Reefscape
03-19-2009, 5:06 PM
Taken from....
http://www.securitypronews.com/insiderreports/insider/spn-49-20090319WormSetForAprilFoolsDayLaunch.html
Security researchers have sent out notice about a worm set to hit the wild on April 1, making the situation no laughing matter. Conficker.C, the latest variant of Conficker.A and Conficker.B-both of which have been shut down by some crafty reverse engineering-isn't quite as nasty as its predecessors, in the same way Lil Kim isn't quite as nasty as 2 Live Crew.
If you got that joke, you're getting old.
Researchers at CA (http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=77976)(Computer Associates) haven't been successful in shutting down this newest variant, but have looked at the code to discover it is set to launch itself en masse on April Fools Day. But we're guessing it won't be a trick.
What makes this worm particularly nasty is the way it disables everything on a computer designed to fight it. Like HIV in humans, it attacks the computer's immune systems. It blocks security-related websites, especially from Microsoft. It terminates system security services like Security Center, Windows Defender, Automatic Updates, Background Intelligent Transfer Service, Error Reporting Service, and Windows Error Reporting Service. It copies itself into Windows NT, Windows Media Player, Internet Explorer, and Movie Maker directories.
Conficker.C resets all system restore points, deletes any saved system restore points, downloads component files using time-based generated URLs, generates 50,000 URLs and reports back to 500 of them. It sets read only, hidden and system file attributes, generates a file creation/access time-stamp based on "kernel132.dll, creates access control entries, and exclusively locks files to restrict access and privileges and to prevent removal.
Pretty nasty, right?
Other security companies have labeled this same worm Win32/Conficker.D (MS OneCare), W32/Confick-G (Sophos), and Trojan.Win32.Pakes.ngs (Kapersky). If you've got it on your machine the only way you might know is if your computer suddenly accesses one of several popular sites like Ask.com, Baidu, Facebook, Google, Imageshack.us, rapidshare.com, W3.org, or Yahoo. This is how the worm tests for Internet connectivity.
http://www.securitypronews.com/insiderreports/insider/spn-49-20090319WormSetForAprilFoolsDayLaunch.html
Security researchers have sent out notice about a worm set to hit the wild on April 1, making the situation no laughing matter. Conficker.C, the latest variant of Conficker.A and Conficker.B-both of which have been shut down by some crafty reverse engineering-isn't quite as nasty as its predecessors, in the same way Lil Kim isn't quite as nasty as 2 Live Crew.
If you got that joke, you're getting old.
Researchers at CA (http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=77976)(Computer Associates) haven't been successful in shutting down this newest variant, but have looked at the code to discover it is set to launch itself en masse on April Fools Day. But we're guessing it won't be a trick.
What makes this worm particularly nasty is the way it disables everything on a computer designed to fight it. Like HIV in humans, it attacks the computer's immune systems. It blocks security-related websites, especially from Microsoft. It terminates system security services like Security Center, Windows Defender, Automatic Updates, Background Intelligent Transfer Service, Error Reporting Service, and Windows Error Reporting Service. It copies itself into Windows NT, Windows Media Player, Internet Explorer, and Movie Maker directories.
Conficker.C resets all system restore points, deletes any saved system restore points, downloads component files using time-based generated URLs, generates 50,000 URLs and reports back to 500 of them. It sets read only, hidden and system file attributes, generates a file creation/access time-stamp based on "kernel132.dll, creates access control entries, and exclusively locks files to restrict access and privileges and to prevent removal.
Pretty nasty, right?
Other security companies have labeled this same worm Win32/Conficker.D (MS OneCare), W32/Confick-G (Sophos), and Trojan.Win32.Pakes.ngs (Kapersky). If you've got it on your machine the only way you might know is if your computer suddenly accesses one of several popular sites like Ask.com, Baidu, Facebook, Google, Imageshack.us, rapidshare.com, W3.org, or Yahoo. This is how the worm tests for Internet connectivity.