Our entire workplace was infected by this gatecrasher, leaving our servers vulnerable to downtime, primarily because of the RPC overflow. While most of us were enjoying the long vacation, this virus was having a party on our domain. The spread was due to a failed auto-update of our antivirus pattern. Here's an overview of the said worm:
Mal/Conficker-A
Win32/Conficker.A,W32.Downadup
Description
Win32/Conficker.A is a worm that exploits the MS08-067 vulnerability in order to spread. It may also download and execute various files.
Method of Infection
When executed, Win32/Conficker.A creates a copy of itself in the %System% directory with a random filename. The worm injects its code into the "services.exe" process to keep itself memory resident and difficult to clean up.
Method of Distribution
Win32/Conficker.A exploits MS08-067, the Microsoft Server service vulnerability, in order to propagate.
Backdoor Functionality
Win32/Conficker.A starts an HTTP server on the affected system by opening a random port. This allows a copy of the worm to be downloaded by target systems.
For more detailed information on the worm you can visit
http://www.trendmicro.com/vinfo/fr/virusencyclo/default5.asp?VName=WORM_DOWNAD.AD
Solution
Currently there is no one-click fix to cure an infected machine, but we managed to formulate effective manual steps to permanently remove the worm from our systems.
1. Patch the machines with the Security Update for Windows (KB958644) to address the MS08-067 vulnerability.
2. Kill the memory-resident worm currently injected into the "svchost.exe -k netsvcs" process, or boot into Safe Mode.
*You can locate the worm using Process Explorer from Sysinternals. Look for a suspicious service on the Services tab.
3. Restart the computer and do a complete scan using an updated virus pattern.
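As an added example (not part of the original post), the following PowerShell script automates the checks behind steps 1 and 2: it verifies that KB958644 is installed and lists services in the "netsvcs" svchost group whose ServiceDll is missing, lives outside %SystemRoot%, or carries no valid Authenticode signature, which is where a randomly named DLL dropped into %System% and registered as a netsvcs service would show up. It assumes a Windows host with PowerShell 3 or later and an elevated prompt; function names are my own.

```powershell
# Added triage script (not from the original post). Run from an elevated
# PowerShell 3+ prompt. Output is a list of leads to confirm in Process
# Explorer, not a verdict.

# Step 1: is the MS08-067 fix (KB958644) installed on this machine?
function Test-MS08067Patch {
    $hotfix = Get-HotFix -Id 'KB958644' -ErrorAction SilentlyContinue
    return [bool]$hotfix
}

# Step 2: enumerate services loaded into "svchost.exe -k netsvcs" and flag
# any whose DLL is missing, outside %SystemRoot%, or not validly signed.
function Get-SuspiciousNetsvcs {
    $svchostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
    $systemRoot = [Environment]::GetEnvironmentVariable('SystemRoot')
    $groups = Get-ItemProperty -Path $svchostKey
    foreach ($name in $groups.netsvcs) {
        $paramsKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$name\Parameters"
        $dll = (Get-ItemProperty -Path $paramsKey -ErrorAction SilentlyContinue).ServiceDll
        if (-not $dll) { continue }   # group member with no DLL registered
        $path = [Environment]::ExpandEnvironmentVariables($dll)
        $exists = Test-Path -Path $path
        $status = 'FileMissing'
        if ($exists) {
            $status = (Get-AuthenticodeSignature -FilePath $path).Status
        }
        $inSystemRoot = $path.StartsWith($systemRoot, [StringComparison]::OrdinalIgnoreCase)
        if (-not $exists -or -not $inSystemRoot -or $status -ne 'Valid') {
            [pscustomobject]@{
                Service    = $name
                ServiceDll = $path
                Signature  = $status
            }
        }
    }
}

if (-not (Test-MS08067Patch)) {
    Write-Warning 'KB958644 (MS08-067) is NOT installed on this host.'
}
Get-SuspiciousNetsvcs | Format-Table -AutoSize
```

On older hosts where system DLLs are catalog-signed rather than embedded-signed, the signature check can report "NotSigned" for legitimate Microsoft files, so treat each hit as a lead to inspect in Process Explorer rather than as confirmation.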