This is by far the most common worm I see on Windows systems at the moment.
If you are watching the network traffic the symptom you will see is that there are calls to the website http://Trafficconverter.biz
The worm utilises a flaw in Windows dating back to 2008. This is a classic example of poor patching and incomplete security. Of course, also some clever programming from the worm authors.
MS08-067 basically describes a mechanism where a vulnerable system will run arbitrary code (of the assailants choice) when received from the network in a particular fashion (“carefully crafted RPC requests”). A long list of Windows (2000 SP4, XP SP2, XP SP3, XP Pro, 2003 SP1, 2003 SP2, Vista, 2008 plus x64 variants of all these) versions are vulnerable and that was the secret of the initial run of infections.
But the worm is capable of creating hooks on the system that allow it to reinstall itself and occasionally install copies on systems that are not vulnerable to the original flaw.
The only way I have so far found that is 100% effective is:
- Take every PC/Server/LapTop machine that may have been exposed off the network.
- Scan every system thoroughly through a recent Conficker Scanner.
- Run the most recent removal tool available on all infected systems.
- Do not allow any system onto that clean network unless it has been scanned/cleaned.
- Patch every single machine.
- Update antivirus on all system.
- Disable AutoRun on every system.
- Scan for unusual HTTP ports on PCs (another symptom of infection).
- Ban LapTop users from connecting to untrusted networks, including their home network.
If this isn’t done then the worm, unfortunately, keeps reappearing.
Massively disruptive beast.
On the positive side, the Russian website mentioned above is currently live but no longer serving malicious code. It is also detected by most antivirus and antimalware tools.
Sophos: Conficker removal tool
Kaspersky: Conficker removal tool
– Posted using BlogPress