Thursday, April 02, 2009

Dig and Rid CONFICKER


Let's assume you're on the receiving end of the worst April Fool's Day joke of 2009: your computer's been infected with the Conficker virus. It's a frustrating but not insurmountable problem. This guide will walk you through how to cleanse your computer and inoculate against other Conficker variants.

First off, make sure that you are actually infected. There aren't many warning signs, but a few will stand out if you know what to look for. One fast way to check is to try to visit any major security software publisher's Web site. If you've cleared your browser cache beforehand, and you can load the sites of Symantec, Eset, Avira, or AVG, you're clean because Conficker blocks access to them.

Another good litmus test is to check on the status and functionality of Windows services such as Automatic Updates, the Background Intelligent Transfer Service, Windows Defender, and Error Reporting Services. If any of those have been disabled without your consent, or if your account lockout policies have changed without approval, you might be infected. Other warning signs include unusually high traffic on your local area network, and domain controllers responding slowly to client requests.

If you're running an up-to-date virus scanner, it's unlikely you'll get infected unless you've configured your computer to not receive automatic Windows updates. Checking your list of installed updates for security update MS08-067 (KB 958644) is not recommended because the worm, alternatively known as Kido, Downup, or Downadup, fakes the patch job.
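The warning signs above (security vendor sites unreachable, key Windows services disabled, changed lockout policy) can be checked in one pass. The script below is an added example written for this post, not something from the original article or from any vendor tool. It uses the standard Windows service names (wuauserv for Automatic Updates, BITS, WinDefend for Windows Defender, ERSvc for the XP/2003 Error Reporting Service and WerSvc for its Vista successor) and assumes that www.google.com is a name the worm does not block, so it can serve as a control for whether DNS works at all. As the article notes, it deliberately does not trust the presence of KB 958644 in the installed-updates list.

```powershell
# Added example (not from the original post): checks the Conficker warning signs
# listed in the article. Run from an elevated PowerShell prompt on the machine
# being examined. Service names are standard; ERSvc exists on XP/2003 and
# WerSvc on Vista and later, so whichever is present is checked.

$services = @{
    'wuauserv'  = 'Automatic Updates / Windows Update'
    'BITS'      = 'Background Intelligent Transfer Service'
    'WinDefend' = 'Windows Defender'
    'ERSvc'     = 'Error Reporting Service (XP/2003)'
    'WerSvc'    = 'Windows Error Reporting (Vista and later)'
}

$findings = @()

foreach ($name in $services.Keys) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($svc -eq $null) { continue }   # service not present on this Windows version
    $mode = (Get-WmiObject Win32_Service -Filter "Name='$name'").StartMode
    if ($mode -eq 'Disabled') {
        $findings += "Service '$($services[$name])' ($name) has been set to Disabled"
    }
}

# Conficker blocks name resolution for security vendors. Several vendor names
# failing while an ordinary name resolves is the indicator the article describes.
function Test-NameResolves([string]$hostName) {
    try   { [void][System.Net.Dns]::GetHostAddresses($hostName); return $true }
    catch { return $false }
}

$vendorHosts = 'www.symantec.com', 'www.eset.com', 'www.avira.com', 'www.avg.com'
$control     = 'www.google.com'   # assumption: a name the worm does not interfere with

if (Test-NameResolves $control) {
    $blocked = @($vendorHosts | Where-Object { -not (Test-NameResolves $_) })
    if ($blocked.Count -gt 0) {
        $findings += "Security vendor sites not resolving: $($blocked -join ', ')"
    }
} else {
    $findings += "Control host $control did not resolve; the vendor-site check is inconclusive"
}

# Account lockout policy: the worm's password guessing tends to trip lockouts,
# and a changed threshold is another sign. Report the current value for review.
$lockout = (net accounts) | Select-String 'Lockout threshold'
if ($lockout) { $findings += "Current $($lockout.Line.Trim())" }

# Note: KB 958644 (MS08-067) is not checked here on purpose; the worm fakes it.
if ($findings.Count -eq 0) { 'No Conficker warning signs found' } else { $findings }
```

A disabled service or a changed lockout threshold can have innocent explanations, so treat the output as a prompt to run one of the removal tools named later in the post rather than as proof of infection on its own. The DNS test is the most specific of the three: a machine with working name resolution that cannot resolve any of the four vendor names listed is showing the exact behaviour the article describes.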

Assuming you've got the virus, the next step is to download one of several free removal clients. The Conficker-specific tools are McAfee's Stinger, Eset's Win32/Conficker Worm Removal Tool, Symantec's W32.Downadup Removal Tool, and Sophos' Conficker Cleanup Tool.

Avira specifically mentions on their Web site that Antivir will prevent infection and remove the virus if you have it, although I don't have an infected machine to confirm this against. AVG states that AVG Free will protect you against the virus, but doesn't say if it can remove it once you've been infected.

If none of these programs work for you, Avira also offers Conficker-specific instructions on how to use their rescue CD to fix your computer. This requires a secondary computer so you can create the CD, if you haven't done so prior to infection.

It is strongly recommended that if you're infected and you have the luxury of a second machine, disconnect the infected computer from the Internet and install any repair programs or other fixes via CD or USB key.

One of the most common infection vectors for Conficker and its ilk is the Windows AutoRun feature. Eset claims that one out of every 15 threats they detected in 2008 used autorun.inf. Unfortunately, disabling it is not as simple as you may think, because even when AutoRun is disabled through the conventional settings, Windows still parses most of the autorun.inf file instead of ignoring it entirely.

To disable it completely, users will need to copy the text below into Notepad. Keep the bracketed key path on a single line, with no line breaks inside it, and put the value on the line after it.

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"

Save it as something memorable, such as StopAutoRun.REG. Double-click on the saved file, and you close the AutoRun loophole. You also won't be able to automatically play DVDs just by putting them in the disc drive, but that seems a reasonable price to pay for slamming the door on this gaping security flaw.
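The same IniFileMapping change can be made and verified from PowerShell, which is handy on a second machine or in a script that has to be run on several computers. The block below is an added example written for this post, not part of the original article; the key path and the "@SYS:DoesNotExist" value are exactly those in the .REG file above, and the only assumption is that the prompt is running with Administrator rights, since the key lives under HKEY_LOCAL_MACHINE.

```powershell
# Added example (not from the original post): applies, checks and, if wanted,
# removes the IniFileMapping entry that makes Windows read autorun.inf as empty.
# Same key and value as the StopAutoRun.REG file; requires an elevated prompt.

$mappingKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'

function Get-AutorunMapping {
    # Returns the current (default) value, or $null when the key does not exist.
    if (-not (Test-Path $mappingKey)) { return $null }
    # "(default)" is how PowerShell exposes the @ value of a .reg file.
    (Get-ItemProperty -Path $mappingKey).'(default)'
}

function Set-AutorunMapping {
    # Creates the key if needed and points the mapping at a value that does not exist,
    # so the autorun.inf contents are never consulted.
    if (-not (Test-Path $mappingKey)) { New-Item -Path $mappingKey -Force | Out-Null }
    Set-ItemProperty -Path $mappingKey -Name '(default)' -Value '@SYS:DoesNotExist'
}

function Test-AutorunMapping {
    # True only when the exact value from the article is in place.
    (Get-AutorunMapping) -eq '@SYS:DoesNotExist'
}

function Undo-AutorunMapping {
    # Restores normal autorun.inf handling (and automatic DVD playback).
    if (Test-Path $mappingKey) { Remove-Item -Path $mappingKey -Recurse }
}

"Before: $(Get-AutorunMapping)"
Set-AutorunMapping
if (Test-AutorunMapping) {
    'AutoRun mapping applied; autorun.inf will now be read as empty'
} else {
    'Mapping not applied; check that this prompt is running as Administrator'
}
```

Running the verification function on its own (Test-AutorunMapping) is a quick way to confirm that a .REG file double-clicked earlier actually took effect, which matters on machines where the worm has already tampered with registry settings.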

Once you've gotten your computer clean and killed off the AutoRun feature, there's still more to do. These changes, however, are behavioral. Stay on top of Windows security updates from Microsoft, do not under any circumstances click on any Web-based "free virus scan" offers, and make sure you're not only running a reputable security suite, but that it's configured for daily virus definition file updates.

Source : http://download.cnet.com/8301-2007_4-10208734-12.html?part=rss&subj=news&tag=2547-1_3-0-20
