Two Minute Conficker Titbit: What’s Conficker About?
In light of the recent Conficker ruckus, I thought maybe I should start writing about that first.
The Conficker worm is also known as Downadup and Kido. As you may or may not know, it is a funny little thing that targets only Microsoft operating systems and has several different versions, named Conficker.A, Conficker.B, Conficker.C, (yes) Conficker.D, and (surprise, surprise) Conficker.E. If you often use removable media to transfer data from machine to machine, be wary of version B.
At the moment, version B seems to propagate mainly through file sharing between machines, whether across a network or via removable media such as a flash drive. Previously it took advantage of a security hole in Windows, now purportedly patched by security update 958644 (MS08-067). Download this update if you haven’t yet.
When you plug a flash drive into a USB port, the autoplay might come up and you might notice two options that say you can open a folder to view the files on the device. One is real, the other obviously created by a worm of some kind (no prizes for guessing that).
Your autoplay options might not separate the actions you can take into ‘Install or run program’ or ‘General options’ or whatnot. The image is merely an example. But if Conficker.B is there, you would get two ‘folder’ options. The one that opens using Windows Explorer is genuine. Do not click the option that opens a folder by an unspecified publisher.
The wording of the Conficker ‘folder’ option may not be exactly the same as that in the picture. I came across one that said something like ‘Open folder to view files by an unspecified publisher’. Either way, unspecified publishers are bad news. Stay away and I might buy you some milk and cookies.
Upon running avast! Antivirus the following file was removed from the infected flash drive:
AUTORUN.INF
Reports are sketchy from the battlefront, but this file could be the trigger program that unleashes Conficker.B into a system. Once again, do not choose the option to open a folder by an unspecified publisher. You might get a chocolate bar if you do.
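A way to inspect a drive's AUTORUN.INF before trusting its AutoPlay entries, as an added example that is not part of the original post: it reads the file, tolerates junk lines, and reports a label that imitates the genuine 'open folder' option while a program is set to run. The key names are the standard autorun.inf ones; the sample contents are constructed, and the icon check is a heuristic assumption.

```python
import re

# Keys in the [autorun] section that make Windows run something.
EXEC_KEYS = ("open", "shellexecute")
# AutoPlay label wording that imitates the genuine Explorer entry.
FOLDER_LURE = re.compile(r"open\s+folder|view\s+files", re.IGNORECASE)


def parse_autorun(raw: bytes) -> dict:
    """Return key/value pairs from the [autorun] section, skipping junk lines."""
    entries, in_section = {}, False
    for line in raw.decode("latin-1").splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_section or "=" not in line or line.startswith(";"):
            continue
        key, value = line.split("=", 1)
        entries[key.strip().lower()] = value.strip()
    return entries


def assess(raw: bytes) -> list:
    """List the reasons an autorun.inf deserves attention (empty list = none)."""
    entries = parse_autorun(raw)
    findings = []
    commands = [k for k in entries if k in EXEC_KEYS or k.startswith("shell\\")]
    if commands:
        findings.append("runs a program: " + ", ".join(sorted(commands)))
    if FOLDER_LURE.search(entries.get("action", "")):
        findings.append("AutoPlay label imitates 'open folder'")
    # Heuristic (assumption): a system icon paired with a command suggests a disguise.
    if commands and "shell32.dll" in entries.get("icon", "").lower():
        findings.append("borrows a Windows system icon")
    return findings


# Constructed samples (not taken from a real drive).
SUSPICIOUS = (b"\x8f\x02junk\r\n[AUTORUN]\r\n;pad\r\n"
              b"Action=Open folder to view files\r\n"
              b"Icon=%SystemRoot%\\system32\\shell32.dll,4\r\n"
              b"ShellExecute=example.exe\r\n")
BENIGN = b"[autorun]\r\nicon=vendor.ico\r\nlabel=Backup Drive\r\n"

if __name__ == "__main__":
    for name, sample in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, assess(sample))
```

Read the file's bytes from the drive without opening the drive through AutoPlay, then pass them to `assess`.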
While it is uncertain what Conficker’s ultimate purpose is, most specialists speculate that it will spearhead some kind of attack by turning infected machines into ‘zombies’, to be controlled by the creators of the worm or the worm itself. The other theory is that the worm is merely a gimmick and that the real threat comes from people installing ‘scareware’ into their machines.
Scareware is software that people install into their machines hoping to safeguard them from harm. Hence, they use scareware when they are anxious about some threat or another. The problem is that a lot of scareware masquerades as protection software, and people are unwittingly putting viruses and spyware into their computers while thinking that they are getting the latest free security applications.
Of the multitude of free security applications on the Web, only a handful can be trusted. Always check that a site you are visiting is run by a legitimate company, such as Symantec, AVG, or McAfee.
Conficker managed to evolve on April the 1st, so there is little doubt it could do so again. If it can again update itself to better withstand removal, there is a chance it can update itself to finally turn into some malicious beast.
If you are running Windows of any kind, keep abreast of updates from Microsoft’s official website. Try not to use free removal tools from suspicious sites. These may actually be rogue software or spyware trying to disguise themselves as legitimate security software.
Until next time, take care and keep your fingers crossed.
Posted on 16. Apr, 2009 by Adrian in AntiVirus, Security, Software
TechMixer

One Comment for Two Minute Conficker Titbit: What’s Conficker About?
Anelly Says
22. Apr, 2009
The truth is that this worm has caused significant damage since last year. And it’s sad that it is very difficult to prevent the infection.