The Conficker Worm: Signs, Protection, and Removal

By Daniel Armao, Security Advisor

Experts believe that the Conficker worm, which has infected millions of PCs, is programmed to change its behaviour on April 1st 2009, sharply increasing the number of domains that infected PCs contact to look for an update. The worm has not delivered a payload yet, but if it does, it could install spyware on infected machines to steal financial information, or use them to conduct a denial of service attack against websites.

The Conficker worm, first discovered in October 2008, infects a PC through a vulnerability in the Windows Server service that Microsoft fixed in security patch MS08-067. (Note that Mac operating systems are not at risk.) The worm scans for systems that have not applied the patch. Once it infects a PC, it connects to a rogue web server controlled by the Conficker creators.

To protect yourself from Conficker:

· Make sure your PC receives updates from Microsoft by using the automatic update feature. Network administrators must make sure their systems have the latest Microsoft security updates.

· USB drives may get infected by the Conficker worm if Autorun is not disabled. To prevent a USB infection, PC users can download a patch that adds the option to disable the Autorun functionality: http://support.microsoft.com/kb/967715

· Make sure your PC has active, updated security software and the latest virus signature definition updates so it can detect the worm:

o In ZoneAlarm, click Antivirus on the left navigation bar, then click the Update Now button. (ZoneAlarm is set to receive virus signature updates several times a day; you can set them to happen hourly by going to the Antivirus panel and clicking Advanced Options.)

o To make sure your product is up-to-date, click Check for Updates on the main panel, lower left corner.

o A strong two-way firewall is also recommended, so a suite that includes a firewall and antivirus is ideal. (For example, ZoneAlarm Antivirus, ZoneAlarm Internet Security Suite, or ZoneAlarm Extreme. Free trials are available.)

· Networks with weak passwords can also let the Conficker worm infect systems: it uses brute-force software designed to guess short and simple passwords. To protect yourself, use long and complex passwords that have at least 6 characters, are unique, and include numbers, upper-case letters, and symbols.

Signs you may be infected with Conficker:

· Windows services are disabled, such as Automatic Updates (in the System Properties panel), Background Intelligent Transfer Service, and the Error Reporting service (in System Properties).

· Some security-related web sites are blocked. The page at http://eyechart.sie.isc.org/ loads images from several of the security sites Conficker typically blocks, so you can open it to check whether you may be infected.

· You experience slow responses from network domain controllers (i.e., slow responses to security authentication requests).

· Your System Restore points are deleted.
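The protection steps and infection signs above can be checked from an administrator prompt without changing anything on the machine. The following PowerShell script is an added example, not code from the original post or from ZoneAlarm; it assumes Windows XP/Vista/7 with PowerShell 2.0, that MS08-067 ships as hotfix KB958644, that the Autorun policy is the NoDriveTypeAutoRun value under the Explorer policy key (0xFF disables it for all drive types), and the list of vendor sites is a constructed sample.

```powershell
# Added example (not from the original post): read-only check for the
# Conficker protection steps and infection signs described in the post.
# Assumptions: run as Administrator on XP/Vista/7, PowerShell 2.0;
# MS08-067 = KB958644; Autorun policy = NoDriveTypeAutoRun (0xFF = off);
# the site list below is a constructed sample, not an authoritative list.

$findings = @()

# 1. Is the MS08-067 patch present? Unpatched hosts are the worm's entry point.
$patch = Get-HotFix -ErrorAction SilentlyContinue |
    Where-Object { $_.HotFixID -eq 'KB958644' }
if (-not $patch) { $findings += 'MS08-067 (KB958644) not installed: run Windows Update.' }

# 2. Is Autorun disabled for all drive types? (USB spread vector, see KB967715)
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$autorun = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
if ($autorun -ne 0xFF) {
    $findings += "Autorun not fully disabled (NoDriveTypeAutoRun = $autorun)."
}

# 3. Services the post lists as disabled by Conficker: Automatic Updates,
#    BITS and Error Reporting (ERSvc on XP, WerSvc on Vista/7).
foreach ($name in 'wuauserv', 'BITS', 'ERSvc', 'WerSvc') {
    $svc = Get-WmiObject Win32_Service -Filter "Name='$name'"
    if ($svc -and $svc.StartMode -eq 'Disabled') {
        $findings += "Service $name ($($svc.DisplayName)) is set to Disabled."
    }
}

# 4. Can security-related sites still be resolved? The worm blocks lookups
#    for vendor names; a failure here on an otherwise working network is a sign.
foreach ($site in 'update.microsoft.com', 'www.symantec.com', 'www.zonealarm.com') {
    try { [System.Net.Dns]::GetHostAddresses($site) | Out-Null }
    catch { $findings += "DNS lookup for $site failed; possible Conficker block." }
}

# 5. Are System Restore points still present?
$points = @(Get-ComputerRestorePoint -ErrorAction SilentlyContinue)
if ($points.Count -eq 0) { $findings += 'No System Restore points found.' }

if ($findings.Count -eq 0) { 'No Conficker indicators found.' }
else { $findings | ForEach-Object { "WARNING: $_" } }
```

A warning from any single check is not proof of infection (Autorun is often left enabled, and restore points may simply have been cleared), but several together match the pattern the post describes and warrant a full scan with updated definitions.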

REMOVAL INSTRUCTIONS FROM THE ZONEALARM TEAM:

To detect and remove the Conficker worm:

· If you do not use ZoneAlarm, please check the web site for your security software for removal details.

· If you have ZoneAlarm, click Antivirus on the left navigation bar, then:

1. Click the Update Now button.

2. Click the Scan for Viruses/Spyware button.

3. If the scan results show a virus with any variation of the names conficker, kido or downadup, remove it immediately with our remover tool.

22 Reader Comments to “The Conficker Worm: Signs, Protection, and Removal”

  1. Mikael

    Latest ZoneAlarm patch, 035 or something, which I downloaded yesterday, gave my poor computer palsy. Some ZoneAlarm component tried and failed to initialize and then retried all the time. So the firewall didn’t work and the computer was all but frozen. Finally managed to uninstall the whole program and had to reinstall it again from an older update. I think I prefer the Conficker whatsit to that update.

  2. Peter

    Yes, like the last poster, patch 035 made my computer just weird. First it shut down ZA and tried to reboot as an ordinary upgrade, but then after reboot my PC went to hibernate and wouldn’t start. It froze and doesn’t even boot to Windows. Safe mode (F8) doesn’t help either because something blocked that.
    My only solution was to start XP with my CD and soft format and do a repair…
    What is this? Is the patch not official, or just a quick job from ZA which isn’t quite programmed from the start? It almost ruined my computer…

  3. Erica Linder

    I, too, had a similar problem to Mikael’s. I downloaded and installed the newest update and then I restarted the computer. When the computer came back up, Zone Alarm said it was initializing but was just stuck. I restarted again, same thing. I then tried to revert to an older installation, that was stuck too. Finally I tried installing the latest download again and it worked that time after I restarted.

  4. Kitty Conrad

    My computer had a popup screen waiting for me this morning (4/2), ostensibly from Zone Alarm. It said Zone Alarm had some new update to further combat Conficker. I was suspicious and told it to wait one day to remind me again (I couldn’t just “x” out of the popup). Then I opened Zone Alarm and asked it to go get latest updates. It said I already had the latest updates. Anybody know if this popup was Conficker and I have a problem, or was it just belt-and-suspenders safety that really was from Zone Alarm?

  5. Kevin

    What I did to my ZoneAlarm: I uninstalled ZoneAlarm, downloaded the patch and installed the 0.35 patch again. So far so good for my computer.

  6. I always turn off automatic updates, and instead of ‘manually’ getting them, I just go to the website (for ZA Internet Security Suite) and look for any updates and download them directly from there. I also got that notification for an automatic update and got suspicious because it (ZA) never asks me. So, I just told it to remind me in 1 day and instead just updated my anti-virus and anti-spam. The message never came back today. But the bottom line is that something made it notify me. I have an ultra-secure machine, and don’t understand how this notice snuck in on me. However, I didn’t fall for it as the folks up above apparently did.

  7. Mikael

    Fall Schmall… If you click “Check for updates” in your program it pops up too. So most likely sloppy work. Don’t the Zonealarm folks check their own blog? I’d like to get a comment from them instead of paranoid internet users.

  8. ZoneAlarm

    ZoneAlarm did indeed just push out a product update for Conficker—the pop-up notice from ZoneAlarm is real.
    If you have any problems, please do not hesitate to contact Customer Service for download and licensing issues…
    http://www.zonealarm.com/security/en-us/support/zonealarm-customer-service.htm
    …or Technical Support for more complex issues:
    http://www.zonealarm.com/security/en-us/support/technical-support.htm

  9. I always love ZoneAlarm products; they totally rule over anything I have ever seen in my life. ZoneAlarm, keep up the good work, I’ll be looking forward to more of your future products. Keep them damn hackers, viruses and threats out permanently. Give them hell!!!

  10. Brian Pugh

    I have to say that these 035 symptoms happened on my heavily protected system too. However it’s not the first time; the last update had the same effect which appeared to sort itself out after a few days, so here’s hoping. I found the (eventual) comment from the Support Team very unhelpful. How about sending a fix rather than expecting CUSTOMERS to e-mail them; better still, test the upgrades properly BEFORE they go out!
    I’ve used Zone Alarm since it was first issued, but I am not a happy customer at the moment – I’ve spent two days trying to bypass this issue and am still trying to decide whether it will be necessary to re-format my disk and start all over again (another two days, probably)!

  11. D.Sutton

    Dear ZoneAlarm,
    I too have had problems with the Conficker download. It blocks my broadband, so I have to use System Restore. Danny

  12. ZoneAlarm

    To those blogging about problems converting to the conficker update we sent out, I’m sorry for the issues you ran into. You shouldn’t have to go through this bad experience, and we are working to address the issue. And that’s not a canned response – we actually have two developers investigating the updating issue that some of you experienced so we can fix it. My advice for those of you who have had issues: 1) Back up all of your settings from the Overview panel of ZoneAlarm. This creates an XML file with your settings. 2) When you install a new version of ZoneAlarm over an old version, choose the “clean install” option which will delete your previous settings. 3) After install, go back to the Overview panel and restore the XML file you’d saved previously to get your settings back.
    Doing this should prevent the issue you had from recurring until we get this issue addressed later this year.
    Thanks, and sorry again for the trouble we caused you.

  13. charlie powers

    it’s time for refunds and apologies zone alarm staff. I am being denied access to my own folders after installing your update for conficker. norton’s ain’t looking so bad now…. :-(

  14. Brian Pugh

    So, I’ve gone into the Overview Panel.
    Is there a list of settings to backup? – No.
    Is there an option to backup any settings wherever they are? – No.
    So, question 1, how exactly should we back up these settings?
    Question 2, how do we recover the settings which were screwed by the update?
    Question 3, (and this is vital to me) how can I regain access to my local network shared resources now that Network Magic has been completely (and apparently permanently) disabled. I’ve tried everything I know (and I know quite a lot about networking) and still can’t get at my files and printers, or get Network Magic to repair its connection.
    Still an unhappy customer

  15. ZoneAlarm

    In the left nav bar, click “Preferences” under Overview. The Backup and the Restore settings functions are on the Overview > Preferences panel.
    Support:
    http://www.zonealarm.com/security/en-us/support/technical-support.htm
    **You can get a link to free support through chat or email at the bottom of every knowledgebase article.**

  16. B.Witt

    This original blog post, and the link regarding the Conficker Worm on the ZoneAlarm home page, both were written before the update was pushed out. Yet, other than in the comments on this blog, there’s nowhere to learn anything about this update, which contradicts the information in the original blog post and the homepage link (i.e. that all you need to do is update from the antivirus update button in the program).
    Why can’t ZoneAlarm provide up-to-date, consistent information?

  17. ZoneAlarm

    The blog post was by a guest blogger (not an employee of ZoneAlarm).
    The removal instructions added to the blog post were written by ZoneAlarm while the update was being prepared. The update adds stronger Conficker detection. The instructions provided tell you to update both your product AND your virus definitions.

  18. Bob Pierce

    I have similar problems after updating on April Fools’ Day: 1) vsmon starts, uses 60-90% of CPU and dies every 9-10 secs; 2) hovering the mouse over the tray icon shows the message ‘Protection is up, UI is initializing’; 3) right-clicking the tray icon does nothing – no menu, no control panel. Tried to reload an older version and the update said it could not proceed. Any later news, ZoneAlarm?

  19. I have just now read these blogs after spending the last three days hard booting my computer a hundred times to regain control of my system. I too am not a happy camper! Especially after paying you plenty over the last several years for your internet security suites! I even e-mailed customer care and got an automatic response but no actual reply. Then I receive a disc in the mail with no explanation. You better improve, and real quick or I will be going elsewhere!

  20. I have multiple ZA licenses on about 10 PCs and I’ve already uninstalled ZA on various machines and installed Norton Internet Security. I have also been a ZA user right from the beginning, but lately it’s just too much hassle to insist on something that doesn’t seem to get the job done. So far, Norton has been performing 100%.

  21. I think the guy who made this Conficker virus is a genius.

  22. Dwayne

    For the persons that are not sure about ZoneAlarm, listen up. I’ve used Norton AV Suite, Symantec Server edition, McAfee, and AVG IS Suite. With Norton (AKA Symantec also) neither would detect a test file unless I executed it. The same for AVG. McAfee worked pretty well with the Melissa virus until they updated and spammed your screen trying to get you to buy products while you were offline. ZoneAlarm may cause you a little grief but is by far the better product. If you have trouble installing or updating, look into doing a clean uninstall, reboot twice and reinstall. Saving your ZA configuration file prior to this may help. Worked for me…
