Conficker Worm
June 10th, 2009

The Conficker worm, sometimes called Downadup or Kido, has managed to infect a large number of computers. Specifics are hard to come by, but some researchers estimate that millions of computers have been infected with this threat since January. Systems with Symantec Endpoint Protection or Symantec AntiVirus are protected, since these products will detect and remove this worm. Users who lack protection are invited to download a trial version of Symantec Endpoint Protection. Symantec recommends using Network Threat Protection along with antivirus scanning in Symantec Endpoint Protection to proactively prevent the threat from being downloaded to a system.
New variant, Downadup.E, found in the wild
This new variant was found in the wild on April 8th, 2009. Detection was added in Rapid Release definitions with a sequence number of 93981 (April 8, 2009 rev. 25) as W32.Downadup. Security Response gave this variant its own detection starting in Rapid Release sequence 94023 (April 9, 2009 rev. 9). Our initial analysis showed this variant functions similarly to the original W32.Downadup variant. As noted in our blog, this new variant appears to be dropping W32.Waledac. Detection for this W32.Waledac sample was added in Rapid Release definitions with a sequence number of 93978 (April 8, 2009 rev. 22). For more information on this threat’s functionality, see the Security Response write-up on W32.Downadup.E.
Downadup.C and April 1st
This new variant of the threat is specifically used to enhance the capabilities of previously infected machines. Computers which remain infected with a previous variant of the W32.Downadup family will download a copy of W32.Downadup.C to enhance the capability of the existing threat. Further details on the operation of earlier versions of the Downadup family are provided below in this document.
Some of the notable features of Downadup.C:
Increased command and control domain possibilities. The original variants of W32.Downadup(.B) check 250 domains per day for any new payload from the controller. The new variant contains an updated algorithm under which each Downadup.C infection checks 500 random domains per day out of a total of 50,000 possible random domains. This makes it more difficult for security companies to monitor all of the domains. At the same time, it will presumably also make it more difficult for the attacker to distribute further “attack instructions” to existing Downadup.C infections, since it won’t be practical for the attacker to post attack code on all 50,000 sites. Downadup.C infections will not begin contacting these Web sites until April 1, 2009.
Introduces new anti-detection measures. The new variant of the threat includes a list of strings which it searches for in the names of running processes, and it kills any process whose name matches. The list is used to terminate antivirus processes as well as debugging and analysis tools. Examples of strings that it searches for include “wireshark,” “confick,” “downad,” “ms08-06,” and “kb958.”
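The trade-off described above, that the larger domain pool hurts both the people monitoring the domains and the controller trying to reach infections, can be put in numbers. The following is an added example, not code from the original post or from Symantec; it uses only the figures quoted above (250 domains per day for the original variants, 500 checked per day out of 50,000 for Downadup.C) and assumes, as a modelling simplification not stated on the page, that each infection's daily selection is a uniform random subset of the pool. Under that assumption the count of "registered" domains an infection happens to check is hypergeometric, whether those domains belong to a sinkhole operator or to the controller.

```python
from math import comb

# Figures quoted on the page: the original W32.Downadup(.B) variants check
# 250 domains per day; W32.Downadup.C checks 500 random domains per day out
# of 50,000 possible domains.
ORIGINAL_DOMAINS_PER_DAY = 250
C_POOL_SIZE = 50_000
C_DOMAINS_CHECKED_PER_DAY = 500


def p_contacts_at_least_one(pool: int, checked: int, registered: int) -> float:
    """Probability that a single infection reaches at least one of `registered`
    domains, when it checks `checked` domains chosen uniformly at random
    without replacement from a pool of `pool` candidate domains.

    Modelling assumption (not stated on the page): the daily selection is a
    uniform random subset of the pool. The number of registered domains among
    the checked ones is then hypergeometric, so
    P(no contact) = C(pool - registered, checked) / C(pool, checked).
    math.comb(n, k) returns 0 when k > n, which yields P(no contact) = 0 once
    avoiding every registered domain becomes impossible.
    """
    if registered <= 0:
        return 0.0
    p_none = comb(pool - registered, checked) / comb(pool, checked)
    return 1.0 - p_none


def domains_for_coverage(pool: int, checked: int, target: float) -> int:
    """Smallest number of registered domains such that a single infection
    contacts at least one of them with probability >= target."""
    for registered in range(1, pool + 1):
        if p_contacts_at_least_one(pool, checked, registered) >= target:
            return registered
    return pool


def coverage_comparison(target: float = 0.99) -> dict:
    """Compare the two schemes from the point of view of anyone who needs
    their domains to be among the ones an infection checks on a given day
    (a sinkhole operator observing infections, or the controller)."""
    return {
        # Original variants: all 250 daily domains are contacted, so a single
        # registered domain is reached by every infection.
        "original_one_domain": p_contacts_at_least_one(
            ORIGINAL_DOMAINS_PER_DAY, ORIGINAL_DOMAINS_PER_DAY, 1),
        # Downadup.C: one registered domain is reached by only 500/50,000
        # of the infections on a given day.
        "c_one_domain": p_contacts_at_least_one(
            C_POOL_SIZE, C_DOMAINS_CHECKED_PER_DAY, 1),
        # Domains needed so that a given infection is reached with
        # probability >= target on a given day.
        "original_domains_for_target": domains_for_coverage(
            ORIGINAL_DOMAINS_PER_DAY, ORIGINAL_DOMAINS_PER_DAY, target),
        "c_domains_for_target": domains_for_coverage(
            C_POOL_SIZE, C_DOMAINS_CHECKED_PER_DAY, target),
        # Domains needed to be certain of reaching every infection: the
        # infection can avoid at most pool - checked domains.
        "c_domains_for_certainty": C_POOL_SIZE - C_DOMAINS_CHECKED_PER_DAY + 1,
    }


if __name__ == "__main__":
    for key, value in coverage_comparison().items():
        print(f"{key}: {value}")
```

With the original scheme a single sinkholed domain is contacted by every infection that day, while with Downadup.C a single domain sees about 1% of them and several hundred domains are needed before 99% of infections are observed; certainty requires 49,501 of the 50,000. The same arithmetic applies to the controller's "attack instructions", which is why the post expects the larger pool to cut both ways.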
The previous versions of Downadup can spread in 3 different ways:
Horizon Financial Services