Conficker Worm Targets Microsoft Windows Systems

Original release date: March 29, 2009
Source: US-CERT

Systems Affected

  • Microsoft Windows

Overview

US-CERT is aware of public reports indicating a widespread infection of the Conficker worm, which can infect a Microsoft Windows system from a thumb drive, a network share, or directly across a network if the host is not patched with MS08-067.

I. Description

The presence of a Conficker infection may be detected if a user is unable to surf to the following web sites:

If a user is unable to reach either of these web sites, a Conficker infection may be indicated (the most current variant of Conficker interferes with queries for these sites, preventing a user from visiting them). If a Conficker infection is suspected, the infected system should be removed from the network. Major anti-virus vendors and Microsoft have released several free tools that can verify the presence of a Conficker infection and remove the worm. Microsoft has published instructions for manually removing a Conficker infection from a system at http://support.microsoft.com/kb/962007.

II. Impact

A remote, unauthenticated attacker could execute arbitrary code on a vulnerable system.

III. Solution

Instructions, support and more information on how to manually remove a Conficker/Downadup infection from a system have been published by major security vendors.  Please see below for a few of those sites. Each of these vendors offers free tools that can verify the presence of a Conficker/Downadup infection and remove the worm:

Symantec:
http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-011316-0247-99

Microsoft:
http://support.microsoft.com/kb/962007
http://www.microsoft.com/protect/computer/viruses/worms/conficker.mspx

For assistance, call the Microsoft PC Safety hotline at 1-866-PCSAFETY.

US-CERT encourages users to prevent a Conficker/Downadup infection by ensuring all systems have the MS08-067 patch (see http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx), disabling AutoRun functionality (see http://www.us-cert.gov/cas/techalerts/TA09-020A.html), and maintaining up-to-date anti-virus software.
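
The following PowerShell function is an added example, not tooling from US-CERT or Microsoft, that audits a local host for the two configuration items named above. It assumes that KB958644 is the update delivered by bulletin MS08-067 and that AutoRun is governed by the machine-wide NoDriveTypeAutoRun policy value; the function name and the state labels are hypothetical.

```powershell
# Added example: run locally on the Windows host being audited.
# Assumptions (not stated in the alert): KB958644 is the MS08-067 update, and
# AutoRun is controlled by the HKLM NoDriveTypeAutoRun policy value.

function Get-ConfickerMitigationStatus {
    # MS08-067 patch. Get-HotFix lists individually installed updates only; a
    # host that received the fix through a later service pack will not list the
    # KB, so report 'NotListed' (confirm manually) rather than 'Missing'.
    $hotfix = Get-HotFix -Id 'KB958644' -ErrorAction SilentlyContinue
    $patchState = if ($hotfix) { 'Installed' } else { 'NotListed' }

    # AutoRun policy. A missing key or value means the OS default applies.
    $key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $prop = Get-ItemProperty -Path $key -Name 'NoDriveTypeAutoRun' -ErrorAction SilentlyContinue
    $raw  = if ($prop) { $prop.NoDriveTypeAutoRun } else { $null }

    # The value can be stored as REG_DWORD (integer) or REG_BINARY (byte array);
    # the drive-type bitmask is the low byte in both cases.
    $mask = $null
    if ($raw -is [byte[]] -and $raw.Length -gt 0) {
        $mask = [long]$raw[0]
    } elseif ($null -ne $raw) {
        $mask = [long]$raw -band 0xFF
    }

    # Bit 0x04 = removable drives (thumb drives), bit 0x10 = network drives:
    # the two AutoRun-related infection paths the alert mentions.
    $autoRunState = if ($null -eq $mask) {
        'PolicyNotSet'
    } elseif ($mask -eq 0xFF) {
        'DisabledAllDrives'
    } elseif (($mask -band 0x14) -eq 0x14) {
        'DisabledRemovableAndNetwork'
    } else {
        'EnabledOnRemovableOrNetwork'
    }

    $maskHex = if ($null -ne $mask) { '0x{0:X2}' -f $mask } else { $null }

    New-Object PSObject -Property @{
        ComputerName = $env:COMPUTERNAME
        MS08_067     = $patchState
        AutoRun      = $autoRunState
        AutoRunMask  = $maskHex
    }
}

Get-ConfickerMitigationStatus | Format-List
```

A result of `NotListed` or `PolicyNotSet` calls for manual follow-up, not a conclusion that the host is exposed.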

IV. References
