Wednesday, November 17, 2010

bench3

Protect Your PC From Worm:Win32/Conficker.B

Worm:Win32/Conficker.B may also spread via removable drives and weak administrator passwords. It disables several important system services and security products.
Its Aliases
  • TA08-297A (other)
  • CVE-2008-4250 (other)
  • VU827267 (other)
  • Win32/Conficker.A (CA)
  • Mal/Conficker-A (Sophos)
  • Trojan.Win32.Agent.bccs (Kaspersky)
  • W32.Downadup.B (Symantec)
  • Confickr (other)
Alert Level: Severe
The name of this threat was derived by selecting fragments of the domain 'trafficconverter.biz', a string found in Worm:Win32/Conficker.A:
(fic)(con)(er) => (con)(fic)(+k)(er) => conficker
Worm:Win32/Conficker.B attempts to copy itself in the Windows system folder as a hidden DLL file using a random name. If the attempt fails, it may then attempt to copy itself with the same parameters in the following folders: 

%ProgramFiles%\Internet Explorer
%ProgramFiles%\Movie Maker 

It creates the following registry entry to ensure that its dropped copy is run every time Windows starts: 

Adds value: "<random string>"
With data: "rundll32.exe <system folder>\<malware file name>.dll,<malware parameters>"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 

It may also load itself as a service that is launched when the netsvcs group is loaded by the system file svchost.exe. 

It may also load itself as a fake service by registering itself under the following key:
HKLM\SYSTEM\CurrentControlSet\Services
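The Run-key persistence described above can be triaged offline from saved `reg query` output. The following is an added example, not code from the original post or from Microsoft: the sample output is constructed, and the function names are hypothetical. A match is a lead to investigate, since legitimate software also registers `rundll32.exe` Run entries.

```python
import re

# Constructed sample of `reg query` output for the HKCU Run key
# (value names and DLL names are invented, not taken from a real host).
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    qwmzlx    REG_SZ    rundll32.exe "C:\WINDOWS\system32\hbtjkq.dll",ydmvrw
    vkdpa    REG_SZ    rundll32.exe C:\Program Files\Movie Maker\pzeuo.dll,tqbn
    Updater    REG_SZ    "C:\Program Files\Vendor\updater.exe" /background
    HelperLib    REG_SZ    rundll32.exe C:\Tools\helper.dll,Start
"""

# reg.exe prints each value as: 4 spaces, name, 4 spaces, type, 4 spaces, data
VALUE_LINE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")

# Data shape from the write-up: rundll32.exe <folder>\<file>.dll,<parameters>
RUNDLL = re.compile(
    r'^\s*"?(?:[a-z]:\\[^"]*\\)?rundll32(?:\.exe)?"?\s+'
    r'"?(?P<dll>[^",]+\.dll)"?\s*,\s*(?P<args>.*)$',
    re.IGNORECASE,
)

# Drop locations named in the write-up: the system folder, then the two fallbacks.
DROP_DIRS = ("\\system32", "\\internet explorer", "\\movie maker")


def parse_run_values(reg_output):
    """Return (value name, value data) pairs from `reg query` text."""
    pairs = []
    for line in reg_output.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            pairs.append((m["name"], m["data"]))
    return pairs


def suspicious_run_values(reg_output):
    """Flag Run values that launch a DLL from a listed drop folder via rundll32."""
    hits = []
    for name, data in parse_run_values(reg_output):
        m = RUNDLL.match(data)
        if not m:
            continue  # not a rundll32 launcher
        parent = m["dll"].lower().rsplit("\\", 1)[0]
        if parent.endswith(DROP_DIRS):
            hits.append((name, m["dll"]))
    return hits


if __name__ == "__main__":
    for name, dll in suspicious_run_values(SAMPLE):
        print(f"review Run value {name!r}: {dll}")
```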

Worm:Win32/Conficker.B is a worm that infects other computers across a network by exploiting a vulnerability in the Windows Server service (SVCHOST.EXE). If the vulnerability is successfully exploited, it could allow remote code execution when file sharing is enabled. It may also spread via removable drives and weak administrator passwords. It disables several important system services and security products. 

Recommendations From Microsoft:

  • Users should apply the update referred to in Security Bulletin MS08-067 immediately.
  • Users must ensure that their network passwords are strong to prevent this worm from spreading via weak administrator passwords.
  • Users must apply an update that changes the AutoPlay functionality in Windows to prevent this worm from spreading via USB drives. More information is available in the Microsoft Knowledge Base Article KB971029.


Network Shares with Weak Passwords
Worm:Win32/Conficker.B attempts to infect machines within the network. It then attempts to connect to the target machine using each user name and the following weak passwords.

About bench3 -

Haja Peer Mohamed H, Software Engineer by profession, Author, Founder and CEO of "bench3". You can connect with me on Twitter, Facebook and also on Google+.