Immediate Warning and Notice [Conficker/Downadup Virus]

Tarun

Technician's Corner Moderator

Join Date: Jan 2006

The TARDIS

http://www.lunarsoft.net/ http://forums.lunarsoft.net/

McAfee really isn't that great...

Check out AV-Comparatives for the good anti-virus solutions.

Quote:
Originally Posted by Fire Drake
How do you disable System Restore if you have Vista? Also, I was looking in my Registry, and I couldn't find netsvcs. Is that ok? Or should I be worried?

Right click Computer and select Properties
Click Advanced System Settings on the left side.
Uncheck all drives listed and click Yes/OK on your way out.

Don't forget to re-enable it and then restart your computer so a new restore point will be created that is clean and also has backups of your registry hives, and more!
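Tarun's clicks above are the Vista GUI route. As an added example (not part of the thread and not from any vendor), the same cycle from Windows PowerShell, which is handier when several machines need it: list the restore points that exist, turn protection off for the system drive before the cleanup, then turn it back on and take a known-clean checkpoint. It assumes the system drive is C:\ and an elevated Windows PowerShell 2.0 or later prompt on a client edition of Windows; the *-ComputerRestore cmdlets are not present on Server editions or in PowerShell 7.

```powershell
# Added example for this thread (not from the original post or any vendor).
# Windows PowerShell 2.0 or later on a client edition of Windows; run elevated.
# Assumption: the system drive is C:\ (list others with Get-PSDrive -PSProvider FileSystem).
$drive = 'C:\'

# 1. See what is there now. A restore point taken while the machine was infected
#    brings the infected files back if someone restores to it later.
Get-ComputerRestorePoint | Format-Table SequenceNumber, CreationTime, Description, RestorePointType -AutoSize

# 2. Turn protection off for the drive. This deletes the existing restore points on it,
#    which is the point of doing it before the cleanup.
Disable-ComputerRestore -Drive $drive

# ... run the scanner / removal tool and reboot here ...

# 3. Turn protection back on and take a fresh, known-clean point right away
#    (it captures the registry hives along with the system files).
Enable-ComputerRestore -Drive $drive
Checkpoint-Computer -Description 'Clean baseline after Conficker cleanup' -RestorePointType 'MODIFY_SETTINGS'
Get-ComputerRestorePoint | Select-Object -Last 1
```

Steps 2 and 3 are deliberately separated by the cleanup: re-enabling protection before the scan has finished would snapshot the infected files again.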

The Air Revenger

Lion's Arch Merchant

Join Date: Feb 2008

Looking For TA Guild!

W/

Checked all computers in the house and scanned; no virus here.

cosyfiep

are we there yet?

Join Date: Dec 2005

in a land far far away

guild? I am supposed to have a guild?

Rt/

After checking the other computer and waiting for the hubby to get home and check his: 4 computers, all clean.

And yeah, businesses are really bad about updating. As a temp in 2007 I worked in a place that was still using 98, with no plans to ever change!! And yeah, no updates there.
I have worked in lots of businesses that won't do updates for whatever reason (cost, time, etc.)... it's pretty scary if you work at those places and can take your computer home with you.....

Tarun

Technician's Corner Moderator

Join Date: Jan 2006

The TARDIS

http://www.lunarsoft.net/ http://forums.lunarsoft.net/

When I worked for a major bank, they were using Windows 2000 in the XP/Server 2003 era.

pumpkin pie

Furnace Stoker

Join Date: Jul 2006

behind you

bumble bee

E/

Thanks Rahja

I did a full scan with AVG Free last night, and I'm not infected with any of those; just wondering if AVG is good enough to detect it?

Shayne Hawke

Departed from Tyria

Join Date: May 2007

Clan Dethryche [dth]

R/

I think this alert actually made my computer worse off.

In the process of updating AVG, Ad-Aware, and manually updating XP, I somehow picked up a trojan that keeps popping up every couple hours.

No sign of the worm though. No registry entry, nothing from AVG, nothing from the f-downadup checker. Just this stupid trojan.

I pwnd U

God of Spammers

Join Date: Oct 2005

in the middle of a burning cornfield...

Scars Meadows [SMS] (Officer)

Thanks for the heads up Rahja. Scanned with a bunch of Anti-Viruses but no sign of the worm.

pumpkin pie

Furnace Stoker

Join Date: Jul 2006

behind you

bumble bee

E/

lol Shayne.

Anyway, I ran another full scan; it comes back clean... hope the free AVG is as good as any paid ones...

Nature Loves Me

Frost Gate Guardian

Join Date: Oct 2007

Desolation Lords [DL]

Mo/

Quote:
Originally Posted by pumpkin pie
lol Shayne.

Anyway, I ran another full scan; it comes back clean... hope the free AVG is as good as any paid ones...

I just checked... it's even on the AVG main page lol... it says:

"Downadup worm infects over 9 Million PCs

AVG detects and heals all variants of the recent Downadup worm that is infecting numerous PCs worldwide. Unpatched PCs are most at risk, as well as networks with weak or no passwords."

Just check the main page if it helps you feel secure xD

Anyways, I always have auto updates on, but I'ma scan anyway while I'm sleeping

Smurf Minions

Lion's Arch Merchant

Join Date: Jun 2006

Somewhere you can't see

Limburgse Jagers [LJ]

N/

People can always do the free Panda scan; though it doesn't disinfect everything (the paid version does), it should find Downadup if it's there (Panda claims that 100k of the 2000k PCs scanned by Panda ActiveScan were infected by Downadup).

http://www.pandasecurity.com/actives...n-US&IdPais=63

Lord Sojar

The Fallen One

Join Date: Dec 2005

Oblivion

Irrelevant

Mo/Me

Our percentages on our poll are looking decent, but still... 1 out of every 30 PCs is infected, and most Guru users are good about using Windows updates and having an Anti Virus, and having sensible passwords thanks to our gaming backgrounds. That of course, doesn't speak for all users, but I would say at least 85% of our users are fairly good with keeping updates on their Windows installs and AVs.

So, assuming our current poll, let's put that in perspective...

Guru has ~1500 fairly active users, which means by the current poll statistics, 45 of them are currently infected with Downadup. That is 45 people that shouldn't be infected, and that hopefully will not be infected because of this thread. We can take that estimate of 45 down to 43 at least. Remember, tell as many people as you can; knowledge is power (pardon the cliché)

However, the current estimates of all users across the world that are infected is now 1 in every 12 PCs. That number of 10.2M PCs infected may seem small thinking about it, so let's say that we took the same 1,500 active guru users, and applied the current viral infection statistics, shall we?

1 in 12 = approximately 8%, but by the time I am making this post, that would probably be closer to 9% based on the current infection rate (which is astronomical at around 1% daily and growing)

So, 135 of our very active users are infected by the current world infection rates.... that is absolutely incredible.

In other news regarding Downadup/Conficker:

The UK's Ministry of Defence (MoD) has been infected. They have been battling the sinister worm for 2 weeks now. They are curing the infections, but as fast as they cure it, it reinfects cured PCs and infects new networks. Currently, it has even spread into the network systems on the Royal Navy's submarines (not the targeting or operations systems, thank god). The level of information that can be accessed currently is only rated as 'Restricted', but if the infection continues to spread, it could access Classified files and more.

In addition, many public hospital networks have been badly infected, with some hospitals reporting 800+ of their machines being infected with Downadup variant C (the most virulent and mutated strain yet). Downadup poses a major security risk on this level because of the confidential patient files it can access, which contain a plethora of personal information, as well as alarm codes for pharmacy access. The hospitals in question are currently, desperately, trying to scrub the virus from their networks, but again, it is quite difficult given the way and speed at which Downadup can mutate and adapt to attempts to remove it.

But all hope is not lost. If analysts' predictions are correct, the rate of infection should come to its peak within the next 14-16 days. However, the downside is that if the hackers/creators decide to flip the switch prior to mass removal, they will have the largest botnet ever recorded to intrude where they want, on their terms. Currently, the world's largest botnet has a maximum of 175,000 PCs under its control, and is responsible for most of the junk email (chain letters, pornography, viagra, magazine ads, etc.) that you might receive in your email/spam folder.

To put it in perspective.... the largest botnet @ 175,000 PCs controlled is 1/85th the power of Downadup's estimated peak, which is estimated to reach 15M PCs in the next 2 weeks (by some estimates, 1 in every 3 PCs will be infected, meaning more on the order of 25M).

With 25 million PCs in its control, Downadup could potentially be the worst cyber terror weapon we have ever seen. However, it may just be a scare tactic, to show the world that hackers are not quelled, and are just as powerful, if not more powerful, now than they were 5-8 years ago. In the end, what we all should hope is that businesses and all home users learn, across the world, that updating their software and keeping their networks secure is of the utmost importance.

KZaske

Jungle Guide

Join Date: Jun 2006

Boise Idaho

Druids Of Old (DOO)

R/Mo

Thanks Rahja for the warning; I had done a complete scan just a few days ago but did it again anyway on my network (only three computers so far). Nice and clean.
To everyone not believing they are at risk: this IS a serious event; this botnet has the potential to bring the internet to its knees in minutes if activated. Imagine a DoS attack against Google, Yahoo or Network Solutions' servers, all at the same time. This botnet has that potential.

Blackhearted

Krytan Explorer

Join Date: Jan 2007

Ohio, usa

none

Mo/

Quote:
Originally Posted by Rahja the Thief
This isn't your typical virus or worm. It can mask itself as anything it sees fit, and can go directly into Root directories. Method of infection can be anything from an infected file you downloaded such as a WMV or MP3, or as sinister as plugging in your USB drive (if it was infected from a public location like the library or school/work) and Windows auto running the device.

That's kinda inaccurate. Being infected by files such as MP3s pretty much won't happen. MP3s are just compressed audio samples with maybe some small bits of text for tagging; they contain no data to be executed. The only way a virus spreading through an MP3 would be probable is if the MP3 files were contained in an infected exe you had to run to extract them. So basically, if this infection comes from a download, it's not coming from an MP3 file.

As for this virus warning, eh, I see none of the symptoms at all, so it doesn't seem necessary to do a full scan. Especially since I've only had a virus actually get past me and cause any problem a mere 1 time in the 7 years I've had my own PC. And even then it was dealt with and all was back to normal in less than an hour. So I'm not worried.

Lord Sojar

The Fallen One

Join Date: Dec 2005

Oblivion

Irrelevant

Mo/Me

Quote:
Originally Posted by Blackhearted
That's kinda inaccurate. Being infected by files such as MP3s pretty much won't happen. MP3s are just compressed audio samples with maybe some small bits of text for tagging; they contain no data to be executed. The only way a virus spreading through an MP3 would be probable is if the MP3 files were contained in an infected exe you had to run to extract them. So basically, if this infection comes from a download, it's not coming from an MP3 file.

As for this virus warning, eh, I see none of the symptoms at all, so it doesn't seem necessary to do a full scan. Especially since I've only had a virus actually get past me and cause any problem a mere 1 time in the 7 years I've had my own PC. And even then it was dealt with and all was back to normal in less than an hour. So I'm not worried.

The virus itself isn't an MP3. It can appear as one, by manipulating Windows into making itself appear as a folder, file type, etc. Though its most common tactic is to appear as a root folder, it can, in fact, appear as various filetypes with randomly generated 5-8 digit names. Conficker B has been dealt with, but a few mutations have been known to do this. Conficker C has developed the uncanny root folder autorun trick... which is worst of all.

Jecht Scye

Wilds Pathfinder

Join Date: Dec 2005

Lucky Crickets[Luck]

N/Me

I just did a full system scan with AVG, nothing viral turned up. So I went to regedit in my Windows Vista 64bit OS, and followed this path:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\

However, there is no "netsvc" directory within the Services directory. Is it possible that it's labeled as something else in Vista?

EDIT: I currently checked my brother's PC running XP, and he also does not have the "netsvc" directory.

pumpkin pie

Furnace Stoker

Join Date: Jul 2006

behind you

bumble bee

E/

Quote:
Originally Posted by Nature Loves Me
I just checked... it's even on the AVG main page lol... it says:

"Downadup worm infects over 9 Million PCs

AVG detects and heals all variants of the recent Downadup worm that is infecting numerous PCs worldwide. Unpatched PCs are most at risk, as well as networks with weak or no passwords."

Just check the main page if it helps you feel secure xD

Anyways, I always have auto updates on, but I'ma scan anyway while I'm sleeping

Thanks very much! I did another full scan, lol, this is the third time; nothing.

Tyla

Emo Goth Italics

Join Date: Sep 2006

Will a complete computer format sort it out?

Thanks for the heads up, I'll be sure to check my laptop.

Edit: I'm under the assumption that I'm not infected. I don't have any anti-whatever except the stuff you get from Windows (I find it makes my already incredibly slow laptop even slower), but I've found no trace using the program built against this virus that you posted in the OP and checking the Regedit program. I've yet to do a deep scan, so I guess I'll get to it. Thanks again.

viper11025

Wilds Pathfinder

Join Date: Mar 2007

02/18/05 (Pm me with the place, its a riddle)

A/

Ok, I don't know if this is related, but take my word for this and hold it true.

I was on my computer, January 10 I think, and my computer does this.
1. Can't update.
1a. I try System Restore, it freezes.
2. I scan it, it freezes.
I hit my head on the desk and force a restore with disk, it refuses.
3. I reinstall it, it freezes.
I look to it and shake my head, grabbing the good old Killdisk.
4. I format the sucker, 3 times.
It worked!!

That's my story; um, the numbers mean something I did to it, the other is the reaction.
That's my story, and trust me, if that was the worm, it's a beast; make a Killdisk or disk formatting floppy while you still can.

Elder III

Furnace Stoker

Join Date: Jan 2007

Ohio

I Will Never Join Your Guild (NTY)

R/

All is good here, but I tremble when I think of the 9 out of 10 people I know who, generally speaking, don't know the first thing about computer security or maintenance work in general.

Thanks for the post Rahja.... I usually ignore such things, but I figured this was serious when I saw the GURU mods posting about it.

Spiritz

Forge Runner

Join Date: Apr 2007

DMFC

For those who say "I looked for the registry entry and it wasn't there": it's stated in the first post that the registry entry may or may not be present.
Thought I'd be kind enough to point that out, as it appears no one else has, and it may help those people stop worrying.

Gj Rahja

Akuma

IRC W H O R E

Join Date: Feb 2006

Australian Trolling Crew HQ, rightful leader and administration

Yale University [Snow]

W/

Should I get rid of my shared folders?

Abedeus

Grotto Attendant

Join Date: Jan 2007

Niflheim

R/

No?

Just scan your PC with a good antivirus.

And for me, just to be on a safe side, I downloaded that remover and it has found nothing.

Nothing in registry, too.

Shadowfox1125

Forge Runner

Join Date: Mar 2005

PST

W/

I'm scanning at the moment, but looking into my registry, I found:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netman\Parameters\"ServiceDll"

It's not the \netsvcs\Parameters\"ServiceDll" but looks like I'll be downloading the remover just in case.

Snograt

rattus rattus

Join Date: Jan 2006

London, UK GMT??0 ??1hr DST

[GURU]GW [wiki]GW2

R/

That's the key for the Network Connections service and is therefore safe.

And shouldn't be deleted

Lord Sojar

The Fallen One

Join Date: Dec 2005

Oblivion

Irrelevant

Mo/Me

Bad news guys and girls. The virus Conficker.B (the network virulent strain with USB autoplay infection) has some additional removal steps. You need to check out this article for exact methods to remove it. I am adding it to the opening post as well.

http://support.microsoft.com/kb/962007

^ Double check registry as they instruct.

Also, current infection rates are in. Estimates are 15 million PCs on the most conservative estimates, 25 million on the most liberal. That said, it is safe to assume 19-21M PCs are currently infected with Conficker. That accounts for 1 in every 10-11 PCs.

Tarun

Technician's Corner Moderator

Join Date: Jan 2006

The TARDIS

http://www.lunarsoft.net/ http://forums.lunarsoft.net/

More notes on Conficker:
http://www.microsoft.com/security/po...32%2fConficker

Mister Me

Lion's Arch Merchant

Join Date: Apr 2007

How/where can you update your "Windows Install"? I really don't know what that is...

My Antivirus is fine, still auto-updates. Now I'm doing one of those full deep scans.
My anti-virus is NOD32, I know that you normally have to pay for it, but I've the trial version, normally that's the same, just for free for a certain amount of days.


Moderator Edit: References to illegal software have been removed. We don't discuss that in the Tech Corner. Thanks!

Wynthyst

Site Contributor

Join Date: Aug 2006

Gems of Destiny

D/

Quote:
Originally Posted by Mister Me
My Antivirus is fine, still auto-updates. Now I'm doing one of those full deep scans.
My anti-virus is NOD32, I know that you normally have to pay for it, but I've the trial version, normally that's the same, just for free for a certain amount of days. Removed reference to illegal software.

We don't promote or recommend hacking any software. Hacked software is very likely not to work 100%, and this should be kept in mind, especially when dealing with the security of your system and network. I would recommend that you either purchase a legitimate subscription, or use one of the valid free anti-virus software packages that are available.

Snograt

rattus rattus

Join Date: Jan 2006

London, UK GMT??0 ??1hr DST

[GURU]GW [wiki]GW2

R/

Quote:
Originally Posted by Mister Me
How/where can you update your "Windows Install"? I really don't know what that is...

That means run Windows Update. If you don't know how to do that, the quickest way to explain it is to direct you to http://update.microsoft.com/microsof...6/default.aspx

And lose that pirated NOD32 - seriously.

MisterB

Furnace Stoker

Join Date: Oct 2005

Planet Earth, Sol system, Milky Way galaxy

[ban]

W/

Quote:
Originally Posted by Mister Me
My Antivirus is fine, still auto-updates. Now I'm doing one of those full deep scans.
My anti-virus is NOD32, I know that you normally have to pay for it, but I've the trial version, normally that's the same, just for free for a certain amount of days. Removed reference to illegal software.

Avira AntiVir Personal is free, uses minimal resources, has regular updates, and it has proven to have a consistently high detection rate. Removed reference to software manipulation.

TheGuildWarsPenguin

Wilds Pathfinder

Join Date: Aug 2005

Los Angeles, California

Picnic Pioneers

E/

Can I assume that I don't have the worm if I can access the security websites the worm blocks?

Lord Sojar

The Fallen One

Join Date: Dec 2005

Oblivion

Irrelevant

Mo/Me

Quote:
Originally Posted by TheGuildWarsPenguin
Can I assume that I don't have the worm if I can access the security websites the worm blocks?

No, you can never make assumptions regarding your online security. If, after checking the registry as indicated in the link from Microsoft, you are able to access F-Secure's site and a full deep anti-virus scan of ALL your drives comes back clean, then you can be sure you don't have it.

Mister Me

Lion's Arch Merchant

Join Date: Apr 2007

Quote:
Originally Posted by Snograt
That means run Windows Update. If you don't know how to do that, the quickest way to explain it is to direct you to http://update.microsoft.com/microsof...6/default.aspx

And lose that pirated NOD32 - seriously.

I'm sorry about the illegal thingy; I won't talk about its details again on this forum.
Thank you for the link!
And I'll think about changing my virus scanner. (I came from AVG Free, so this was sooo much better; I didn't like AVG Free, because its pop-ups were terrible -.-)

viper11025

Wilds Pathfinder

Join Date: Mar 2007

02/18/05 (Pm me with the place, its a riddle)

A/

Um, no one read my post then? Yeah, I think I had the virus....

Mister Me

Lion's Arch Merchant

Join Date: Apr 2007

Quote:
Originally Posted by MisterB
Avira AntiVir Personal is free, uses minimal resources, has regular updates, and it has proven to have a consistently high detection rate. Removed reference to software manipulation.

Ok, ty, I installed it and updated it to the latest version.

But now I'm trying to uninstall NOD32, and when I restart my PC it just shows up again. Does anyone know why or what the problem is?

Lord Sojar

The Fallen One

Join Date: Dec 2005

Oblivion

Irrelevant

Mo/Me

Quote:
Originally Posted by viper11025
Um, no one read my post then? Yeah, I think I had the virus....

Yeah, I read it. You formatted and got rid of it, correct? Though we can't confirm it was Conficker causing the issue and not Storm worm or another virulent trojan.

Lourens

Forge Runner

Join Date: Mar 2006

Any chance of being infected while using a program like MSN?

I suggest, if you don't have a proper virus scanner, install AVG Free Edition.

Zarnthal

Pre-Searing Cadet

Join Date: Mar 2009

As a server admin in a school district here in Arizona, I have been tasked with eliminating this worm from our systems, which total about 1000 PCs and servers. A daunting task, considering there are only 2 others in the tech department, plus the director.

We seem to have been infected as early as the 15th of January. We have been working on a "fix" for the better part of 2 weeks and are just about there. Let me give you some insight as to what we are up against at this stage of infection.

1. Running MSRT or FixDownadup (Symantec) does no good; the virus simply prevents them from running.

2. Updating our anti-virus version (ESET) from 2.7 to 3.0 or 4.0 will work without issue using push technology. However, most PCs will not update the virus signatures because they cannot access the AV site.

To update the AV packages, utilize the removal tool and Windows Updates, we must kill the svchost file(s). We must visit each PC manually and use a program called Process.exe. Running this kills all svchost processes, which destabilizes the system and pops up the shutdown command. After disabling shutdown, we run that process a few more times to make sure the svchost does not come back. Then we run the malware tool. We then reboot the system after the malware tool finds the virus (run under a deep scan) and eliminates it. After reboot, we begin to immediately update Windows with SP3, and the 38 updates after SP3. We then check for the presence of the virus in the registry (SVCHOST - netsvcs). When that is completed, we re-apply the 3 separate patches that address the Conficker vulnerability (directly and indirectly). Reboot a third time and test the logon. Then we document the machine by room and move on to the next room, rinse and repeat.

The longer this virus remains in play, the more damage it causes. I have group policy logon scripts that no longer run. Manually running those scripts at this moment results in a 5 to 10 minute delay in execution of those scripts, if they run at all. They are Visual Basic scripts, not batch files. I am hoping that as more computers are repaired, script functionality returns, because I have seen nothing on how to restore script functionality on the internet. Time on each PC from start to finish takes about an hour, depending on the # of files on the PC and how deeply infected the PC is.

It was decided by others not to update Windows automatically because of the potential for a bad update to hurt various computers, or all of them. Let me tell you from experience, and from what I and the other 2 people will be doing this entire weekend: update your systems to the latest and greatest patches out there to keep your systems from becoming infected. A fully updated system with a fully updated AV will prevent reinfection.
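Several posts above look for a "netsvcs" key under ...\Services and find nothing (Fire Drake, Jecht Scye), Shadowfox1125 finds Netman\Parameters\ServiceDll and Snograt rightly identifies it as the Network Connections service, and Zarnthal's procedure checks "SVCHOST - netsvcs" after every cleanup. The source of the confusion is that netsvcs is not a subkey of Services: it is a multi-string value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost naming the services one svchost.exe instance hosts, and each of those services has its own Services\<name>\Parameters\ServiceDll telling svchost which DLL to load. The script below is an added example (not from the thread, from KB 962007 or from any vendor's tool) that walks every member of that group and reports where its ServiceDll points, whether the file exists under %SystemRoot%\system32, and what Get-AuthenticodeSignature says about it, so a randomly named service or DLL stands out next to the legitimate ones such as Netman. It assumes an elevated Windows PowerShell 2.0 or later prompt (on XP or Vista, install it first) and relies on one Conficker behaviour: it registers an extra service in this group and restricts the permissions on its own registry key, so a key an administrator cannot read is reported as a finding in its own right.

```powershell
# Added example for this thread: read-only audit of the svchost "netsvcs" service
# group. Not from the original posts, KB 962007 or any vendor tool.
# Needs an elevated Windows PowerShell 2.0+ prompt (install it first on XP/Vista).

function Get-NetsvcsAudit {
    $hklm      = [Microsoft.Win32.Registry]::LocalMachine
    $svcHost   = $hklm.OpenSubKey('SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost')
    $members   = @($svcHost.GetValue('netsvcs'))          # REG_MULTI_SZ: service names in this group
    $services  = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Services')
    $installed = $services.GetSubKeyNames()               # names only; does not open each child key

    foreach ($name in $members) {
        # The group list is a template and names services that may not exist on this
        # build, so a member with no Services\<name> key is an empty slot, not a finding.
        if ($installed -notcontains $name) { continue }

        $dll = $null; $note = ''
        try {
            $params = $services.OpenSubKey("$name\Parameters")
            if ($params) { $dll = $params.GetValue('ServiceDll') }   # %SystemRoot% is expanded here
            if (-not $dll) { $note = 'no Parameters\ServiceDll value' }
        } catch [System.Security.SecurityException] {
            # Conficker restricts the ACL on its own service key; a key an
            # administrator cannot read is itself worth a closer look.
            $note = 'ACCESS DENIED reading the service key'
        }

        $exists     = [bool]($dll -and (Test-Path -LiteralPath $dll))
        $inSystem32 = [bool]($dll -and ($dll -like "$env:SystemRoot\system32\*"))
        $signature  = 'n/a'
        if ($exists) { $signature = (Get-AuthenticodeSignature -FilePath $dll).Status.ToString() }

        New-Object PSObject -Property @{
            Service    = $name
            ServiceDll = $dll
            Exists     = $exists
            InSystem32 = $inSystem32
            Signature  = $signature
            # Anything a legitimate svchost-hosted service would not normally do.
            Flag       = ($note -ne '') -or (-not $exists) -or (-not $inSystem32) -or ($signature -ne 'Valid')
            Note       = $note
        }
    }
}

Get-NetsvcsAudit |
    Sort-Object Flag -Descending |
    Format-Table Service, ServiceDll, Exists, InSystem32, Signature, Flag, Note -AutoSize
```

Read the Flag column as "look at this", not as a verdict: on Windows versions before 10, Get-AuthenticodeSignature reports catalog-signed Microsoft DLLs as NotSigned, so some genuine services will be flagged on XP, Vista and 7. What you are looking for is the combination the thread describes: a service name you do not recognise, a ServiceDll with a meaningless filename, or a key the script could not open at all. A host-by-host run of this, saved with the room documentation Zarnthal describes, also gives a record to compare against after the reboots and patching.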

Zarnthal

Pre-Searing Cadet

Join Date: Mar 2009

Quote:
Originally Posted by lakatz View Post
http://www.cnn.com/2009/TECH/ptech/0...ref=newssearch

So... I'm a little confused. I read this article a week ago that states the downadup worm is engineered to spread through corporate networks and, for that reason, corporate networked computers are more at risk than home computers.
No. Typically, Corporate network computers are not updated as frequently, if at all, as home based systems that rely on Automatic Updates. So the risk to home PC's is significantly reduced because they are updated more frequently.

Our PC's at the School District I work at arent updated beyond the image that was made for that particular computer model. After our Conficker disaster is under control, you can bet we will revisit that issue.

Zarnthal

Pre-Searing Cadet

Join Date: Mar 2009

Our anti-virus (NOD32) version 2.7 found the Conficker virus file and removed it each and every time, so we thought we were safe because the file was quarantined and deleted. *WRONG*

Our AV only prevented 1 method of infection. Conficker uses any one of at least 3 or 4 ways to infect a PC. This is why we got a late start on disinfecting our PCs: we thought our AV was catching it before it had a chance to do anything. It was only catching that one method of infection... Then, after being infected for over a month, we started experiencing network congestion, domain controller slowdown, group policies not working, group policy scripts not running... yeah, fun...
Never ASSUME you're protected from Conficker. Verify!!!