Thread: Conficker.C Worm

  1. #1
    S.P.Q.R. Praetorian's Avatar Vicarius
    Join Date
    Oct 2007
    Location
    Northern United States
    Posts
    2,914

    Default Conficker.C Worm

    http://tech.yahoo.com/blogs/null/128...-come-april-1/

    How exactly is this thing going to strike? Visiting an infected website?

  2. #2
    Strelok's Avatar Civitate
    Join Date
    Jul 2008
    Location
    Ontario, Canada
    Posts
    4,143

    Default Re: Conficker.C Worm

    No offense to you personally, but why are you so concerned about security, SPQR? I noticed all you talk about (usually) is PC security and seem to have no problem sacrificing performance and convenience for it

    I honestly don't care about the latest threats, I use my Router & Windows Firewall, Mozilla Firefox, get all the latest updates, use NoScript addon for Firefox, etc. I basically have a good defense and will install my scanners once in a while and then uninstall them. I also disable a lot of services that are a security risk (such as Remote Registry)

    Anyways, interesting news. +rep for the notice.
    Last edited by Strelok; March 25, 2009 at 01:48 PM.

  3. #3
    S.P.Q.R. Praetorian's Avatar Vicarius
    Join Date
    Oct 2007
    Location
    Northern United States
    Posts
    2,914

    Default Re: Conficker.C Worm

    Quote Originally Posted by tw3kr-PC View Post
    No offense to you personally, but why are you so concerned about security, SPQR? I noticed all you talk about (usually) is PC security and seem to have no problem sacrificing performance and convenience for it

    I honestly don't care about the latest threats, I use my Router & Windows Firewall, Mozilla Firefox, get all the latest updates, use NoScript addon for Firefox, etc. I basically have a good defense and will install my scanners once in a while and then uninstall them. I also disable a lot of services that are a security risk (such as Remote Registry)

    Anyways, interesting news. +rep for the notice.
    1. I am the opposite. I keep my PC free of tons of crap scanners that I don't need.
    2. I did not ask how you were prepared for it.
    3. I asked how this is going to strike.

  4. #4
    Strelok's Avatar Civitate
    Join Date
    Jul 2008
    Location
    Ontario, Canada
    Posts
    4,143

    Default Re: Conficker.C Worm

    Quote Originally Posted by S.P.Q.R. Praetorian View Post
    1. I am the opposite. I keep my PC free of tons of crap scanners that I don't need.
    2. I did not ask how you were prepared for it.
    3. I asked how this is going to strike.
    1. Last time I checked you always liked AVG8, that's "crap" enough for me. I wasn't making a personal attack anyways.

    2. So what if you didn't "ask" me, I just said it as a comment, do you look at Tw Center Basement subforum, make a topic and say "I didn't ask to talk about technology"? Of course you don't.

    3. No answer for you. At least I gave you rep
    Last edited by Strelok; March 25, 2009 at 08:20 PM.

  5. #5

    Default Re: Conficker.C Worm

    Ever since I read this article it has me paranoid, I hate the that made it. I don't see the point, and I most definitely never will.


  6. #6
    S.P.Q.R. Praetorian's Avatar Vicarius
    Join Date
    Oct 2007
    Location
    Northern United States
    Posts
    2,914

    Default Re: Conficker.C Worm

    Quote Originally Posted by tw3kr-PC View Post
    1. Last time I checked you always liked AVG8, that's "crap" enough for me. I wasn't making a personal attack anyways.

    2. So what if you didn't "ask" me, I just said it as a comment, do you look at Tw Center Basement subforum, make a topic and say "I didn't ask to talk about technology"? Of course you don't.

    3. No answer for you. At least I gave you rep
    1. I don't use AVG8. I use AVG8.5. It is somewhat better.

    2. True. I'll give you that.

    3. Thanks! I love rep!

    Quote Originally Posted by Doctor View Post
    Ever since I read this article it has me paranoid, I hate the that made it. I don't see the point, and I most definitely never will.
    You're not the only one. This is the only thing I could find on it, but I still don't know how it will strike. If it has more ways than just infecting you by visiting a bad website, this is going to be the major craps. I strongly recommend you get one of the following removal tools just in case.

    BTW, I would love to know who wrote this worm because then M$ would give me the $250,000 bounty.


    Just when you might have thought it was safe to start using USB flash drives at work again, the third, and by all accounts, most fiendish version of the Conficker worm that's infected millions of PCs already is set to attack on April 1st, Ars Technica reports. Conficker.C's designed to hide itself even more thoroughly than its older siblings Conficker.A and Conficker.B, using tricks such as:
    • Inserting itself into as many as five Windows-related folders such as System, Movie Maker, Internet Explorer, and others (under a random name, of course)
    • Creating access control entries and locking the file(s)
    • Registering dummy services using a "one (name) from column A, one from column B, and two from column C" method
    Conficker.C's payload makes it harder than ever to recover from being infected:
    • Deactivates Windows Security Center notifications
    • Prevents restart in Safe Mode
    • Prevents Windows Defender from running at system startup
    • Deletes all system restore points
    • Disables various error-reporting and security services
    • Terminates over twenty security-related processes
    • Blocks DNS queries
    • Blocks access to security and antivirus websites
    • And, to top it all off, Conficker.C can choose from a list of 500 domains to contact out of a pool of 50,000 (way up from Conficker.B's 32 out of 250).
    See the Win32/Conficker.C writeup at CA's website for complete technical details.
    Microsoft, Panda Software, Symantec, and McAfee are just a few of the vendors that have now updated their threat encyclopedias to include Conficker.C (it's sometimes listed as Conficker.B++). Since Conficker.B and the new Conficker.C are designed to block access to antivirus websites, you might want to download removal tools now - just in case. You can get one developed by BitDefender from the Downadup.org website (Downadup is the alternative name for Conficker); however, keep in mind that ArsTechnica isn't certain if it will remove Conficker.C (it will remove older versions).
    Naturally, prevention's way better than curing a nasty worm outbreak. To learn more about preventing infections, and for links to additional removal tools, see our previous Conficker articles.
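
Added example (not part of the thread or the quoted article): a read-only PowerShell triage that checks a Windows host for several of the symptoms the article lists (disabled security services, Safe Mode unavailable, no restore points, blocked lookups of security vendor sites). The service list, the control hostname and the vendor hostnames are assumptions chosen for illustration; run it as a script from an elevated Windows PowerShell session.

```powershell
# Added example: read-only symptom triage. Findings are leads to investigate,
# not proof of infection (e.g. third-party AV legitimately disables WinDefend).
$findings = New-Object System.Collections.Generic.List[string]

# Symptom: security and error-reporting services disabled.
# Assumed list of standard Windows service names; adjust for the OS version.
$services = 'wscsvc', 'WinDefend', 'wuauserv', 'BITS', 'WerSvc'
foreach ($name in $services) {
    $svc = Get-CimInstance Win32_Service -Filter "Name='$name'"
    if (-not $svc) {
        $findings.Add("Service '$name' is not installed")
    } elseif ($svc.StartMode -eq 'Disabled') {
        $findings.Add("Service '$name' is disabled")
    }
}

# Symptom: restart in Safe Mode prevented. Safe Mode needs these registry keys.
foreach ($mode in 'Minimal', 'Network') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode"
    if (-not (Test-Path $key)) { $findings.Add("Safe Mode key missing: $key") }
}

# Symptom: all system restore points deleted.
# An empty result also occurs when System Restore is simply turned off.
$points = @(Get-ComputerRestorePoint -ErrorAction SilentlyContinue)
if ($points.Count -eq 0) { $findings.Add('No system restore points found') }

# Symptom: lookups of security vendor sites blocked while other names resolve.
function Test-Resolves([string]$HostName) {
    try { [void][System.Net.Dns]::GetHostAddresses($HostName); $true }
    catch { $false }
}
$controlHost = 'www.example.com'   # assumed control name, unrelated to security vendors
$vendorHosts = 'www.microsoft.com', 'www.symantec.com', 'www.mcafee.com'   # assumed
if (Test-Resolves $controlHost) {
    foreach ($h in $vendorHosts) {
        if (-not (Test-Resolves $h)) {
            $findings.Add("$h does not resolve although $controlHost does")
        }
    }
} else {
    $findings.Add('Control name did not resolve; DNS check inconclusive')
}

if ($findings.Count -eq 0) {
    'None of the checked symptoms observed.'
} else {
    $findings
}
```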

  7. #7

    Default Re: Conficker.C Worm

    Wouldn't a simple reformat fix everything? jeez.

  8. #8
    S.P.Q.R. Praetorian's Avatar Vicarius
    Join Date
    Oct 2007
    Location
    Northern United States
    Posts
    2,914

    Default Re: Conficker.C Worm

    Quote Originally Posted by Wheelchair View Post
    Wouldn't a simple reformat fix everything? jeez.
    1. That is not the point.
    2. According to some, that is NOT a solution to the issue.
    3. I don't have any backup drive for all of my very precious data, and this worm loves external drives anyway.

  9. #9
    Simetrical's Avatar Former Chief Technician
    Patrician

    Join Date
    Nov 2004
    Location
    θ = π/0.6293, φ = π/1.293, ρ = 6,360 km
    Posts
    20,154

    Default Re: Conficker.C Worm

    According to the various security alerts, the virus can take advantage of bugs in file sharing, removable drives, or weak administrator passwords. It doesn't seem to use websites as an attack vector.
    Quote Originally Posted by Wheelchair View Post
    Wouldn't a simple reformat fix everything? jeez.
    The point is that most people aren't going to notice and do that. There's currently a network of infected machines numbering in probably the tens of thousands, which can be used by their (unknown, criminal) controllers to do whatever they want. They could take down major websites for pay, mine and sell vast amounts of private data, or do a huge amount of gratuitous damage by just wiping everyone's drives. On April 1 it's going to download an update, and nobody knows what it will do. This isn't your average stupid adware infection, it's very serious and professional malicious code that's created a very large botnet in a quite short time.
    MediaWiki developer, TWC Chief Technician
    NetHack player (nao info)


    Risen from Prey

  10. #10
    Strelok's Avatar Civitate
    Join Date
    Jul 2008
    Location
    Ontario, Canada
    Posts
    4,143

    Default Re: Conficker.C Worm

    According to the various security alerts, the virus can take advantage of bugs in file sharing, removable drives, or weak administrator passwords. It doesn't seem to use websites as an attack vector.
    I have none of those 3! All file sharing capabilities disabled, no removable drives and a strong administrator password!

    There's currently a network of infected machines numbering in probably the tens of thousands, which can be used by their (unknown, criminal) controllers to do whatever they want
    He was more talking about the power/standard user who just likes to dick around and do stuff and has no problem reinstalling all his stuff. Wheelchair does have a point, people care about security a little bit too much. If you have very sensitive data (child rape, nuclear launch codes) I think you would be concerned. If the reliability of your computer decides the fate of your company, then yes, but if you're just messin' around all day then there's little need to worry.

  11. #11
    Strelok's Avatar Civitate
    Join Date
    Jul 2008
    Location
    Ontario, Canada
    Posts
    4,143

    Default Re: Conficker.C Worm

    Is it possible that it can be sitting in your BIOS? I'm thinking of wiping my HDD and re-flashing my BIOS clean and not using my PC on April 1st. After doing some more research, I'm worried.

    I guess I'll wipe all my flash drives & HDDs and my SSD, including BIOS and install Ubuntu for the day.

    There's so many ways that I would know if it disabled stuff, especially UAC, I doubt I will be too affected. I also have many services disabled that are general security risks (such as Server)
    Last edited by Strelok; March 27, 2009 at 01:42 AM.

  12. #12
    Simetrical's Avatar Former Chief Technician
    Patrician

    Join Date
    Nov 2004
    Location
    θ = π/0.6293, φ = π/1.293, ρ = 6,360 km
    Posts
    20,154

    Default Re: Conficker.C Worm

    Quote Originally Posted by tw3kr-PC View Post
    He was more talking about the power/standard user who just likes to dick around and do stuff and has no problem reinstalling all his stuff. Wheelchair does have a point, people care about security a little bit too much. If you have very sensitive data (child rape, nuclear launch codes) I think you would be concerned. If the reliability of your computer decides the fate of your company, then yes, but if you're just messin' around all day then there's little need to worry.
    The problem is that your computer can still be used to attack others in botnets, send out e-mail spam, and other malicious things. Compromised computers hurt everyone, not just their owners.
    Quote Originally Posted by tw3kr-PC View Post
    Is it possible that it can be sitting in your BIOS?
    No, this virus doesn't do that. Some have been demoed that do, but my understanding is it's fairly hard due to the heterogeneity of motherboards. Windows is a very homogeneous target, by design.

  13. #13
    S.P.Q.R. Praetorian's Avatar Vicarius
    Join Date
    Oct 2007
    Location
    Northern United States
    Posts
    2,914

    Default Re: Conficker.C Worm

    So what exactly is your opinion on staying protected from this, Sim?

  14. #14
    Strelok's Avatar Civitate
    Join Date
    Jul 2008
    Location
    Ontario, Canada
    Posts
    4,143

    Default Re: Conficker.C Worm

    Quote Originally Posted by S.P.Q.R. Praetorian View Post
    So what exactly is your opinion on staying protected from this, Sim?
    Uninstall Windows and use Linux

    Microsoft offers a free online-scan with their OneCare utility, and many of the popular scanners have updated their definitions for this thing.

  15. #15
    Freddie's Avatar The Voice of Reason
    Patrician

    Join Date
    Oct 2004
    Location
    UK
    Posts
    9,534

    Default Re: Conficker.C Worm

    Quote Originally Posted by S.P.Q.R. Praetorian View Post
    So what exactly is your opinion on staying protected from this, Sim?

    Don't get too worked up about it, let your antivirus and Windows Update do their jobs and you should be fine. I blame the press for creating too much hysteria over things like this.

  16. #16

    Default Re: Conficker.C Worm

    Quote Originally Posted by Freddie View Post

    Don't get too worked up about it, let your antivirus and Windows Update do their jobs and you should be fine. I blame the press for creating too much hysteria over things like this.
    Thank God for a voice of reason! I was beginning to get a bit concerned about this!

  17. #17
    S.P.Q.R. Praetorian's Avatar Vicarius
    Join Date
    Oct 2007
    Location
    Northern United States
    Posts
    2,914

    Default Re: Conficker.C Worm

    Quote Originally Posted by tw3kr-PC View Post
    Uninstall Windows and use Linux
    That is the most ridiculous crap I've ever heard.

    Quote Originally Posted by Freddie View Post
    Don't get too worked up about it, let your antivirus and Windows Update do their jobs and you should be fine. I blame the press for creating too much hysteria over things like this.
    The entire French navy air force, RAF, and Royal Navy were immobilized for about a week from its weaker sibling Conficker.B, and you think I shouldn't be worried?

  18. #18
    Freddie's Avatar The Voice of Reason
    Patrician

    Join Date
    Oct 2004
    Location
    UK
    Posts
    9,534

    Default Re: Conficker.C Worm

    Quote Originally Posted by S.P.Q.R. Praetorian View Post


    The entire French navy air force, RAF, and Royal Navy were immobilized for about a week from its weaker sibling Conficker.B, and you think I shouldn't be worried?
    Well, let's just say I'm not worried, come April 1st this whole thing will have blown over and will have been forgotten about.

  19. #19
    Strelok's Avatar Civitate
    Join Date
    Jul 2008
    Location
    Ontario, Canada
    Posts
    4,143

    Default Re: Conficker.C Worm

    The entire French navy air force, RAF, and Royal Navy were immobilized for about a week from its weaker sibling Conficker.B, and you think I shouldn't be worried?
    Just about every scanner out there should have the definition update for Conficker.C. Run a deep scan with whatever you pick and you are basically in the clear. If you really are concerned, format all of your drives and then if you still feel unsafe, install a Linux distro since this is a Windows only worm.

    That is the most ridiculous crap I've ever heard.
    Explain how it's ridiculous.

  20. #20
    Simetrical's Avatar Former Chief Technician
    Patrician

    Join Date
    Nov 2004
    Location
    θ = π/0.6293, φ = π/1.293, ρ = 6,360 km
    Posts
    20,154

    Default Re: Conficker.C Worm

    Quote Originally Posted by tw3kr-PC View Post
    Uninstall Windows and use Linux
    Bingo!
    Quote Originally Posted by Freddie View Post
    Don't get too worked up about it, let your antivirus and Windows Update do their jobs and you should be fine. I blame the press for creating too much hysteria over things like this.
    It is not hysteria. The botnet is probably millions strong. It puts a tremendous amount of power in the hands of criminals. Your computer might not get infected, but that's not the point. We're probably talking about the ability to disable entire countries' Internet access by DDoS. Not big countries like the US or China, but entire countries nonetheless. And these people are almost certainly selling usage rights to the highest bidder. We can only hope that they'll be content with just installing malware and taking down a few unimportant websites instead of causing some real havoc ― they could probably cause billions of dollars' worth of damages.
    Quote Originally Posted by Freddie View Post
    Well, let's just say I'm not worried, come April 1st this whole thing will have blown over and will have been forgotten about.
    Attention from experts will only blow over if the botnet dies, like if all its users reinstall or upgrade Windows. The media, of course, is fickle about this kind of thing, but security researchers pay close attention to large botnets as long as they exist, with good reason.
