
Microsoft Windows Virus - April 1st attack

Philly Phanboy

Just a notice to everybody to check that your anti-virus software is working and up to date so when April 1st rolls around you won't get nailed with the Conficker Worm.

The Conficker Worm: April Fool’s Joke or Unthinkable Disaster?
By John Markoff

The Conficker worm is scheduled to activate on April 1, and the unanswered question is: Will it prove to be the world’s biggest April Fool’s joke or is it the information age equivalent of Herman Kahn’s legendary 1962 treatise about nuclear war, “Thinking About the Unthinkable”?

Conficker is a program that is spread by exploiting several weaknesses in Microsoft’s Windows operating system. Various versions of the software have spread widely around the globe since October, mostly outside the United States because there are more computers overseas running unpatched, pirated Windows. (The program does not infect Macintosh or Linux-based computers.)

An estimated 12 million or more machines have been infected. However, many have also been disinfected, so a precise census is difficult to obtain.

It is possible to detect and remove Conficker using commercial antivirus tools offered by many companies. However, the most recent version of the program has a significantly improved capacity to remove commercial antivirus software and to turn off Microsoft’s security update service. It can also block communications with Web services provided by security companies to update their products. It even systematically opens holes in firewalls in an effort to improve its communication with other infected computers.

Given the sophisticated nature of the worm, the question remains: What is the purpose of Conficker, which could possibly become the world’s most powerful parallel computer on April 1? That is when the worm will generate 50,000 domain names and systematically try to communicate with each one. The authors then only need to register one of the domain names in order to take control of the millions of zombie computers that have been created.

Speculation about Conficker’s purpose ranges from the benign — an April Fool’s Day prank — to far darker notions. One likely possibility is that the program will be used in the “rent-a-computer-crook” business, something that has been tried previously by the computer underground. Just like Amazon.com offers computing time on its network for rent, the Conficker team might rent access to its “network” for nefarious purposes like spamming.

The most intriguing clue about the purpose of Conficker lies in the intricate design of the peer-to-peer logic of the latest version of the program, which security researchers are still trying to completely decode.

According to a research addendum to be added Thursday to an earlier paper by researchers at SRI International, in the Conficker C version of the program, the infected computers can act both as clients and servers and share files in both directions. The peer-to-peer design is also highly distributed, making it more difficult for security teams to defeat the system by disabling so-called super-nodes.

Conficker’s authors could be planning to create a scheme like Freenet, the peer-to-peer system that was intended to make Internet censorship of documents impossible.

Or perhaps the Conficker botnet’s masters have something more Machiavellian in mind. One researcher, Stefan Savage, a computer scientist at the University of California at San Diego, has suggested the idea of a “Dark Google.” What if Conficker is intended to give the computer underworld the ability to search for data on all the infected computers around the globe and then sell the answers? Malware already does this on a focused basis using a variety of schemes that are referred to as “spear phishing,” in a reference to the widespread use of social engineering tricks on the Net.

But to do something like that on a huge scale? That would be a dragnet — and a genuine horror story.

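The article's one technical claim worth seeing in code is the rendezvous mechanism: every infected host runs the same deterministic generator, so the operator only has to register one of the day's names, while anyone who has extracted the generator from a sample can enumerate the whole list in advance. The following is an added illustration, not Conficker's actual algorithm; the seed, hash construction, label lengths and TLD list are all assumptions made up for this example, and the DNS log lines are constructed.

```python
import datetime as dt
import hashlib
from typing import Optional

# Assumed, illustrative parameters. Conficker's real generator, seed and
# TLD list are not reproduced here; these exist only to make the mechanism
# concrete and reproducible.
SEED = b"illustrative-botnet-seed"
TLDS = ("com", "net", "org")


def daily_domains(day: dt.date, count: int = 50_000) -> list:
    """Generate the candidate rendezvous domains for one calendar day.

    The only inputs are the shared seed, the date and a counter, so every
    infected host (and every analyst who has pulled the seed out of a
    sample) derives an identical list without any network contact.
    """
    domains = []
    date_bytes = day.isoformat().encode()
    for i in range(count):
        digest = hashlib.sha256(SEED + date_bytes + i.to_bytes(4, "big")).digest()
        length = 8 + digest[0] % 5                      # 8..12 letter labels
        label = "".join(chr(97 + b % 26) for b in digest[1:1 + length])
        tld = TLDS[digest[-1] % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def bot_rendezvous(day: dt.date, registered: set) -> Optional[str]:
    """Bot side: walk today's list in order and stop at the first name that
    'resolves' (here: is present in the constructed `registered` set)."""
    for domain in daily_domains(day):
        if domain in registered:
            return domain
    return None


def defender_candidates(start: dt.date, days_ahead: int) -> set:
    """Defender side: enumerate every candidate for the coming window so the
    names can be pre-registered, sinkholed or put on a DNS block list."""
    out = set()
    for offset in range(days_ahead):
        out.update(daily_domains(start + dt.timedelta(days=offset)))
    return out


def flag_dga_queries(log_lines: list, candidates: set) -> list:
    """Detection: return (client, qname) pairs whose query hits a candidate.

    Log format is constructed for this example: '<ts> <client-ip> <qname>'.
    One client querying many candidates in sequence is the signature of a
    bot that has not yet found a live rendezvous domain.
    """
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        _ts, client, qname = parts
        if qname.lower().rstrip(".") in candidates:
            hits.append((client, qname))
    return hits


def demo() -> dict:
    """Run both sides for 1 April 2009 and return the results for inspection."""
    day = dt.date(2009, 4, 1)
    today = daily_domains(day)
    # The operator registers just one name, chosen from deep in the list.
    operator_registered = {today[12345]}
    chosen = bot_rendezvous(day, operator_registered)

    # The defender pre-computes 1..7 April and scans constructed DNS logs.
    block_list = defender_candidates(day, days_ahead=7)
    sample_log = [
        f"2009-04-01T00:00:01 10.0.0.7 {today[0]}",
        f"2009-04-01T00:00:02 10.0.0.7 {today[1]}",
        "2009-04-01T00:00:03 10.0.0.9 www.example.com",
        f"2009-04-01T00:00:04 10.0.0.7 {today[2]}",
    ]
    hits = flag_dga_queries(sample_log, block_list)
    return {"today": today, "chosen": chosen,
            "block_list_size": len(block_list), "hits": hits}


if __name__ == "__main__":
    r = demo()
    print(f"operator rendezvous domain: {r['chosen']}")
    print(f"defender block list: {r['block_list_size']} names for 7 days")
    for client, qname in r["hits"]:
        print(f"DGA lookup from {client}: {qname}")
```

The asymmetry is the point: the operator spends one registration, but a defender who knows the generator must deal with every candidate, and the larger the daily list the more expensive pre-registration and sinkholing become. That cost is the reason a worm would generate tens of thousands of names a day rather than a handful.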
 
Greetings all.

I want ALL users of the Windows Operating System to do something before April 1st. On April 1st, a virus (worm, to be named correctly) will actually get out to the internet and then download a payload...this is usually not good.

I want you all to be secure.

I want EVERYONE who is not sure if they are safe, to go HERE

use the link in the section that looks like this:
F-Downadup
Specific tool with heuristics for Downadup worm variants:

• ftp://ftp.f-secure.com/anti-virus/tools/beta/f-downadup.zip

Unzip it to your desktop and then run it.
This is a program to simply scan ONLY for the Conficker worm.

I want all my brothers and sisters to be safe here.

Please do this, because the unknown nature of the payload could really be nasty if too many people are still infected.

Malice
 
Good looking out, Mal.

edit: Philly too.
 
Phanboy beat me to it...I was going to do it once I got home...and here it is...
Phanboy I am giving you credit for starting it.....I am taking it to the next level by putting an announcement out on it.
 
Clean.

thanks for the heads-up
 
OK, call me daft, but when I looked up the Conficker Worm it said it was also known as Downadup, which is in the name of the programme in the link provided.

What's with the multiple names?
 
In all honesty, I'm worried about using this file. I don't know where to start, I thought it would be simple as click and run, but then it's all this "copy this program to a local hard disk then run through the JAR-packed F-Secure policy manager and prepare for an automatic reboot."

.....what?

This stuff just flies over my head and makes me want to ball up into the foetal position. And doesn't a reboot involve totally wiping everything on your computer? That means I'll have to do a lot of backing up, which could take until April 1st in itself. And with this old-school program that's all about entering codes in command lines and warning that one wrong move could totally screw your computer, I'm worried about doing serious damage to my computer in trying to "fix" it.
 
I don't have virus protection anymore because I know how to fend them off manually. Thanks for the heads up though, I'm clean.
 
What exactly will the Conficker do to an infected computer?
 
What exactly will the Conficker do to an infected computer?

Technically, we don't know.
On April 1st, the worm is set to go out online and get what we call a payload.
This is code for something that the virus is trying to do.

It could do something like change your home page to a porn site or something MUCH worse...

Don't take a chance; you can scan your machine while still using it.
 
In all honesty, I'm worried about using this file. I don't know where to start, I thought it would be simple as click and run, but then it's all this "copy this program to a local hard disk then run through the JAR-packed F-Secure policy manager and prepare for an automatic reboot."

.....what?

This stuff just flies over my head and makes me want to ball up into the foetal position. And doesn't a reboot involve totally wiping everything on your computer? That means I'll have to do a lot of backing up, which could take until April 1st in itself. And with this old-school program that's all about entering codes in command lines and warning that one wrong move could totally screw your computer, I'm worried about doing serious damage to my computer in trying to "fix" it.

That is always a risk, I know, I am IT Security and work with this all the time.
This is a command line tool, but you don't need to enter anything, it just runs....

To avoid something like this, I suggest copying data to a portable drive just in case.
 
Viruses are named by the AntiVirus vendors...it's confusing...
But they usually have 2 or 3 names...

* Win32/Conficker.A (CA)
* W32.Downadup (Symantec)
* W32/Downadup.A (F-Secure)
* Conficker.A (Panda)
* Net-Worm.Win32.Kido.bt (Kaspersky)
* W32/Conficker.worm (McAfee)
* Win32.Worm.Downadup.Gen (BitDefender)

As you can see, some are similar...some are not.
 
That is always a risk, I know, I am IT Security and work with this all the time.
This is a command line tool, but you don't need to enter anything, it just runs....

To avoid something like this, I suggest copying data to a portable drive just in case.

But doesn't it say you need to enter disinfect in the command line or something to do an alternate version of the scan which actually removes the threat?
 
So, I'm pretty much screwed then. Wonderful, this is just what I need.
 
I'm confused, I did as instructed and it said everything was clean, I didn't get the stuff Keyser is getting.

And how can you know in advance a virus is coming with an actual "release date" ? why doesn't someone stop the ******* doing it ?
 
But doesn't it say you need to enter disinfect in the command line or something to do an alternate version of the scan which actually removes the threat?
You can just run it once first to see if you have anything that it can disinfect. If it tells you your system's not clean, then you need to worry about the disinfection.
I'm confused, I did as instructed and it said everything was clean, I didn't get the stuff Keyser is getting.
I think he's reading the readme and/or the site (which has the same text as the readme)
 
It's 1 am here. I'll do this in the morning, as between backing up stuff and figuring out how the hell I'm supposed to run the thing.... I'm guessing this will take a while.

Why isn't just clicking on the thing and letting it run enough? All this "copy to local hard disk and run via the JAR-packed policy manager" talk just makes my eyes cross.
 
My computer's Conficker-free!
I'll run the program a few minutes to midnight March 31, just to be safe, since I'm ALWAYS downloading something.
 
I have an antivirus program that updates every other day or so, is that good?
 
It's 1 am here. I'll do this in the morning, as between backing up stuff and figuring out how the hell I'm supposed to run the thing.... I'm guessing this will take a while.

Why isn't just clicking on the thing and letting it run enough? All this "copy to local hard disk and run via the JAR-packed policy manager" talk just makes my eyes cross.

What are you clicking on?
The ZIP file has an executable that runs with no need to type anything at all......
 
yeah, and it takes like 2 minutes
 