Still

Jan 23, 2009 21:11 GMT  ·  By

The nasty Conficker worm, which comes in two flavors, Worm:Win32/Conficker.A and Worm:Win32/Conficker.B, is still lurking on Windows 7 Beta, Windows Vista Service Pack 1 and Windows XP SP3 machines, as well as on releases of the Windows Server family, including Windows Server 2008 R2. The malicious code has become associated with the Critical vulnerability in the Windows Server service patched via the MS08-067 security bulletin, which was released back in October 2008 not just for the supported versions of the Windows operating system but also for Windows 7 (pre-beta at that time). Even then, the Redmond company warned that users running unpatched copies of Windows were exposing themselves to a high degree of risk.

At the same time, even users whose Windows systems have been patched with MS08-067 continue to be at risk because of the diversified attack vectors used by Conficker. This is because the original malware, Worm:Win32/Conficker.A, reported on November 21, 2008, evolved past spreading exclusively via exploits targeting the vulnerabilities patched by MS08-067. Worm:Win32/Conficker.B (reported on December 29, 2008) has a new propagation model with additional avenues of attack.

“1. It attempts to infect other computers on the network by exploiting MS08-067,” revealed Ziv Mador, from the Microsoft Malware Protection Center, adding that “2. It attempts to copy itself to the ADMIN$ share of the target machine, which is the Windows folder by default. First it tries using the credentials of the currently logged on user. This method would work well in environments where the same user account is used for different computers on the network, and as long as that account has administrative rights. 3. It copies itself to removable media such as USB drives and other portable storage. It adds an INF file so that when the removable media is used, the AutoPlay dialog will show one additional option.”

According to Panda Security, Conficker has so far managed to infect no less than one in every 16 PCs worldwide. In addition to the update for the security vulnerability in Windows Server Service, Microsoft has also updated the Malicious Software Removal Tool, tweaking the January release of the solution to fight Conficker. The Malicious Software Removal Tool is a free download made available by the Redmond company to detect and remove specific malicious software.

“Conficker also makes several configuration changes so that it runs every time Windows starts. Specifically it adds itself as a service and also adds a registry value under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. It also terminates various services which should be re-enabled and more information is available here. Similarly, Worm:Win32/Conficker.B attempts to terminate any process which has a name which seems to indicate that it is an antivirus program or other security software. It also blocks access to the web sites of many antivirus and security vendors and to Windows Update,” Mador added.

Microsoft advised Windows users to deploy MS08-067 as soon as possible, while making sure that they use proper antivirus products capable of handling Conficker. In addition, the company indicated that strong passwords for any file share are a must. And last, but not least, Microsoft warned users not to fall for the worm's malicious AutoPlay trick, which works even on Windows 7 Beta Build 7000.

Microsoft Malicious Software Removal Tool is available for download here.