Friday, March 27, 2009

April 1st Confickr Worm Threat

** Critical Notice **

April 1st Confickr Worm Threat

Next Wednesday, April Fools' Day, millions of computers already infected by the Conficker worm (so-called "bots") are expected to contact their controlling machines for orders and may then be leveraged in malicious activity. Once those orders are received, the infected computers may be used to send out malware, e-mail scams/spam, or viruses, or to steal information from the affected host. A computer must already be infected by the Conficker worm to take part in this potential April 1st activity.

If you are unsure whether your Windows machine is infected by the Conficker worm, scan it with an anti-virus product. Anti-virus signatures that detect Conficker worm activity are available.

** Please note: Windows machines that have the MS08-067 update installed are not affected by this threat. This patch was released in October 2008. **

The Conficker worm (aka DownAdUp/DownUp/Kido) spreads primarily through a buffer overflow vulnerability in the Server Service on Windows-based computers. The worm sends a specially crafted RPC request to execute its code on the target computer. Once running on the system, it disables a number of system services such as Windows Automatic Updates, Windows Security Center, Windows Defender, Windows Error Reporting, and possibly other anti-malware/anti-virus protection programs. The worm also receives orders from a command server that can tell it to download more malware, steal information, or spread to other systems. Some of the system processes into which the Conficker worm is known to inject itself are svchost.exe, explorer.exe, and services.exe.
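The two host-side indicators the notice describes, the presence of the MS08-067 update and the state of the protective services the worm disables, can be checked with a short triage script. The following is an added example and not part of the original notice; it assumes the standard Windows service names for the components listed above (wuauserv, wscsvc, WinDefend, ERSvc/WerSvc) and uses the hotfix identifier KB958644, which is the Knowledge Base number Microsoft assigned to the MS08-067 update.

```powershell
# Added example (not from the original notice): defender-side triage for the
# indicators described above on a single Windows host.
#   1. Is the MS08-067 hotfix (KB958644) present in the installed-updates list?
#   2. Are the services the worm is known to disable still running?

$Ms08067Kb = 'KB958644'

# Component named in the notice -> short service name.
# Assumption: standard Windows service names; ERSvc is the XP/2003 Error
# Reporting service, WerSvc the Vista/2008 one. Missing services are skipped.
$ProtectiveServices = @{
    'Windows Automatic Updates' = 'wuauserv'
    'Windows Security Center'   = 'wscsvc'
    'Windows Defender'          = 'WinDefend'
    'Windows Error Reporting'   = 'ERSvc'
    'Windows Error Reporting (Vista+)' = 'WerSvc'
}

function Test-Ms08067Installed {
    # Win32_QuickFixEngineering is available on PowerShell 1.0 as well,
    # where the Get-HotFix cmdlet does not yet exist.
    $fix = Get-WmiObject -Class Win32_QuickFixEngineering |
           Where-Object { $_.HotFixID -eq $Ms08067Kb }
    return ($fix -ne $null)
}

function Get-StoppedProtectiveServices {
    $findings = @()
    foreach ($entry in $ProtectiveServices.GetEnumerator()) {
        $svc = Get-Service -Name $entry.Value -ErrorAction SilentlyContinue
        if ($svc -eq $null) { continue }          # not present on this OS version
        if ($svc.Status -ne 'Running') {
            $findings += New-Object PSObject -Property @{
                Component = $entry.Key
                Service   = $entry.Value
                Status    = $svc.Status
            }
        }
    }
    return $findings
}

if (Test-Ms08067Installed) {
    Write-Output "MS08-067 ($Ms08067Kb) is installed; the RPC propagation vector is closed."
} else {
    Write-Warning "MS08-067 ($Ms08067Kb) was not found; install it via Windows Update."
}

# Force an array so .Count is valid even when nothing or one item is returned.
$stopped = @(Get-StoppedProtectiveServices)
if ($stopped.Count -eq 0) {
    Write-Output "All monitored protective services are running."
} else {
    Write-Warning "Protective services not running (consistent with, but not proof of, infection):"
    $stopped | Format-Table Component, Service, Status -AutoSize
}
```

Run it from an elevated PowerShell prompt. A stopped Security Center or Automatic Updates service is only a lead: an administrator may have disabled it deliberately, so confirm with an up-to-date anti-virus scan as the notice recommends. Conversely, the hotfix check can report a false negative on an installation whose service pack or image already integrated the fix, since integrated fixes do not appear as separate QuickFixEngineering entries; Windows Update remains the authoritative check for patch status.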

** If you do not have the MS08-067 patch installed, it can be downloaded from Microsoft via the Security Bulletin link below or installed through Windows Update. If your Windows machine is infected by the Conficker worm, you can download the Microsoft removal tool from the second link. **

http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

http://www.microsoft.com/security/malwareremove/default.mspx

It is important to note that this worm's network propagation method has been detectable on the network since October 2008, when the patch was released. Other propagation methods that may not be detectable on the network include any writable media plugged into an infected system, such as a USB drive.