DOWNAD.AD/Conficker - MS08-067 worms

Hi All

Win32/Conficker.B is a worm that infects other computers across a network by exploiting a vulnerability in the Windows Server service (SVCHOST.EXE). If the vulnerability is successfully exploited, it could allow remote code execution when file sharing is enabled. It may also spread via removable drives and weak administrator passwords. It disables several important system services and security products. Remember that even one unpatched machine is enough for this worm to spread through the entire network. The MS08-067 worm is spreading infection to millions of computers.

http://www.f-secure.com/weblog/archives/00001579.html

According to the link above, around 16,497 IPs are infected in India (and these are not only individual users: one IP can also represent an entire organization). India is the 4th most affected country, with China holding 1st position (as always) with around 38,277 infected IPs.

F-Secure posted some interesting information about the number of infections, which is almost certainly in the millions (and who knows how many machines will stay infected because their owners will not even notice anything). One of the reasons it has infected so many machines is that Conficker uses multiple infection vectors:

1. It exploits the MS08-067 vulnerability,
2. It brute-forces Administrator passwords on local networks and spreads through ADMIN$ shares, and finally
3. It infects removable devices and network shares by creating a special autorun.inf file and dropping its own DLL on the device.

WORM_DOWNAD.AD drops a copy of itself in the Recycler folder (Recycle Bin) of all available removable and network drives, along with an obfuscated autorun.inf file. More details about this special autorun.inf file can be found here:

http://www.f-secure.com/weblog/archives/00001575.html

Administrators should disable both autorun AND autoplay.
An interesting case of social engineering by the worm.

http://isc.sans.org/diary.html?storyid=5695

F-Secure provides free removal tools for the MS08-067 worms:

ftp://ftp.f-secure.com/anti-virus/tools/beta/fsmrt.zip
ftp://ftp.f-secure.com/anti-virus/tools/beta/f-downadup.zip

Microsoft has also released an updated version of the MSRT, which can be downloaded from:

http://www.microsoft.com/security/malwareremove/default.mspx

According to the Microsoft blog, the following system changes may indicate the presence of this malware:

  • The following services are disabled or fail to run: Windows Update Service, Background Intelligent Transfer Service, Windows Defender, Windows Error Reporting Services
  • Some accounts may be locked out due to the following registry modification, which may flood the network with connections:
    HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    "TcpNumConnections" = 0x00FFFFFE
  • Users may not be able to connect to websites or online services whose names contain any of the following strings: virus, spyware, malware, rootkit, defender, microsoft, symantec, norton, mcafee, trendmicro, sophos, panda, etrust, networkassociates, computerassociates, f-secure, kaspersky, jotti, f-prot, nod32, eset, grisoft, drweb, centralcommand, ahnlab, esafe, avast, avira, quickheal, comodo, clamav, ewido, fortinet, gdata, hacksoft, hauri, ikarus, k7computing, norman, pctools, prevx, rising, securecomputing, sunbelt, emsisoft, arcabit, cpsecure, spamhaus, castlecops, threatexpert, wilderssecurity, windowsupdate

Microsoft has provided more details here:

http://support.microsoft.com/kb/962007
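As an added example (not from the original post or from Microsoft's write-up), the following PowerShell snippet checks a single host for the three indicators listed above: the disabled services, the TcpNumConnections registry value, and name resolution for a few security-vendor hostnames. The service short names, the sample hostnames and the output format are my assumptions.

```powershell
# Added example: check a Windows host for the Conficker indicators quoted
# from the Microsoft write-up. Run from an elevated PowerShell prompt.

# 1. Services the worm disables. Short names are assumed to map to the
#    display names listed in the post.
$services = @{
    'wuauserv'  = 'Windows Update Service'
    'BITS'      = 'Background Intelligent Transfer Service'
    'WinDefend' = 'Windows Defender'
    'WerSvc'    = 'Windows Error Reporting Service'
}
foreach ($name in $services.Keys) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Output "[?] $($services[$name]) ($name) not installed"; continue }
    $mode = (Get-WmiObject Win32_Service -Filter "Name='$name'").StartMode
    if ($svc.Status -ne 'Running' -or $mode -eq 'Disabled') {
        Write-Output "[!] $($services[$name]) is $($svc.Status), start mode $mode"
    } else {
        Write-Output "[ok] $($services[$name]) running"
    }
}

# 2. Registry modification from the write-up (TcpNumConnections = 0x00FFFFFE)
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$val = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).TcpNumConnections
if ($null -eq $val) {
    Write-Output "[ok] TcpNumConnections not set (default)"
} elseif ($val -eq 0x00FFFFFE) {
    Write-Output "[!] TcpNumConnections = 0x00FFFFFE (matches the worm's setting)"
} else {
    Write-Output ("[?] TcpNumConnections = 0x{0:X8} (non-default, review)" -f $val)
}

# 3. Name resolution for a constructed sample of hosts matching the blocked
#    strings. A failure here means blocking OR simply no network access, so
#    treat it as a prompt to investigate, not as proof of infection.
$hosts = 'update.microsoft.com', 'www.f-secure.com', 'www.symantec.com', 'www.kaspersky.com'
foreach ($h in $hosts) {
    try {
        [System.Net.Dns]::GetHostAddresses($h) | Out-Null
        Write-Output "[ok] $h resolves"
    } catch {
        Write-Output "[!] $h failed to resolve (possible blocking by the worm)"
    }
}
```

Lines marked [!] are the conditions the post describes; a host that shows several of them should be isolated and scanned with the removal tools linked above.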

So the tag line is: the System Admin team has a lot of work to do. Even if you have a proper centralized patch management system, do scan for any unpatched machines using Nessus or any other tool. If you find machines that are still unpatched, push the admin to patch them immediately. If he fails to do so, beat him up till he patches all the machines. (But before that, please check if it's in your scope of work.)

:P

Moral: Patch all the machines with the latest security patches, whether at the OS or application level.

One Response to “DOWNAD.AD/Conficker - MS08-067 worms”

  1. str0ss says:

    If your system is infected with the Conficker worm, access to update.microsoft.com and the other security sites mentioned will be blocked.
    I personally recommend restarting the DNS Client process manually, then downloading a fresh version of the “Microsoft Malware Removal Tool” from http://support.microsoft.com/kb/890830. Then scan the entire system.