
Description and Impact. This is a mass-mailing worm that can also spread through network file shares, removable drives, and instant messaging clients. It had a severe impact on the Johns Hopkins enterprise Exchange email system yesterday, when 500-1000 users clicked the link in the email, which led to the infected file being installed on their systems. While the email system has been stabilized, a great deal of desktop and server remediation is now required. The worm writes a number of Windows registry entries and drops several executable files, some of which may be zero bytes in length. It may also drop autorun.inf and open.exe files on network file shares and removable drives.
Prevention, Detection and Removal. Systems running Symantec virus definitions from 9/9/2010 rev. 23 or later will be protected from the file linked in the malicious email. Systems that already have been infected WILL NOT be remediated from the damage caused by the threat. Here is a Symantec link to the virus definitions for Symantec management servers and clients:
Symantec now has an automated removal tool for this threat. You can obtain it locally here - or on Symantec's write-up linked on the title of this alert above.
The Symantec article in the link in the title above also contains a tab with manual removal steps that may apply to your situation. It is also recommended that you virus scan network file shares on file servers for files dropped by the worm, using the latest virus defs; we suggest scanning for .exe, .scr, and .inf files. The files typically seen on file shares are: Open.exe, Autorun.inf, PDF_Document21_025542010_pdf.scr
McAfee has created a standalone tool called Stinger that may help with cleanup from this threat on infected systems: see http://www.mcafee.com/us/threat_center/default.asp
DCS is employing the McAfee tool, with additional scripting through the Microsoft SCCM deployment/management suite, to attempt to remediate the customer systems it supports. A self-extracting copy of this tool can be found at:
https://jshare.johnshopkins.edu:443/rcasert1/public_html/MailSpamFix.exe
Instructions can be found at:
https://jshare.johnshopkins.edu:443/rcasert1/public_html/MailSpamFix.pdf
System administrators who wish to deploy this using a system management or monitoring suite (such as Microsoft System Center Configuration Manager or Altiris) can use a ZIP extraction tool to unpack the contents of the self-extracting ZIP in the EXE file above.
Some IT personnel have reported that they can clean the threat using Malwarebytes (malwarebytes.org), but the setup file and the program executable may need to be renamed so that the worm does not block them from running. Drives should be checked for Autorun.inf and the other files mentioned above.
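As an added illustration of the share and drive checks recommended above (not part of this alert or of any vendor tool), the following Python script walks a directory tree and reports the file names the alert lists, zero-byte files with the suggested .exe/.scr/.inf extensions, and any autorun.inf that launches open.exe. The sample share it builds is constructed for the demonstration; point scan_share at a real mounted share or drive letter to use it.

```python
import os
import tempfile
from pathlib import Path

# File names the alert reports being dropped on shares and removable drives.
DROPPED_NAMES = {"open.exe", "autorun.inf", "pdf_document21_025542010_pdf.scr"}
# Extensions the alert suggests scanning shares for.
SUSPECT_EXTENSIONS = {".exe", ".scr", ".inf"}


def scan_share(root):
    """Walk a share or drive and return (path, reason) pairs worth a closer look.

    Flags files whose names match the alert's list, zero-byte files with a
    suspect extension (the worm may drop empty executables), and any
    autorun.inf whose contents point at the dropped open.exe.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            lower = name.lower()
            if lower in DROPPED_NAMES:
                findings.append((str(path), "name matches file dropped by the worm"))
            elif path.suffix.lower() in SUSPECT_EXTENSIONS and path.stat().st_size == 0:
                findings.append((str(path), "zero-byte file with suspect extension"))
            if lower == "autorun.inf":
                try:
                    text = path.read_text(errors="ignore").lower()
                except OSError:
                    continue
                if "open.exe" in text:
                    findings.append((str(path), "autorun.inf launches open.exe"))
    return findings


def build_sample_share():
    """Create a constructed sample share (not real captured data) for a demo run."""
    root = Path(tempfile.mkdtemp(prefix="share_"))
    (root / "Projects").mkdir()
    (root / "Projects" / "budget.xlsx").write_bytes(b"clean data")
    (root / "Open.exe").write_bytes(b"")                       # zero-byte dropper
    (root / "Autorun.inf").write_text("[autorun]\nopen=Open.exe\n")
    (root / "Projects" / "PDF_Document21_025542010_pdf.scr").write_bytes(b"MZ")
    (root / "Projects" / "setup.exe").write_bytes(b"")         # unlisted name, but empty
    return root


if __name__ == "__main__":
    for path, reason in scan_share(build_sample_share()):
        print(f"{reason}: {path}")
```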
More information will be made available with further developments.
Description and Impact. The worm was originally slated to release its "first wave" of effects on April 1, 2009 (April Fools' Day). Experts generally believe that rogue systems on the Internet may use Conficker-infected systems as a "botnet," resulting in an array of possible effects ranging from the display of pop-up windows and adware, to data theft or malicious destruction, to attempts to launch attacks on systems containing sensitive information within government, finance, or industry. The consensus to date is that the worm has been "evolving" to make itself better protected against future detection and removal.
Prevention, Detection and Removal. Symantec virus definitions dated March 11, 2009 or later detect the three known variants of the worm. Symantec also has a removal tool available for the variants of W32.Downadup.
For those who regularly apply Microsoft Windows security updates and run effective, up-to-date antivirus software, there is little chance your computer has been infected. In October 2008, Microsoft released a critical security bulletin, MS08-067 (Vulnerability in Server Service Could Allow Remote Code Execution, 958644); applying that update prevents the Conficker worm from propagating over Windows network connections. Note that bootlegged, improperly licensed copies of Windows lose the ability to receive security updates.
Disabling the Windows “Autorun” feature can also prevent the worm from spreading if it has infected removable drives such as USB flash drives or external hard drives. A Microsoft article explains how to disable Autorun on most current versions of Windows. It is also strongly recommended that you scan removable drives using your anti-virus software.
Further Information. More information about Conficker is available from these sites:
US-CERT: United States Computer Emergency Readiness Team - summary of information and links regarding the worm
University of Bonn, Institute of Computer Science IV - tools and information on Conficker produced as part of the Honeynet Project