Am I infected with the April 1st virus (Conficker C)?

What is the April 1st virus that everyone is talking about and how do I tell if I am infected?

- Kevin

A very stubborn Internet worm known as Conficker (aka Downup, Downadup & Kido) has been in circulation since late 2008 and specifically targets most of Microsoft's operating systems.

The third generation of this pest is being labeled Conficker C and it is far more dubious than the previous two versions.

The primary intent of the Conficker worm family is to infect computers with an agent that will turn them into a 'zombie' on a large network of infected computers referred to as a botnet.

Botnets are a collection of compromised Internet connected computers that can be remotely controlled by a single computer referred to as the command and control center to act as a group.

Once infected, any computer on a botnet can be given instructions from the command center to perform whatever function the remote hacker desires, including sending spam, infecting other computers or tracking keystrokes for the purposes of ID theft.

Conficker C is especially disconcerting because it is specifically designed to bypass and disable hundreds of popular security programs and websites and it has a trigger date of April 1st with a yet unknown payload.

To make things worse, Conficker C is very good at hiding from you and your security programs and has code that allows it to 'evolve' its ability to avoid being detected and removed.

One of the first things it will attempt to do is turn off the automatic updates in Windows because it is exploiting a known hole in Windows. If your computer has not been patched, Conficker can take advantage of the hole and make sure your system doesn't automatically download the patch by disabling your automatic updates.

To check if the automatic updates have been turned off, go to the Windows Control Panel and double click on the Security Center icon to get to the Automatic updates link.

If you find that your automatic updates have been turned off, it doesn't necessarily mean that you are infected. However, if you know that it was previously set to automatically update and now it's turned off, you would be wise to have a technically savvy person do a deeper evaluation of your computer.
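The same check can be scripted, together with a test for the blocked security websites mentioned earlier. The PowerShell below is an added example, not part of the original column; the service names (wuauserv, wscsvc), the AUOptions registry value and the test hostnames are assumptions chosen for illustration, and a finding is a reason for a deeper look rather than proof of infection.

```powershell
# Added example: read-only triage of two symptoms named in the column.
# Service names, registry path and hostnames below are assumptions for illustration.

function Test-NameResolves([string]$HostName) {
    # True when the name resolves to at least one address.
    try { return ([System.Net.Dns]::GetHostAddresses($HostName).Count -gt 0) }
    catch { return $false }
}

function Get-UpdateTamperFindings {
    $findings = @()

    # 1. Automatic Updates (wuauserv) or Security Center (wscsvc) set to Disabled.
    $filter = "Name='wuauserv' OR Name='wscsvc'"
    foreach ($svc in Get-CimInstance -ClassName Win32_Service -Filter $filter) {
        if ($svc.StartMode -eq 'Disabled') {
            $findings += "Service '$($svc.Name)' is disabled (state: $($svc.State))"
        }
    }

    # 2. Legacy Automatic Updates setting; AUOptions = 1 means updates are off.
    #    The value may be absent on newer Windows releases, which is not a finding.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
    $au  = Get-ItemProperty -Path $key -Name AUOptions -ErrorAction SilentlyContinue
    if ($au -and $au.AUOptions -eq 1) {
        $findings += 'Automatic Updates is turned off (AUOptions = 1)'
    }

    # 3. Security/update sites fail to resolve while an unrelated control name works.
    $control  = 'www.example.com'                       # assumed control host
    $security = 'www.symantec.com', 'www.microsoft.com' # assumed test hosts
    if (Test-NameResolves $control) {
        foreach ($name in $security) {
            if (-not (Test-NameResolves $name)) {
                $findings += "Cannot resolve $name although $control resolves"
            }
        }
    } else {
        $findings += 'Control name did not resolve; DNS test is inconclusive'
    }
    return $findings
}

$result = @(Get-UpdateTamperFindings)
if ($result.Count -eq 0) { 'No update-tampering symptoms found.' }
else { $result | ForEach-Object { "FINDING: $_" } }
```

Get-CimInstance requires PowerShell 3.0 or later; the script only reads settings and changes nothing on the machine.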

The rest of the symptoms for detecting Conficker C require a working knowledge of the Windows Registry. Many of the anti-virus and security firms on the Internet have posted very detailed technical instructions for detection and removal (search Google for "Conficker C removal").

If you don't have a tech savvy resource available and are near any of our Data Doctors locations (www.datadoctors.com/locations), we provide free checkups to help those with concerns determine their computer's status.

Your system can get infected in the first place through the usual suspects: e-mail attachments, rogue links in e-mails or on malicious websites, and files downloaded from P2P networks such as Limewire and KaZaa. A more recent trick, however, seems to be where many folks are getting infected.

The popularity of online video and especially YouTube has created a new trick for malware writers to get into your system. If you click on a link that presents itself as a video, but when you go to play the video you get an alert stating that you need to update your "Flash Player" or you need a new 'codec', the chances are real good that it's a trick.

If you routinely view online video and you are suddenly told you need something new to view online videos, especially from a no-name website, be suspicious.

If a message comes up saying you need a new version of the Flash Player, don't accept the file that the website offers as an update. Instead, go to http://get.adobe.com/flashplayer to install the latest version of the free video player, then go back and try viewing the video again.

If the same message comes up with a prompt to download an updated Flash Player, you will know it's a scam for sure.

In the same respect, if you get a message telling you that you need a new 'codec' to view a video, the safe response is to take a pass until someone technical you trust can see if your video playback software is really that old.

Comments
I'm surprised NO ONE has mentioned Symantec's removal tool for this worm. The general name for the worm is Conficker (for configuration f%cker) but it also has the synonymous name of Downadup. There have been three variants of the worm with the current version being C.
Here's the link for Symantec's removal tool. Be sure to read and follow the instructions that go with it, such as disabling system restore and/or going into safe mode before you run the tool.

http://www.symantec.com/security_response/writeup....
# Posted By Jim in Arizona | 3/27/09 6:35 PM
I AM A SENIOR CITIZEN AND I WANT TO KNOW IF IT'S BEST TO JUST UNPLUG MY ENTIRE UNIT AND/OR JUST NOT TURN IT ON AT ALL THAT DAY AND MAYBE FOR A WEEK.
# Posted By Ann | 3/27/09 6:35 PM
How do I find out if the worm is on my computers?
# Posted By Rick Webb | 3/27/09 6:39 PM
Do we just not use our computer that day?
# Posted By Kandi | 3/27/09 6:40 PM
This is from the Symantec (virus removal software company) removal tool instruction page.
-------------------------------------------------------------

When the tool has finished running, you will see a message indicating whether the threat has infected the computer. The tool displays results similar to the following:

* Total number of the scanned files
* Number of deleted files
* Number of repaired files
* Number of terminated viral processes
* Number of fixed registry entries

What the tool does
The Removal Tool does the following:

* Terminates the associated processes
* Deletes the associated files
* Deletes the registry values added by the threat
-------------------------------------------------------------

Here's some more important info on the worm from Symantec's security response website.

http://www.datadoctors.com/help/columns/21709-Am-I...

In it, they state that as long as you're getting the most up-to-date Windows patches via Windows Update, then you're already patched and protected against the worm.

The removal tool provided by Symantec will tell you if you are infected or not. There is no easy way to tell otherwise.

Here's the link for the removal tool.

http://www.symantec.com/security_response/writeup....
# Posted By Jim in Arizona | 3/27/09 6:55 PM
Ooops. Put in the wrong link above. Instead of the datadoctor's link, it was supposed to be:

http://www.symantec.com/norton/theme.jsp?themeid=c...

That is Symantec's webpage for info on the Conficker C worm (the latest incarnation).
# Posted By Jim in Arizona | 3/27/09 6:58 PM
Does this worm cause my computer to go in sleep mode for leaving it on and then when I move the mouse around it does not wake up unless I reboot the computer? And also my AOL has to be rebooted constantly.
# Posted By Regina | 3/27/09 7:06 PM
Actually, removing this from your local computer is not an issue - I followed the steps at http://www.downadup.com (like downloading the Microsoft patch, using a few free tools, etc). This is not rocket science, this is simply making sure your protections are in place.
# Posted By EddieC | 3/28/09 2:20 PM
It's been four days since my computer is out of use, after it was attacked with something, I don't know what it is.
Here is what happened: I just left my computer running and went to bed.
When I woke up in the morning there was a page asking me if I wanted to update for Firefox 3 or something.
I ignored that message and started to connect on the internet but I couldn't ... and my desktop is completely different than before.
I tried a lot and I couldn't even move my cursor really well. Finally I turned off the computer, manually removing all the batteries, and tried to reconnect.
The next thing I found was ... a black screen which says
"my Windows computer is corrupt and if I wanted to fix it I needed to reinstall Windows Rom/disc ... (I don't exactly remember)
and press R to reinstall".
I tried, it didn't work.
Please give some advice on how to fix this problem ... is this the "Conficker C" worm doing this to my computer?
Please help
Eyasu
# Posted By Eyasu | 3/28/09 7:38 PM
Please help me. Whenever I want to visit any anti-virus security website, my Internet Explorer shows "page cannot be displayed" or sometimes it closes down by itself. I mean suddenly, before the site could open, the window disappears. I just can't access any security sites and my Microsoft updates are also turned off --- please tell me, am I infected with "CONFICKER C"?????
Can I remove it if I totally format my laptop? Please, I need urgent help ---- I am soo worried -- :-(
# Posted By cyrus | 5/9/09 4:57 PM
Site contents copyright 2004-2009 by Data Doctors Franchise Systems Inc. All rights reserved.