Monday, May 11, 2009

Remove the Downadup and Conficker worm

The Downadup, or Conficker, infection is a worm that spreads predominantly by exploiting the MS08-067 Windows vulnerability, but it can also infect other computers via network shares and removable media. Not since the Sasser and MSBlaster worms have we seen an infection as widespread as Downadup. According to anti-virus vendor F-Secure, the Downadup worm has infected over 8.9 million computers. Microsoft has addressed the problem by releasing a patch for the Windows vulnerability, but many computers still do not have this patch installed, which is why the worm has been able to propagate throughout the world.

When installed, Conficker / Downadup copies itself to your C:\Windows\System32 folder as a DLL file with a random name. If it cannot copy itself to the System32 folder, it may instead copy itself to the %ProgramFiles%\Internet Explorer or %ProgramFiles%\Movie Maker folder. It then creates a Windows service that loads this DLL inside svchost.exe, which is a legitimate Windows file, every time you turn on your computer. The infection then changes a variety of Windows settings so that it can efficiently infect other computers over your network or the Internet.
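Because the worm hides as one more svchost.exe-hosted service, a quick way to find it by hand is to list every such service's ServiceDll and compare against a clean machine of the same Windows build. The script below is an added example for this post (it is not the guide's method and not part of BitDefender's tool): it assumes you have exported HKLM\SYSTEM\CurrentControlSet\Services from both machines (for instance with "reg query HKLM\SYSTEM\CurrentControlSet\Services /s > services.txt") and flags hosted DLLs that are missing from the clean baseline or that live in the two fallback folders named above. The two registry exports embedded in it are constructed for the example; the service names "rqwzvk" and "iehelper" and their DLL names are placeholders, not real indicators.

```python
r"""Triage svchost.exe-hosted services by their ServiceDll path.

Added example, not part of the original guide or of BitDefender's tool.
Assumes two `reg query HKLM\SYSTEM\CurrentControlSet\Services /s` exports:
one from the suspect machine, one from a clean machine of the same build.
The exports below are constructed; "rqwzvk", "iehelper" and their DLL names
are placeholders, not real indicators of compromise.
"""
import re

# Constructed excerpt of an export from a clean XP machine.
CLEAN_EXPORT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\system32\svchost.exe -k netsvcs

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\System32\browser.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\system32\svchost.exe -k NetworkService

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\System32\dnsrslvr.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\system32\spoolsv.exe
"""

# Constructed excerpt from the suspect machine: the same services, plus two
# extra svchost-hosted services of the kind the worm's behaviour produces.
SUSPECT_EXPORT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\system32\svchost.exe -k netsvcs

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Parameters
    ServiceDll    REG_EXPAND_SZ    C:\WINDOWS\System32\browser.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\system32\svchost.exe -k NetworkService

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\System32\dnsrslvr.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rqwzvk
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\system32\svchost.exe -k netsvcs

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rqwzvk\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\System32\ktpqlwz.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\iehelper
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\system32\svchost.exe -k netsvcs

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\iehelper\Parameters
    ServiceDll    REG_EXPAND_SZ    %ProgramFiles%\Internet Explorer\zxqmrt.dll
"""

# Folders the guide names as the worm's fallback drop locations.
DROP_DIRS = (r"c:\program files\internet explorer", r"c:\program files\movie maker")

# How the two variables expand on a default English install; adjust for
# another drive letter or locale.
ENV = {"%systemroot%": r"c:\windows", "%programfiles%": r"c:\program files"}

KEY_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\\\s]+)(\\Parameters)?\s*$",
    re.I)
VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*?)\s*$")


def normalize(path):
    """Lower-case a registry path and expand the variables we care about."""
    p = path.strip().strip('"').lower()
    for var, val in ENV.items():
        p = p.replace(var, val)
    return p


def parse_services(export):
    """Return {service: {"imagepath": ..., "servicedll": ...}} from reg query output."""
    services, current = {}, None
    for line in export.splitlines():
        key = KEY_RE.match(line)
        if key:
            current = key.group(1).lower()   # the Parameters subkey maps to its service
            services.setdefault(current, {})
            continue
        value = VALUE_RE.match(line)
        if value and current is not None:
            name, _type, data = value.groups()
            if name.lower() in ("imagepath", "servicedll"):
                services[current][name.lower()] = data
    return services


def hosted_dlls(export):
    """Map each svchost.exe-hosted service to its normalized ServiceDll path."""
    out = {}
    for name, values in parse_services(export).items():
        if "svchost.exe" in normalize(values.get("imagepath", "")) and "servicedll" in values:
            out[name] = normalize(values["servicedll"])
    return out


def triage(suspect_export, clean_export):
    """List (service, dll, reasons) for hosted services that deserve a closer look."""
    baseline = set(hosted_dlls(clean_export).values())
    findings = []
    for name, dll in sorted(hosted_dlls(suspect_export).items()):
        reasons = []
        if any(dll.startswith(d + "\\") for d in DROP_DIRS):
            reasons.append("DLL sits in a folder the worm uses as a fallback drop location")
        if dll not in baseline:
            reasons.append("DLL is not hosted by any service on the clean baseline")
        if reasons:
            findings.append((name, dll, reasons))
    return findings


if __name__ == "__main__":
    for service, dll, reasons in triage(SUSPECT_EXPORT, CLEAN_EXPORT):
        print(f"{service}: {dll}")
        for reason in reasons:
            print(f"    - {reason}")
```

Run it against real exports by reading the two files into SUSPECT_EXPORT and CLEAN_EXPORT. A service that appears only on the suspect machine is not proof of infection (legitimately installed software adds hosted services too), but a hosted DLL in the Internet Explorer or Movie Maker folder, or a random-looking DLL in System32 that no clean machine has, is exactly the pattern described above and is worth submitting to your anti-virus vendor.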

Once the infection is running, you will find that you can no longer access a variety of sites, such as Microsoft.com and those of many anti-virus vendors. It does this so that you cannot download removal tools or update your anti-virus programs. It then performs the following actions, in no specific order:

* Stop and start System Restore in order to remove all your current System Restore points, so that you cannot roll back to a date when your computer was working properly.
* Check for Internet connectivity by attempting to connect to one of the following sites:
o aol.com
o cnn.com
o ebay.com
o msn.com
o myspace.com

* Determine the infected computer's external IP address by visiting one of the following sites:
o http://www.getmyip.org
o http://getmyip.co.uk
o http://checkip.dyndns.org
o http://www.whatismyip.com/

* Download other files as needed.
* Scan the infected computer's network for vulnerable computers and try to infect them.

Symptoms that may indicate you are infected with this malware include:

* Anti-malware software reporting an infection under one of the following names:
o Net-Worm.Win32.Kido
o W32/Conficker.worm.gen
o Worm.Conficker
o W32.Downadup
o W32/Downadup.AL
o W32/Confick-A
o Win32/Conficker.A
o Mal/Conficker
o Worm:Win32/Conficker.B
o Win32.Worm.Downadup.Gen

* Automatic updates no longer working.
* Anti-virus software is no longer able to update itself.
* Unable to access a variety of security sites, such as anti-virus software companies.
* Random svchost.exe errors.
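The "can reach ordinary sites but not security sites" symptom can be checked without guessing. The script below is an added example for this post, not part of the guide or of any vendor tool: it resolves the five sites the worm itself uses for its connectivity check (listed above) and a handful of security-vendor hostnames, and reports which pattern it sees. The vendor hostnames are assumed from the vendors named on this page; the resolver is injectable so the decision logic can be exercised offline with constructed results.

```python
"""Check for the selective name-resolution failure described above.

Added example, not part of the original guide.  Resolves a control group
(the sites the worm uses for its own connectivity test) and a security
group (Microsoft and anti-virus vendor hosts) and classifies the result.
The security hostnames are assumptions for this example.
"""
import socket

# The five sites the guide lists as the worm's own connectivity checks.
CONTROL_HOSTS = ["aol.com", "cnn.com", "ebay.com", "msn.com", "myspace.com"]
# Hosts for the vendors the guide mentions; assumed hostnames for this example.
SECURITY_HOSTS = ["microsoft.com", "update.microsoft.com", "f-secure.com", "bitdefender.com"]


def live_resolver(host):
    """True if the operating system's resolver returns an address for host."""
    try:
        socket.gethostbyname(host)
        return True
    except socket.gaierror:
        return False


def simulated_resolver(blocked):
    """Offline stand-in: everything resolves except the names in `blocked`."""
    blocked = set(blocked)
    return lambda host: host not in blocked


def probe(resolver=live_resolver, control=CONTROL_HOSTS, security=SECURITY_HOSTS):
    """Resolve both groups; return (verdict, {host: resolved?})."""
    results = {h: bool(resolver(h)) for h in control + security}
    control_ok = sum(results[h] for h in control)
    security_ok = sum(results[h] for h in security)
    if control_ok == 0:
        verdict = "offline"   # nothing resolves: no network, not by itself a worm symptom
    elif security_ok == 0:
        verdict = "blocked"   # ordinary sites resolve, every security site fails
    elif security_ok < len(security):
        verdict = "partial"   # some security sites fail: investigate further
    else:
        verdict = "clean"     # no sign of the blocking behaviour
    return verdict, results


if __name__ == "__main__":
    verdict, results = probe()
    for host, ok in results.items():
        print(f"{'ok ' if ok else 'FAIL'}  {host}")
    print("verdict:", verdict)
```

A "blocked" verdict matches the symptom, but a "clean" verdict is not proof that the machine is uninfected: the check only looks at one of the worm's side effects, so treat it as a quick triage step, not a replacement for the scan described below.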


Automated Removal for Downadup and Conficker using BitDefender's Anti-Downadup tool:


1. Print out these instructions, as we will need to close every window that is open later in the fix.

2. Because Downadup and Conficker block connections to Microsoft and a variety of security sites, you must first download the Windows patch and the removal tool on another computer and transfer the files to your infected PC. On a clean computer, download BitDefender's Anti-Downadup tool from the following location and save the file to your desktop. The current name of the file is bd_rem_tool.zip.

BitDefender's Conficker Removal Tool

3. Next, visit the following link and download the KB958644/MS08-067 security patch for the version of Windows running on the infected machine:

MS08-067 Patch Download Link

Look through the list and click on the link that corresponds to the version of Windows running on the infected machine. Then download the file from the page that opens and save it to your desktop.

4. Now copy bd_rem_tool.zip and the Windows patch file to a floppy, CD, or USB drive so we can transfer them to the infected PC.

5. Once the files are on the removable device, copy them onto your infected PC's Windows desktop. Because the worm also spreads via removable media, treat a writable drive that has been plugged into the infected PC as suspect and scan it before using it on another computer.

6. Once the Windows patch and the bd_rem_tool.zip file are on your infected computer's desktop, install the Windows patch first. Simply double-click on the file you downloaded from Microsoft's web site and follow the prompts to install it. This closes the vulnerability the worm exploits, so your computer does not become reinfected over the network after we clean the current infection. If the patch is already installed, the installer will detect that and not reinstall it.

7. Now we need to extract the files from bd_rem_tool.zip. You can do this by right-clicking on bd_rem_tool.zip and selecting the Extract All... menu option.

When the extraction has finished, click on the Finish button.

8. A folder will open containing two files, named bd_rem_tool_console.exe and bd_rem_tool_gui.exe. Double-click on bd_rem_tool_gui.exe to start the program. When you run this program, Windows may display a security warning.

If you receive this warning, click on the Run button to continue starting Anti-Downadup on your computer. If you did not receive this warning, Anti-Downadup should have started and you can proceed to step 9.

9. You will now see a screen prompting you to start the scan or close the program.

Click on the Start button to have the program scan your computer and remove any Downadup and Conficker infections it finds.

10. Anti-Downadup will now start to scan your computer and determine if you are infected.

This process can take 10 minutes, so please be patient. When it is done, if your computer is clean the program will tell you so and you can close it. Otherwise, continue with the rest of the steps.

11. When Anti-Downadup has finished scanning your computer it will prompt you to reboot your computer in order to finish the cleaning process.


Press the Yes button to allow the infected computer to be rebooted. If you do not reboot, you will be left with an empty blue screen and no desktop, because Explorer was terminated during the cleaning process and is not restarted until you reboot.

12. When the computer has finished rebooting, you should no longer have the Conficker or Downadup infection on your computer. To see a log of what was deleted, open the C:\Win32.Worm.Downadup.Gen.log file in Notepad.

