The "Autoplay" function in Vista and early versions of Windows 7 automatically searches for programs on removable drives. However, the virus hijacks this process, masquerading as a folder to be opened. When clicked, the worm installs itself.
Microsoft says that the worm works by searching for a Windows executable file called "services.exe" and then becomes part of that code. It then copies itself into the Windows system folder %Sysdir% as a random file of a type known as a "dll". It gives itself a 5-8 character name, such as piftoc.dll, and then modifies the Registry, which lists key Windows settings, to run the infected dll file as a service. The virus attempts connections to one or more websites such as getmyip.org, getmyip.co.uk and checkip.dyndns.org to obtain the public IP address of the affected computer. As soon as the worm is up and running, it creates an HTTP server, resets the machine's System Restore point (very hard to recover) and then downloads files from the hacker's web site. Later variants of the W32/Conficker worm use scheduled tasks and an Autorun.inf file to replicate onto non-vulnerable systems or to reinfect previously infected systems after they have been cleaned.
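A defender's triage sketch for the behaviour described above, added here as an example and not taken from the original post or from Microsoft: it correlates DNS queries to the IP-lookup sites named in the article with service DLLs that match the 5-8 character naming pattern. The log formats, host names and baseline list are constructed assumptions.

```python
import re
from collections import defaultdict

# Lookup sites the article names; the worm queries them for the public IP.
IP_LOOKUP_DOMAINS = {"getmyip.org", "getmyip.co.uk", "checkip.dyndns.org"}
# Article: a 5-8 character .dll name in the Windows system folder.
SHORT_DLL = re.compile(r"\\system32\\([a-z]{5,8}\.dll)$", re.IGNORECASE)

# Constructed sample data. Assumed DNS log format: "<time> <host> <name>"
DNS_LOG = """2009-01-20T10:01:02 PC-017 checkip.dyndns.org
2009-01-20T10:01:05 PC-017 getmyip.org
2009-01-20T10:02:11 PC-042 www.example.com
2009-01-20T10:03:40 PC-088 checkip.dyndns.org
"""
# Assumed service export format: "<host>,<service>,<service DLL path>"
SERVICES = r"""PC-017,xkqzd,C:\Windows\system32\piftoc.dll
PC-042,wuauserv,C:\Windows\system32\wuaueng.dll
PC-088,Dnscache,C:\Windows\System32\dnsrslvr.dll
"""
# Constructed baseline; in practice, build it from a known-clean image.
# Needed because many legitimate DLLs also have 5-8 letter names.
BASELINE = {"wuaueng.dll", "dnsrslvr.dll"}

def lookup_hits(dns_log):
    """Map host -> set of IP-lookup domains it queried."""
    hits = defaultdict(set)
    for line in dns_log.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[2].lower().rstrip(".") in IP_LOOKUP_DOMAINS:
            hits[parts[1]].add(parts[2].lower().rstrip("."))
    return hits

def unknown_service_dlls(services, baseline):
    """Map host -> short-named system DLLs registered as services, not in baseline."""
    found = defaultdict(list)
    for line in filter(None, services.splitlines()):
        host, _service, path = line.split(",", 2)
        m = SHORT_DLL.search(path)
        if m and m.group(1).lower() not in baseline:
            found[host].append(m.group(1).lower())
    return found

def triage(dns_log, services, baseline):
    """Both signals -> 'investigate'; a single signal -> 'review'."""
    dns = lookup_hits(dns_log)
    dlls = unknown_service_dlls(services, baseline)
    return {h: "investigate" if h in dns and h in dlls else "review"
            for h in sorted(set(dns) | set(dlls))}

if __name__ == "__main__":
    print(triage(DNS_LOG, SERVICES, BASELINE))
```

A query to one of these sites on its own is weak evidence, since dynamic-DNS clients contact checkip.dyndns.org legitimately, which is why a single signal is only marked for review.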
How does Conficker differ from other viruses/worms?
It is estimated that a whopping 9.5m PCs are infected with this virus. Once the Conficker worm is executed on a PC, the Downadup virus disables essential security services such as Windows Automatic Updates, Security Center, Defender and Error Reporting, to name a few. Along with downloading and installing malware on your computer and gathering your personal data, Conficker attaches itself to key Windows processes like svchost.exe and explorer.exe.
It is of paramount importance to turn off the autorun and autoplay features on your PCs to prevent the worm from gaining a foothold on your system. Windows users are urged to download the KB958644 Security Update from Microsoft to mitigate the risk of infection. Microsoft's Malicious Software Removal Tool (KB890830) and the F-Secure malware removal tool are some of the software available to keep Conficker at bay. Keeping your antivirus software updated regularly to keep track of the constantly evolving virus definitions is a good preventive measure that goes a long way towards keeping your PC safe. As they say, 'better safe than sorry'.
Source :--threats.blogspot.com