There’s been a lot of talk about how Conficker is going to create havoc on April 1. Conficker, formally named W32/Conficker.worm, began infecting systems at the end of 2008 by exploiting a vulnerability in Microsoft Windows. Since then McAfee has seen two more variants of this worm and many binaries – files ready to load into memory and execute – that carry the worm’s malicious payload. Conficker.C is the latest variant. Its “call-home protocol” will change on Wednesday, April 1, and may entail an update with some as-yet unknown functionality.
McAfee already offers protection from the Conficker worm in its endpoint and network products, and Microsoft has issued a security patch for the vulnerability that the Conficker family has used to propagate. Yet many computer users continue to worry about infection. The information below will help you understand more about the worm, the steps you can take to clean an infected system, and measures to prevent reinfection.
Symptoms of Conficker infection include the following:
Conficker.C is the most recent variant of the Conficker worm. Exposure to Conficker.C is limited to systems that are still infected with the earlier variants, Conficker.A and Conficker.B, which operate by exploiting the MS08-067 vulnerability in Microsoft Windows Server Service. If the vulnerability is successfully exploited, it could allow remote code execution when file sharing is enabled. Conficker combats efforts at eradication by creating scheduled tasks and/or using autorun.inf files to reactivate itself.
McAfee has identified thousands of binaries that carry the Conficker payload. Depending on the specific variant, the worm may spread via LAN, WAN, web, or removable drives, and by exploiting weak passwords. Conficker disables several important system services and security products, and downloads arbitrary files. Computers infected with the worm become part of an “army” of compromised computers and could be used to launch attacks on websites, distribute spam, host phishing websites, or carry out other malicious activities.
We recommend customers take the following steps to remove W32/Conficker.worm and prevent it from spreading:
|McAfee VirusScan Plus
McAfee Internet Security
McAfee Total Protection
|The latest signature (DAT) files include detection and repair for this worm, if you have performed an update recently you are already covered.|
|ToPS Endpoint & ToPS Service||The signature (DAT) files include detection and repair for this worm
Buffer overflow protection in scan engine and Generic Buffer Overflow in host IPS are expected to cover code-execution exploits. Host IPS also includes signature for “Vulnerability in Server Service Could Allow Remote Code Execution” (CVE-2008-4250)
|Network Security Platform (IntruShield)||Includes coverage for “Microsoft Server Service Remote Code Execution Vulnerability"|
|McAfee Vulnerability Manager (VM)||Includes coverage for MS08-067. Identifies machines vulnerable to infection by Conficker as well as machines infected by Conficker C|
|McAfee Web Gateway (formerly Webwasher)||Includes signature to detect and block the worm at the gateway|
|McAfee SmartFilter||Provides categorization and reputation information for domains associated with the Conficker worm|
|McAfee Conficker Detection Tool||Identifies machines infected by Conficker.C|
Please contact your McAfee representative or channel partner with any questions – call us at 888.847.8766, 24 hours a day, seven days a week.