If you ever heard about Microsoft (the maker of Windows and a full bundle of problems attached to it), and if you have already heard about Conficker, or also called Downup, Downadup or Kido, I suppose that you’ve already taken steps on protecting yourself and your friends from this computer worm (or computer virus as some may call it!).

I’m writing this urgent post to warn everyone and help my dear visitors protect themselves and repair their infected computers.

Please spread the word and get people to read this article so you can help and save them! (

Immediately)

Conficker was born in October 2008, and targets Microsoft Windows Operating systems, so if you run Windows on your computer, YOU ARE A TARGET FOR CONFICKER! So, let’s get straight to the point, that is how to know if you’re already infected and how to remove the worm and how to protect yourself from later infections.

Symptomes of infection according to Wikipedia are:

• Account lockout policies being reset automatically.
• Certain Microsoft Windows services such as Automatic Updates, Background Intelligent Transfer Service (BITS), Windows Defender and Error Reporting Services are automatically disabled.
• Domain controllers respond slowly to client requests.
• System network gets unusually congested. This can be checked with network traffic chart on Windows Task Manager.
• On websites related with antivirus software, Windows system updates cannot be accessed.
• Launches a brute force dictionary attack against administrator passwords to help it spread through ADMIN$ shares, making choice of sensible passwords advisable.

The worm spreads through movable drives (USB Flash drives, Memory cards, network drives, shared devices with storage memory and networks (the internet, your office’s LAN, your home’s network…) Conficker uses the Autorun feature (if you can call it a feature!! ) of Windows and a specially crafted RPC query to spread it self. more information and advanced technical details on how the worm operates is available on my other post: Conficker Worm, Advanced Technical Details (Coming Soon)

On the next page(s) I’ll discuss detailed solution to remove the Conficker virus and Patch your computer…

Remove and Patch:

Here’s how I did remove the virus for my friends and patched their computers so they won’t get infected again by this worm!

1 – First of all you need to disable the Autorun “feature” of your computer so that it won’t run CDs, DVDs and USBs automatically.

To do that, Microsoft provides a well describe article that you may read and apply for your Windows. Click : http://support.microsoft.com/kb/967715/ But if you’re already infected, you may not be able to access the Microsoft’s download page to download the required files.
I provide you another workaround which was initally described on US-CERT website :

First, download the autorun_patch.reg file and run it. This file contains the following code and is applied to your Windows Registry:

REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf] @="@SYS:DoesNotExist"

• If you don’t want to download the file, then;

To import the above value to your registry, perform the following steps:

1. Copy the text above
2. Paste the text into Windows Notepad
3. Save the file as "autorun_patch.reg" Note: In certain circumstances, Notepad may automatically add a .txt extension to saved files. To ensure that the file is saved with the proper extension, select All Files in the “Save as type:” section of the “Save As” dialog.
4. Navigate to the file location
5. Double-click on the file to import it into the Windows registry

According to US-CERT website, Microsoft Windows also caches the AutoRun information from mounted devices in the MountPoints2 registry key. It’s recommended restarting Windows after making the registry change so that any cached mount points are reinitialized in a way that ignores the Autorun.inf file. Alternatively, the following registry key may be deleted:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

Once these changes have been made, all of the AutoRun code execution scenarios described above will be mitigated because Windows will no longer parse Autorun.inf files to determine which actions to take. Further details are available in the CERT/CC Vulnerability Analysis blog. ^{[ref:US-CERT]}

2 – Disable System Restore:

Steps for Windows XP:

1. 1. Click Start.
   2. Right-click My Computer, and then click Properties.
   3. On the System Restore tab, check Turn off System Restore or Turn off System Restore on all drives.  If you do not see the System Restore tab, you are not logged on to Windows as an Administrator.
   4. Click Apply.
   5. When you see the confirmation message, click Yes.
   6. Click OK.

3 – Install Microsoft Security Update [KB958644] for your Operating System:

Go to this page and download the right update based on your Windows Operating System version: http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx In case you cannot access Microsoft website for any reason, I provide you mirror downloads here on Gibni.com: For Windows XP SP2 and Windows Xp SP3 (English) : [Mirror on Gibni] For Windows Vista and Windows Vista SP1 (English): [Mirror on Gibni] Once downloaded, (open/double click/run/execute) the file and procceed with the installation.

4- Download the Conficker Removal Tool of your choice:

You should download a Removal Tool (listed bellow), then save it to a convenient location like your Windows Desktop.

There are free Conficker Removal tools provided by:

• Microsoft Malicious Software Removal Tool (En) : [Direct Download] or use the [Mirror on Gibni]
• ESET: [Direct Download] or use the [Mirror on Gibni]
• Symantec : [Direct Download] or use the [Mirror on Gibni]
• BitDefender : [Direct Download] or use the [Mirror on Gibni]

5 - Now, the next step is to check your computer for infection and clean it!

1. Once you have the Removal Tool file, (if neseccary save your work and) close ALL programs and running sotftware.
2. Disconnect your computer (PC) by PHYSICALLY disconnecting the network cable or switching OFF the Wi-Fi adapter you have.   (You may need to go to Control Panel>Network Connections then right-click on each network connection available and select “Disable”)
3. Then run (double-click/open/execute call it what you like!) the Conficker Removal Tool you have!
4. Then restart your computer once the Conficker Removal Tool’s job is done.

Follow all the instructions for the conficker removal process. The remaining steps are on the next page(s) …

6 - Install( or update) a good Security solution

I would personally recommend BitDefender Total Security 2009 (http://www.bitdefender.com)

7 - Turn System Restore back ON!

You may want to run the Conficker Removal Tool again to be sure your PC is clean. Keep your Windows and Antivirus UP-TO-DATE!!!! (Check once a month manually at least)

8 – Feel GREAT!

That’s it. Digg this article by using the “ShareThis” button or the Digg It button either below the post, or at the beginning of the post, to help others stay safe. Please spread the word and get people to read this article so you can help and save them! (

Immediately)

You can send it by email to your friends and familly by using the ShareThis button too.

-Read More here:

http://en.wikipedia.org/wiki/Conficker

http://www.symantec.com/security_response/writeup.jsp?docid=2008-112203-2408-99&tabid=1

http://www.eset.com/threat-center/blog/?p=511

http://www.bitdefender.com/VIRUS-1000462-en–Win32.Worm.Downadup.Gen.html

http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?OpenDocument&src=sec_doc_nam

On October 23, 2008, Microsoft released a critical security update, MS08-067, to resolve a vulnerability in the Server service of Windows that, at the time of release, was facing targeted, limited attack. The vulnerability could allow an anonymous attacker to successfully take full control of a vulnerable system through a network-based attack, the sort of vectors typically associated with network “worms.” Since the release of MS08-067, the Microsoft Malware Protection Center (MMPC) has identified two variants of Win32/Conficker in the wild to date:

• Worm:Win32/Conficker.A: identified by the MMPC on November 21, 2008
• Worm:Win32/Conficker.B: identified by the MMPC on December 29, 2008

(Source: http://technet.microsoft.com/en-us/security/dd452420.aspx )

For detailed “How to remove Conficker worm” instructions, visit this post: How to Remove Conficker (On Gibni)

If you ever heard about Microsoft (the maker of Windows and a full bundle of problems attached to it), and if you have already heard about Conficker, or also called Downup, Downadup or Kido, I suppose that you’ve already taken steps on protecting yourself and your friends from this computer worm (or virus as some may call it!).

On February 12, 2009, Microsoft announced a U.S. $250,000 reward for information that results in the arrest and conviction of those responsible for illegally launching the Conficker malicious code on the Internet. Microsoft’s reward offer stems from the company’s recognition that the Conficker worm is a criminal attack. Microsoft wants to help the authorities catch the criminals responsible for it. Residents of any country are eligible for the reward, according to the laws of that country, because Internet viruses affect the Internet community worldwide. ( http://technet.microsoft.com/en-us/security/dd452420.aspx )

According to Yahoo Tech news:

“The criminals behind the widespread Conficker worm have released a new version of the malware that could signal a major shift in the way the worm operates.

The new variant, dubbed Conficker B++, was spotted three days ago by SRI International researchers, who published details of the new code on Thursday. To the untrained eye, the new variant looks almost identical to the previous version of the worm, Conficker B. But the B++ variant uses new techniques to download software, giving its creators more flexibility in what they can do with infected machines.

The new B++ variant uses the same algorithm to look for rendezvous points, but it also gives the creators two new techniques that skip them altogether. That means that the Cabal’s most successful technique could be bypassed.”

Also known as Downadup, Conficker spreads using a variety of techniques. It exploits a dangerous Windows bug to attack computers on a local area network, and it can also spread via USB devices such as cameras or storage devices. All variants of Conficker have now infected about 10.5 million computers, according to SRI.

Here’re some statistics according to SRI:  ( http://mtc.sri.com/Conficker/ )

Total IP Addresses: 10,512,451
Total Conficker A  IPs:    4,743,658
Total Conficker B  IPs:     6,767,602
Total Conficker AB IPs:   1,022,062OS Breakdown:
WinNT=0, 2000=163395, WinXP=10189556, 2003 Srv=75361, Vista=82495, Win98=44, Win95=32, WinCE=3, Other=1565Browser Breakdown:
IE5=26,525, IE6=7,494,466, IE7=2,988,039, FireFox=893, Opera=150, Safari=166, Netscape=12

SRI says that China is the most infected country by Conficker, and follow Brazil and Russia.

I’ve noticed that Indonesia, Thailand and India are some of the most infected countries today and people are actively searching about this virus/worm.

To note that more than 9 million computers are infected worldwide till date!

For detailed “How to remove Conficker worm” instructions, visit this post: How to Remove Conficker (On Gibni)