US-CERT - Conficker Worm

National Cyber Alert System - Cyber Security Alert SA09-088A

Conficker Worm Targets Microsoft Windows Systems

Original release date: March 29, 2009

Last revised: March 30, 2009

Source: US-CERT

Systems Affected

Microsoft Windows

Overview

US-CERT is aware of public reports indicating a widespread infection of the Conficker/Downadup worm, which can infect a Microsoft Windows system from a thumb drive, a network share, or directly across a corporate network, if the network servers are not patched with the MS08-067 patch from Microsoft.

Solution:

Instructions, support and more information on how to manually remove a Conficker/Downadup infection from a system have been published by major security vendors. Please see below for a few of those sites. Each of these vendors offers free tools that can verify the presence of a Conficker/Downadup infection and remove the worm:

Symantec:

http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-011316-0247-99

Microsoft:

Microsoft PC Safety hotline at 1-866-PCSAFETY, for assistance.

US-CERT encourages users to prevent a Conficker/Downadup infection by ensuring all systems have up-to-date anti-virus software, the MS08-067 patch, and disable the AutoRun function in Windows: http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

Disable AutoRun functionality: http://www.us-cert.gov/cas/techalerts/TA09-020A.html

Description

Home users can apply a simple test for the presence of a Conficker/Downadup infection on their home computers. The presence of a Conficker/Downadup infection may be detected if a user is unable to surf to their security solution website or if they are unable to connect to the websites, by downloading detection/removal tools available free from those sites:

If a user is unable to reach any of these websites, it may indicate a Conficker/Downadup infection. The most recent variant of Conficker/Downadup interferes with queries for these sites, preventing a user from visiting them. If a Conficker/Downadup infection is suspected, the system or computer should be removed from the network or unplugged from the Internet - in the case for home users.

References

Microsoft Windows Malicious Software Removal Tool -

http://www.microsoft.com/downloads/details.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356

Microsoft Updates Website -

http://update.microsoft.com/microsoftupdate/

US-CERT Technical Cyber Security Alert TA09-088A -

http://www.us-cert.gov/cas/techalerts/TA09-088A.html

Virus alert about the Win32/Conficker.B worm -

http://support.microsoft.com/kb/962007

The Conficker Worm -

http://www.symantec.com/norton/theme.jsp?themeid=conficker_worm

W32/Conficker.worm -

http://us.mcafee.com/root/campaign.asp?cid=54857

Microsoft Automatic Updates -

http://www.microsoft.com/windows/downloads/windowsupdate/automaticupdate.mspx

The most recent version of this document can be found at:

http://www.us-cert.gov/cas/alerts/SA09-088A.html

Revision History

March 29, 2009: Initial release

March 30, 2009: Included additional details

News & Events

Several new blog posts

October 11th, 2011

We have recently added some new posts to our blog. http://blog.meganet.net

Hurricane Irene

August 25th, 2011

We recently posted a summary of hurricane preparedness on our blog site http://blog.meganet.net/blog/2011/08/hurricane-irene/

Phishing Email Alert

June 5th, 2011

On Saturday, June 4th, customers may have received an e-mail claiming to be from MegaNet/Cape.com. This e-mail requested information such as a username, password, date of birth, and country where you reside. Please be advised that this message was a phishing scam and was not from MegaNet/Cape.com.

US-CERT - Conficker Worm

Conficker Worm Targets Microsoft Windows Systems

News & Events

Several new blog posts

Read More

Hurricane Irene

Read More

Phishing Email Alert

Read More

509 Falmouth Road, Mashpee, MA • 508-539-9500