I haven't seen this mentioned yet, and thought I would post some information in case you have not heard about this yet. There is a lot of talk currently about a worm commonly called April 1 Virus, officially known as:
Net-Worm.Win32.Kido
Worm:W32/Downadup.gen (F-Secure)
Worm:Win32/Conficker (Microsoft)
Mal/Conficker (Sophos)
W32/Conficker.worm.gen (Symantec)
The most commonly discussed aspect of this worm is that its purpose is not currently known. The program belongs to a newer class of self-updating software, with features that make it hard for researchers to determine its true purpose. At this time, all that is known for sure is that the virus is hard-coded to download a patch on April 1, which is expected to contain at the very least extensive hardening instructions to make removal from already infected machines much more difficult. In addition, new infection methods, botnet functionality and more may be added. It is also expected that the virus will disable Windows and anti-virus updates.
Update: F-Secure has reported that Conficker.C does disable installation of several common anti-virus products.
This worm is highly communicable, using a variety of exploits to target Windows XP and Windows Vista computers. The most common source of infection is through visiting hacked websites or downloading infected software or plugins. However, this software also exploits Windows Networking technologies to infect any unprotected computer on the same local network.
There are several common-sense preventative steps that should be taken to prevent infection. The first step is to ensure that your version of Windows is up to date. Microsoft has patched the vulnerability, and has updated their malware removal tools to detect and attempt removal of the malware. It is also essential that computers have strong 2-way software firewalls installed (Windows Firewall is a 1-way firewall). These firewalls will not only prevent the spread of Conficker on internal networks, they will also prevent the dial-out and update functionality of the virus. Additionally, it is essential that anti-virus be installed and up to date.
Expected and Projected Activity on April 1
The architecture of Conficker.C indicates that on April 1, each computer will attempt to contact over fifty thousand domains. This is an attempt to disguise the "home" domain and prevent security countermeasures. One of these domains will go live and make available an update to the virus containing additional instructions for the software.
It is possible internal networks that have been infected will experience network slowdowns from the increased traffic. Spikes in traffic may make it easier to identify infected systems; however, those infected systems will likely be harder to clean after the update.
Sporadic DNS outages may be possible as infected computers make repeated requests for thousands of domains. Alternate DNS server information should be available for failover if possible.
What to do if you are infected?
The following sites have information about the virus as well as removal information.
I will be posting more information on my blog as it becomes available.
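
The point above about lookup spikes making infected systems easier to identify, as an added example that is not part of the original post: a sketch that flags clients on an internal network which query an unusually large number of distinct domains with mostly failed lookups. The log format (`<epoch> <client_ip> <qname> <rcode>`), the thresholds, and all addresses and names are assumptions constructed for illustration.

```python
from collections import defaultdict

def build_sample_log():
    """Constructed sample DNS query log (not real traffic)."""
    normal = ["intranet.example.test", "mail.example.test", "updates.example.test"]
    lines = [f"{1000 + i} 10.0.0.21 {normal[i % 3]} NOERROR" for i in range(40)]
    # A host sweeping many never-repeated names, nearly all of which fail to resolve.
    for i in range(300):
        rcode = "NOERROR" if i == 150 else "NXDOMAIN"
        lines.append(f"{1000 + i} 10.0.0.57 host{i:05d}.example.invalid {rcode}")
    lines.append("garbage line without the expected fields present")
    return lines

def parse(line):
    """Return (ts, client, qname, rcode), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 4 or not parts[0].isdigit():
        return None
    ts, client, qname, rcode = parts
    return int(ts), client, qname.lower().rstrip("."), rcode.upper()

def suspicious_clients(lines, window=3600, min_unique=100, min_fail_ratio=0.8):
    """Map client -> (distinct names, NXDOMAIN ratio) for the worst window
    in which the client exceeds both thresholds (assumed values, tune locally)."""
    buckets = defaultdict(lambda: {"names": set(), "total": 0, "failed": 0})
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, client, qname, rcode = rec
        b = buckets[(client, ts // window)]
        b["names"].add(qname)
        b["total"] += 1
        b["failed"] += rcode == "NXDOMAIN"
    flagged = {}
    for (client, _), b in buckets.items():
        unique, ratio = len(b["names"]), b["failed"] / b["total"]
        if unique >= min_unique and ratio >= min_fail_ratio:
            if client not in flagged or unique > flagged[client][0]:
                flagged[client] = (unique, round(ratio, 3))
    return flagged

if __name__ == "__main__":
    for client, (unique, ratio) in suspicious_clients(build_sample_log()).items():
        print(f"{client}: {unique} distinct names, {ratio:.1%} NXDOMAIN")
```

Counting distinct names rather than total queries keeps a busy but healthy resolver client from being flagged, and the failure ratio separates a domain sweep from heavy legitimate browsing.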