Conficker convicted – case study
A lot of people think that the Conficker worm is just another virus, but when Microsoft offered a bounty for information leading to the arrest of its creator, it became a worldwide scare.
Nobody was an exception to Conficker: consumers, businesses, even techies! As a matter of fact, it was reported that as of today people are still being infected (http://ezinearticles.com/?Conficker-Continues-to-Infect-the-Internet&id=2361893). But how does it really work? Let’s look at an actual scenario in which a small business experienced a Conficker attack and how TechieNow.com resolved it.
The Story
The business in this case study has 10 computers and 1 server. One unit, let’s call it PC A, showed the following symptoms:
- cannot browse the internet
- the task manager shows multiple PCUserA.exe processes
- cannot access the server
- automatic updates service was turned off
These symptoms coincide with those listed on Microsoft’s Conficker worm support site http://support.microsoft.com/kb/962007.
Several scans were performed but none seemed to work. Ultimately, PC A had its hard drive wiped in the belief that this would get rid of the problem, but no luck: the worm came back even after a clean install.
It was a pretty weird experience. The problem was finally fixed when PC A was first disconnected from the network and only then had its hard drive reformatted; as long as it stayed connected, the other infected machines simply reinfected it across the network. Meanwhile PC B, PC C and others were having the same dilemma.
The Solution
Researching the causes of such an attack led to heaps of information. Several antivirus companies offer detection tools, and Microsoft also released an update for Conficker removal. In the end, the following tools were used:
• McAfee’s conficker detection tool http://www.mcafee.com/us/enterprise/confickertest.html
• Microsoft’s advice from http://support.microsoft.com/kb/962007
The Prevention
To stop Conficker from spreading to all systems and to prevent future occurrences, a Group Policy Object was created with the following rules:
• Remove permissions to write to the %windir%\Tasks folder
• Remove write permissions to the svchost registry subkey
• Disable Autoplay features
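As an added illustration (not code from the original post or from TechieNow), the following PowerShell script checks a single host, read-only, against the symptoms listed under The Story and the three GPO rules above. The registry locations for Autoplay (NoDriveTypeAutoRun) and the SvcHost subkey, and the list of "broad" groups whose write access is flagged, are assumptions based on standard Windows hardening rather than details spelled out in the post.

```powershell
# Added example, not from the original post: read-only check of a Windows host
# against the symptoms and GPO rules described above. Run from an elevated
# PowerShell prompt; assumes Windows PowerShell 5.1 or later.
$findings = @()
# 1. Symptom: Automatic Updates service turned off.
$wu = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
if ($null -eq $wu -or $wu.StartType -eq 'Disabled') {
    $findings += 'Automatic Updates (wuauserv) is missing or disabled'
}

# 2. GPO rule: Autoplay disabled. 0xFF in NoDriveTypeAutoRun covers every drive type (assumed location).
$pol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$val = (Get-ItemProperty -Path $pol -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
if ($val -ne 0xFF) {
    $findings += "Autoplay is not fully disabled (NoDriveTypeAutoRun = $val)"
}

# 3. GPO rules: no write access for broad groups on %windir%\Tasks and the SvcHost subkey.
function Test-BroadWriteAccess {
    param([string]$Path)
    $broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'   # assumed list
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($broad -notcontains $ace.IdentityReference.Value) { continue }
        # File ACEs expose FileSystemRights, registry ACEs RegistryRights; both are flag enums.
        $rights = if ($ace -is [System.Security.AccessControl.FileSystemAccessRule]) {
            $ace.FileSystemRights } else { $ace.RegistryRights }
        if ("$rights" -match 'Write|Modify|FullControl|CreateFiles|SetValue|CreateSubKey') { return $true }
    }
    return $false
}
if (Test-BroadWriteAccess -Path "$env:windir\Tasks") {
    $findings += "Broad write access on $env:windir\Tasks"
}
$svc = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost'   # assumed location
if (Test-BroadWriteAccess -Path $svc) {
    $findings += 'Broad write access on the SvcHost registry subkey'
}

# 4. Symptom: many copies of one process (PCUserA.exe on PC A) running outside the Windows folders.
$groups = Get-Process | Where-Object { $_.Path } | Group-Object -Property ProcessName | Where-Object { $_.Count -gt 1 }
foreach ($g in $groups) {
    $p = $g.Group[0].Path
    if ($p -notlike "$env:windir\*" -and $p -notlike "$env:ProgramFiles\*") {
        $findings += "$($g.Count) copies of $($g.Name) running from $p"
    }
}
if ($findings.Count -eq 0) { 'No findings: host matches the rules above.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Every finding corresponds to one listed symptom or GPO rule, so the output can be compared directly against the steps in The Solution and The Prevention.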
Technical Information
Name: Conficker
Aliases: Win32/Conficker A, Mal/Conficker-A, Trojan.Win32.Agent.bccs, W32.Downadup.B, Trojan-Downloader.Win32.Agent.aqfw, W32/Conficker.worm, Trojan:Win32/Conficker!corrupt, W32.Downadup, WORM_DOWNAD, Confickr, as named by several security sites.
Type: Conficker is a worm that can infect other computers across a network by exploiting a vulnerability in svchost.exe. This can allow further infection when file sharing is enabled. In some cases it also propagates through removable drives and by exploiting weak passwords.
History: The first member of the family was discovered on November 21, 2008; the payload trigger date was November 25, 2008 and later. On February 13, 2009 Microsoft offered a reward of $250,000 for information leading to the arrest of the creators of the Conficker worm.
Prevention: To prevent virus attacks on your computers, make sure the latest security updates are applied. Install a trusted anti-virus program, keep it turned on and always keep it updated.
How can Techie Now Help?
We’re specialists in malware removal. Conficker is one of the trickiest to remove, but we’re confident we can help you. If you need support, come to our web page and select a service.