Automated PC Solutions
VACM - Virus Alerts for the Common Man

  Your old boxes are worth CASH $$...   Click to learn more... 

 

  VACM How-To Movie:   Learn how to Remove Spyware from your PC for free (really!).   Click to Watch the video.  

***************************************************
* The Bottom Line...
***************************************************
Today's topic is a worm virus called Downandup, Downadup, Kido!, or Conficker (all aliases for the same virus). Estimates are that it now infects 1 in every 16 computers worldwide.

Until this blows over, best advice is to NOT be plugging your digital cameras and flash drives and USB drives and Firewire devices into anyone else's computers and then back into your own.  And when you plug in your camera or thumb drive or whatever, and Windows pops up a window asking what to do with the device, just close the window.  You will understand in a few moments.

The press report about Conficker:
NEW YORK (AP) - A computer virus that may leave Microsoft Windows users vulnerable to digital hijacking is spreading through companies in the U.S., Europe and Asia, already infecting close to 9 million machines, according to a private online security firm.

Conficker is a worm virus that has reportedly infected over 9 million computers in a very short time. It is one of the fastest spreading viruses we have seen in years. It reportedly infected about 3.5 million computers in its first 4 days. Conficker takes advantages of some Windows vulnerabilities that Microsoft became aware of in 2008. Microsoft fixed those Windows vulnerabilities and released security updates in October 2008. If your system is up to date with all MS security patches, Windows will prevent Conficker from running.  If your system(s) are not up to date with MS security patches, continue reading this article.

Downandup/Conficker spreads mostly through USB drives (flash drives, thumb drives) but can also be spread via CD, DVD, digital camera, external drives, Firewire devices and mapped network drives.

***************************************************
* How Bad Is Downandup/Conficker?
***************************************************
What Does Downandup do to your Windows computer?
Security experts are still unsure as to what exactly the Conficker payload is. Conficker may be a worm that alerts users to fake threats on their systems and then tries to sell them phony removal software (similar to the "Antivirus XP" attack).   Or, it could be that the virus authors are simply waiting for payment, or some such, before activating the Conficker payload (as in "botnet for rent"... ie- organized crime). It is quite possible that Conficker can steal account usernames and passwords and personal information in order to allow the attackers to steal money from victims. It is unknown for certain at this time. If there is a payload waiting to be awakened, Conficker has created one of the largest botnets ever and this botnet would be capable of inflicting unprecedented financial damage on its victims.

***************************************************
How Does Conficker/Downadup Work?
***************************************************
Conficker seems to primarily be delivered via infected USB drives. Infected systems will then infect all USB drives that get connected to the system and those infected USB thumb drives then, in turn, infect the next PC they are connected to. 

When you insert an infected USB thumb drive, the standard "autorun" window pops up.  If you click the default option to "Open folder to view files", your system becomes infected along with all other computers on your local network.

The autorun window that pops up contains a phony "Open folder to view files" entry that runs the virus instead of opening a folder to view your files.  If you click on this phony autorun option, the virus runs unfettered by all Windows security because you, the user, told it to run.  Conficker will then morph itself into different patterns to avoid antivirus detection and proceed to infect your entire office or home LAN (local area network). Because it morphs its code randomly, traditional, signature-based detection that antivirus software currently uses makes detection nearly impossible.

When you connect an external USB drive, Conficker uses a "social engineering" trick to fool YOU into running the virus and infecting your computer. Basically, Conficker modifies the way Windows "autorun" works when you plug in an external USB drive. The two screen shots below show how the autorun window looks when you plug in a USB device, insert a CD/DVD or map a network drive:

Notice the "Open folder to view files" option on the autorun menu. An infected USB drive would pop up an autorun dialog box that has two (2) entries for "Open folder to view files." One of those entries is the valid Windows-assigned option.  The other is the phony entry created by Conficker. If you click the phony entry (the default option), Conficker will install itself on your computer and then try to infect all machines on your local network.

The tricky part about how this works is that the phony "Open folder to view files" entry is the default selection that pops up when you plug in a USB drive. It appears quite normal and therefore fools most people into just clicking it, but that actually equates to YOU starting and running the virus. As far as Windows is concerned, you clicking the phony entry is like giving the virus permission to run and install itself on your computer. Once installed, the virus spreads very quickly via another flaw in Windows' networking system (patched in Oct 2008 by MS). Conficker can quickly infect an entire office or home network.

Many virus authorities have recommended that you disable Autorun to take care of the problem.  Microsoft's recommendations are incomplete and will not fully protect from Downandup/Conficker.  The problem is that Downandup/Conficker tries to spread using USB-based devices, typically flash drives, but also digital cameras and other USB storage devices. The worm creates an autorun.inf file at the root directory of any USB-based device that it finds connected to the infected machine.  Then, when that device is later connected to an uninfected computer, the autorun.inf file copies the worm to that machine without any action on the part of the user and without the user even knowing that this has happened.  If you disable Autorun as suggested by Microsoft, you could still get infected if you double-click the USB device's icon in Windows Explorer.  See below for a more complete solution provided by US-CERT (Computer Emergency Readiness Team).

***************************************************
* What You Should Do
***************************************************
The easiest way to avoid Conficker is to never use the AutoRun window that comes up when you connect a USB drive.  Simply close it and start whatever appropriate tool yourself for using that drive (ie- Windows Explorer to see the list of files or Media Player to play the audio or video on the drive, etc.). Avoiding the Autorun window does not completely guarantee that an infected USB device will not run its Autorun.INF file, however. Very experienced Windows users may want to find out how to completely disable Autorun from the US-CERT advisory that was prompted by the Downadup/Conficker alert.   However, disabling autorun will also prevent software installation CDs and DVDs from running automatically as well, making it more difficult for novice users install their new printer or camera or camcorder software, etc.  This is a prime example of how a Windows convenience feature by Microsoft (autorunning of CDs & DVDs to install software/drivers) has been used for spreading malware.

If you have kept current with your Windows Updates... you are protected because your system(s) are already immunized against Conficker/Downandup.  Microsoft's Windows Update for this issue has been available since October 2008.  Regardless, Downandup/Conficker continues to spread due to the number of systems that have not been patched (mostly large companies that have had to cut their IT budgets and have fallen behind in updating their Windows PCs).

If you have not kept your systems up to date with Windows' Automatic Updates... you are still vulnerable and/or you are infected and are spreading this virus with every USB/external storage device you connect to your system(s).

If you are infected with Conficker/Downandup... you should first try updating and running your antivirus software to do a full scan (ie- ALL files).  If this is unsuccessful, you will have to manually remove Conficker because of the clever ways it avoids antivirus detection. Conficker is very good at hiding from antivirus software because it constantly morphs itself into new, random patterns. Conficker can easily infect an entire local network very quickly once you are infected.   If your antivirus is unsuccessful in removing Conficker, you will have to remove the worm virus manually or seek help in doing so. Conficker Removal Instructions and Conficker Removal Tools are discussed in this article. See below.

***************************************************
Conficker Removal Instructions & Tools:
***************************************************
If you are not an experienced Windows user, you should seek help with the tools and instructions listed here.

Conficker/Downandup Removal Tools:

• Conficker Removal Tool from Finland-based F-Secure:  F-Downadup Specific tool with heuristics for Downadup worm variants
• FSMRT Non-specific detection tool, from Finland-based F-Secure (larger file size)

Note: these are both command line tools.  Read the text file included in the ZIP files for additional details.  Get help from an experienced user to run these tools.

Additional Info For Advanced Users:
The above utilities are beta tools.
You can use the following FTP location to determine the file dates of (hence, age of) the tools:
    * ftp://ftp.f-secure.com/anti-virus/tools/beta/

Removal Tool Scanning Options:
Downadup makes use of random file extensions in order to avoid detection. During disinfection, your scanning options should be set to: * Scan all files

Conficker/Downandup Manual Repair and Removal Instructions:

Microsoft Help and Support Knowledge Base Article 962007 provides details for manually removing the Conficker.B (alias Downadup, Downadup, Kido!)..

How To Completely Disable Autorun

The CORRECT Way To Disable AutoRun in Microsoft Windows

It has been suggested by many virus info sites that you use "XP Power Toys" to disable autorun in order to avoid being infected by Downandup/Conficker.  That advice is incomplete and not 100% effective.

Use these procedures to effectively disable AutoRun in Windows.

Store the following 3 lines in a text file named Fixer.REG: 

REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"

To create the Fixer.Reg file, do the following steps:

1. Copy the 3 lines above onto the Windows Clipboard (ie- highlight them and press CTRL+C)
2. Start Notepad and paste the text (press CTRL+V) into Windows Notepad
3. Save the file to your Desktop and name it Fixer.Reg
4. Close Notepad and minimize all windows so that you can see your Desktop
5. Double-click the Fixer.Reg file to import it into the Windows registry
6. Click OK on the message that says the file was imported successfully.  (If it does not say successful, go to step 1 again)
7. Reboot your computer to ensure that Windows does not autorun from its cache of mounted devices in the MountPoints2 registry key.

This procedure will disable all of the AutoRun code execution scenarios described in this article.  Windows will no longer parse Autorun.INF files to determine which actions to take. This means that software installation CDs and DVDs will no longer run automatically, unfortunately.