Conficker is Stirring - Check Here 2-C If U Have It
Just because you don't see anything doesn't mean it is not there logging your keystrokes and stealing your passwords.
This is a quote from Warrior Paul Myers TalkBizNewz received today. (Thank you again Paul)
Conficker, considered to be potentially one of the nastiest
worms to hit the Internet in quite a while, has finally woken
up. It's downloading updates, which security analysts suspect
to be keyloggers or other code designed to steal information
from infected machines.
To see if your machine is infected, go to
Conficker Eye Chart
It's an extremely simple test. Load the page and see if you get
all 6 pictures. If you do, you're unlikely to be infected. The
explanation is VERY short, and included on the page.
Feel free to pass that URL around to anyone you like. The more
people know if their systems are infected, the better.
If you find that you are likely to have the worm on your
machine, immediately disconnect from the Internet. Find a
machine that isn't infected, and get a copy of Microsoft's
Malicious Software Removal Tool.
http://www.microsoft.com/security/malwareremove/
Do not reconnect to the Internet until you've run that on the
infected machine.
===============================================
Experts' first guesses as Conficker drops mystery payload
Friday April 10 2009 - 07:51am
The super worm has stirred, updating itself by P2P to deliver a heavily-encrypted file to infected PCs.
It may have been an April 1 no-show, but Conficker is finally phoning home.
Antivirus software companies have begun to detect the worm updating itself via the rogue peer-to-peer (P2P) network or "bot-net" it has created for itself over the internet as it spreads, allowing it to "phone home" from infected PCs.
One security company, Trend Micro, says Conficker first stirred on Wednesday NZ time.
The awakened Conficker's first action is to try to contact a bevy of mainstream sites - MySpace.com, MSN.com, eBay.com, CNN.com and AOL.com - to check if its infected host is connected to the internet. If it is, it phones home to receive a mystery payload.
The 117KB file is delivered into a temp folder on machines infected with the "C" strain of the virus (Trend has chosen to call the update a new variant of the worm, and called it Worm_downad.E, derived from the virus's alternative name, Downadup).
A keystroke logger?
Heavy encryption makes the file difficult to immediately analyse.
Like others, Trend is still working on the mystery file. But in an update on its website, the company speculates that it could be a key logger - a piece of software designed to stealthily record strokes on a victim's keyboard, the better to steal passwords and other personal details that might let a hacker access a bank account.
Just $49!
A second antivirus maker, Kaspersky, says the Conficker update has delivered a fake antivirus program. A pop-up window will appear asking the victim to buy the so-called antivirus software for $49. This could be a way of directly grabbing money from the victim or collecting their credit card details to sell or use elsewhere. If so, it would be something of an anti-climax. Such "malvertisements" are a dime a dozen on the internet.
It also seems from Trend's initial analysis that the update tries to make contact with a server known to be infected with a second piece of malware, called Waledac, from which it attempts to receive a second encrypted file.
A May 3 disappearing act
Trend finds that the Conficker update attempts to hide its tracks, deleting entries in the Windows Registry, among other measures.
More curiously, the update seems set to switch itself off on May 3.
Why? Like everything else related to Conficker, it remains a mystery.
As ever, the best defence against Conficker is to keep your antivirus software up-to-date, and install Microsoft's patch.
Paul Turner
Patricia Brucoli
Plug-In Profit Site Helpdesk