Bodzilla
January 22nd, 2009, 02:02 AM
VERY IMPORTANT: READ EVERYTHING IN THIS POST.
Detailed in this post is extremely important regarding your PC's security. Recently, a very potent, and malicious worm [a type of virus] has been discovered. This worm goes by several aliases, including Downadup, Conficker, or Kido; most commonly known as Downadup or Conficker.
This isn't your typical virus or worm. It can mask itself as anything it sees fit, and can go directly into Root directories. Method of infection can be anything from an infected file you downloaded such as a WMV or MP3, or as sinister as plugging in your USB drive (if it was infected from a public location like the library or school/work) and Windows auto running the device. Disabling AUTO RUN is not effective in stopping Downadup.
You ARE AT RISK if you use Windows XP or Windows Vista, especially if you do not have Auto Updates on, or update frequently via manual updating. Downadup can mask itself and you may not even know you are infected. Once it infiltrates your system, it will edit your Windows Registry. After this is completed, the worm begins to override your firewall settings, allowing it to download malware from any number of hosts. This malware will only increase the damage to the PC. However, the creators of Downadup have yet to activate the second stage of the worm. Once they do, Downadup will do one of two things:
1). It will retrieve all your confidential files, personal information, passwords (online banking especially), and logins and send them to any numbers of hosts.
2). It will combine your PC into its botnet and attempt to hack (by brute force) anything it is targeted to. This is the fear of the Department of Homeland Security. With the current infection rate, it has the capability of hacking some of the most important data centers in the country if given the chance and enough time.
This worm is now being monitored by US-CERT as well as the FBI Cyber Crimes unit. They have moved this into a possible cyberterror attack, and they are quite serious about it. According to newly released figures, 1 in every 16 Windows XP/Vista PCs are infected with Downadup.
If you are not concerned about this virus, and do not take efforts to mitigate your risk of infection or to remove the worm if you are already infected, you may not only endanger your PC, but many others. The virus has a very advanced code, and can "mutate" to adapt to threats and increase its potency. The worm will spread from your PC to your friends, and it has a very high potential to destroy your life, enjoyment, and safety on the internet.
Here is information taken directly from Symantec regarding the method of infection of the worm (thanks to Symantec for the info):
http://www.symantec.com/security_res...408-99&tabid=2 (http://www.symantec.com/security_response/writeup.jsp?docid=2008-112203-2408-99&tabid=2)
(the threat level is listed as low, because the article is dated from November when the first variations of the worm were spotted. Do not be fooled, it is not a minor threat anymore)
How can you stop this worm from affecting you? Good question, and here are the best methods.
Update your Windows install immediately. Do it manually. The worm actually disables Auto Updates, so, this will prevent reinfection.
Update your Anti Virus software, and be sure you are using a good antiviral software. Do this manually as well.
Run a FULL SYSTEM SCAN on your PC after updating your Anti Virus software library.
Disable System Restore (Windows XP users)
[U]To do this follow these steps:
Click Start, right-click My Computer, and then click Properties.
In the System Properties dialog box, click the System Restore tab.
Click to select the Turn off System Restore check box. Or, click to select the Turn off System Restore on all drives check box.
Click OK.
When you receive the following message, click Yes to confirm that you want to turn off System Restore:You have chosen to turn off System Restore. If you continue, all existing restore points will be deleted, and you will not be able to track or undo changes to your computer.
Do you want to turn off System Restore?
After a few moments, the System Properties dialog box closes.
You can also check your registry for the worm's entries:
Click Start > Run.
Type regedit
Click OK.
Navigate to and delete the following registry entry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\netsvcs\Parameters\"ServiceDll" = "[PATH OF WORM EXECUTABLE]"
Exit the Registry Editor
Just because you do not have the registry key above, doesn't mean you are not infected. Keep that in mind. It may just not have reached that stage yet. You still need to do a FULL DEEP SCAN of your computer, including all your hard drives and your USB media.F-Secure has developed a tool to remove Downadup, but the above should also be used in conjunction with the tool. There is no one thing that makes you secure. It is using your logic, a good software suite, and even a router firewall to protect yourself.
HERE IS THE REMOVAL TOOL FROM F-SECURE (http://www.f-secure.com/weblog/archives/00001588.html)
For additional reading see these articles or Google search "Downadup" or "Conficker":
http://www.pcworld.com/businesscente...ry_16_pcs.html (http://www.pcworld.com/businesscenter/article/158085/downadup_worm_eats_into_1_of_every_16_pcs.html)
http://www.computerworld.com/action/...icleId=9126478 (http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9126478)
We at Guild Wars Guru take your PC security seriously, and this warning is not intended to scare you, but make you knowledgeable about a very serious situation. I am taking personal responsibility to inform as many guru users of this threat as possible. I would encourage you to inform your family and friends of this threat, and to direct them in testing and removing if necessary, Downadup from their systems and home networks.got linked to this from another forum, anyone else heard about this? is it a real threat or not?
http://www.guildwarsguru.com/forum/showpost.php?p=4459541&postcount=1
E: Seems legit.
Detailed in this post is extremely important regarding your PC's security. Recently, a very potent, and malicious worm [a type of virus] has been discovered. This worm goes by several aliases, including Downadup, Conficker, or Kido; most commonly known as Downadup or Conficker.
This isn't your typical virus or worm. It can mask itself as anything it sees fit, and can go directly into Root directories. Method of infection can be anything from an infected file you downloaded such as a WMV or MP3, or as sinister as plugging in your USB drive (if it was infected from a public location like the library or school/work) and Windows auto running the device. Disabling AUTO RUN is not effective in stopping Downadup.
You ARE AT RISK if you use Windows XP or Windows Vista, especially if you do not have Auto Updates on, or update frequently via manual updating. Downadup can mask itself and you may not even know you are infected. Once it infiltrates your system, it will edit your Windows Registry. After this is completed, the worm begins to override your firewall settings, allowing it to download malware from any number of hosts. This malware will only increase the damage to the PC. However, the creators of Downadup have yet to activate the second stage of the worm. Once they do, Downadup will do one of two things:
1). It will retrieve all your confidential files, personal information, passwords (online banking especially), and logins and send them to any numbers of hosts.
2). It will combine your PC into its botnet and attempt to hack (by brute force) anything it is targeted to. This is the fear of the Department of Homeland Security. With the current infection rate, it has the capability of hacking some of the most important data centers in the country if given the chance and enough time.
This worm is now being monitored by US-CERT as well as the FBI Cyber Crimes unit. They have moved this into a possible cyberterror attack, and they are quite serious about it. According to newly released figures, 1 in every 16 Windows XP/Vista PCs are infected with Downadup.
If you are not concerned about this virus, and do not take efforts to mitigate your risk of infection or to remove the worm if you are already infected, you may not only endanger your PC, but many others. The virus has a very advanced code, and can "mutate" to adapt to threats and increase its potency. The worm will spread from your PC to your friends, and it has a very high potential to destroy your life, enjoyment, and safety on the internet.
Here is information taken directly from Symantec regarding the method of infection of the worm (thanks to Symantec for the info):
http://www.symantec.com/security_res...408-99&tabid=2 (http://www.symantec.com/security_response/writeup.jsp?docid=2008-112203-2408-99&tabid=2)
(the threat level is listed as low, because the article is dated from November when the first variations of the worm were spotted. Do not be fooled, it is not a minor threat anymore)
How can you stop this worm from affecting you? Good question, and here are the best methods.
Update your Windows install immediately. Do it manually. The worm actually disables Auto Updates, so, this will prevent reinfection.
Update your Anti Virus software, and be sure you are using a good antiviral software. Do this manually as well.
Run a FULL SYSTEM SCAN on your PC after updating your Anti Virus software library.
Disable System Restore (Windows XP users)
[U]To do this follow these steps:
Click Start, right-click My Computer, and then click Properties.
In the System Properties dialog box, click the System Restore tab.
Click to select the Turn off System Restore check box. Or, click to select the Turn off System Restore on all drives check box.
Click OK.
When you receive the following message, click Yes to confirm that you want to turn off System Restore:You have chosen to turn off System Restore. If you continue, all existing restore points will be deleted, and you will not be able to track or undo changes to your computer.
Do you want to turn off System Restore?
After a few moments, the System Properties dialog box closes.
You can also check your registry for the worm's entries:
Click Start > Run.
Type regedit
Click OK.
Navigate to and delete the following registry entry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\netsvcs\Parameters\"ServiceDll" = "[PATH OF WORM EXECUTABLE]"
Exit the Registry Editor
Just because you do not have the registry key above, doesn't mean you are not infected. Keep that in mind. It may just not have reached that stage yet. You still need to do a FULL DEEP SCAN of your computer, including all your hard drives and your USB media.F-Secure has developed a tool to remove Downadup, but the above should also be used in conjunction with the tool. There is no one thing that makes you secure. It is using your logic, a good software suite, and even a router firewall to protect yourself.
HERE IS THE REMOVAL TOOL FROM F-SECURE (http://www.f-secure.com/weblog/archives/00001588.html)
For additional reading see these articles or Google search "Downadup" or "Conficker":
http://www.pcworld.com/businesscente...ry_16_pcs.html (http://www.pcworld.com/businesscenter/article/158085/downadup_worm_eats_into_1_of_every_16_pcs.html)
http://www.computerworld.com/action/...icleId=9126478 (http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9126478)
We at Guild Wars Guru take your PC security seriously, and this warning is not intended to scare you, but make you knowledgeable about a very serious situation. I am taking personal responsibility to inform as many guru users of this threat as possible. I would encourage you to inform your family and friends of this threat, and to direct them in testing and removing if necessary, Downadup from their systems and home networks.got linked to this from another forum, anyone else heard about this? is it a real threat or not?
http://www.guildwarsguru.com/forum/showpost.php?p=4459541&postcount=1
E: Seems legit.