Wednesday, January 21, 2009

Windows worm trickery for Vista

The Conficker virus has opened a new can of worms for security experts.

Drives such as USB sticks infected with the virus trick users into installing the worm, according to researchers.

The "Autoplay" function in Vista and early versions of Windows 7 automatically searches for programs on removable drives.

However, the worm hijacks this process: its AutoPlay entry masquerades as the option to open the drive as a folder. When the user clicks it, the worm installs itself.
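As an added example (it is not part of the original article, and it is not Conficker's own autorun.inf, which the article does not show), here is a small Python checker for the AutoPlay trick just described. It parses an autorun.inf, tolerating junk lines, and flags the combination a fake "open folder" entry needs: an action caption that imitates the built-in folder option, an icon borrowed from shell32.dll, and a launcher that runs a DLL through rundll32. The two .inf files are constructed for the example and the heuristics are this example's own.

```python
# Added example (not from the original article): inspect an autorun.inf from
# removable media and flag the "fake folder" AutoPlay trick described above.
# [autorun], open, shellexecute, action, icon and label are the standard
# autorun.inf keys; the sample files below are constructed and are NOT
# Conficker's real autorun.inf.
import re
from typing import Dict, List


def parse_autorun(text: str) -> Dict[str, str]:
    """Return lowercase key -> value for the [autorun] section.

    Lines that are not key=value are ignored, so junk padding placed around
    the real directives (to confuse scanners) does not hide them from us.
    """
    keys: Dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[autorun]"
            continue
        if not in_section:
            continue
        m = re.match(r"^([A-Za-z]+)\s*=\s*(.*)$", line)
        if m:
            keys[m.group(1).lower()] = m.group(2).strip()
    return keys


def autorun_findings(text: str) -> List[str]:
    """Heuristics for an AutoPlay entry that impersonates the folder view."""
    keys = parse_autorun(text)
    findings: List[str] = []
    launcher = keys.get("open") or keys.get("shellexecute")
    if not launcher:
        return findings                      # nothing is launched, nothing to flag
    action = keys.get("action", "")
    icon = keys.get("icon", "")
    # Caption that reads like Windows' own "Open folder to view files" option
    if re.search(r"open\s+folder", action, re.I):
        findings.append(f"action text imitates the folder-view option: {action!r}")
    # Icon borrowed from shell32.dll so the entry looks like a system item
    if re.search(r"shell32\.dll", icon, re.I):
        findings.append(f"icon taken from shell32.dll: {icon!r}")
    # Launcher that is a DLL or a rundll32 invocation rather than a setup program
    if re.search(r"rundll32|\.dll\b", launcher, re.I):
        findings.append(f"launcher is a DLL or a rundll32 invocation: {launcher!r}")
    return findings


# Constructed sample: a vendor autorun.inf that launches its own installer.
BENIGN_INF = r"""[autorun]
open=setup.exe
action=Install Vendor Tools
icon=setup.exe,0
label=Vendor Tools
"""

# Constructed sample of the trick: junk line, mixed-case keys, folder caption,
# shell32 folder icon and a DLL run through rundll32 from a hidden directory.
SUSPECT_INF = r"""[autorun]
; padding a scanner might trip over (constructed)
zzkq9(*&^%$#@!
AcTiOn=Open folder to view files
IcOn=%systemroot%\system32\shell32.dll,4
ShellExecute=RUNDLL32.EXE .\RECYCLER\junk\payload.dll,entry
UseAutoPlay=1
"""

if __name__ == "__main__":
    for name, inf in (("benign", BENIGN_INF), ("suspect", SUSPECT_INF)):
        print(name, autorun_findings(inf) or "no findings")
```

Run against a mounted drive's autorun.inf the same way; an entry with all three findings is worth treating as hostile before anything on the drive is opened.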

It then attempts to contact one of a number of web servers, from which it could download another program that could take control of the infected computer.

Bad guys

The worm is unusually clever in the way that it determines what server to contact, according to F-Secure's chief research officer Mikko Hypponen.

"It uses a complicated algorithm which changes daily and is based on timestamps from public websites such as Google.com and Baidu.com," said Mr Hypponen in a blog post.

"This makes it impossible and/or impractical for us good guys to shut them all down — most of them are never registered in the first place.

"However, the bad guys only need to predetermine one possible domain for tomorrow, register it, and set up a website — and they then gain access to all of the infected machines," he added.

It has also emerged that the worm disables Windows Automatic Updates, so that the patch that would prevent further infection is never installed.

As the virus - also known as Downadup - has spread to an estimated 9 million computers globally, a number of high-profile instances of the virus have arisen.

The Ministry of Defence has been battling an outbreak of the virus across its network for more than two weeks, and on Tuesday a network of hospitals across Sheffield told technology website The Register that more than 800 of their computers had been infected.

Users are urged to install Microsoft's KB958644 security update (MS08-067), which closes the vulnerability the worm exploits to spread across networks; note that the patch does not stop the removable-drive vector described above.

New variant of the worm

Kaspersky Lab security analyst Eddy Willems said that a new strain of the worm was complicating matters.

"There was a new variant released less than two weeks ago and that's the one causing most of the problems," said Mr Willems.

"The replication methods are quite good. It's using multiple mechanisms, including USB sticks, so if someone gets an infection from one company and then takes his USB stick to another firm, it could infect that network too. It also downloads lots of content and creates new variants through this mechanism.

"Of course, the real problem is that people haven't patched their software," he added.

Friday, January 16, 2009

How to remove the Downadup - Conficker worm

For all Spanish speakers, here you will also find information on how to remove this dangerous virus, which has reached a large number of computers in recent days.

Removing it is very simple; just follow these steps:

1) Download the worm removal tool from the following address: http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FixDownadup.exe

2) Save the file in a convenient location, such as the Windows desktop.

3) Close all open programs.

4) If you are connected to a network, or have a permanent internet connection, disconnect your computer from the network and from the internet.

5) If you are using Windows Me or XP, turn off System Restore.

6) Locate the file you just downloaded.

7) Double-click FixDownadup.exe to start the removal tool.

8) Click Start to begin the process and let the tool run. NOTE: If you have any problem while the tool is running, or it seems not to have removed the worm, restart your computer in Safe Mode and run the tool again.

9) Restart your computer.

10) Run the removal tool again to make sure your system is clean.

11) If you are using Windows Me or XP, turn System Restore back on.

12) If you are connected to a network or have a permanent internet connection, reconnect your computer to the network or the internet.

13) Run LiveUpdate to make sure you are using the latest antivirus version.

I hope these steps help you ;)

Manual removal of Downadup - Conficker - Kido

Manual removal of this worm is straightforward; just follow these steps:

Manual Removal
The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

1) Disable System Restore (Windows Me/XP).
2) Update the virus definitions.
3) Run a full system scan.
4) Delete any values added to the registry (the ServiceDll entry listed under the technical details below).

Technical details of worm Downadup - Conficker

Discovered: November 21, 2008
Updated: November 24, 2008 9:37:07 AM
Also Known As: Win32/Conficker.A [Computer Associates], W32/Downadup.A [F-Secure], Conficker.A [Panda Software], Net-Worm.Win32.Kido.bt [Kaspersky]
Type: Worm
Infection Length: 62,976 bytes
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP

Once executed, the worm copies itself as the following file: %System%\[RANDOM FILE NAME].dll

Next, the worm deletes any user-created System Restore points.

It creates the following service:
Name: netsvcs
ImagePath: %SystemRoot%\system32\svchost.exe -k netsvcs

Then the worm creates the following registry entry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netsvcs\Parameters\"ServiceDll" = "[PathToWorm]"

The worm connects to the following URLs to obtain the external IP address of the compromised computer:

http://www.getmyip.org
http://getmyip.co.uk
http://checkip.dyndns.org

Next, the worm downloads a file from the following URL and executes it:
[http://]trafficconverter.biz/4vir/antispyware/loada[REMOVED]

The worm then starts an HTTP server on the compromised computer on a random port, for example:
http://[EXTERNAL IP ADDRESS OF INFECTED MACHINE]:[RANDOM PORT]

The worm then sends this URL as part of its payload to remote computers.

Upon successful exploitation, the remote computer will then connect back to this URL and download the worm.

In this way, each exploited computer can spread the worm itself, as opposed to downloading from a predetermined location.

Next, the worm uses UPnP to locate the device registered as the network's Internet gateway and opens the previously mentioned [RANDOM PORT] on it, so that the compromised computer can be reached from external networks.

The worm then attempts to download a data file from the following URL:
[http://]www.maxmind.com/download/geoip/database/GeoIP.[REMOVED]

The worm spreads by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (MS08-067, BID 31874).

Next, the worm attempts to contact the following sites to obtain the current date:

http://www.w3.org
http://www.ask.com
http://www.msn.com
http://www.yahoo.com
http://www.google.com
http://www.baidu.com

It uses the date information to generate a list of domain names.

The worm then contacts these domains in an attempt to download additional files onto the compromised computer.
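The date-seeded domain generation that Mr Hypponen describes in the article above, and that the technical details just summarised (fetch the date from public sites, derive a daily domain list), can be worked through in code. The following Python is an added example, not from the article, F-Secure or Symantec: its seeding scheme (SHA-256 over the date and an index, with an assumed set of TLDs) is a stand-in for Conficker's real algorithm, which this page does not show, and the DNS log lines are constructed. It shows both halves of the asymmetry in the quote: the attacker registers one name from the list, while a defender must precompute the whole list for each day and match it against DNS queries.

```python
# Added example, not from the article or F-Secure: a date-seeded domain
# generation algorithm (DGA) of the kind described above, plus the defender's
# side of it. The seeding (SHA-256 of date and index) and the TLD set are
# illustrative assumptions, NOT Conficker's real algorithm; the DNS log lines
# are constructed for the example.
import hashlib
import string
from datetime import date, timedelta
from typing import Iterable, List, Set

TLDS = ("com", "net", "org", "info", "biz")   # assumed TLD set for the toy DGA


def candidate_domains(day: date, count: int = 250) -> List[str]:
    """Return the domains an infected host would try on `day`.

    Anyone who knows the algorithm can compute this list: the attacker only
    needs to register one entry, the defender must deal with all `count` of
    them, every day.
    """
    domains: List[str] = []
    for i in range(count):
        digest = hashlib.sha256(f"{day.isoformat()}:{i}".encode()).digest()
        length = 5 + digest[0] % 7                    # 5..11 letters
        letters = "".join(string.ascii_lowercase[b % 26] for b in digest[1:1 + length])
        domains.append(f"{letters}.{TLDS[digest[-1] % len(TLDS)]}")
    return domains


def window(day: date, skew_days: int = 1) -> List[date]:
    """Days to watch: today plus a margin for hosts with a skewed clock."""
    return [day + timedelta(days=k) for k in range(-skew_days, skew_days + 1)]


def dga_hits(log_lines: Iterable[str], days: Iterable[date]) -> List[str]:
    """Match `<time> <client> <qname>` log lines against the candidate lists
    for `days`; return "client -> qname" for every query that hits."""
    watch: Set[str] = set()
    for d in days:
        watch.update(candidate_domains(d))
    hits: List[str] = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue                                  # malformed line, skip
        qname = parts[2].rstrip(".").lower()
        if qname in watch:
            hits.append(f"{parts[1]} -> {qname}")
    return hits


# Constructed sample log for the article's publication date: two benign
# queries and two queries for names the toy DGA produces for that day.
DAY = date(2009, 1, 21)
_todays = candidate_domains(DAY)
SAMPLE_LOG = [
    "08:00:01 10.0.0.5 www.google.com",
    f"08:00:02 10.0.0.5 {_todays[17]}",
    "08:00:03 10.0.0.9 checkip.dyndns.org",
    f"08:00:04 10.0.0.9 {_todays[200]}",
]

if __name__ == "__main__":
    print("names to watch today:", len(candidate_domains(DAY)))
    for hit in dga_hits(SAMPLE_LOG, window(DAY)):
        print("possible DGA beacon:", hit)
```

The window of three days matters in practice: a host whose clock is off, or one that fetched the date from a site in another time zone, queries a neighbouring day's list, and a detector keyed strictly to today's list would miss it.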

Another removal tool - Symantec removal tool

This tool comes from Symantec, one of the world leaders in security software.

You can download from here:

http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FixDownadup.exe

W32.Downadup Removal Tool 1.0.3

Check this site, where you can find a removal tool to clean up a Downadup - Conficker infection:

http://www.softpedia.com/get/Antivirus/W32-Downadup-Removal-Tool.shtml

1 in 3 Windows computers is vulnerable to the worm

According to Qualys Inc., about 30% of machines have still not been patched with the out-of-cycle fix Microsoft provided on Oct. 23 as security update MS08-067.

Nearly a third of all Windows systems remain unpatched 80 days after Microsoft rolled out an emergency fix for the vulnerability the Downadup worm exploits.

Qualys based its figures on scans of several hundred thousand customer-owned Windows PCs. "The unpatched numbers went down significantly around the 30-day mark," said Wolfgang Kandek, Qualys' chief technology officer, "when less than 50% were unpatched. After that, it went down a little slower. As of yesterday, 30% of the machines are unpatched."

With nearly a third of all Windows systems still vulnerable, it's no surprise that the "Downadup" worm has been able to score such a success, Kandek said. "These slow [corporate] patch cycles are simply not acceptable," he said. "They lead directly to these high-infection rates."

How Conficker - Downadup - Kido works

The worm first searches for the Windows executable "services.exe" and injects itself into that process.

It then copies itself into the Windows system folder as a DLL with a random 5-8 character name, such as piftoc.dll, and modifies the registry (which lists key Windows settings) so that the DLL is loaded as a service.

Once the worm is up and running, it starts an HTTP server, deletes the machine's System Restore points (making it far harder to recover the infected system) and downloads files from the attacker's web site.
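For the persistence described here and in the technical details above (a random-named DLL in %System% registered as the ServiceDll of a svchost.exe-hosted service named netsvcs), here is an added Python check, not from Symantec or this post. It parses a text export of the Services key of the kind that "reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg" writes, decoding quoted REG_SZ values and hex(2): REG_EXPAND_SZ values, and flags svchost-hosted services whose DLL is not on an allowlist. The export below is constructed, and KNOWN_SERVICE_DLLS is an assumed allowlist that an analyst would build from a clean reference machine.

```python
# Added example, not from the Symantec write-up or this post: check a .reg
# export of HKLM\SYSTEM\CurrentControlSet\Services for the persistence
# described above (a DLL registered as ServiceDll of a svchost-hosted service).
# SAMPLE_REG is constructed; KNOWN_SERVICE_DLLS is an assumed allowlist.
import re
from typing import Dict, Iterable, Iterator, List, Tuple

KNOWN_SERVICE_DLLS = {"schedsvc.dll", "wuauserv.dll", "browser.dll"}   # assumption

_KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\\\]]+)(\\Parameters)?\]$", re.I)
_VAL_RE = re.compile(r'^"(ImagePath|ServiceDll)"=(.+)$', re.I)


def _join_continuations(lines: Iterable[str]) -> Iterator[str]:
    """Re-join hex values that reg export wraps with a trailing backslash."""
    buf = ""
    for raw in lines:
        line = raw.strip()
        if line.endswith("\\") and not line.startswith("["):
            buf += line[:-1].strip()
            continue
        yield buf + line
        buf = ""


def _decode_value(raw: str) -> str:
    """Decode a .reg value: quoted REG_SZ, or hex(2): REG_EXPAND_SZ (UTF-16-LE)."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    m = re.match(r"^hex\(2\):(.*)$", raw, re.I)
    if m:
        data = bytes(int(b, 16) for b in m.group(1).split(",") if b.strip())
        return data.decode("utf-16-le").rstrip("\x00")
    return raw


def parse_service_dlls(reg_text: str) -> Dict[str, Tuple[str, str]]:
    """Return service name -> (ImagePath, ServiceDll). ImagePath lives in the
    service key itself, ServiceDll in its Parameters subkey."""
    services: Dict[str, Dict[str, str]] = {}
    current = None
    for line in _join_continuations(reg_text.splitlines()):
        if line.startswith("["):
            m = _KEY_RE.match(line)
            current = m.group(1) if m else None     # Security, Enum etc. are ignored
            if current:
                services.setdefault(current, {})
            continue
        m = _VAL_RE.match(line)
        if m and current:
            services[current][m.group(1).lower()] = _decode_value(m.group(2))
    return {n: (v.get("imagepath", ""), v.get("servicedll", "")) for n, v in services.items()}


def suspicious_services(reg_text: str, known=KNOWN_SERVICE_DLLS) -> List[str]:
    """Flag svchost-hosted services whose ServiceDll is not a known system DLL."""
    findings: List[str] = []
    for name, (image, dll) in parse_service_dlls(reg_text).items():
        if "svchost.exe" not in image.lower() or not dll:
            continue                                  # not a svchost-hosted service
        base = dll.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        reasons: List[str] = []
        if base not in known:
            reasons.append(f"ServiceDll {base} is not in the allowlist")
            if re.fullmatch(r"[a-z]{5,8}\.dll", base):
                reasons.append("5-8 letter DLL name like the worm uses")
        if name.lower() == "netsvcs":
            reasons.append("service named after the svchost group it runs in")
        if reasons:
            findings.append(f"{name}: {dll} ({'; '.join(reasons)})")
    return findings


# Constructed export: one legitimate netsvcs-group service, one non-svchost
# service, and the worm's entry as described in the technical details above.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule]
"ImagePath"="%SystemRoot%\\system32\\svchost.exe -k netsvcs"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\Parameters]
"ServiceDll"="%SystemRoot%\\system32\\schedsvc.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"ImagePath"="%SystemRoot%\\System32\\spoolsv.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netsvcs]
"ImagePath"="%SystemRoot%\\system32\\svchost.exe -k netsvcs"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netsvcs\Parameters]
"ServiceDll"="%SystemRoot%\\system32\\piftoc.dll"
'''

if __name__ == "__main__":
    for finding in suspicious_services(SAMPLE_REG):
        print("suspicious service:", finding)
```

The allowlist is the weak point of any such check: it has to come from a machine of the same Windows version and patch level, or legitimate services will be flagged alongside the worm's.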

---
So, guys, keep an eye on this virus!!

More than 3 million infected!!

According to various sources, the number of computers infected with the Conficker, Downadup or Kido worm is now 3.5 million worldwide, and it has kept growing over the last few hours.

According to F-Secure, these are the countries with the most infected computers:

China 38,277
Brazil 34,814
Russia 24,526
India 16,497
Ukraine 14,767
Italy 13,115
Argentina 11,675
Korea 11,117
Romania 8,861
United States 3,958
United Kingdom 1,789

Downadup Conficker Virus Info

On this site I will be posting information related to this new virus, which has infected more than 1 million Windows computers in the last few days.