Anti-Virus Apps
If your computer is configured to use a proxy and you are not able to get access to the Internet directly (e.g., you have to go through the proxy to reach port 80 or 443), will Conficker be able to make a connection to the Internet via the proxy? The analysis I have seen seems to indicate that the Conficker code tries to make the connection itself; what is not clear is whether the Microsoft API it uses to make the connection will automatically connect using the proxy details stored on the computer.
Thanks.
-Rowan
Thanks, please send the article.
http://www.microsoft.com/t
Effect - Upon infection, the worm saves a copy of its DLL form to a random filename in the Windows system folder, then arranges to load itself thereafter at boot as a system service with a randomly-generated name.
The worm then resets System Restore points and disables a number of system services such as Windows Automatic Update, Windows Security Center, Windows Defender and Windows Error Reporting.[12] Processes matching a predefined list of antiviral, diagnostic or system patching tools are watched for and terminated.[13]
Symptoms -
Account lockout policies being reset automatically.
Certain Microsoft Windows services such as Automatic Updates, Background Intelligent Transfer Service (BITS), Windows Defender and Error Reporting Services disabled.
Domain controllers responding slowly to client requests.
System network becoming unusually congested.
Websites related to antivirus software becoming inaccessible.[14]
http://en.wikipedia.org/wi
Listening when time permits with best wishes - Asta






http://blogs.technet.com/mmpc/archive/2009/03/27/information-about-worm-win32-conficker-d.aspx
McAfee product coverage has been updated for W32/Conficker.worm.gen.b.
From this source - cut/paste here:
Symptoms -
File, registry, and network communication referenced in the characteristics section.
Access to admin shares denied
Scheduled tasks being created
Access to security related web sites is blocked.
Method of Infection -
This worm exploits the MS08-067 Microsoft Windows Server Service vulnerability in order to propagate. Machines should be patched and rebooted to protect against this worm re-infecting the system after cleaning. Upon detection of this worm the system should be rebooted to clean memory correctly. May require more than one reboot. Scheduled tasks have been seen to be created on the system to re-activate the worm.
Removal -
Users infected by W32/Conficker.worm should perform an On Demand Scan to remove remnants of the worm in memory using the latest DATs.
Upon detection of W32/Conficker!mem and REBOOT, the W32/Conficker.worm malware components will be removed.
Overview -
-- Update February 26, 2009 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.infopackets.com/news/security/2009/20090225_new_conficker_b++_worm_discovered_more_stealth.htm
-- Update February 26, 2009 --
A new variation of Conficker has been identified. In addition to some minor code optimizations this variant (sometimes referred to as Conficker B++ or Win32/Conficker.c) includes an additional backdoor service as well as some minor changes to the netapi32.dll patch that is applied after infection. The updated Conficker variant is detected by McAfee as W32/Conficker.worm.gen.b
This detection is for a worm that exploits the MS08-067 vulnerability that exists in Microsoft Windows Server Service, which may allow for remote code execution. The flaw lies in the improper handling of specially-crafted (malicious) RPC requests.
Characteristics -
When executed, the worm copies itself using a random name to the %Sysdir% folder.
(Where %Sysdir% is the Windows system folder; e.g. C:\Windows\System32)
It modifies the following registry key to create a randomly-named service on the affected system:
HKEY_LOCAL_MACHINE\SYSTEM\
ServiceDll = "Path to worm"
HKEY_LOCAL_MACHINE\SYSTEM\
ImagePath = %SystemRoot%\system32\svch
Attempts connections to one or more of the following websites to obtain the public IP address of the affected computer.
hxxp://www.getmyip.org
hxxp://getmyip.co.uk
hxxp://checkip.dyndns.org
hxxp://whatsmyipaddress.co
Attempts to download a malware file from the remote website: (Rogue Russian site is up but not serving file anymore)
hxxp://trafficconverter.bi
Adds an entry to the run key to load on system startup.
HKEY_LOCAL_MACHINE\Softwar
rundll32.exe "%Malware Path%"/[Random]
HKEY_CURRENT_USER\Software
rundll32.exe "%Malware Path%"[Random]
Continuously scans the subnet of the infected host for vulnerable machines and executes the exploit. If the exploit is successful, the remote computer will then connect back to the http server and download a copy of the worm.
Attempts to block access to various security related web sites, selected by strings in their primary domains.
Creates Windows scheduled tasks to load itself using rundll32
Starts a HTTP server on a random port on the infected machine to host a copy of the worm.
Source for more - http://vil.nai.com/vil/con
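
An added example, not part of the original posts or of the vendor write-up: where clients can only reach the web through a proxy, requests to the public-IP lookup sites listed above that do pass through it are recorded in the proxy's access log, so that log can be searched for internal hosts querying several of them. The Squid native log layout, the sample lines and the two-service threshold are assumptions made for the example.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Public-IP lookup hosts named in the write-up above (the fourth entry is
# truncated on the page and is deliberately left out).
IP_LOOKUP_HOSTS = {"www.getmyip.org", "getmyip.co.uk", "checkip.dyndns.org"}

# Constructed sample in Squid's native access.log layout (an assumption about
# the proxy in use): time elapsed client code/status bytes method URL ...
SAMPLE_LOG = """\
1238140801.113 120 10.0.4.17 TCP_MISS/200 412 GET http://www.getmyip.org/ - DIRECT/192.0.2.10 text/html
1238140802.540 98 10.0.4.17 TCP_MISS/200 390 GET http://checkip.dyndns.org/ - DIRECT/192.0.2.11 text/html
1238140803.002 101 10.0.4.17 TCP_MISS/200 401 GET http://getmyip.co.uk/ - DIRECT/192.0.2.12 text/html
1238140900.771 230 10.0.4.52 TCP_MISS/200 9120 GET http://www.example.com/news - DIRECT/192.0.2.20 text/html
1238141000.019 87 10.0.4.60 TCP_MISS/200 390 GET http://checkip.dyndns.org/ - DIRECT/192.0.2.11 text/html
1238141100.300 15 10.0.4.52 TCP_DENIED/407 1800 CONNECT update.example.com:443 - NONE/- text/html
garbage line
"""

def url_host(method, target):
    """Return the lower-cased host of a logged request target."""
    if method == "CONNECT":            # logged as host:port, no scheme
        return target.rsplit(":", 1)[0].lower()
    return (urlsplit(target).hostname or "").lower()

def lookup_hits(log_text):
    """Map client IP -> set of IP-lookup hosts it requested via the proxy."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:            # skip malformed or truncated lines
            continue
        client, method, target = fields[2], fields[5], fields[6]
        host = url_host(method, target)
        if host in IP_LOOKUP_HOSTS:
            hits[client].add(host)
    return hits

def suspects(log_text, min_services=2):
    """Clients that queried at least min_services distinct lookup hosts."""
    return sorted(c for c, hosts in lookup_hits(log_text).items()
                  if len(hosts) >= min_services)

if __name__ == "__main__":
    for client in suspects(SAMPLE_LOG):
        print(client, sorted(lookup_hits(SAMPLE_LOG)[client]))
```

A single lookup from one workstation is common user behaviour, which is why the threshold counts distinct services per client rather than individual requests.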

Anti-virus software was originally developed to detect and remove computer viruses. However, with the proliferation of other kinds of malware, antivirus software started to provide protection from other computer threats. In particular, modern antivirus software can protect from malicious browser helper objects (BHOs), browser hijackers, ransomware, keyloggers, backdoors, rootkits, trojan horses, worms, malicious layered service providers (LSPs), dialers, fraud tools, adware and spyware. Some products also include protection from other computer threats, such as infected and malicious URLs, spam, scam and phishing attacks, online identity theft (privacy), online banking attacks, social engineering techniques, Advanced Persistent Threat (APT), botnets and DDoS attacks.