Saturday, January 24, 2009

Conficker ("Downadup") is nasty

My eldest son's computer contracted a nasty bit of malware a couple of weeks ago, which I had to remove manually (NONE of the antivirus software caught it). And believe me, tracking it down and removing it manually without knowing what it was was no easy thing. He's lucky I'm his dad, otherwise the repair could have been hugely expensive.

It was the "Conficker" worm, aka "Downadup".

Fortunately for everyone else, Microsoft has now added it to the Malicious Software Removal Tool. (MSRT). Here's their description:
  • Account lockout policies are being tripped.
  • Automatic Updates, Background Intelligent Transfer Service (BITS), Windows Defender, and Error Reporting Services are disabled.
  • Domain controllers respond slowly to client requests.
  • The network is congested.
  • Various security-related Web sites cannot be accessed.
It's that last bullet that's a lot more nasty than Microsoft's description suggests. You can't get to McAfee, AVG, AntiVir... anything security related, including Windows Update and the links to the MSRT. So you're best off keeping a copy of the MSRT on a USB drive or mini-CD.

Something not mentioned above is the fact that it can spread onto floppies and USB drives. When it does that, it adds a program to drive (My son's was named setup.exe) and it adds an Autorun.inf file that runs setup.exe (or whatever) when the drive is placed in another machine. This should go without saying, but ALWAYS make sure that AutoPlay is TURNED OFF on ALL removable drives on ALL of your machines. The convenience of having a program run automatically NEVER NEVER NEVER justifies risking the hundreds of dollars of damage that this ill-concieved feature can cause you. Turn it off. Otherwise you could accidentally infect the computer that you're getting the fix from!

You can disable AutoPlay on your drives manually, but it's easier to use TweakUI. Get that here: You can temporarily disable AutoPlay by holding down the SHIFT key while inserting a disk.

Then apply updates to Windows. On the network, Conficker spreads using an exploit that was patched four months ago. If he'd regularly updated it my son's computer would have been immune.

This is a nasty, nasty worm. Exercise a little bit of care and you won't contract it at all. But this is Windows... and running Windows means you have to be paranoid about security, because the OS does little to help you out. Relax your paranoia and you'll be in serious bad shape, as my son found out.


Post a Comment

<< Home