Conficker



Lions and Tigers and Conficker? It's finally here.

Whew….  We made it past April 1.  Doomsday, by some accounts, if much of the press had their way.  The day Conficker was going to take over our computers.

I have 7 Windows computers running all the time in my house.

I had this picture in my mind that at 12:01 AM on the morning of the 1st all of the monitors were going to light up, the keyboards would start typing by themselves, and the mice would be moving and clicking by themselves.  There is more, but I’m saving it for the book.

No, really, the scare and hype of the Conficker worm came and went without so much as a whimper.

Until Thursday.  Eight days after we spent hours talking about the worm, it woke up.  April 8, 2009.

The download that was expected by computers already infected with Conficker was caught by Trend Micro.  It was transmitted from infected machine to infected machine by the worm’s built-in peer-to-peer network, meaning the infected machines could talk to each other on a private network using the Internet.  It did not download its new payload by DNS lookup of 50,000 domain names as was previously thought.

The payload, as reported by Kaspersky Labs, is now serving up a fake anti-virus program, whose name is not known, that offers to remove malware for $49.95.

Also included in the payload is an old email worm called Waledac.

Waledac embeds itself as an attachment on email it sends out, using your address book and all of the email addresses it finds on your computer.  It’s also capable of harvesting password information from your hard disk and forwarding it back to its source.

It usually sends an email that looks like a holiday card wishing Christmas and New Year’s greetings.  But, since this is April, it may send other types of email to convince you to click on the attachment.  In the past, the attachment has always been ecard.exe.  I don’t know yet if it will be the same file name for this outbreak.

Should you worry about this event?  The awakening of Conficker and its cousin Waledac?  Do you have a good reason to panic about this?

NOT !!!!!

Why?  That’s really a good question.  Think about it.  (pause)  What did I tell you that you should do about this last week?  (pause)

Oh…  Ok.  I’ll tell you again.

1. Make sure you have all of the Windows updates installed, including Service Pack 3 on XP and Service Pack 1 on Vista.

2. Make sure Automatic Updates are turned on.

3. Make sure you have a modern anti-virus program, newly installed within the last 12 months.  Not Norton System Works 2003 either.  Make sure it is updated and running.

If your anti-virus software itself (not just its daily updates) is more than one year old and you either don’t want to pay for a new copy or don’t have the money, remove what you have and install the free version of Avast.  You can get it by clicking on the download link in the menu at the top of the page.  Make sure you remove your old anti-virus software before you install it.  There are Norton and McAfee removal tools available on the downloads page as well.

And, don’t forget to register Avast or it will expire after 60 days.  It’s free to use after you register it.

4. And I am going to emphasize this again.  PRACTICE SAFE SURF!

DON’T click on attachments in your email unless you have a method of verifying who sent them.  I don’t care if they are pictures from your sister.  Email her or call her and make sure she sent them.

DON’T click on pop-up windows that say you have a virus, spyware, or any other “ware”.  If the pop-up did not come from the anti-virus or Internet security package that is already installed on your computer, DON’T DO IT.

I guess the bottom line here is that you are already protected if you follow these basic rules.  You have nothing to worry about.

Prevent Conficker/Downadup From Bothering You

There is some deja vu in this story.  I talked about Conficker back in January when Conficker.B made its way around the Internet.  Now, Conficker.C is said to be released on Wednesday, April 1st.

And, again, the solution to protecting yourself is the same and just as simple.  So is the removal if you have it.

Preventing Conficker from getting into your system

Here is the key.  You should already be protected.  Yep!  If you listen to the show and actually do the things we suggest, you really will have prevented most of the problems your computer will experience.  There are two problems that can cause your computer to get infected.  The common cold, and YOU!

Well, maybe not the common cold.

But, if you enjoy listening to the show every week and don’t DO what we recommend almost every week, then your computer is partially or fully vulnerable to a lot of malicious infections.

Here are 3 tips that will help you prevent almost all threats from infecting your computer.  This includes Conficker.

1. Make sure that you have your Windows operating system up to date.  There are a lot of people who disable automatic updates because it bugs them or because someone told them it’s better to turn it off.

Microsoft issues updates regularly to patch new security issues.  You MUST turn automatic updates on.

Also, Microsoft patched the issue that allows the Conficker worm to infect your computer way back in October.  Yet at least 12 million computers have been infected.  Go figure.

You can ensure that you have this particular patch by going to http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx.  Scroll down and click on the version of Windows you have installed on your computer to download the patch.  Make sure it is installed.

2. Next, you need to make sure that you have good active protection.  Active means that it is always running, keeping an eye on activity on your computer.

This active protection I am talking about is your anti-virus program.  You NEED to have a modern version of a good anti-virus and make sure automatic updates for it are turned on and it is updated.

By modern I mean that your version of Norton, McAfee, AVG, Avast, NOD32, Trend, BitDefender, and all of the rest of the big-name products should be the most current version.  No more than a year old.

How much money do you spend changing the oil in your car every year?  The purchase of a new copy of a good anti-virus is far cheaper.  Or, you can install one of the good free products like Avast, which I recommend and which is available for download by clicking the Downloads link in the menu at the top of the blog, or AVG 8 for new machines.

At least download and install the trial version of a good anti-virus.  This will give you at least 30 days of free protection.

3. Finally, avoid the Conficker.C virus.  Don’t do searches with the words Conficker or Downadup.  The bad guys know you will be looking for information, and many sites could be infected.

Stay away from websites that you are not familiar with.  Don’t fall for the removal tool tricks.  Many of them are fake and will infect your computer.

Don’t use Torrent sites to download music, movies, or files.

Don’t click on attachments in email if you were not expecting them.  Especially this week, verify that your sister sent you those pictures.

This worm can be spread using a USB thumb drive or external drive as well as over your home or business network.  If your protection is correct, it should catch it.

Practice safe surf.

If you follow these three methods to protect your computer, the chances are you will not become infected by Conficker or any other virus.  Unless you click on something you should not.

How to remove Conficker/Downadup if you are infected.

You know you are infected if you open any browser and try to go to one of the security companies’ sites, like Symantec (Norton), McAfee, F-Secure, or any of them, and you get an error something like “Page Can Not Load”.

If you need to remove Conficker, download one of the several programs in the links I have listed below and follow the instructions after you install it.

You should do a complete clean up and tune up of your computer after you remove Conficker.  There will be other malware on it if Conficker was on it.

Removal Tools (Use any one of them)

I have not used all of these products.  They were obtained from their respective manufacturer sites.

If you are on a network, home or business, unplug your computer from the Internet after you download the tool and before you run it.

Bit Defender Removal Tool
Bit Defender For Computers On A Network Removal Tool
F-Secure Removal Tool
McAfee Removal Tool
Microsoft Removal Tool
Norton Removal Tool

Conficker Worm Strikes Again

Back in October, Microsoft released a patch, MS08-067, in a special update that would block the Conficker.A worm.

Over the last couple of weeks, a new variant of this worm has been affecting customers.  Microsoft detects it as Worm:Win32/Conficker.B.  In addition to exploiting MS08-067 (the patch from October), this variant also uses other propagation methods: it tries to copy itself to network shares by guessing their passwords, and if the password is weak, it may succeed.  It also tries to spread via removable media like thumb or jump drives.

In the last few days, including January 15, 16, and 17, it has infected more than 3.5 million computers worldwide, and it is spreading rapidly.

  • Shared computers with weak passwords may get infected by the worm
  • External hard disks and USB sticks may get infected by the worm
  • Computers without the latest patches and updates may get infected by the worm

It is important that you immediately update all of the computers on your business or home network that are running any version of the Windows operating system, including Windows XP, Vista, and the Server operating systems.  The update will block Conficker.B from infecting your computers if it has not already!

If you have been infected by Conficker, I have a link below that will allow you to download the Microsoft Malicious Software Removal Tool directly from Savemybutt to get rid of it.

However, the worm blocks not only the Microsoft site but also most major security sites, including Norton, McAfee, Trend Micro, AVG, and Avast.  So you will have to download the removal tool from my site on the infected machine (because my site is not blocked), or onto a clean machine that is not on your network, and then install it on all machines in your network.  This MUST be run on all computers on your network, because the worm spreads over your network to other machines.

Click here to download the Microsoft Malicious Software Removal Tool directly from this site.  Savemybutt is not blocked by the worm.  Run it on EVERY computer on your network!

Also known by these names at different security companies:

TA08-297A (other)

CVE-2008-4250 (other)

VU827267 (other)

Win32/Conficker.A (Computer Associates)

Mal/Conficker-A (Sophos)

Trojan.Win32.Agent.bccs (Kaspersky)

W32.Downadup.B (Symantec)

List of words, character strings, websites, and domains that are blocked (that we know of):

virus
spyware
malware
rootkit
defender
microsoft
symantec
norton
mcafee
trendmicro
sophos
panda
etrust
networkassociates
computerassociates
f-secure
kaspersky
jotti
f-prot
nod32
eset
grisoft
drweb
centralcommand
ahnlab
esafe
avast
avira
quickheal
comodo
clamav
ewido
fortinet
gdata
hacksoft
hauri
ikarus
k7computing
norman
pctools
prevx
rising
securecomputing
sunbelt
emsisoft
arcabit
cpsecure
spamhaus
castlecops
threatexpert
wilderssecurity
windowsupdate
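The “can I still reach the security vendors?” test described in the removal section, combined with the block list above, can be turned into a small self-check that you run on a suspect machine. This is an added example, not a tool from the post or from any vendor; the vendor hostnames, the control hostnames, and the subset of block-list strings it carries are my own assumptions. It resolves a couple of control names first so that a plain network outage is not mistaken for the worm’s filtering.

```python
import socket

# Substrings the post says the worm blocks (a subset of the list above; extend as needed).
BLOCKED_STRINGS = (
    "virus", "spyware", "malware", "rootkit", "defender", "microsoft",
    "symantec", "norton", "mcafee", "trendmicro", "sophos", "f-secure",
    "kaspersky", "avast", "avira", "windowsupdate",
)

# Vendor hostnames to probe (assumed; each one contains a blocked substring).
SECURITY_HOSTS = [
    "www.microsoft.com", "update.microsoft.com", "www.symantec.com",
    "www.mcafee.com", "www.f-secure.com", "www.avast.com", "www.kaspersky.com",
]

# Control hostnames (assumed) that match no blocked substring. If these fail
# too, the cause is general DNS/network trouble, not the worm's filtering.
CONTROL_HOSTS = ["www.example.com", "www.wikipedia.org"]


def matches_blocklist(host):
    """True if the hostname contains any substring the worm is known to block."""
    host = host.lower()
    return any(word in host for word in BLOCKED_STRINGS)


def can_resolve(host):
    """Plain DNS lookup; False on any resolver failure."""
    try:
        socket.gethostbyname(host)
        return True
    except OSError:  # socket.gaierror / socket.herror are OSError subclasses
        return False


def assess(resolve=can_resolve):
    """Return {'verdict': 'no-network' | 'suspicious' | 'clean', 'blocked': [...]}.

    The lookup function is injectable so the decision logic can be exercised
    offline with a fake resolver.
    """
    if not any(resolve(host) for host in CONTROL_HOSTS):
        return {"verdict": "no-network", "blocked": []}
    blocked = [h for h in SECURITY_HOSTS
               if matches_blocklist(h) and not resolve(h)]
    return {"verdict": "suspicious" if blocked else "clean", "blocked": blocked}


if __name__ == "__main__":
    result = assess()
    print(result["verdict"], *result["blocked"])
```

A “suspicious” verdict only means that vendor names fail while unrelated names resolve; confirm with one of the removal tools listed above rather than treating the script as proof of infection.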