Calendar Of Updates: Conficker.C Worm - Major Attack targeted to start on April Fools Day - Calendar Of Updates


Conficker.C Worm - Major Attack targeted to start on April Fools Day
Please ensure all Servers/PCs are patched

#1 harrywaldron

Posted 20 March 2009 - 04:14 PM

The Conficker worm is one of the most dangerous malware threats in years, especially for corporate users. A new "C" variant has been developed that's even more potent and stealthier than the two prior variants. It's imperative that Microsoft's MS08-067 patch be applied to all servers and workstations, while the worm is currently dormant.

If it establishes a foothold anywhere in the network, it can even spread to systems that are patched with MS08-067 if they are insecure in other areas (i.e., it uses multiple attack methods).

Please take precautions now, as this one will be even more difficult than "B" was to clean.

Conficker.C Worm - Major Attack targeted for April Fools Day
http://techfragments..._to_Spread.html
http://arstechnica.c...-activation.ars
http://www.maximumpc...april_fools_day
http://news.cnet.com...0196122-83.html
http://www.ca.com/us...s.aspx?id=77976

QUOTE: Just when you might have thought it was safe to start using USB flash drives at work again, the third, and by all accounts, most fiendish version of the Conficker worm that's infected millions of PCs already is set to attack on April 1st, Ars Technica reports. Conficker.C's designed to hide itself even more thoroughly than its older siblings Conficker.A and Conficker.B, using tricks such as:

• Inserting itself into as many as five Windows-related folders such as System, Movie Maker, Internet Explorer, and others (under a random name, of course)
• Creating access control entries and locking the file(s)
• Registers dummy services using a "one (name) from column A, one from column B, and two from column C" method

To find out what happens when Conficker.C strikes, join us after the jump.

Conficker.C's payload makes it harder than ever to recover from being infected:

• Deactivates Windows Security Center notifications
• Prevents restart in Safe Mode
• Prevents Windows Defender from running at system startup
• Deletes all system restore points
• Disables various error-reporting and security services
• Terminates over twenty security-related processes
• Blocks DNS queries
• Blocks access to security and antivirus websites
• And, to top it all off, Conficker.C can choose from a list of 500 domains to contact out of a pool of 50,000 (way up from Conficker.B's 32 out of 250).

Conficker.C - Detailed Evaluation by SRI
http://mtc.sri.com/C...cker/addendumC/

QUOTE: Variant C represents the third major revision of the Conficker malware family, which first appeared on the Internet on 20 November 2008. C distinguishes itself as a significant revision to Conficker B. In fact, we estimate that C leaves as little as 15% of the original B code base untouched

Below are some resources for information and cleaning tools for the Conficker worm:

Conficker - Cleaning tips for corporate users
http://msmvps.com/bl...rate-users.aspx

Internet Storm Center - Conficker Resource Center
http://isc.sans.org/...ml?storyid=5860

Microsoft Resources
http://support.microsoft.com/kb/962007
http://www.microsoft...n/ms08-067.mspx

#2 Donna

Posted 20 March 2009 - 04:38 PM

Thanks, Harry, for another alert! Also for the handy links in handling it :)

#3 seti

Posted 20 March 2009 - 06:30 PM

Thank you for the warning and the detail etc.; it helps us all to be aware and able to take precautions.

#4 harrywaldron

Posted 24 March 2009 - 08:07 PM

The Internet Storm Center has updated their excellent list of cleaning and informational resources.
ISC - Updated Conficker Resource Center
http://isc.sans.org/...ml?storyid=5860

Also, the "C" version payload is still somewhat unknown. The currently infected PCs and Servers will become a part of an advanced P2P network and could be used to attack other systems.

Conficker.c - April 1st payload still a mystery to researchers
http://www.computerw...ticleId=9130228

Quote

PCs infected with Conficker.c, the third version of the worm that first appeared late last year, will use a new communication scheme on April 1 to establish a link to the command-and-control servers operated by the hackers who seeded the malware. The date is hard-coded into the worm, which in turn polls any of a number of major Web sites, including Yahoo, for the date, said Stewart.

"So far, we haven't seen any evidence [on those machines] of what it will do April 1," added Stewart, although that's to be expected. "It's not April 1 yet, so they're not going to put something online, where it might be found. In fact, it's almost a little risky for us to try to look for those sites, since it might give away that we have some bots in their network." Symantec Corp.'s Vincent Weafer, vice president of the company's security response group, agreed with Stewart that it's impossible to know ahead of time what stunt Conficker's controllers will pull next week. "Nobody has any real idea," said Weafer. "There's no indication of what it will do April 1."

Weafer characterized the Conficker.c update as one to "armor and harden the existing infections," and noted that the variant, unlike its predecessors, cannot spread to other PCs. "This variant is very defensive-oriented," said Weafer, "to make it less visible and more resilient." Like Weafer, Stewart sees Conficker.c as a move by the worm's maker or makers to consolidate what's already infected. "The big question is what's the end game?" he said. "Is it just as big as they want it to get?"


#5 Donna

Posted 24 March 2009 - 08:12 PM

Thanks again, Harry!
Let's hope the anti-malware and anti-virus vendors are always ready and users will not fall into this worm (or other malware).

#6 Donna

Posted 27 March 2009 - 04:00 AM

Questions and Answers: Conficker and April 1st

Q: I heard something really bad is going to happen on the Internet on April 1st! Will it?
A: No, not really.

Q: Seriously, the Conficker worm is going to do something bad on April 1st, right?
A: The Conficker aka Downadup worm is going to change its operation a bit, but that's unlikely to cause anything visible on April 1st.

Q: So, what will it do on April 1st?
A: So far, Conficker has been polling 250 different domain names every day to download and run an update program. On April 1st, the latest version of Conficker will start to poll 500 out of 50,000 domains a day to do the same thing.

Q: The latest version? There are different versions out there?
A: Yes, and the latest version is not the most common. Most of the infected machines are infected with the B variant, which became widespread in early January. With B variant, nothing happens on April 1st.

Q: I just checked, and my Windows machine is clean. Is something going to happen to me on April 1st?
A: No.

Q: I'm running a Mac, is something going to happen to me?
A: No.

More from http://www.f-secure....s/00001636.html
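An added example, not part of the original posts or the quoted F-Secure Q&A: a host polling hundreds of different names a day, as the Q&A describes, stands out in resolver logs by its count of distinct failed lookups. The log layout, the threshold, the addresses and names, and the assumption that most polled names do not resolve are all illustrative assumptions.

```python
from collections import defaultdict

# Assumed alert threshold (not from the posts): far above normal typo noise,
# well below the 250 and 500 names a day quoted in the Q&A.
DISTINCT_FAILED_THRESHOLD = 100

def parse_line(line):
    """Parse 'YYYY-MM-DD client qname rcode' (an assumed log layout)."""
    parts = line.split()
    if len(parts) != 4:
        return None
    day, client, qname, rcode = parts
    # Normalise case and the trailing root dot so one name counts once.
    return day, client, qname.lower().rstrip("."), rcode.upper()

def noisy_clients(lines, threshold=DISTINCT_FAILED_THRESHOLD):
    """Map (day, client) -> distinct NXDOMAIN names, for clients at/over threshold."""
    failed = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines instead of aborting the triage
        day, client, qname, rcode = rec
        if rcode == "NXDOMAIN":
            failed[(day, client)].add(qname)
    return {key: len(names) for key, names in failed.items()
            if len(names) >= threshold}

def constructed_sample():
    """Constructed log lines; every address and name here is made up."""
    lines = []
    # Host polling 400 different names that do not resolve.
    for i in range(400):
        lines.append(f"2009-04-01 10.0.0.23 q{i:05d}.example NXDOMAIN")
    # Host retrying ONE missing name 150 times: loud, but a single name.
    for i in range(150):
        name = "Printer.Corp.example." if i % 2 else "printer.corp.example"
        lines.append(f"2009-04-01 10.0.0.40 {name} NXDOMAIN")
    # An ordinary successful lookup and one truncated line.
    lines.append("2009-04-01 10.0.0.40 www.example.org NOERROR")
    lines.append("2009-04-01 10.0.0.23")
    return lines

if __name__ == "__main__":
    for (day, client), count in sorted(noisy_clients(constructed_sample()).items()):
        print(f"{day} {client}: {count} distinct failed lookups")
```

Counting distinct names rather than raw failures is what keeps the retrying host out of the result; a flagged client is a lead for the detection and removal tools listed in the thread, not a verdict.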

#7 Donna

Posted 30 March 2009 - 04:58 PM

A few minutes ago I ran the Conficker detection tool by ESET, McAfee Stinger, and MRT by Microsoft, and so far there is nothing for me to worry about.

There's a lot of information on the internet about the Conficker worm. Don't wait to be infected; run the Conficker Detection/Removal tool. ISC has the list of the said tools:

http://isc.sans.org/...ml?storyid=5860

Patch everything. Make sure the real-time protection of your Firewall and AV is running. Have a back-up (just in case). Be careful about what you do and where you go online.

#8 harrywaldron

Posted 03 April 2009 - 07:19 PM

Conficker - New FAQ on latest developments

F-Secure has a good FAQ providing the latest developments on this Internet worm:

Conficker - New FAQ on latest developments
http://www.f-secure....s/00001647.html

QUOTE: What really happened was that the Conficker Working Group was able to prevent them from registering any of the domains used by the worm. Never before have we seen such a global cooperation within the industry and we're proud to be a member of that group. Also, it would've been pretty stupid for the people behind Conficker to do something on the day everyone expected them to.

#9 Triple Helix

Posted 25 April 2009 - 03:38 AM

Conficker virus begins to attack PCs

http://www.reuters.c...N...ews&sp=true

TH

#10 Donna

Posted 25 April 2009 - 04:12 AM

Triple Helix, on Apr 24 2009, 07:38 PM, said:

Conficker virus begins to attack PCs

http://www.reuters.c...N...ews&sp=true

TH


Quote

"This is probably one of the most sophisticated botnets on the planet. The guys behind this are very professional. They absolutely know what they are doing," said Paul Ferguson, a senior researcher with Trend Micro Inc, the world's third-largest security software maker.


In short... they mean business. Using malware to infect, scam users.

#11 gery

Posted 11 October 2009 - 04:14 PM

Triple Helix, on Apr 25 2009, 03:38 AM, said:

Conficker virus begins to attack PCs

http://www.reuters.c...N...ews&sp=true

TH

IS THERE A REAL TOOL FOR THIS CONFICKER
