Conficker alert

Canuck

Wolf said:
Because the worm is "evolving", i.e., its builders are updating it. A
tech guy on CBC this a.m. claimed that what Conficker seems to do on April
1 is update itself.

Sigh.

wolf k.

And CTV has this story saying that the earliest victims are the ones
with pirated copies of Windows OS:
http://www.ctv.ca/servlet/ArticleNe...conficker_worm_090401/20090401?hub=TopStories

After reading the article, a thought, that perhaps Microsoft itself
created this worm, crossed my mind.
~Mickey

Ernie said:
A friend who usually knows whereof he speaks sent this...
=========================================================
Hey everybody,

The Conficker virus is no joke about being activated April 1st. You
may already have it on your system just waiting for the date to
change. If you have it, it's much better to get rid of it before it
activates. As always, keep your "bug catchers" updated regularly.

Grab this tool directly from McAfee to scan & remove this specific
threat: http://67.97.80.71/vil/conficker_stinger/Stinger_Coficker.exe

With several variants already out there, McAfee has pledged to update
this tool daily as new variants are discovered, therefore I recommend
you RUN it directly from McAfee without saving it to your computer to
get the most current update.
=============================================================

I got a frantic call from my neighbor who told me about the alert and
about *the fix* which was to press F1, get to a command prompt, type in
MRT and press enter.
I was already running the Sophos "On Demand" scanner but tried the MRT
this am to see what it did and it brings up the Windows Malicious
Software Removal Tool which does include Win32/Conficker protection and
should be available from auto updates.
Ernie B.

~Mickey said:
get to a command prompt, type in
MRT and press enter.
I was already running the Sophos "On Demand" scanner but tried the MRT
this am to see what it did and it brings up the Windows Malicious
Software Removal Tool which does include Win32/Conficker protection and
should be available from auto updates.
Thanks for that. I've seen it in the MS updates and know it's supposed to run
on downloading but I didn't know how to call it up on demand.
FromTheRafters

~Mickey said:
I got a frantic call from my neighbor who told me about the alert and
about *the fix* which was to press F1, get to a command prompt, type
in MRT and press enter.
I was already running the Sophos "On Demand" scanner but tried the MRT
this am to see what it did and it brings up the Windows Malicious
Software Removal Tool which does include Win32/Conficker protection
and should be available from auto updates.

If it runs, you don't have an active infestation. If it doesn't - you
very well may have one.

<excerpt>
The following 23 processes are immediately terminated by C's process
monitoring thread whenever they are discovered running on the victim
host:

1. autoruns - malware removal tool
2. avenger - antivirus / firewall
3. confick - cleanup utilities
4. downad - cleanup utilities
5. filemon - security utility
6. gmer - rootkit detector and remover (gmer.net)
7. hotfix - security patch or removal tools
8. kb890 - Microsoft patch
9. kb958 - Microsoft patch
10. kido - security patch or removal tools
11. klwk - Kaspersky malware removal tool
12. mbsa. - Microsoft Baseline Security Analyser
13. mrt - Microsoft malware removal tool
14. mrtstub - Microsoft malware removal tool
15. ms08-06 - Microsoft patch
16. procexp - process explorer
17. procmon - process monitor
18. regmon - registry monitor
19. scct_ - unknown
20. sysclean - Trend Micro malware removal tool
21. tcpview - network packet analysis tool
22. unlocker - file unlocking utility
23. wireshark - network packet analysis tool

</excerpt>

From http://mtc.sri.com/Conficker/addendumC/index.html
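As an added illustration (my own code, not from the thread or from the SRI report): a small Python check that shows which process names would trip the kill-list quoted above, and turns FromTheRafters' "does MRT stay running?" heuristic into a function. It assumes, since the SRI list consists of partial names, that the worm does a case-insensitive substring match; the sample process names are constructed.

```python
# Added example, not code from the thread or from SRI: which process names
# would trip the Conficker C kill-list quoted above, plus FromTheRafters'
# "does the tool stay running?" heuristic as a function.

# The 23 substrings from the SRI excerpt above.
CONFICKER_C_KILL_LIST = (
    "autoruns", "avenger", "confick", "downad", "filemon", "gmer", "hotfix",
    "kb890", "kb958", "kido", "klwk", "mbsa.", "mrt", "mrtstub", "ms08-06",
    "procexp", "procmon", "regmon", "scct_", "sysclean", "tcpview",
    "unlocker", "wireshark",
)


def kill_list_matches(process_name: str) -> list[str]:
    """Return every kill-list entry found inside process_name.

    Assumption (the page only lists the strings): the worm does a
    case-insensitive substring test, so 'kb958' also catches the
    MS08-067 hotfix installer and 'mrt' catches mrtstub.exe as well.
    """
    name = process_name.lower()
    return [needle for needle in CONFICKER_C_KILL_LIST if needle in name]


def would_be_terminated(process_name: str) -> bool:
    return bool(kill_list_matches(process_name))


def audit_process_list(process_names):
    """Map each name to the kill-list entries it trips (empty list = left alone)."""
    return {name: kill_list_matches(name) for name in process_names}


def suspicious_terminations(launched, still_running):
    """FromTheRafters' heuristic: a kill-list tool you just started that has
    already vanished points to an active infestation; an unrelated process
    going away does not. Returns the kill-list tools that disappeared."""
    gone = set(launched) - set(still_running)
    return sorted(p for p in gone if would_be_terminated(p))


# Constructed sample: a responder's tool set plus ordinary processes.
SAMPLE_PROCESSES = ["mrt.exe", "mrtstub.exe", "KB958644.exe", "procexp.exe",
                    "Wireshark.exe", "notepad.exe", "explorer.exe"]

if __name__ == "__main__":
    for proc, hits in audit_process_list(SAMPLE_PROCESSES).items():
        print(f"{proc:14} {'killed' if hits else 'ignored':8} {hits}")
    print(suspicious_terminations(["mrt.exe", "notepad.exe"], ["notepad.exe"]))
```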
Char Jackson

~Mickey said:
And CTV has this story saying that the earliest victims are the ones
with pirated copies of Windows OS:
http://www.ctv.ca/servlet/ArticleNe...conficker_worm_090401/20090401?hub=TopStories

From the article: "And because many users in these regions use
machines with pirated copies of Microsoft operating systems, they may
not be receiving the anti-virus update services that licensed Windows
users are provided with."

My question is, what possible connection is there between a pirated
copy of Windows and an inability to get AV updates? I don't see any
relation.
Bert Hyman

Char Jackson said:
From the article: "And because many users in these regions use
machines with pirated copies of Microsoft operating systems, they may
not be receiving the anti-virus update services that licensed Windows
users are provided with."

My question is, what possible connection is there between a pirated
copy of Windows and an inability to get AV updates? I don't see any
relation.

Typical mass-media distortion due to the reporters knowing nothing of what
they write.

Bootlegged copies of Windows don't get access to Microsoft's myriad of
updates to Windows to fix all the vulnerabilities they keep finding.
1PW

Char Jackson said:
From the article: "And because many users in these regions use
machines with pirated copies of Microsoft operating systems, they may
not be receiving the anti-virus update services that licensed Windows
users are provided with."

My question is, what possible connection is there between a pirated
copy of Windows and an inability to get AV updates? I don't see any
relation.

Hello:

Of course you're right about the AV updates. However, the reference to
pirated copies of the OS could mean that the users are keeping their WU
turned off and do not seek the OS updates that would attempt to keep the
system updated (safer?). WGA could come roaring in and drop a dime on
the user.

Hence, some users might lack MS08-067 and the Autorun fixes in an effort
to remain undiscovered by the software police.

Pete
Char Jackson

Bert Hyman said:
Typical mass-media distortion due to the reporters knowing nothing of what
they write.

Bootlegged copies of Windows don't get access to Microsoft's myriad of
updates to Windows to fix all the vulnerabilities they keep finding.

Thanks, but it's my understanding that even pirated copies of Windows
get all the security updates. They just don't get the non-security
stuff. And secondly, it seems to me that someone who has gone to the
trouble of pirating Windows is 99% of the way there, so it makes no
sense to me that they wouldn't do the last 1% and simply patch WGA so
that all types of updates work as expected. It's too easy to ignore.
ASCII

1PW said:
Hence, some users might lack MS08-067

I have a legal copy of XP Home/SP2
and without IE the patch won't apply.
...but a lot of stuff won't apply either.
Virus Guy

Char said:
Thanks, but it's my understanding that even pirated copies of
Windows get all the security updates.

Micro$haft is becoming very militant with WGA (Windows Genuine
disAdvantage) and Windows Updates when it concerns XP-pro.

I don't think more than 2 or 3 months go by without WU requiring you to
download and run the latest WGA before it will let you get a look at
your list of pending updates.

I haven't yet experienced a WU session with a machine that had tipped
into "non-genuine" status, so I don't know what WU would let you
download in that regard.

When it comes to "non-genuine" status, is there just one consequence (i.e.
the black "nag" screen) or can something much worse happen (like being
locked out of the desktop), and if so, what determines which case?
Char Jackson

Virus Guy said:
Micro$haft is becoming very militant with WGA (Windows Genuine
disAdvantage) and Windows Updates when it concerns XP-pro.

I don't think more than 2 or 3 months go by without WU requiring you to
download and run the latest WGA before it will let you get a look at
your list of pending updates.

Oh, I get it now. You're talking about visiting the WU site while I
was thinking of sitting back and letting the security patches auto
download on patch Tuesday. That's what I meant above when I said that
even pirated copies of Windows (XP at least) get all the security
updates.

Pirated copies of XP that haven't had WGA patched won't get to see
anything when visiting the WU site, but if you patch WGA (or otherwise
make Windows legitimate) then WU opens back up completely for security
patches and other updates.

Virus Guy said:
I haven't yet experienced a WU session with a machine that had tipped
into "non-genuine" status, so I don't know what WU would let you
download in that regard.

Nothing. It doesn't even show you what's available. Just the nag
screen that says you failed WGA validation.

Virus Guy said:
When it comes to "non-genuine" status, is there just one consequence (i.e.
the black "nag" screen) or can something much worse happen (like being
locked out of the desktop), and if so, what determines which case?

http://support.microsoft.com/kb/307890

"Activation is required in 30 days from the first day that you start
Windows XP. If you want to activate Windows on a day that is later
than the day that you install it, a Windows Activation icon appears in
the notification area. This icon periodically displays notifications
to remind you about how much time remains before you must activate.
After the 30 days has expired, you must activate Windows to continue
using Windows."

It almost sounds like you get locked out.