Worm outbreak

GomJabbar
Moderator
Posts: 9765
Joined: Tue Jun 07, 2005 6:57 am

Worm outbreak

#1 Post by GomJabbar » Fri Jan 23, 2009 8:14 am

BBC News wrote:The Conficker virus has opened a new can of worms for security experts.

Drives such as USB sticks infected with the virus trick users into installing the worm, according to researchers.

The "Autoplay" function in Vista and early versions of Windows 7 automatically searches for programs on removable drives.

However, the virus hijacks this process, masquerading as a folder to be opened. When clicked, the worm installs itself.
BBC News wrote:As the virus - also known as Downadup - has spread to an estimated 9m computers globally, a number of high-profile instances of the virus have arisen.
BBC News wrote:Users are urged to download the KB958644 Security Update from Microsoft to mitigate the risk of infection.
I found the above Microsoft update was installed on my system 11/14/2008.

http://news.bbc.co.uk/1/hi/technology/7842013.stm
DKB

GomJabbar
Moderator
Posts: 9765
Joined: Tue Jun 07, 2005 6:57 am

Re: Worm outbreak

#2 Post by GomJabbar » Fri Jan 23, 2009 8:28 am

Here is some more information from another BBC News article.
BBC News wrote:"But as the virus can be spread with USB memory sticks, even having the Windows patch won't keep you safe. You need anti-virus software for that."
BBC News wrote:Method

According to Microsoft, the worm works by searching for a Windows executable file called "services.exe" and then becomes part of that code.

It then copies itself into the Windows system folder as a random file of a type known as a "dll". It gives itself a 5-8 character name, such as piftoc.dll, and then modifies the Registry, which lists key Windows settings, to run the infected dll file as a service.

Once the worm is up and running, it creates an HTTP server, resets a machine's System Restore point (making it far harder to recover the infected system) and then downloads files from the hacker's web site.

Most malware uses one of a handful of sites to download files from, making them fairly easy to locate, target, and shut down.

But Conficker does things differently.

Anti-virus firm F-Secure says that the worm uses a complicated algorithm to generate hundreds of different domain names every day, such as mphtfrxs.net, imctaef.cc, and hcweu.org. Only one of these will actually be the site used to download the hackers' files. On the face of it, tracing this one site is almost impossible.
http://news.bbc.co.uk/2/hi/technology/7832652.stm
DKB
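A defensive sketch of how the domain-generation behaviour quoted above can show up in DNS logs, added here as an example and not taken from the BBC, F-Secure or any poster. It assumes a simple four-column resolver log, that lookups for the unused generated names fail with NXDOMAIN, and a low demo threshold; `looks_generated` and `suspect_clients` are hypothetical names.

```python
import re
from collections import defaultdict

# Constructed resolver log, one query per line: date, client, name, rcode.
# The layout and addresses are assumptions; the first three names are the
# ones quoted in the post, the rest are made up for the example.
SAMPLE_LOG = """\
2009-01-23 10.0.0.15 mphtfrxs.net NXDOMAIN
2009-01-23 10.0.0.15 imctaef.cc NXDOMAIN
2009-01-23 10.0.0.15 hcweu.org NXDOMAIN
2009-01-23 10.0.0.15 qzkvbt.info NXDOMAIN
2009-01-23 10.0.0.15 www.microsoft.com NOERROR
2009-01-23 10.0.0.22 news.bbc.co.uk NOERROR
2009-01-23 10.0.0.22 gogle.com NXDOMAIN
2009-01-23 10.0.0.22 forum.thinkpads.com NOERROR
"""

LABEL_RE = re.compile(r"^[a-z]{4,10}$")
VOWELS = set("aeiou")


def looks_generated(name):
    """True for a bare two-label name whose first label is a short run of
    letters with few vowels, like the examples quoted in the post."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) != 2 or not LABEL_RE.match(labels[0]):
        return False
    label = labels[0]
    return sum(c in VOWELS for c in label) / len(label) <= 0.45


def suspect_clients(log_text, threshold=3):
    """Map (date, client) to its distinct failed generated-looking names,
    keeping only clients at or above the threshold. A single hit is weak
    evidence (typos match too); many distinct failures per day is the signal.
    A real deployment would use a far higher threshold than this demo's 3."""
    failed = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        date, client, name, rcode = parts
        if rcode == "NXDOMAIN" and looks_generated(name):
            failed[(date, client)].add(name.lower())
    return {k: sorted(v) for k, v in failed.items() if len(v) >= threshold}


if __name__ == "__main__":
    for (date, client), names in suspect_clients(SAMPLE_LOG).items():
        print(date, client, len(names), "failed lookups:", ", ".join(names))
```

The mistyped `gogle.com` in the sample also passes the per-name check, which is why the result is keyed on the number of distinct failures per client rather than on any single lookup.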

jdhurst
Admin
Posts: 5831
Joined: Thu Apr 29, 2004 6:49 am
Location: Toronto, Canada

Re: Worm outbreak

#3 Post by jdhurst » Fri Jan 23, 2009 8:30 am

There must be a different number (update number) for Vista 64-bit. I see KB958644 on an XP box here, but no such number on my Vista box. The Vista box is totally up-to-date, so I expect just a different update.
... JDH

killer
ThinkPadder
Posts: 1483
Joined: Mon May 28, 2007 5:26 am
Location: West Sussex, UK

Re: Worm outbreak

#4 Post by killer » Fri Jan 23, 2009 8:33 am

I think most of us (with Windows) install the updates as soon as they are released by MS. The problem seems to be with people or companies who don't do the updates. :roll:
T540p Win 7 Pro 64

X1 Carbon Win 7 Pro 64 for my wife.

Time flies like an arrow; fruit flies like a banana.

Dogs must be carried on the escalator. Where can I find a dog?

GomJabbar
Moderator
Posts: 9765
Joined: Tue Jun 07, 2005 6:57 am

Re: Worm outbreak

#5 Post by GomJabbar » Fri Jan 23, 2009 9:08 am

jdhurst wrote:There must be a different number (update number) for Vista 64-bit. I see KB958644 on an XP box here, but no such number on my Vista box. The Vista box is totally up-to-date, so I expect just a different update.
... JDH
The following would seem to indicate otherwise.

Security Update for Windows Vista for x64-based Systems (KB958644)

http://www.microsoft.com/technet/securi ... 8-067.mspx
DKB

jdhurst
Admin
Posts: 5831
Joined: Thu Apr 29, 2004 6:49 am
Location: Toronto, Canada

Re: Worm outbreak

#6 Post by jdhurst » Fri Jan 23, 2009 9:45 am

I went to the link - Thank you. As with a number of these standalone updates, the message I get is that it does not apply to my system. There is an update for my T61 from Lenovo for integrated graphics to fix the problems with Access Connections and Power Manager, but the update doesn't apply.

I have no problems with Windows Update (either Automatic or Manual) and my system is otherwise up-to-date, so I don't really understand this yet.
... JDH

killer
ThinkPadder
Posts: 1483
Joined: Mon May 28, 2007 5:26 am
Location: West Sussex, UK

Re: Worm outbreak

#7 Post by killer » Fri Jan 23, 2009 10:59 am

It looks like someone at Auntie Beeb has managed to point to the wrong MS link. Provided your system has the latest MS updates and your anti-virus software is up-to-date it won't be a problem.

GomJabbar
Moderator
Posts: 9765
Joined: Tue Jun 07, 2005 6:57 am

Re: Worm outbreak

#8 Post by GomJabbar » Fri Jan 23, 2009 12:03 pm

killer wrote:It looks like someone at Auntie Beeb has managed to point to the wrong MS link.
Huh?

I verified at sophos.com that KB958644 is the correct security update as reported by the BBC. On sophos.com they say: "Ensure Windows is fully updated to fix the MS08-067 vulnerability".
If you check that security bulletin from Microsoft, you see "Microsoft Security Bulletin MS08-067 – Critical Vulnerability in Server Service Could Allow Remote Code Execution (958644)"

http://www.sophos.com/security/analyses ... ckera.html
DKB

killer
ThinkPadder
Posts: 1483
Joined: Mon May 28, 2007 5:26 am
Location: West Sussex, UK

Re: Worm outbreak

#9 Post by killer » Fri Jan 23, 2009 12:23 pm

@GomJabbar. Maybe I'm a bit dim but the BBC link talks about problems in Vista and then gives the link which refers to XP. Anyway, time for the pub soon. :)

Marin85
Senior ThinkPadder
Posts: 2975
Joined: Sat May 12, 2007 10:54 am
Location: Munich, Germany

Re: Worm outbreak

#10 Post by Marin85 » Fri Jan 23, 2009 12:57 pm

killer wrote:@GomJabbar. Maybe I'm a bit dim but the BBC link talks about problems in Vista and then gives the link which refers to XP. Anyway, time for the pub soon. :)
Maybe they have written it after having been in the pub... :P
IBM Lenovo Z61p | 15.4'' WUXGA | Intel Core 2 Duo T7400 2x 2.16GHz | 4 GB Kingston HyperX | Hitachi 7K500 500 GB + WD 1TB (USB) | ATI Mobility FireGL V5200 | ThinkPad Atheros a/b/g | Analog Devices AD1981HD | Win 7 x86 + ArchLinux 2009.08 x64 (number crunching)

jdhurst
Admin
Posts: 5831
Joined: Thu Apr 29, 2004 6:49 am
Location: Toronto, Canada

Re: Worm outbreak

#11 Post by jdhurst » Fri Jan 23, 2009 3:29 pm

Who knows, but it came to my XP machine without fuss via Windows Updates. No sign of it on Vista updates, and the download (Microsoft web page) did not work. None of the 64-bit updates Lenovo puts out via System Update work on my machine either. I don't know why, and a relatively constant lookout on my part does not shed any light either. ... JDH

Temetka
Senior ThinkPadder
Posts: 2790
Joined: Fri Sep 30, 2005 3:27 am
Location: Glendora, CA

Re: Worm outbreak

#12 Post by Temetka » Sat Jan 24, 2009 8:40 pm

The only Microsoft OS I have on my machines right now is Windows 7 with all of its updates and Norton Beta.

So am I hosed or closed?
New:
Thinkpad T430s 8GB DDR3, 1600x900, 128GB + 250GB SSD's, etc.
Old:
E6520, Precision M4400, D630, Latitude E6520
ThinkPad Tablet 16GB 1838-22U
IBM Thinkpad X61T, T61, T43, X41T, T60, T41P, T42, T410, X301

TTY
Senior Member
Posts: 527
Joined: Tue Aug 28, 2007 7:39 pm
Location: graz, austria

Re: Worm outbreak

#13 Post by TTY » Sun Jan 25, 2009 8:21 am

jdhurst wrote:No sign of it on Vista updates, and the download (Microsoft web page) did not work. None of the 64-bit updates Lenovo puts out via System Update work on my machine either. I don't know why...
One remote possibility might be that changes in registry settings also have changed the file system's functionality to such an extent that Microsoft or Windows Update and Lenovo System Update don't work reliably.

jdhurst
Admin
Admin
Posts: 5831
Joined: Thu Apr 29, 2004 6:49 am
Location: Toronto, Canada

Re: Worm outbreak

#14 Post by jdhurst » Sun Jan 25, 2009 8:31 am

TTY wrote:One remote possibility might be that changes in registry settings also have changed the file system's functionality to such an extent that Microsoft or Windows Update and Lenovo System Update don't work reliably.
I don't think so. Windows Update works properly and all the updates it has presented have succeeded - none outstanding. Likewise System Update will update all Lenovo software without issue. Only the Microsoft 64-bit hotfixes will not install ("not for this system"). I think it is tied to .NET Framework. I have searched the Microsoft Knowledge Base, but cannot resolve the issue. It is tied up, I think, in the fact that .NET Framework 1.1 lives in Add/Remove Programs whereas .NET Framework 3.0 lives in Windows Features and is not separately installable.
.... JDH

schnitzelcore
Freshman Member
Posts: 52
Joined: Mon Mar 17, 2008 6:05 pm
Location: amstelveen, the netherlands

Re: Worm outbreak

#15 Post by schnitzelcore » Sun Jan 25, 2009 12:52 pm

http://www.microsoft.com/downloads/deta ... laylang=en

Great tool for removing any doubt about a system being up-to-date. Also provides direct links to missing updates, useful for not-100%-kosher installs.

jdhurst
Admin
Admin
Posts: 5831
Joined: Thu Apr 29, 2004 6:49 am
Location: Toronto, Canada

Re: Worm outbreak

#16 Post by jdhurst » Sun Jan 25, 2009 1:19 pm

Thank you for the link. I had done this in XP, but my software was old, so I downloaded and ran the newest version. What it told me was that:

1. No security updates are missing for Office, SDK, SQL Server or Windows.
2. That automatic updates and Windows Firewall are turned off - Yes I know that.
3. NTFS is in place.
4. Passwords are strong.
5. Autologon not configured.
6. Guest account disabled.
7. Anonymous access properly disabled.
8. No more than 2 administrators found.

In short, nothing tailored for my particular system is missing, and generally my system meets ordinary security expectations.
.... JDH
