Microsoft Philippines Community

A community for users, customers, and partners of Microsoft products in the Philippines :)

Conficker Worm Going Around

Last post 01-28-2009 7:24 PM by Crashoverride. 13 replies.
  • 01-08-2009 8:23 PM

    • jpaloma
    • Top 10 Contributor
      Male
    • Joined on 07-09-2004
    • Singapore
    • Posts 2,527
    • Points 25,652
    • MVP

    Conficker Worm Going Around

    Word has it that this worm is going around certain regions in Asia. 

    From the Microsoft Malware Protection Center

    As expected, we are seeing another wave of attacks exploiting the vulnerability detailed in security bulletin MS08-067.

    Early last week we blogged about MS08-067 exploits. At that time, the number of exploits in the wild was still low and they were mostly targeted attacks. However, during the weekend we started receiving customer reports for new malware that exploits this vulnerability. During the last two days that malware gained momentum and as a result we see an increased support call volume. The SHA1 hash of the malware is 0x5815B13044FC9248BF7C2DBA771F0E6496D9E536 and we detect it as Worm:Win32/Conficker.A.

    Regarding the worm Worm:Win32/Conficker.B

    Worm:Win32/Conficker.B is a worm that infects other computers across a network by exploiting a vulnerability in the Windows Server service (SVCHOST.EXE). If the vulnerability is successfully exploited, it could allow remote code execution when file sharing is enabled. It may also spread via removable drives and weak administrator passwords. It disables several important system services and security products.
     
    Microsoft strongly recommends that users apply the update referred to in Security Bulletin MS08-067 immediately.
    Jay Paloma
    Security is a State of Mind
  • 01-09-2009 12:40 PM In reply to

    Re: Conficker Worm Going Around

    And well, it could be prevented by having the current Windows updates/patches in your system and checking USB/removable drives and similar before introducing them to any PC system.
    Sr. Security Analyst - RTL APAC, CEH
  • 01-09-2009 12:43 PM In reply to

    Re: Conficker Worm Going Around

    This is what we troubleshot yesterday, the whole day and night.

  • 01-09-2009 1:39 PM In reply to

    Re: Conficker Worm Going Around

    The bloody patch was released in October; an out-of-band one at that (which would have already sent an administrator worth his salt a-patching).

    I've a script which "tries" to identify the rogue services randomly generated by this worm (I didn't include any cleanup mechanism for lack of time):

    http://badzmanaois.blogspot.com/2009/01/confickervbs-conficker-wormdownad.html

  • 01-09-2009 6:21 PM In reply to

    Re: Conficker Worm Going Around

    Hmmm, well, you should remove not only the actual file but also the remnant files... Patch up, dude, and clamp down on the use of removable drives and online drives.

    rockshock_zid:

    This is what we troubleshot yesterday, the whole day and night.


    If you still have such an issue, buzz us; we may extend some tools for you to use for cleanup.

    Sr. Security Analyst - RTL APAC, CEH
  • 01-14-2009 2:29 PM In reply to

    Re: Conficker Worm Going Around

    I sure want to keep this thread alive for the reason that we found a significant number of Conficker/Downad worm variants that have evolved significantly, now using the original rootkit module, brute force and dictionary attacks on user passwords, file and registry locking sequences, autorun worm additives, DoS capability as well as a DNS poisoning package, all in one, with the end product of backdoor access.

    Again, PLEASE proceed to Windows Update ASAP and update your latest security application to the most recent pattern, as well as locking down external storage alien to your infrastructure or home PCs.

    Just yesterday we found 2 unique variants in Southeast Asia.

    Sr. Security Analyst - RTL APAC, CEH
  • 01-14-2009 5:35 PM In reply to

    • jpaloma
    • Top 10 Contributor
      Male
    • Joined on 07-09-2004
    • Singapore
    • Posts 2,527
    • Points 25,652
    • MVP

    Re: Conficker Worm Going Around

    The Jan 2009 MSRT includes the removal for Conficker.

    Jay Paloma
    Security is a State of Mind
  • 01-14-2009 6:03 PM In reply to

    Re: Conficker Worm Going Around

    Sirs, is it possible that we have already applied the patches but there is still damage done to the infected computers?

    Because from our experience, after applying the patch our anti-virus stopped its autoprotect against Downadup (also known as the Conficker worm).

    Point is, is applying the patch enough, or are there further steps to be done?

  • 01-14-2009 6:17 PM In reply to

    Re: Conficker Worm Going Around

    Aside from the patch from Microsoft, what we did is we also ran the removal tool from our anti-virus.

  • 01-14-2009 7:24 PM In reply to

    • jasperjugan
    • Top 10 Contributor
      Male
    • Joined on 07-10-2003
    • Feel the LOVE Generation!
    • Posts 9,397
    • Points 87,858

    Re: Conficker Worm Going Around

    FYI guys, patching alone is not a guarantee. You need to make sure that the whole network is clean. As mentioned in the articles, it generally spreads via 4 ways:

    1. removable drives

    2. network shares

    3. MS08-067 exploit

    4. trying to run itself using a weak admin password list

    So, meaning, even if you deployed the patch, if one of these symptoms is still present, chances are it will spread out (especially if it exploits an admin account).

     

    Also, we DO NOT recommend logging in using a domain account, especially domain admin accounts, when cleaning up. Use local user accounts as much as possible.

    Jasper Jugan
    Technical Account Manager
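    What "patching alone is not a guarantee" looks like as a host check, added here as an example (this script is not from the thread, from Microsoft or from the poster): a PowerShell audit of the four spread paths listed above on one Windows host. The hotfix ID KB958644 (the update shipped by MS08-067), the NoDriveTypeAutoRun policy value and the wuauserv service name are assumed from general Windows knowledge, not taken from the post; it assumes PowerShell 2.0 or later run as a local administrator.

```powershell
# Added example, not from this thread. Audits one Windows host against the four
# Conficker spread paths named in the post above. Assumes PowerShell 2.0+ run as
# a local administrator. KB958644 is the hotfix that Security Bulletin MS08-067
# ships for supported Windows versions (assumption: this host is one of them).
function Test-ConfickerExposure {
    $findings = @()

    # 1. MS08-067 exploit: the out-of-band patch from October 2008 must be present.
    $hotfix = Get-HotFix -Id 'KB958644' -ErrorAction SilentlyContinue
    if (-not $hotfix) { $findings += 'MS08-067 (KB958644) is not installed' }

    # 2. Removable drives: AutoRun should be disabled for every drive type (0xFF).
    $polKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $autorun = (Get-ItemProperty -Path $polKey -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    if ($autorun -ne 0xFF) {
        $findings += "AutoRun is not fully disabled (NoDriveTypeAutoRun = $autorun)"
    }

    # 3. Network shares: list user-created disk shares (Type 0). Administrative
    #    shares such as C$ and ADMIN$ carry a different Type value and are skipped.
    $shares = Get-WmiObject -Class Win32_Share | Where-Object { $_.Type -eq 0 }
    foreach ($s in $shares) {
        $findings += "Non-administrative share exposed: $($s.Name) -> $($s.Path)"
    }

    # 4. Weak admin passwords: the worm tries a password list, so any enabled local
    #    account that does not require a password at all is an immediate finding.
    $filter = 'LocalAccount=True AND Disabled=False AND PasswordRequired=False'
    $noPwd  = Get-WmiObject -Class Win32_UserAccount -Filter $filter
    foreach ($u in $noPwd) {
        $findings += "Local account with no password required: $($u.Name)"
    }

    # The thread says the worm disables system services and tells everyone to use
    # Windows Update, so confirm the Windows Update service is still running.
    $wu = Get-Service -Name 'wuauserv' -ErrorAction SilentlyContinue
    if (-not $wu -or $wu.Status -ne 'Running') {
        $findings += 'Windows Update service (wuauserv) is not running'
    }

    return $findings
}

# One line per finding; an empty result means no gap was found on this host.
Test-ConfickerExposure | ForEach-Object { Write-Output $_ }
```

    Run it on every machine on the segment, not just the one that raised the alert, since a single unpatched host with a shared drive or a blank admin password is enough for the worm to come back.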
  • 01-15-2009 4:23 PM In reply to

    • jpaloma
    • Top 10 Contributor
      Male
    • Joined on 07-09-2004
    • Singapore
    • Posts 2,527
    • Points 25,652
    • MVP

    Re: Conficker Worm Going Around

    Jay Paloma
    Security is a State of Mind
  • 01-21-2009 3:01 PM In reply to

    Re: Conficker Worm Going Around

    Bump...

     

    "Widespread Confickr/Downadup Worm Hard To Kill - Attack more dangerous in the potential of its scope and the way it was waged than the worm itself": Their biggest victims have been the enterprise, not the typical home user, experts note. And that could mean millions of enterprise bots. "There's still no botnet activity. But that could easily change at any given moment," says Patrik Runald, chief security advisor for F-Secure, which has been watching the worm closely. "These millions of PCs try to connect to hundreds of Websites daily, and the people behind this could easily change the behavior of an infected computer if they wanted to."  

    How did enterprises fall for a worm? Security experts say poor patch management, antivirus software shortcomings, and lack of detection of outbound command and control traffic contributed to the worm's success.

    http://www.darkreading.com/story/showArticle.jhtml?articleID=212901489
  • 01-28-2009 3:13 PM In reply to

    Re: Conficker Worm Going Around

    Sirs,

    are both Downadup and Downadup.B covered by the MS08-067 patch?

     

  • 01-28-2009 7:24 PM In reply to

    Re: Conficker Worm Going Around

    Those are just variants, or different naming conventions for Conficker (as detected by other AV products), and the MS08-067 exploit is the one it's using, and recently other avenues as well.

    Just an update: there are now 2 new variants, Conficker.C and Conficker.D.

    This would help:

    http://www.microsoft.com/protect/computer/viruses/worms/conficker.mspx

    Sr. Security Analyst - RTL APAC, CEH
Copyright © 2008 Microsoft Philippines Community