By Daniel Armao, Security Advisor
Experts believe that the Conficker worm, which has infected millions of PCs, is programmed to change on April 1st 2009, dangerously increasing the number of domains that infected PCs contact to run an update program. This worm has not delivered a payload yet, but if it does, it could install spyware on the infected machines to steal financial information or conduct a denial of service attack against websites.
The Conficker worm, first discovered on October 2008, infects a PC through a vulnerability in the Windows Server service that was patched by Microsoft Windows security patch MS08-067. (Note that Mac operating systems are not at risk.) The worm tries to find connections to systems that are unprotected by the patch. When it infects a PC, it connects to a rogue web server that is controlled by the Conficker creators.
To protect yourself from Conficker:
· Make sure you update your PC with updates from Microsoft by using the automatic update feature. Network Administrators must make sure to get the latest security updates by Microsoft.
· USB drives may get infected by the Conficker worm if Autorun is not disabled. To prevent a USB infection, PC users can download a patch that allows the option to disable the Autorun functionality: http://support.microsoft.com/kb/967715
· Make sure your PC has active, updated security software and the latest virus signature definition updates to detect:
o In ZoneAlarm, click Antivirus on the left navigation bar, then click the Update Now button. (ZoneAlarm is set to receive virus signature updates several times a day—you can set them to happen hourly by going to the Antivirus panel and clicking Advanced Options.)
o To make sure your product is up-to-date, click Check for Updates on the main panel, lower left corner.
o A strong two-way firewall is also recommended, so a suite that includes a firewall and antivirus is ideal. (For example, ZoneAlarm Antivirus, ZoneAlarm Internet Security Suite, or ZoneAlarm Extreme. Free trials are available.)
· Networks with weak passwords can also allow the Conficker worm to infect systems by the use of brute force software which is designed to guess short and simple passwords. To protect yourself, use long and complex passwords that have at least 6 characters, are unique, and include numbers, upper- case letters, and symbols.
Signs you may be infected with Conficker:
· Windows services are disabled—such as Automatic updates (in System Properties panel), Background Intelligent Transfer Service, and Error Reporting service (in System Properties).
· Some security-related web sites are blocked. This web page loads several of the security sites typically blocked – http://eyechart.sie.isc.org/ — so you can check it to see if you may be infected.
· You experience a slow response from network domain controllers (i.e., slow security authentication request responses)
· Your system restore points are deleted
REMOVAL INSTRUCTIONS FROM ZONELARM TEAM:
To detect and remove the Conficker worm:
· If you do not use ZoneAlarm, please check for removal details at the Web site for your security software.
· If you have ZoneAlarm, click Antivirus on the left navigation bar, then:
1. Click the Update Now button.
2. Click the Scan for Viruses/Spyware button.
3. If the scan results show a virus with any variation of the names conficker, kido or downadup, remove it immediately with our remover tool. Download tool.