can see later what was changed).
They will be located in the c:\windows\system32\drivers\etc folder.
[Possibly c:\winnt\system32\drivers\etc on older installs]
Malware routinely rewrites the hosts file so that antivirus and update sites resolve to the wrong address; with the file gone, Windows simply falls back to DNS.
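Before deleting the hosts file it is worth reading it, because the entries tell you what the infection was trying to block or redirect. The following is an added example, not part of the original post: it parses hosts-file text, flags any line that points a security-vendor or update site somewhere (malware blocking the cleanup tools) and any mapping to a non-loopback address (a redirect, or a legitimate intranet entry you will want to recognise), and offers a backup-and-reset helper. The sample file content and the VENDOR_KEYWORDS list are constructed for illustration, not exhaustive.

```python
#!/usr/bin/env python3
"""Audit a Windows hosts file for malware-style entries, then reset it.

Added example; not from the original post. The sample hosts text below is
constructed, and VENDOR_KEYWORDS is an illustrative list of names malware
commonly blocks, not a complete one.
"""
import ipaddress
import os
from typing import List, Tuple

VENDOR_KEYWORDS = ("microsoft", "windowsupdate", "symantec", "trendmicro",
                   "kaspersky", "safer-networking", "malwarebytes", "sysinternals")

# Minimal file to write back; everything else should come from DNS.
DEFAULT_HOSTS = "127.0.0.1\tlocalhost\r\n::1\tlocalhost\r\n"

# Constructed sample of what a tampered hosts file can look like.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
127.0.0.1       www.symantec.com      # AV vendor site nulled out
10.0.0.5        update.microsoft.com
0.0.0.0         www.trendmicro.com housecall.trendmicro.com
192.168.1.20    fileserver.corp.local
"""

Entry = Tuple[int, str, str]            # (line number, address, hostname)
Finding = Tuple[int, str, str, str]     # (line number, address, hostname, reason)


def parse_hosts(text: str) -> List[Entry]:
    """Return one (line_no, address, name) entry per hostname, comments stripped.

    A single hosts line may carry several names after the address.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        parts = body.split()
        if len(parts) < 2:
            continue   # an address with no name does nothing; ignore it
        for name in parts[1:]:
            entries.append((line_no, parts[0], name.lower()))
    return entries


def flag_entries(entries: List[Entry]) -> List[Finding]:
    """Flag vendor/update sites pinned to any address, and any non-loopback mapping."""
    findings = []
    for line_no, addr, name in entries:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append((line_no, addr, name, "unparseable address"))
            continue
        if any(key in name for key in VENDOR_KEYWORDS):
            findings.append((line_no, addr, name, "security vendor site redirected"))
        elif not ip.is_loopback:
            findings.append((line_no, addr, name, "non-loopback mapping"))
    return findings


def reset_hosts(path: str) -> str:
    """Move the current hosts file aside as <path>.bak and write DEFAULT_HOSTS.

    Renaming rather than deleting keeps the tampered file as evidence.
    Returns the backup path.
    """
    backup = path + ".bak"
    if os.path.exists(path):
        os.replace(path, backup)
    with open(path, "w", newline="") as fh:
        fh.write(DEFAULT_HOSTS)
    return backup


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    for line_no, addr, name, reason in flag_entries(parse_hosts(text)):
        print("line %d: %-16s %-32s %s" % (line_no, addr, name, reason))
```

Run it with the path to the infected machine's hosts file (for example c:\windows\system32\drivers\etc\hosts); every vendor or update site that shows up in the output is a site the malware did not want you reaching, which is exactly why the online scan below should be run from a clean browser once the file has been reset.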
Next, try an online scan from Trend Micro.
To do this safely – using an 'external', non-infected browser – run 'Firefox Portable' off a USB drive.
This gives you a 'clean run' of a browser for a live malware/spyware scan: it sidesteps hijacked proxy settings and add-ons in the browsers installed on the machine (it cannot protect you from a kernel-level rootkit, which is where a rescue disk comes in).
How to:
The article here:
http://firefox-fangirl.livejournal.com/1977.html
explains how to download the latest portable Firefox builds and how to correctly install it as a 'portable app' in a separate folder or on a USB drive. I 'install' it to a directory called 'portablefirefox' and then copy that to my USB drive.

Then go to Trend Micro USING THE PORTABLE FIREFOX and run their HouseCall application to scan the machine:
http://housecall65.trendmicro.com/
Make sure you do NOT use any browser installed on the infected system!!!
Use the 'Firefox Portable' application to get to the web.

Other tools to have on hand (on your USB drive) before starting.
From Sysinternals:
http://technet.microsoft.com/en-us/sysinternals/default.aspx

Get the following apps. Download them on a clean system and transfer them to the USB drive.
Autoruns – finds everything that is actually loading at startup.
You will find all kinds of 'crap' that shouldn't be there.
http://download.sysinternals.com/Files/Autoruns.zip
Extract and run this to show EVERYTHING that is loaded at startup.
This includes applications, scripts, services, drivers, ActiveX controls, DLLs and more.

Process Explorer
http://download.sysinternals.com/Files/ProcessExplorer.zip
This helps find unwanted running processes (and the DLLs they have loaded) and terminate them.
Run the application to see every currently running process/application on your system.

You will often need some or all of the following applications to finish 'killing' bad processes.
Malware usually keeps its files open or locked so they cannot be deleted while it runs; these tools show what holds the lock and let you unlock, delete or rename the file anyway.

unlocker
http://ccollomb.free.fr/unlocker/

wholockme
http://www.dr-hoiby.com/WhoLockMe/

file assassin
http://www.malwarebytes.org/fileassassin.php

A great spyware finder:

Spybot S&D
http://www.safer-networking.org/en/spybotsd/index.html
I install this as my online scan is running (if possible).
Don't confuse this application with others that are trading on the 'Spybot' name and are in and of themselves ACTUALLY spyware. The one and only original FREEWARE application is here:
http://www.spybotupdates.biz/files/spybotsd162.exe

Remember to have all these files already downloaded and copied to your portable drive.

And to assist in cleaning out all 'temp' type files:
CCleaner
Especially useful if there is an 'unseen' internet app (IE or Firefox) continually downloading malware in the background.
I will run this over and over while running Spybot scans.

http://www.filehippo.com/download_ccleaner/download/d1565b7fb77b48a3692a199d871845fd/

Anyhow, this is just a quick but, I think, fairly thorough way of cleaning an infected system if you don't have a 'Live' type of utility or rescue disk available such as UBCD (Ultimate Boot CD), Hiren's, or a custom BartPE disk.