Downadup Conficker Worm

Microsoft offers $250,000 bounty for Conficker creators

2009-04-01T11:21:00.000-07:00

Microsoft has placed at $250,000 (£172,000) bounty on the head of the people behind a computer virus that infected more than 15 million machines.

The worm, known variously as Conficker, Downadup and Kido, burrowed its way into an estimated 15 million computers worldwide, providing hackers, spammers and cybercriminals with a 'back door' into people's machines, and making Windows users vulnerable to identity fraud and ID theft.

The virus takes advantage of a vulnerability in the operating system to burrow deep into the computer's files, folders and System Registry, which stores settings and options for Windows. Once installed, hackers and spammers are able to remotely download more malicious programs to the computer, or even use the worm to help install software that will enable them to track and steal security information, such as banking logins or credit card information.

The software company is offering a reward for information that leads to the capture and conviction of the virus authors, because it views the worm as a criminal attack.

"This development shouldn't surprise anyone," said Graham Cluley, a senior technology consultant for anti-virus firm Sophos. "Microsoft's reputation is badly shaken whenever a computer virus causes widespread problems for its users.

"Offering substantial rewards can do no harm. If a culprit isn't found then Microsoft hasn't lost anything, and it may just entice some members of the computer underground to come forward with information. People considering releasing malware in the future should take careful note of this and think again."

It's not the first time Microsoft has offered a reward for information leading to the capture of a cybercriminal. In November 2003, it slapped a $500,000 bounty on the authors of the Blaster and Sobig worms, and in May 2004, it paid $250,000 to a group of informants who enabled the prosecution of Sven Jaschan, the German teenager of the Sasser and Netsky viruses.

"The big question is whether the Conficker bounty is big enough," said Cluley. "$250,000 may have been enough to identify Sven Jaschan, a German teenager infecting computers for kicks.

"But is it going to be enough to encourage someone to inform on an organised criminal gang, making large amounts of money out of malware?"

Windows worm trickery for Vista

2009-01-21T20:49:00.000-08:00

The Conficker virus has opened a new can of worms for security experts.

Drives such as USB sticks infected with the virus trick users into installing the worm, according to researchers.

The "Autoplay" function in Vista and early versions of Windows 7 automatically searches for programs on removable drives.

However, the virus hijacks this process, masquerading as a folder to be opened. When clicked, the worm installs itself.

It then attempts to contact one of a number of web servers, from which it could download another program that could take control of the infected computer.

Bad guys

The worm is unusually clever in the way that it determines what server to contact, according to F-Secure's chief research officer Mikko Hypponen.

"It uses a complicated algorithm which changes daily and is based on timestamps from public websites such as Google.com and Baidu.com," said Mr Hypponen in a blog post.

"This makes it impossible and/or impractical for us good guys to shut them all down — most of them are never registered in the first place.

"However, the bad guys only need to predetermine one possible domain for tomorrow, register it, and set up a website — and they then gain access to all of the infected machines," he added.

It has also emerged that the virus automatically disables the automatic updates to Windows that would prevent further infection.

As the virus - also known as Downadup - has spread to an estimated 9 million computers globally, a number of high-profile instances of the virus have arisen.

The Ministry of Defence has been battling an outbreak of the virus across its network for more than two weeks, and on Tuesday a network of hospitals across Sheffield told technology website The Register that more than 800 of their computers had been infected.

Users are urged to download the KB958644 Security Update from Microsoft to mitigate the risk of infection.

New variant of the worm

2009-01-21T20:47:00.000-08:00

According to Kaspersky Lab's security analyst Eddy Willems said that a new strain of the worm was complicating matters.

"There was a new variant released less than two weeks ago and that's the one causing most of the problems," said Mr Willems

"The replication methods are quite good. It's using multiple mechanisms, including USB sticks, so if someone got an infection from one company and then takes his USB stick to another firm, it could infect that network too. It also downloads lots of content and creating new variants though this mechanism.

"Of course, the real problem is that people haven't patched their software," he added.

Como remover gusano downadup - conficker

2009-01-16T21:43:00.001-08:00

Para todos los hispanohablantes, aqui tambien encontraran información sobre como eliminar este peligroso virus que ha alcanzado a un gran numero de computadoras en los ultimos días.

El eliminarlo es sumamente sencillo, solo sigue los siguientes pasos:

1) Descarga la herramienta para eliminar el gusano desde la siguiente direccion: http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FixDownadup.exe .

2) Guarda el archivo en una ubicación conveniente, tal como el escritorio de Windows.

3) Cierra todos los programas que tengas abiertos

4) Si estas conectado a una red, o tienes una conexión permanente a internet, desconecta tu computadora de la red y del internet.

5) Si estas usando Windows Me o XP desactiva la opción de restaurar sistema.

6) Localiza el archivo que acabas de descargar

7) Doble click en el archivo FixDownadup.exe para comenzar a ejecutar la herramienta removedora.

8) Click en comenzar para comenzar con el proceso y luego deja corriendo la herramienta. NOTA: Si tienes algun problema mientras corre la herramiento, o parece que no elimino el gusano, reinicia tu computadora en modo seguro y ejecuta la herramienta de nuevo.

9) Reinicia tu computadora

10) Corre de nuevo la herramienta removedora para que estes seguro de que tu sistema esta limpio.

11) Si estas usando Windows Me o XP vuelve a activar la opción de Restaurar Sistema

12) Si estas conectado a una red o tienes conexion permanente a internet reconecta tu computadora a la red o al internet.

13) Corre LiveUpdate para que estes seguro de que estas usando la version más actual de antivirus.

Espero que estos pasos te sirvan ;)

Manual removal of Downadup - Conficker - Kido

2009-01-16T21:23:00.000-08:00

The manual removal of this worm is really easy, just follow those steps:

Manual Removal
The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

1) Disable System Restore (Windows Me/XP).
2) Update the virus definitions.
3) Run a full system scan.
4) Delete any values added to the registry.

Technical details of worm Downadup - Conficker

2009-01-16T21:15:00.000-08:00

Discovered: November 21, 2008

Updated: November 24, 2008 9:37:07 AM

Also Known As: Win32/Conficker.A [Computer Associates], W32/Downadup.A [F-Secure], Conficker.A [Panda Software], Net-Worm.Win32.Kido.bt [Kaspersky]

Type: Worm

Infection Length: 62,976 bytes

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP

Once executed, the worm copies itself as the following file: %System%\[RANDOM FILE NAME].dll

Next, the worm deletes any user-created System Restore points.

It creates the following service:
Name: netsvcs
ImagePath: %SystemRoot%\\system32\\svchost.exe -k netsvcs

Then the worm creates the following registry entry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netsvcs\Parameters\"ServiceDll" = "[PathToWorm]"

The worm connects to the following URLs to obtain IP address of the compromised computer:

http://www.getmyip.org
http://getmyip.co.uk
http://checkip.dyndns.org

Next, the worm downloads a file from the following URL and executes it:
[http://]trafficconverter.biz/4vir/antispyware/loada[REMOVED]

The worm then creates a http server on the compromised computer on a random port, for example:
http://[EXTERNAL IP ADDRESS OF INFECTED MACHINE]:[RANDOM PORT]

The worm then sends this URL as part of its payload to remote computers.

Upon successful exploitation, the remote computer will then connect back to this URL and download the worm.

In this way, each exploited computer can spread the worm itself, as opposed to downloading from a predetermined location.

Next, the worm connects to a UPnP router and opens the http port.

It then attempts to locate the network device registered as the Internet gateway on the network and opens the previously mentioned [RANDOM PORT] in order to allow access to the compromised computer from external networks.

The worm then attempts to download a data file from the following URL:
[http://]www.maxmind.com/download/geoip/database/GeoIP.[REMOVED]

The worm spreads by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (BID 31874).

Next, the worm attempts to contact the following sites to obtain the current date:

http://www.w3.org
http://www.ask.com
http://www.msn.com
http://www.yahoo.com
http://www.google.com
http://www.baidu.com

It uses the date information to generate a list of domain names.

The worm then contacts these domains in an attempt to download additional files onto the compromised computer.

Another remover tool - Symantec removal tool

2009-01-16T21:10:00.000-08:00

Now this tool come from Symantec, one of the world liders on security software.

You can download from here:

http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FixDownadup.exe

W32.Downadup Removal Tool 1.0.3

2009-01-16T21:04:00.000-08:00

Check this site where you cand find a removal tool to solve the infection of the Downadup - Conficker worm:

http://www.softpedia.com/get/Antivirus/W32-Downadup-Removal-Tool.shtml

1 of 3 Windows computers are vulnerable to worm

2009-01-16T20:39:00.000-08:00

According to Qualys Inc. about 30% of the machines have not yet been patched with the "out of cycle" fix Microsoft provided Oct. 23 as security update MS08-067.

Nearly a third of all Windows systems remain unpatched 80 days after Microsoft rolled out an emergency fix for the Downadup worm.

Based on scans of several hundred thousand customer-owned Windows PCs, Qualys Inc concluded that "The unpatched numbers went down significantly around the 30-day mark," said Wolfgang Kandek, Qualys' chief technology officer, "when less than 50% were unpatched. After that, it went down a little slower. As of yesterday, 30% of the machines are unpatched."

With nearly a third of all Windows systems still vulnerable, it's no surprise that the "Downadup" worm has been able to score such a success, Kandek said. "These slow [corporate] patch cycles are simply not acceptable," he said. "They lead directly to these high-infection rates."

How Conficker - Downadup - Kido works??

2009-01-16T20:33:00.000-08:00

This worm works by searching for a Windows executable file called "services.exe" and then becomes part of that code.

It then copies itself into the Windows system folder as a random file of a type known as a "dll". It gives itself a 5-8 character name, such as piftoc.dll, and then modifies the Registry, which lists key Windows settings, to run the infected dll file as a service.

Once the worm is up and running, it creates an HTTP server, resets a machine's System Restore point (making it far harder to recover the infected system) and then downloads files from the hacker's web site

---
So, guys, keep on eye on this virus!!

More than 3 millions infected!!

2009-01-16T20:17:00.000-08:00

Acording to different sources, the number of infected computers with the worm Conficker, Downadup, or Kido is now 3.5 millions worldwide, this number is growing in the last hours.

According to F-Secure these are the countries with most infected computers around the world:

China 38,277

Brazil 34,814

Russia 24,526

India 16,497

Ukraine 14,767

Italy 13,115

Argentina 11,675

Korea 11,117

Romania 8,861

United States 3,958

United Kingdom 1,789

Downadup Conficker Virus Info

2009-01-16T20:13:00.001-08:00

On this site i will be posting information related to this new virus that has infected more than 1 million of windows computers on the last days