US-CERT Current Activity

Conficker Worm Targets Microsoft Windows Systems

Original release date: March 29, 2009 at 8:18 pm
Last revised: April 9, 2009 at 6:44 pm

UPDATE: Researchers discovered a new variant of the Conficker worm on April 9, 2009. This variant updates earlier infections via its peer-to-peer (P2P) network and resumes scan-and-infect activity against unpatched systems. Public reporting indicates that this variant attempts to download additional malicious code onto victim systems, possibly including copies of the Waledac Trojan, a spam-oriented malicious application that had previously propagated only via bogus email messages containing malicious links.

US-CERT is aware of public reports indicating a widespread infection of the Conficker/Downadup worm, which can infect a Microsoft Windows system from a thumb drive, a network share, or directly across a corporate network if the network servers are not patched with the MS08-067 patch from Microsoft.

Home users can apply a simple test for the presence of a Conficker/Downadup infection on their home computers. The most recent variant of Conficker/Downadup interferes with queries for security vendor websites, preventing a user from visiting them. An infection may therefore be suspected if a user is unable to reach their security solution's website, or is unable to connect to the following sites, from which free detection/removal tools can be downloaded:

http://www.symantec.com/norton/theme.jsp?themeid=conficker_worm&inid=us_ghp_link_conficker_worm
http://www.microsoft.com/protect/computer/viruses/worms/conficker.mspx
http://www.mcafee.com

If a user is unable to reach any of these websites, it may indicate a Conficker/Downadup infection. If an infection is suspected, the system should be removed from the network or, in the case of home users, unplugged from the Internet.
Instructions, support and more information on how to manually remove a Conficker/Downadup infection from a system have been published by major security vendors. Please see below for a few of those sites. Each of these vendors offers free tools that can verify the presence of a Conficker/Downadup infection and remove the worm:

Symantec: http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-011316-0247-99
Microsoft: http://support.microsoft.com/kb/962007
Microsoft: http://www.microsoft.com/protect/computer/viruses/worms/conficker.mspx
Microsoft PC Safety hotline: 1-866-PCSAFETY, for assistance.

UPDATED: US-CERT encourages users to take the following preventive measures to help prevent a Conficker/Downadup infection:

* Ensure all systems have the MS08-067 patch.
* Disable AutoRun functionality. See US-CERT Technical Cyber Security Alert TA09-020A.
* Maintain up-to-date antivirus software.
* Do not follow unsolicited links and do not open unsolicited email messages.
* Use caution when visiting untrusted websites.
* Use caution when downloading and installing applications.
* Obtain software applications and updates directly from the vendor's website.
* Refer to the Recognizing and Avoiding Email Scams (pdf) document for more information on avoiding email scams.
* Refer to the Avoiding Social Engineering and Phishing Attacks document for more information on social engineering attacks.
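The following PowerShell script is an added example and is not part of the US-CERT advisory or any vendor tool. It applies the advisory's two host-level checks to the local Windows machine: the "can I reach the vendor sites" test from the detection section, and the first two preventive measures (MS08-067 patch installed, AutoRun disabled). The advisory only says the worm "interferes with queries" for vendor sites, so the script assumes DNS-level interference and tests name resolution; it also assumes that KB958644 is the knowledge-base number under which MS08-067 is installed, that a NoDriveTypeAutoRun value of 0xFF is the setting that disables AutoRun for all drive types, and that example.com is a control host the worm does not block. None of those four assumptions is stated on the page.

```powershell
# Added example (not from the US-CERT advisory): triage a Windows host against the
# Conficker checks described above. Run from an elevated PowerShell prompt on the
# suspect machine while it is still connected, then isolate it if anything fails.

# Vendor sites named in the advisory, plus a control host (assumption: not blocked).
$VendorHosts = @('www.symantec.com', 'www.microsoft.com', 'www.mcafee.com')
$ControlHost = 'example.com'

function Test-NameResolution {
    param([string]$HostName)
    try {
        # Uses the system resolver, which is what a browser would use.
        [System.Net.Dns]::GetHostAddresses($HostName) | Out-Null
        return $true
    } catch {
        return $false
    }
}

function Test-ConfickerDnsSymptom {
    # Report 'Suspect' only when the control host resolves but a vendor host does
    # not, so a plain network outage (everything fails) is not mistaken for infection.
    if (-not (Test-NameResolution $ControlHost)) { return 'NoNetwork' }
    $blocked = $VendorHosts | Where-Object { -not (Test-NameResolution $_) }
    if ($blocked) {
        Write-Host ("Vendor hosts that did not resolve: {0}" -f ($blocked -join ', '))
        return 'Suspect'
    }
    return 'Clean'
}

function Test-MS08067Patch {
    # Assumption: MS08-067 appears in the installed-updates list as KB958644.
    return [bool](Get-HotFix -Id 'KB958644' -ErrorAction SilentlyContinue)
}

function Test-AutoRunDisabled {
    # NoDriveTypeAutoRun is a bitmask of drive types with AutoRun disabled;
    # 0xFF (assumption) covers every type. The policy may be set per machine or per user.
    $keys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    )
    foreach ($key in $keys) {
        $props = Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
        if ($props -and $props.NoDriveTypeAutoRun -eq 0xFF) { return $true }
    }
    return $false
}

Write-Host ("DNS test for vendor sites   : {0}" -f (Test-ConfickerDnsSymptom))
Write-Host ("MS08-067 (KB958644) present : {0}" -f (Test-MS08067Patch))
Write-Host ("AutoRun disabled (0xFF)     : {0}" -f (Test-AutoRunDisabled))
```

A 'Suspect' result is a reason to disconnect the machine and run one of the vendor removal tools from a known-clean computer, not proof of infection on its own: an infected host can tamper with what a script running on it observes, and a firewall or proxy that blocks those sites would produce the same symptom. A 'Clean' DNS result likewise does not clear a host that is missing the MS08-067 patch.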
Relevant URL(s):
<http://www.us-cert.gov/cas/tips/ST04-014.html>
<http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx>
<http://www.us-cert.gov/cas/techalerts/TA09-020A.html>
<http://www.microsoft.com/protect/computer/viruses/worms/conficker.mspx>
<http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-011316-0247-99>
<http://www.us-cert.gov/reading_room/emailscams_0905.pdf>
<http://www.symantec.com/norton/theme.jsp?themeid=conficker_worm&inid=us_ghp_link_conficker_worm>
<http://www.mcafee.com/>
<http://support.microsoft.com/kb/962007>

====
This entry is available at http://www.us-cert.gov/current/index.html#conficker_worm_information
Produced 2009 by US-CERT, a government organization.

Note: Posted according to copyright permissions of US-CERT (United States Computer Emergency Readiness Team).
Purpose of Posting -- To help others keep their genealogy computers healthy.