
Updated: March 31, 2009
Added domain keywords & manual download of patches for Windows XP and Vista


The Conficker worm virus is spreading around the internet, and its ability to spread via the network makes it much faster and harder to remove completely. I first encountered the virus on a friend’s laptop, which infected another friend’s digital camera via USB. I also encountered it on the computers at the office. Incidentally, as of this post, only two computers on the office network were not affected: mine (Windows XP SP3) and that of an officemate who is using openSUSE (Linux). I wasn’t going to post this, but then I got a news alert from one of my feeds, and it seems it has already infected 9 – 15 million computers around the world.

Conficker, also known as Downup, Downadup and Kido, is a computer worm that surfaced in October 2008 and targets the Microsoft Windows operating system. The worm exploits a known vulnerability in the Windows Server service used by Windows 2000, Windows XP, Windows Vista, Windows Server 2003, Windows Server 2008, and Windows 7 Beta. The latest variant will begin checking for a payload to download on April 1, 2009. [wiki]

The news report I got was from CNN regarding the Conficker C computer worm which is expected to activate on April Fool’s Day (April 1, 2009).

Those infections haven’t spawned many symptoms, but on April 1 a master computer is scheduled to gain control of these zombie machines, said Don DeBolt, director of threat research for CA, a New York-based IT and software company.

The program could delete all of the files on a person’s computer, use zombie PCs — those controlled by a master — to overwhelm and shut down Web sites or monitor a person’s keyboard strokes to collect private information like passwords or bank account information, experts said.

The Tech Herald is on the same note regarding the Conficker.

“This worm, detected as Win32/Conficker.C, is getting ready for April Fool’s Day on 1 April, although it definitely won’t be fooling around. On that day, Conficker.C will commence its attempt to generate 50,000 URLs daily and try to access (download or report back to) 500 of them. It is a clever strategy, but the security industry is certainly on the lookout.”

Conficker A was reportedly released around November 2008, and Conficker B appeared around January 2009. Conficker C is the latest variant, the one most affected systems now carry, and is said to activate on April 1, 2009.

I had already posted a similar topic a couple of days ago, titled “How to remove the jwgkvsq.vmx worm virus”, when I first started to notice the virus in our network; it was the Conficker worm, but I dismissed it as an ordinary virus. It seems to have been spreading around a lot lately, and its security level is now ‘highly dangerous’.

Symptoms to check if your computer is infected with this:

  • The “Show hidden files and folders” option does not work.
  • Can’t access anti-virus websites such as Bitdefender.com and Symantec.com, or patch sites such as Microsoft.
  • A file named jwgkvsq.vmx exists inside the RECYCLED folder.
  • autorun.inf files are created on USB devices plugged into an infected machine. (Other viruses also do this.)
  • Account lockout policies are reset automatically.
  • Certain Microsoft Windows services such as Automatic Updates, Background Intelligent Transfer Service (BITS), Windows Defender and Error Reporting are disabled automatically.
  • Domain controllers respond slowly to client requests.
  • The network becomes unusually congested. This can be checked on the Networking tab of Windows Task Manager.
  • It launches a brute-force dictionary attack against administrator passwords to help it spread through ADMIN$ shares, so choosing sensible passwords is advisable.
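As an added example (not from the original post), here is a small Python triage script for the autorun.inf symptom above: it pulls the code-running directives out of an autorun.inf even when the file is padded with non-text junk, and flags any directive that references jwgkvsq.vmx or launches something from the RECYCLED/RECYCLER folder. The sample file bytes, the RUNDLL32 loader form and the export name in it are constructed for this example, not copied from a real infection.

```python
import os
import re
from typing import Dict, List

# Constructed sample of an autorun.inf as it might be found on a USB stick:
# non-text padding around a real [autorun] section, and an action that runs
# the dropped jwgkvsq.vmx (named in the post) out of the recycle-bin folder.
SAMPLE_AUTORUN = (
    b"\x00\x8f\x12junk\xff\xfe\n"
    b"[AuToRuN]\n"
    b"\x07\x1b;;;padding;;;\n"
    b"Action=Open folder to view files\n"
    b"Icon=%systemroot%\\system32\\shell32.dll,4\n"
    b"shellexecute=RUNDLL32.EXE .\\RECYCLED\\jwgkvsq.vmx,abcdefg\n"
    b"UseAutoPlay=1\n"
)

# INI keys that make Windows run a program when the volume is inserted/opened.
EXEC_KEYS = re.compile(r"^(open|shellexecute|shell\\[^=]*\\command)\s*=\s*(.+)$", re.I)
# Indicators taken from the symptom list: the dropped file name, anything
# launched from RECYCLED/RECYCLER, and rundll32 used as a loader.
SUSPECT = re.compile(r"jwgkvsq\.vmx|\\recycle[dr]\b|rundll32", re.I)

def extract_directives(raw: bytes) -> List[str]:
    """Return 'key=value' for every code-running directive, ignoring binary junk."""
    found = []
    for line in raw.decode("latin-1").splitlines():
        clean = "".join(ch for ch in line if 32 <= ord(ch) < 127).strip()
        m = EXEC_KEYS.match(clean)
        if m:
            found.append(f"{m.group(1).lower()}={m.group(2).strip()}")
    return found

def triage_autorun(raw: bytes) -> Dict[str, object]:
    """Classify one autorun.inf: clean, review (runs code), or suspicious (indicator hit)."""
    directives = extract_directives(raw)
    hits = [d for d in directives if SUSPECT.search(d)]
    # A genuine autorun.inf is plain text; control/high bytes suggest obfuscation.
    nontext = sum(1 for b in raw if (b < 32 and b not in (9, 10, 13)) or b >= 127)
    verdict = "suspicious" if hits else ("review" if directives else "clean")
    return {"directives": directives, "suspicious": hits,
            "nontext_bytes": nontext, "verdict": verdict}

def scan_volume(root: str) -> Dict[str, object]:
    """Triage the autorun.inf at the root of a mounted drive, e.g. 'E:/'."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.isfile(path):
        return {"directives": [], "suspicious": [], "nontext_bytes": 0, "verdict": "absent"}
    with open(path, "rb") as fh:
        return triage_autorun(fh.read())
```

Run `scan_volume("E:/")` (or whichever letter the USB stick mounted as) from a clean, patched machine with autorun disabled, so the stick is only read, never executed.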

Remove the virus:

Some of the well-known security companies came up with tools for removing the Conficker/Downandup worm virus. Removal tools can be freely downloaded from any of the following security sites:

How to remove the Conficker/Downandup worm virus?

  1. Download the Conficker/Downandup removal tools from the sites given above.
  2. Disconnect from the internet, remove any network cables at the back of your PC/laptop, and also remove any plugged-in USB devices.
  3. Log in as Administrator on your computer, or as any account that has administrator privileges.
  4. Run the removal tool. My recommendation is to use the removal tools from BitDefender (quick scan) and Symantec (thorough scan). But if you are not content, just run all the removal tools for greater detection.
     Simple case: The removal tool will detect and remove the Conficker worm and ‘may’ require that you restart your computer.
     Extreme case: The removal tool won’t run because the virus is preventing it from running. Quick solution:

     1. Open Task Manager (CTRL+ALT+DEL).
     2. Terminate (End Process) the processes named explorer.exe and svchost.exe.
     3. A countdown timer will appear requiring you to restart your computer. DO NOT DO ANYTHING AT THIS POINT EXCEPT… immediately run the BitDefender tool (quick scan) so that it removes the virus before your computer restarts.
     4. If the tool still won’t run, ‘end process’ all the svchost.exe instances and try running the removal tool again.

It only affects Windows systems that aren’t patched with the latest updates. Run Automatic Updates and patch your Windows. It is critical that these patches be installed:

Microsoft Security Bulletin MS08-067 – Critical
Vulnerability in Server Service Could Allow Remote Code Execution (958644)
http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx (download for XP)

Microsoft Security Bulletin MS08-068 – Important
Vulnerability in SMB Could Allow Remote Code Execution (957097)
http://www.microsoft.com/technet/security/bulletin/ms08-068.mspx (download for XP)

Microsoft Security Bulletin MS09-001 – Critical
Vulnerabilities in SMB Could Allow Remote Code Execution (958687)
http://www.microsoft.com/technet/security/bulletin/ms09-001.mspx (download for XP)

For manual download of patches for Windows XP and Vista go to http://www.softwarepatch.com/windows/

TAKE NOTE:

The virus spreads via the network, so if you plug your computer/laptop back into the network before it is patched, the virus may infect it again.

The virus also spreads via autorun.inf on USB devices, so plugging in an infected USB device may infect your computer.

For questions regarding the removal of this virus and other inquiries regarding the topic feel free to leave a comment, and I’ll get back to you.

Extra resources you may find useful:
Removing Downadup and Repairing [downadup.com]

If your computer is infected, you won’t be able to visit sites (the request times out) with these keywords in their domain name:
