April 1 Virus (common name)
Net-Worm.Win32.Kido
Worm:W32/Downadup.gen (F-Secure)
Worm:Win32/Conficker (Microsoft)
Mal/Conficker (Sophos)
W32/Conficker.worm.gen (Symantec)
Classification
Malware - Worm
Distribution Methods
Shared media
Windows browser vulnerability MS08-067
Wireless hotspots
Effects
Timed virus with remote update capability
Most effects unknown
Description
Conficker, commonly referred to as the April 1 virus by the media, is a worm targeting computers running Windows XP and Vista. Symantec estimates that the virus has infected over one million PCs. The virus has been reported as difficult to detect as it does not affect the infected computer. The virus is programmed to "harden" by securing itself on infected computers, disabling Windows and possibly anti-virus software updates, and downloading patches to increase the difficulty of removal on April 1.
Warning
Variants of this worm have been confirmed to disable or prevent the execution of antivirus installation utilities.
Prevention
The vulnerability which enables infection from this worm has been patched by Microsoft. A strong software firewall, an up-to-date installation of anti-virus software and updated operating system should prevent infection from this worm.
Resources
If you have been infected by this worm, or would like additional information about this worm, please see the following references.
- F-Secure - Information and removal instructions
- Symantec - General information and removal instructions
- Microsoft - Extensive information for IT personnel.
Update: Source Analysis
I have been reading up on some of the analysis of the Conficker.C source code, such as the review posted here. Together with the information provided at the Microsoft link above, I am getting a picture of some of the defensive capabilities of the software, and some of the things that may happen on April 1, when the software begins dialing out for updates. According to the analysis, the worm uses the Windows Operating System's internal mechanisms just as a browser would to resolve domain names and connect to external patch servers. However, the virus generates a list of 50,000 domain names to hide the actual location of the software creators' site. This tells me two things. One, there may be network slowdowns on April 1 from the large amount of traffic, especially DNS lookups, and two, it should be possible for software firewalls to easily identify an unrecognized application accessing the operating system methods for DNS and network connections. If that is the case, users will likely have warnings and the ability to prevent the virus from dialing home if they have a properly configured software firewall on the infected computer.
Update: Fake Patches
It has been reported that some computers infected with the Conficker.C worm have been patched to close the vulnerability that allowed the initial infection by the virus itself. It is being theorized that this has two goals; it prevents detection of the virus while it is dormant, and it prevents the system from being infected by other viruses and malware that could interfere in it's operation.
Many sites are advising that the easiest test to confirm infection is to attempt to visit www.mcafee.com, as the virus runs processes intended to prevent access to that site, and sites from several other anti-virus companies.
Update: Much ado about nothing
As I predicted above, April 1 was pretty quiet, with no major disruptions resulting from this virus.
No comments:
Post a Comment