Worm:Win32/Conficker.A (MS08-67)

An article at Microsoft gives technical details of Worm:Win32/Conficker.A, which is reported to be in the wild.

The details can be summarised as follows:

Info:

Win32/Conficker.A is a worm that infects other computers across a network by exploiting a vulnerability (MS08-067) in the Windows Server service (hosted in SVCHOST.EXE). If the vulnerability is successfully exploited, it allows remote code execution when file sharing is enabled.

Installation:

This worm searches for the Windows executable 'services.exe' and injects itself into it.
This worm copies itself to the Windows system folder as <random>.dll, where <random> is a 5-8 character lowercase alphabetic name such as 'nxyme.dll'.
The worm adjusts the file time of the dropped DLL worm copy to match the file time of the system's kernel32.dll, to mask forensic evidence of the infection time. The registry is modified to execute the dropped DLL worm copy as a service:
Adds value: "DisplayName"
With data: "0"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\vcdrlxeu
Adds value: "ServiceDll"
With data: "<system folder>\nxyme.dll"
To subkey: HKLM\SYSTEM\ControlSet001\Services\vcdrlxeu\Parameters

Once a machine has been infected, the worm patches the exploited function via a simple code hook in order to avoid re-infecting a machine it has already compromised. The worm opens and listens for connection attempts on a randomly chosen port between 1024 and 10000 and bypasses the Windows Firewall using its APIs. The worm also stops the Internet Connection Sharing service.
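The installation artefacts listed above (a random 5-8 letter DLL in the system folder, a service with DisplayName "0" whose ServiceDll points at it, a DLL file time cloned from kernel32.dll) and the listener on a port between 1024 and 10000 are all things a defender can check for. The script below is an added example of such a host triage check; it is not code from Microsoft or from the original post. It runs offline on constructed records: the service entries, the kernel32.dll timestamp and the `netstat -ano` lines are made up for the example, the system folder is assumed to be `C:\Windows\System32`, and the "two or more indicators" threshold is the example's own choice, included because a single indicator (the name pattern, for instance) also matches legitimate Windows DLLs.

```python
"""
Offline triage heuristics for the Win32/Conficker.A installation artefacts.
Added example; not code from Microsoft or the original post. All input is
constructed inline so the script runs anywhere; on a real host the records
would come from the Services registry key, the file system and `netstat -ano`.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

SYSTEM_FOLDER = r"C:\Windows\System32"          # assumed system folder
RANDOM_DLL = re.compile(r"^[a-z]{5,8}\.dll$")   # 5-8 lowercase letters, per the text


@dataclass
class ServiceRecord:
    key: str            # service subkey name under ...\Services
    display_name: str   # "DisplayName" value
    service_dll: str    # "ServiceDll" value from the Parameters subkey
    dll_mtime: int      # modification time of that DLL on disk (epoch seconds)


def score_service(rec: ServiceRecord, kernel32_mtime: int) -> List[str]:
    """Return the indicators from the text that this service record matches."""
    hits: List[str] = []
    folder, _, base = rec.service_dll.rpartition("\\")
    if folder.lower() == SYSTEM_FOLDER.lower() and RANDOM_DLL.match(base):
        hits.append("random 5-8 letter DLL name in the system folder")
    if rec.display_name == "0":
        hits.append('DisplayName is "0"')
    if rec.dll_mtime == kernel32_mtime:
        hits.append("DLL file time equals kernel32.dll file time")
    return hits


# Matches TCP listeners in `netstat -ano` output: local port and owning PID.
NETSTAT_LINE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")


def suspicious_listeners(netstat_lines: List[str],
                         services_exe_pids: Set[int]) -> List[Tuple[int, int]]:
    """TCP ports in 1024-10000 in LISTENING state owned by a services.exe PID."""
    found = []
    for line in netstat_lines:
        m = NETSTAT_LINE.match(line)
        if not m:
            continue
        port, pid = int(m.group(1)), int(m.group(2))
        if 1024 <= port <= 10000 and pid in services_exe_pids:
            found.append((port, pid))
    return found


def triage(services: List[ServiceRecord], kernel32_mtime: int,
           netstat_lines: List[str], services_exe_pids: Set[int],
           min_hits: int = 2) -> Dict[str, object]:
    """Flag services with at least `min_hits` indicators plus suspect listeners."""
    flagged: Dict[str, List[str]] = {}
    for rec in services:
        hits = score_service(rec, kernel32_mtime)
        if len(hits) >= min_hits:
            flagged[rec.key] = hits
    return {"services": flagged,
            "listeners": suspicious_listeners(netstat_lines, services_exe_pids)}


# --- constructed sample input (not real host data) -------------------------
KERNEL32_MTIME = 1207600000
SAMPLE_SERVICES = [
    # legitimate-looking entry: name pattern matches, nothing else does
    ServiceRecord("Dnscache", "DNS Client", r"C:\Windows\System32\dnsrslvr.dll", 1207599000),
    # the pattern from the text: random name, DisplayName "0", cloned file time
    ServiceRecord("vcdrlxeu", "0", r"C:\Windows\System32\nxyme.dll", KERNEL32_MTIME),
    # legitimate entry whose DLL happens to share kernel32's file time only
    ServiceRecord("W32Time", "Windows Time", r"C:\Windows\System32\w32time.dll", KERNEL32_MTIME),
]
SAMPLE_NETSTAT = [
    "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       868",
    "  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4",
    "  TCP    0.0.0.0:7138           0.0.0.0:0              LISTENING       660",
    "  UDP    0.0.0.0:500            *:*                                    720",
]
SERVICES_EXE_PIDS = {660}   # constructed: PID of services.exe on the sample host

if __name__ == "__main__":
    result = triage(SAMPLE_SERVICES, KERNEL32_MTIME, SAMPLE_NETSTAT, SERVICES_EXE_PIDS)
    for key, hits in result["services"].items():
        print(f"service {key}: " + "; ".join(hits))
    for port, pid in result["listeners"]:
        print(f"services.exe (pid {pid}) listening on TCP {port}")
```

Only `vcdrlxeu` is reported: `dnsrslvr.dll` and `w32time.dll` each trip one indicator, which is why the verdict requires two. A file time identical to kernel32.dll is a weak signal on its own for files shipped in the same Windows build; combined with a nonsense service name and an empty-looking DisplayName it is a much stronger one.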

Its payload is reported to:

1. Create an HTTP server.

2. Reset system restore points, making it difficult to recover using System Restore.

3. Attempt to download files from the attacker's site.

What can you do to protect yourself?

  • Enable a firewall on your computer.
  • Get the latest computer updates for all your installed software, including Security Bulletin MS08-067.
  • Use up-to-date antivirus software.
  • Use caution when opening attachments and accepting file transfers.
  • Use caution when clicking on links to web pages.
  • Protect yourself against social engineering attacks.


2 Responses to “Worm:Win32/Conficker.A (MS08-67)”

  1. [...] to protect from Ms08-67 worm Posted by w0lf as Uncategorized on Jan.28, 2009 Recent outbreak of MS08-67 worm, Downadup/Conflicker has already infected more than 9 million PCs. A special thing about this [...]

  2. CasperDT says:

    Is there any recent dangerous worm for Linux?! If not, why?
