On a very serious note

Valve Replacement Forums

Ross

People, with April first about to come, I do hope that all of you who are running Windows operating systems have all of your Windows critical updates and antivirus programs up to date.

Conficker C, a very nasty virus, is supposed to sprout on April 1st, and all indications are that this is very real. It's after your personal information and takes over your computer to infect others. Please take this threat seriously.
 
Are we sure this is not just the "most excellent" April Fool's joke since the spaghetti trees?;):D;)
 
I have to get ahold of my jump drive to get my updates on the home computer. Thanks for passing this on; I heard about this a couple of days ago but forgot.
 
Description
Win32/Conficker.C is a worm capable of blocking security related websites, terminating system security services and downloading component files using time-based generated URLs.

Method of Infection

When executed, Win32/Conficker.C drops a copy of itself using a random filename in the %System% directory. It may also drop copies of itself in the following directories:

%Program Files%\Windows NT
%Program Files%\Windows Media Player
%Program Files%\Internet Explorer
%Program Files%\Movie Maker

For these and other dropped files, Win32/Conficker.C:

* Sets Read Only, Hidden and System file attributes
* Generates a file creation/access time-stamp based on that of "kernel32.dll"
* Creates access control entries
* Exclusively locks the file, thus restricting access and privileges

Note: %System% and %Program Files% are variable locations. The malware determines the locations of these folders by querying the operating system. The default installation location for the System directory for Windows 2000 and NT is C:\Winnt\System32; for 95, 98 and ME it is C:\Windows\System; for XP and Vista it is C:\Windows\System32. A typical location for the Program Files folder would be C:\Program Files.

In order to automatically execute at each startup, it adds the registry entry below:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\<random string> = "rundll32.exe <worm executable>, <random string>"

Conficker also registers a service with a random name created by combining a word from this list:

App
Audio
DM
ER
Event
help
Ias
Ir
Lanman
Net
Ntms
Ras
Remote
Sec
SR
Tapi
Trk
W32
win
Wmdm
Wmi
wsc
wuau
xml

with another word from this list:

access
agent
auto
logon
man
mgmt
mon
prov
serv
Server
Service
Srv
srv
svc
Svc
System
Time

The worm also derives a display name for the service by combining two words from the list below:

Audit
Backup
Boot
Browser
Center
Component
Config
Control
Discovery
Driver
Framework
Hardware
Helper
Image
Installer
Logon
Machine
Management
Manager
Microsoft
Monitor
Network
Notify
Policy
Power
Security
Shell
Storage
Support
System
Task
Time
Trusted
Universal
Update
Windows

For example, the worm may register a service with these registry entries:

HKLM\SYSTEM\CurrentControlSet\Services\IrSvc\DisplayName = "Component Task"
HKLM\SYSTEM\CurrentControlSet\Services\IrSvc\Type = 00000020
HKLM\SYSTEM\CurrentControlSet\Services\IrSvc\Start = 00000002
HKLM\SYSTEM\CurrentControlSet\Services\IrSvc\ErrorControl = 00000000
HKLM\SYSTEM\CurrentControlSet\Services\IrSvc\ImagePath = "%Root%\system32\svchost.exe -k netsvcs"
HKLM\SYSTEM\CurrentControlSet\Services\IrSvc\ObjectName = "LocalSystem"
HKLM\SYSTEM\CurrentControlSet\Services\IrSvc\Description = "<randomly copied from an existing service with a Startup Type of 2>"
HKLM\SYSTEM\CurrentControlSet\Services\IrSvc\Parameters\ServiceDll = "%System%\<worm executable>"


Note: %Root% is a variable location. The malware determines the location of the current root drive by querying the operating system. A typical location for the root drive would be C:\.

Additionally, Win32/Conficker.C checks for and tries to inject code into any process executed with the command-line parameters "svchost.exe -k NetworkService".

Payload
Modifies Registry / Lowers Security Settings

Win32/Conficker.C deletes the following registry entry to deactivate Windows Security Center notifications:

HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjects\{FD6905CE-952F-41F1-9A6F-135D9C6622CC}

It deletes the registry entry below to prevent the operating system from starting in Safe Mode:

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot

Additionally, Win32/Conficker.C deletes the below registry entry to prevent "Windows Defender" from executing on system start:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender

Deletes Restore Points

Conficker resets all system restore points and deletes any saved system restore points on the affected system.

Disables Services

Win32/Conficker.C looks for and disables the following services if running:

wscsvc - Security Center
WinDefend - Windows Defender (available in Vista)
wuauserv - Automatic Updates
BITS - Background Intelligent Transfer Service
ERSvc - Error Reporting Service
WerSvc - Windows Error Reporting Service (available in Vista)

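The persistence and self-defence behaviour described above (a service name built from the two word lists, hosted in "svchost.exe -k netsvcs" with a ServiceDll under %System%, plus the deleted registry keys and the disabled security services) can be turned into a host-inventory review. The following Python is an added example and is not part of the description above or of any vendor tool; the service inventory, registry snapshot and ServiceDll baseline it uses are constructed for illustration, and the DLL name "qjrtmv.dll" is made up. Its main point is a caveat: legitimate services such as wuauserv, wscsvc and Lanmanserver are themselves PREFIX+SUFFIX combinations from the lists, so the name alone proves nothing and has to be combined with a baseline of known ServiceDll values.

```python
import re
from typing import Dict, Iterable, List

# Word lists from the description: service name = PREFIX + SUFFIX.
PREFIXES = ("App Audio DM ER Event help Ias Ir Lanman Net Ntms Ras Remote Sec SR "
            "Tapi Trk W32 win Wmdm Wmi wsc wuau xml").split()
SUFFIXES = ("access agent auto logon man mgmt mon prov serv Server Service "
            "Srv srv svc Svc System Time").split()
_NAME_RE = re.compile(
    r"^(?:%s)(?:%s)$" % ("|".join(map(re.escape, PREFIXES)),
                         "|".join(map(re.escape, SUFFIXES))),
    re.IGNORECASE,
)

# Registry keys the worm deletes and services it disables, from the description.
EXPECTED_KEYS = [
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjects\{FD6905CE-952F-41F1-9A6F-135D9C6622CC}",
    r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender",
]
EXPECTED_RUNNING = ["wscsvc", "WinDefend", "wuauserv", "BITS", "ERSvc", "WerSvc"]

# Constructed baseline: ServiceDll basenames recorded from a known-clean host of
# the same build. On a real network this comes from your own golden image.
BASELINE_DLLS = {"wuauserv.dll", "srvsvc.dll", "wscsvc.dll"}


def looks_generated(name: str) -> bool:
    """True if the service name is PREFIX+SUFFIX from the worm's word lists.
    Many legitimate services match as well (wuauserv, wscsvc, Lanmanserver);
    that is the point of the lists, so this is a weak signal on its own."""
    return _NAME_RE.match(name) is not None


def review_services(services: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Flag netsvcs-hosted services with a generated-style name whose
    ServiceDll basename is not in the clean-host baseline."""
    findings = []
    for svc in services:
        image = svc.get("image_path", "").lower()
        dll = svc.get("service_dll", "")
        basename = dll.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if (looks_generated(svc["name"])
                and "svchost.exe" in image and "-k netsvcs" in image
                and basename not in BASELINE_DLLS):
            findings.append({"name": svc["name"], "service_dll": dll,
                             "reason": "generated-style name, netsvcs host, "
                                       "ServiceDll not in baseline"})
    return findings


def check_hardening(present_keys: Iterable[str],
                    service_states: Dict[str, str]) -> List[str]:
    """Report expected registry keys that are missing and security
    services that are not running, matching the worm's tampering list."""
    problems = []
    present = {k.lower() for k in present_keys}
    for key in EXPECTED_KEYS:
        if key.lower() not in present:
            problems.append("missing registry key: " + key)
    for name in EXPECTED_RUNNING:
        state = service_states.get(name, "absent")
        if state != "running":
            problems.append("service %s is %s" % (name, state))
    return problems


# Constructed sample inventory; not captured from a real host.
SAMPLE_SERVICES = [
    {"name": "wuauserv", "image_path": r"%SystemRoot%\system32\svchost.exe -k netsvcs",
     "service_dll": r"%SystemRoot%\system32\wuauserv.dll"},
    {"name": "Lanmanserver", "image_path": r"%SystemRoot%\system32\svchost.exe -k netsvcs",
     "service_dll": r"%SystemRoot%\system32\srvsvc.dll"},
    {"name": "Spooler", "image_path": r"%SystemRoot%\system32\spoolsv.exe", "service_dll": ""},
    # Modelled on the IrSvc registry entries in the description; the DLL name is invented.
    {"name": "IrSvc", "image_path": r"%Root%\system32\svchost.exe -k netsvcs",
     "service_dll": r"%System%\qjrtmv.dll"},
]
SAMPLE_KEYS = [EXPECTED_KEYS[0], EXPECTED_KEYS[2]]  # SafeBoot key absent
SAMPLE_STATES = {"wscsvc": "running", "WinDefend": "stopped", "wuauserv": "running",
                 "BITS": "running", "ERSvc": "running", "WerSvc": "running"}

if __name__ == "__main__":
    for finding in review_services(SAMPLE_SERVICES):
        print("SUSPECT", finding)
    for problem in check_hardening(SAMPLE_KEYS, SAMPLE_STATES):
        print("PROBLEM", problem)
```

On the constructed inventory only IrSvc is reported (wuauserv and Lanmanserver match the name pattern but their DLLs are baselined), and the hardening check reports the missing SafeBoot key and the stopped WinDefend service. To use it against a real machine you would export the Services hive and service states with your usual tooling and feed them to the same two functions.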

Terminates Processes

Win32/Conficker.C terminates the following security-related processes in an attempt to prevent its removal from the system:

autoruns
avenger
confick
downad
filemon
gmer
hotfix
kb890
kb958
kido
klwk
mbsa.
mrt.
mrtstub
ms08-06
procexp
procmon
regmon
scct_
sysclean
tcpview
unlocker
wireshark

Blocks Websites

Win32/Conficker.C hooks the following APIs to monitor and restrict access to security websites:

Query_Main
DnsQuery_W
DnsQuery_UTF8
DnsQuery_A
sendto

In its attempt to prevent access to security-related sites for information, help or software updates, the worm attempts to block running applications from accessing URLs containing any of the following strings:

avg.
avp.
bit9.
ca.
cert.
gmer.
kav.
llnw.
llnwd.
msdn.
msft.
nai.
sans.
vet.
agnitum
ahnlab
anti-
antivir
arcabit
avast
avgate
avira
bothunter
castlecops
ccollomb
centralcommand
clamav
comodo
computerassociates
conficker
cpsecure
cyber-ta
db networkassociates
defender
drweb
dslreports
emsisoft
esafe
eset
etrust
ewido
f-prot
f-secure
fortinet
free-av
freeav
gdata
grisoft
hackerwatch
hacksoft
hauri
ikarus
jotti
k7computing
kaspersky
malware
mcafee
microsoft
mirage
msftncsi
msmvps
mtc.sri
nod32
norman
norton
onecare
panda
pctools
prevx
ptsecurity
quickheal
removal
rising
rootkit
safety.live
securecomputing
secureworks
sophos
spamhaus
spyware
sunbelt
symantec
technet
threat
threatexpert
trendmicro
trojan
virscan
virus
wilderssecurity
windowsupdate

Downloads and Executes Arbitrary Files

If the current system date is on or after 1 April 2009, the worm attempts to access pre-computed domain names to either download an updated copy of itself or download other malware. Below is a list of URL extensions used for pre-computed/generated URLs:

vn
vc
us
tw
to
tn
tl
tj
tc
su
sk
sh
sg
sc
ru
ro
ps
pl
pk
pe
no
nl
nf
my
mw
mu
ms
mn
me
md
ly
lv
lu
li
lc
la
kz
kn
is
ir
in
im
ie
hu
ht
hn
hk
gy
gs
gr
gd
fr
fm
es
ec
dm
dk
dj
cz
cx
com.ve
com.uy
com.ua
com.tw
com.tt
com.tr
com.sv
com.py
com.pt
com.pr
com.pe
com.pa
com.ni
com.ng
com.mx
com.mt
com.lc
com.ki
com.jm
com.hn
com.gt
com.gl
com.gh
com.fj
com.do
com.co
com.bs
com.br
com.bo
com.ar
com.ai
com.ag
co.za
co.vi
co.uk
co.ug
co.nz
co.kr
co.ke
co.il
co.id
co.cr
cn
cl
ch
cd
ca
bz
bo
be
at
as
am
ag
ae
ac

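Because the worm resolves many pre-computed names under the suffixes listed above, one network-side signal is a single client resolving an unusual number of distinct, random-looking second-level names under exactly those suffixes in a short window. The following Python is an added example, not part of the description above or of any product; the log format and every log line in it are constructed, and the threshold of 10 is an arbitrary starting point that has to be tuned against your own baseline (a client browsing several co.uk or ru sites is normal, a client resolving dozens of unpronounceable ones is not). The connectivity-test hosts from the description are excluded since they are ordinary sites.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, Optional, Tuple

# Domain suffixes used by the pre-computed domains, copied from the list above.
SUFFIXES = set("""vn vc us tw to tn tl tj tc su sk sh sg sc ru ro ps pl pk pe no nl nf my
mw mu ms mn me md ly lv lu li lc la kz kn is ir in im ie hu ht hn hk gy gs gr gd fr fm es
ec dm dk dj cz cx com.ve com.uy com.ua com.tw com.tt com.tr com.sv com.py com.pt com.pr
com.pe com.pa com.ni com.ng com.mx com.mt com.lc com.ki com.jm com.hn com.gt com.gl com.gh
com.fj com.do com.co com.bs com.br com.bo com.ar com.ai com.ag co.za co.vi co.uk co.ug
co.nz co.kr co.ke co.il co.id co.cr cn cl ch cd ca bz bo be at as am ag ae ac""".split())

# Sites the worm contacts only to test connectivity; they are not candidates.
CONNECTIVITY_HOSTS = {"ask.com", "baidu.com", "facebook.com", "google.com",
                      "imageshack.us", "rapidshare.com", "w3.org", "yahoo.com"}

# Constructed log format: "<timestamp> <client-ip> <qtype> <qname>"
_LINE_RE = re.compile(r"^(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\S+)$")


def split_suffix(qname: str) -> Optional[Tuple[str, str]]:
    """Return (label, suffix) using the longest matching suffix, or None
    if the name is not under one of the listed suffixes."""
    parts = qname.lower().rstrip(".").split(".")
    for n in (2, 1):  # try two-level suffixes (co.uk) before one-level (uk)
        if len(parts) > n and ".".join(parts[-n:]) in SUFFIXES:
            return ".".join(parts[:-n]), ".".join(parts[-n:])
    return None


def is_candidate(qname: str) -> bool:
    """A candidate is a bare second-level name under a listed suffix whose
    single label is purely alphabetic, as the generated names are."""
    if qname.lower().rstrip(".") in CONNECTIVITY_HOSTS:
        return False
    split = split_suffix(qname)
    if split is None:
        return False
    label, _ = split
    return label.isalpha() and "." not in label


def flag_clients(lines: Iterable[str], threshold: int = 10) -> Dict[str, int]:
    """Map client IP -> number of distinct candidate names, for clients at
    or above the threshold."""
    seen = defaultdict(set)
    for line in lines:
        m = _LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than failing the whole run
        _, client, _, qname = m.groups()
        if is_candidate(qname):
            seen[client].add(qname.lower().rstrip("."))
    return {client: len(names) for client, names in seen.items()
            if len(names) >= threshold}


# Constructed resolver log: 10.0.0.8 browses normally, 10.0.0.7 shows the pattern.
SAMPLE_LOG = """\
2009-04-01T08:00:01 10.0.0.8 A google.com
2009-04-01T08:00:02 10.0.0.8 A bbc.co.uk
2009-04-01T08:00:03 10.0.0.8 A imageshack.us
2009-04-01T08:00:05 10.0.0.7 A rapidshare.com
2009-04-01T08:00:06 10.0.0.7 A kqzvhfl.co.uk
2009-04-01T08:00:06 10.0.0.7 A wyxbotu.vn
2009-04-01T08:00:07 10.0.0.7 A fjrlpma.com.br
2009-04-01T08:00:07 10.0.0.7 A tuevqc.ru
2009-04-01T08:00:08 10.0.0.7 A mbwzqox.hk
2009-04-01T08:00:08 10.0.0.7 A rxgaldn.co.kr
2009-04-01T08:00:09 10.0.0.7 A yqhbec.cn
2009-04-01T08:00:09 10.0.0.7 A zdfkvl.com.mx
2009-04-01T08:00:10 10.0.0.7 A opxmrh.li
2009-04-01T08:00:10 10.0.0.7 A jgtnwae.tw
2009-04-01T08:00:11 10.0.0.7 A cvhslq.pl
2009-04-01T08:00:11 10.0.0.7 A bnrydz.ch
""".splitlines()

if __name__ == "__main__":
    for client, count in sorted(flag_clients(SAMPLE_LOG).items()):
        print("REVIEW %s: %d distinct candidate names" % (client, count))
```

On the constructed log only 10.0.0.7 is reported, with 12 distinct names; 10.0.0.8's single bbc.co.uk lookup stays well under the threshold. Treat a hit as a lead for host review (the service and registry checks above), not as a verdict, and in practice count per time window rather than over the whole file.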

Additional Information

So that only one copy of itself runs at a time, Conficker creates a mutex in the format "Global\%u-%u", where "%u" is a decimal number.

The worm accesses the following websites to test Internet connectivity:

ask.com
baidu.com
facebook.com
google.com
imageshack.us
rapidshare.com
w3.org
yahoo.com
 
According to my Kindle news this morning it's been around for a while but gets updated constantly. MS is offering a $250,000 reward to find the originator(s) of this awful thing.
 
The ante's gone up for the writer of this thing. There is now a whole posse after him.
 
Some downloads for Conficker

certainly just trying to help, the wife works on puters too.

Lots of free safe tools to download and stash for disinfection. These cos. do not spam you.

Symantec
http://www.symantec.com/norton/theme.jsp?themeid=conficker_worm
three downloads midpage if you have Symantec/Norton

Panda
http://www.pandasecurity.com/usa/homeusers/downloads/usbvaccine/

M$ Malicious Software Removal Tool
http://www.microsoft.com/security/malwareremove/default.mspx

lots more out there, you don't have to buy and are safe.

BitDefender
single removal on PC or network versions
http://www.bdtools.net/
 
When I turned on my computer this morning, I got a msg from McAfee that I needed some fixes and should reinstall my program - didn't like that so told McAfee to 'fix'. It was already doing it so I don't know if there was somebody about to grab me with that message about reinstall or not, but I didn't reinstall and checked McAfee after the fix and all my stuff is safeguarded now. This thing can start before/after April 1st so just start being careful right now. Also it's servers and large companies these folks are mostly after and their aim is monetary. Well, duh, course it is.
 
Here's a good one-- I went to Google to get more information on this virus, and the site marked CNN which was one of the first ones, attempted to install a Trojan on my computer. Norton caught it. Must have been a fake site.

So be very careful with this virus.
 
I got some info that said if you try to get info on the worm, you might infect your own computer, so I am just waiting for info from elsewhere. I may shut everything off on Apr 1 just in case.
 
If you get any update notices, go directly to your antivirus's site and don't download it from a pop up window.
 

Yeah I just got the same thing. Google again, look at the address for that site and add it to your restricted sites zone in internet options. Problem is, new addresses are coming up all the time for that darn thing.
 
The problem is, some people are already infected and don't even know it as of yet. It's going to be business as usual for me. I've taken all the precautions I possibly can. All critical Windows updates done, antivirus is constantly updating itself, and hope for the best.
 