Bleakants.com


The discovery comes from Trend Micro's labs:

It appears that on April 7 the virus changed course again, evolving once more.

Ivan Macalintal and his team reported the appearance of a new suspicious file of 119,296 bytes in the Windows temporary folder (%windir%\temp).
According to the data collected, the virus appears to have downloaded this update through its ability to receive new payloads via the peer-to-peer network of other infected hosts.

Another curious detail is that it later tried to download a second encrypted file (print.exe) from a host (goodnewsdigital-com) belonging to the Waledac botnet, an "old acquaintance" of the Trojan family whose aim is to steal sensitive data from users.

Besides Waledac, systems still under Conficker's control are having scareware installed, such as "Protect Spyware 2009" (the same family as the more famous Antivirus 2008 and Antivirus 2009), which is nothing but malware posing as an antivirus: it makes you believe your computer is infected and then pushes you to buy the full version of the phantom program that will clean your PC of all threats.

And so the motivation of these people slowly became all too clear: money.

The characteristics of this variant, known as Win32/Conficker.E or WORM_DOWNAD.E (Trend Micro's name), are described in this analysis from the Microsoft Malware Protection Center: http://blogs.technet.com/mmpc/archive/2009/04/09/win32-conficker-variants-update.aspx

(Last Updated: 27/04/2009)

Index:

- Threat info
- Avoidance
- Recognizing
- Detecting
- Removing

These days, at the company I work for, there was an outbreak of Conficker, proliferating mainly in the B and B++ forms.

While we were cleaning up PCs one after another by distributing Microsoft's well-known MRT (Malicious Software Removal Tool), we realized that something else was happening: despite our efforts, a new, special version of the virus was proliferating, much more annoying than its siblings and apparently unknown on the Internet.

We could not help but notice the difference, since the canonical cleanup procedures (via MRT or FixDownadup) proved no longer sufficient: on the infected computers it was impossible to install certain software (e.g. Unlocker, Filemon, TCPView), let alone run the cleaning tools mentioned above, which vanished into thin air shortly after being launched.

After we got in direct contact with McAfee, with whom we cooperated by providing a long series of reports (including authentic samples for analysis), the company told us that we were the discoverers of a new Conficker variant!

The latest available McAfee DAT should now implement detection of this variant, as described on this page (updated Tuesday, March 10: a few hours ago).

How the Worm Works

Looked at from a layman's point of view, this variant does not differ much from the previous ones, in that its infection mode fundamentally keeps the classic configuration:

first of all, it creates a copy of itself with the hidden attribute in c:\%windir%\system32\%random_name%.dll.

This file has execute-only permissions for Everyone and a recurring size of 86,016 bytes (compared with the previous variant's 165,600 bytes).

The library is (as usual) loaded by a system service and then uses the svchost.exe process to hide its presence.

In fact, a malicious entry is injected into the netsvcs key under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost, with a name that can closely resemble those of the default Windows services.

In our case, we found ourselves facing a bogus netsvcs entry, TrkTime, easy to confuse with the real TrkWks (Distributed Link Tracking Client service).

How to Recognize It

As I said, this variant appears in system32 as a .dll file with a recurring size of 86,016 bytes.

Other known sizes: 103,936 bytes | 164,160 bytes | 157,479 bytes | 84,992 bytes (gen.D)

This feature lets us quickly check for its presence with the DOS command

c:\> dir /A:H c:\windows\system32\*.dll

The /A:H attribute lists only the hidden files in the folder; a clean PC should return the message "File Not Found".

I also suggest trying the list of files marked as "system", like this:

c:\> dir /A:S c:\windows\system32\*.dll

Why a DOS command? Because Conficker prevents Explorer from displaying hidden and system files.

The file may also have particular access permissions, such as only SYNCHRONIZE and FILE_EXECUTE for the Everyone group. To check, use the command:

c:\> cacls c:\%windir%\system32\%lib_name%.dll

Conficker also disables some of the following services:

  • Automatic Updates (wuauserv)
  • Server
  • Background Intelligent Transfer (BITS)
  • Security Center (wscsvc)
  • Error Reporting Service (ERSvc)

With the Windows services snap-in you can quickly check the status of these: Start -> Run -> services.msc
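The hidden/system DLL check and the bogus netsvcs entry described above, automated as an added example (my code, not from the original post). Assumptions: the size list comes from this post; the sample listing and the netsvcs baseline are constructed; the live scan_system32 helper needs Windows, where os.stat exposes the hidden/system attribute bits.

```python
import os

# Recurring DLL sizes (bytes) this post lists for the variant, plus the earlier 165,600.
KNOWN_SIZES = {86016, 103936, 164160, 157479, 84992, 165600}
FILE_ATTRIBUTE_HIDDEN = 0x2   # what `dir /A:H` selects
FILE_ATTRIBUTE_SYSTEM = 0x4   # what `dir /A:S` selects


def suspicious_dlls(listing):
    """listing: iterable of (name, size, attributes). Flags DLLs that are hidden
    or system-flagged, or whose size matches a known variant, with the reasons."""
    findings = []
    for name, size, attrs in listing:
        if not name.lower().endswith(".dll"):
            continue
        reasons = []
        if attrs & FILE_ATTRIBUTE_HIDDEN:
            reasons.append("hidden")
        if attrs & FILE_ATTRIBUTE_SYSTEM:
            reasons.append("system")
        if size in KNOWN_SIZES:
            reasons.append("known size %d" % size)
        if reasons:
            findings.append((name, reasons))
    return findings


def bogus_netsvcs(entries, baseline):
    """Names in the Svchost\\netsvcs multi-string absent from a baseline captured
    on a clean machine of the same build (e.g. TrkTime next to the real TrkWks)."""
    known = {e.lower() for e in baseline}
    return [e for e in entries if e.lower() not in known]


def scan_system32(path=None):
    """Live scan (Windows only: st_file_attributes carries the hidden/system bits)."""
    path = path or os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "system32")
    listing = []
    for name in os.listdir(path):
        try:
            st = os.stat(os.path.join(path, name))
        except OSError:
            continue  # unreadable entry; skip rather than abort the scan
        listing.append((name, st.st_size, getattr(st, "st_file_attributes", 0)))
    return suspicious_dlls(listing)


# Constructed sample: one ordinary DLL and one hidden+system DLL of the recurring size.
SAMPLE_LISTING = [("kernel32.dll", 989696, 0x20), ("xkqzpt.dll", 86016, 0x2 | 0x4)]
SAMPLE_NETSVCS = ["AppMgmt", "TrkWks", "TrkTime", "BITS"]   # TrkTime is the bogus one
SAMPLE_BASELINE = ["AppMgmt", "TrkWks", "BITS"]

if __name__ == "__main__":
    print(suspicious_dlls(SAMPLE_LISTING), bogus_netsvcs(SAMPLE_NETSVCS, SAMPLE_BASELINE))
```

On a suspect machine, compare the netsvcs value read from the registry against a baseline exported from a clean PC of the same Windows build; a size match alone is only a hint, the hidden/system flags on a DLL in system32 are the stronger signal.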

Updated:

From one of the Conficker Working Group members, Joe Stewart, comes a web page (eye chart) that aims to help novice users identify this virus on their PC:

http://www.confickerworkinggroup.org/infection_test/cfeyechart.html

And here is a second online check tool, written by Leder and Werner, based on Joe Stewart's idea:

http://four.cs.uni-bonn.de/fileadmin/user_upload/werner/cfdetector/

How to Remove It

Since on infected machines it is not possible to install most security applications (such as those from Sysinternals), connect to Microsoft's sites or those of the various antivirus vendors, or run the various removal tools, we use a small but powerful freeware utility called "File & Folder Unlocker", available at this address. Fortunately its execution is not intercepted by the virus (and in any case, it is enough to rename the executable to something like "pippo.exe", since the worm blocks processes whose name contains certain words).

As the name suggests, File & Folder Unlocker lets you search for files in use by system processes and release them on the fly. In our case we type into the box the name of the hostile file found in System32, then right-click on the match it returns and click "Unlock Objects".

At this point, having released the library that intercepts all our calls, we can finally run one of the tools listed below.

Updated:

If releasing the library with F&F Unlocker is not enough to run the cleaning software, I recommend first changing the file's permissions as follows:

c:\> echo y | cacls c:\%windir%\system32\%lib_name%.dll /C /P Everyone:F

c:\> attrib -s -h -r c:\%windir%\system32\%lib_name%.dll

Then delete the file, reboot the system and use one of the tools listed below for complete cleaning, scanning the local drives as well, because the virus "copies" itself to locations such as the temporary folder and the system folder (System Volume Information).

In addition (as described below), I always recommend using the software, still under development, written and shared by Leder and Werner of the Honeynet Project in light of their latest discoveries.

Recently Released Removal Tools

After cleaning, remember to run a full scan with your antivirus software anyway, but in particular check that the folders C:\System Volume Information\ (hidden and system), %TEMP%, c:\%programfiles%\Internet Explorer\ and c:\%programfiles%\Movie Maker\ no longer contain traces of the virus.

How to Protect Yourself from the Spread

Since the virus has lately been spreading thanks to its ability to infect any external device connected to the PC (USB sticks, external hard drives, MP3 players, etc.), the first sensible thing to do is disable the Windows feature that interprets Autorun.inf files.

To do this, simply create a .REG file containing these lines and run it, accepting the changes:

REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"

Besides this, it is certainly important to:

- Avoid trivial passwords for the local administrative user: read here.

- Avoid using shared folders with write access for Everyone

- Install the security patch available in Security Bulletin MS08-067
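An added posture check (example code, not from the original post) that verifies the Autorun.inf IniFileMapping entry from the .REG above is in place and that the services the worm disables (listed under How to Recognize It) are not set to Disabled. Assumptions: "lanmanserver" is the registry name of the Server service; the registry reads need Windows (winreg), while the pure functions run anywhere on the constructed sample.

```python
import sys

EXPECTED_MAPPING = "@SYS:DoesNotExist"   # value written by the .REG above
# Services the post says Conficker disables (lanmanserver = Server, an assumption).
WATCHED_SERVICES = ["wuauserv", "lanmanserver", "BITS", "wscsvc", "ERSvc"]
SERVICE_DISABLED = 4   # Start = 4 means Disabled under HKLM\SYSTEM\CurrentControlSet\Services\<name>


def autorun_mapping_hardened(value):
    """True when the IniFileMapping default value redirects Autorun.inf to a
    non-existent key, so Windows never parses the file on inserted media."""
    return value is not None and value.strip() == EXPECTED_MAPPING


def disabled_services(start_types):
    """start_types: {service name: Start DWORD}. Returns the watched services set to Disabled."""
    return [s for s in WATCHED_SERVICES if start_types.get(s) == SERVICE_DISABLED]


def read_live_state():
    """Windows only: read both indicators from the registry."""
    import winreg
    hklm = winreg.HKEY_LOCAL_MACHINE
    try:
        with winreg.OpenKey(hklm, r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf") as k:
            mapping = winreg.QueryValueEx(k, "")[0]   # "" selects the (Default) value
    except OSError:
        mapping = None   # key absent: the mitigation is not applied
    starts = {}
    for svc in WATCHED_SERVICES:
        try:
            with winreg.OpenKey(hklm, r"SYSTEM\CurrentControlSet\Services\%s" % svc) as k:
                starts[svc] = winreg.QueryValueEx(k, "Start")[0]
        except OSError:
            pass   # service not installed on this build
    return mapping, starts


# Constructed sample: mapping missing, Automatic Updates and Security Center disabled.
SAMPLE_MAPPING = None
SAMPLE_STARTS = {"wuauserv": 4, "lanmanserver": 2, "BITS": 3, "wscsvc": 4, "ERSvc": 2}

if __name__ == "__main__":
    mapping, starts = read_live_state() if sys.platform == "win32" else (SAMPLE_MAPPING, SAMPLE_STARTS)
    print("autorun hardened:", autorun_mapping_hardened(mapping))
    print("watched services disabled:", disabled_services(starts))
```

A service reported as Disabled here that the administrator never disabled is one of the recognition signs from the section above, so treat it as a trigger for the hidden-DLL check rather than just re-enabling it.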

Information and Insights on the Threat


Infection Detection

We must thank Tillmann Werner and Felix Leder, two researchers who are part of the Honeynet Project, if we can now detect this annoying worm easily even on large networks.

What these guys discovered is a small sign that the virus leaves in its answers to certain RPC calls. They found what we can call the "fingerprint" of the virus, a feature that now makes detection procedures extremely simple: it is possible to detect threats on our network completely anonymously (no authentication is required during the check, and it can be done on any network or domain), remotely and very fast.

You can find the detailed report of their research at this address.

How do you detect it?

I refer you to more authoritative sources, where you will find detailed information (in English only):

Detection with the Nmap tool, whose latest version incorporates the virus signatures released by the Honeynet Project:

Below is the link to the article written by the two researchers from the University of Bonn. There you will find not only tools and scripts for detection but also a number of utilities for complete disinfection (e.g. in memory) of hosts infected by several variants of the worm:

http://iv.cs.uni-bonn.de/wg/cs/applications/containing-conficker/

Updated:

A technique was recently discovered that exploits the worm's own P2P mechanism to detect hosts infected by variants C and later, since C was the first to incorporate this update mechanism. The Nmap script is already included in the latest version.
