Conjugal Relations with the Conficker.C Worm

Sharkey
Original Founder
Posts: 1364
Joined: Sat Oct 09, 2004 4:00 am

Post by Sharkey »

For the last several months, maybe longer, I've had the feeling that things weren't quite right with my computer. I kept getting "svchost.exe has caused errors and will be closed" messages. I was not able to unhide hidden files in Windows Explorer. My Dial-Up Networking passwords would disappear and have to be reentered. Dial-Up Networking sessions could not be terminated, the command to disconnect would be ignored. It was taking five minutes or more for my LAN connection to become active. Most telling was that I was no longer able to use my web browser to view anything at the Microsoft.com web site, I would get redirected to a page of phony search results that looked like Yahoo but wasn't.

Investigations into this suggested that I had been infected by a trojan or worm. During the recent cold weather, I decided to do something about the problem. I started by loading an older version of a well-known antivirus program. After installing, it was time to update the virus definitions, but the program's live update failed. More searching around on the web suggested that the software maker's site was also being blocked. Sure enough, I was unable to visit their site in a web browser.

Time to get industrial. I booted to Safe Mode, which allowed me to view the software maker's site on the web. After two failed live update attempts (127 Mb and two hours of waiting), I decided to manually update the antivirus software. The manufacturer's site provided the information that the version that I had installed was no longer supported and that new virus definitions were not available for it.

Screw it, I decided to do a parallel installation of Windows 2000 on my computer, installing to a different directory and having a dual-boot system, old and buggy and new and shiny. This process took the better part of two days to install the OS, configure it, update it, install all my normal programs, install a printer, install a modem, set up Dial-Up Networking profiles, etc. It was a LOT of work, partly because I run a very customized Windows installation, and I insist that it be set up "just so".

I had one bad scare: I thought that I had lost all of my Opera browser bookmarks, and my backup copy (most recent being last Wednesday) didn't seem to bring them back. Turned out to be some .ini file confusion that was easily edited and fixed.

The system was up and running, exhibited none of the previous problems, and was nice and fast.

I had one program left to install, Roxio Drag-to-Disc for my CD-R drive. I remembered that I had a copy of the install files on my 160 Gb external USB drive, so I plugged it in. The system froze for a while, then my software firewall started going nuts, throwing up flags that something on the system was attempting to connect to the internet on a variety of unusual ports.

A rogue binary file masquerading as an autorun.inf file on the external hard disc had completely reinfected my system! Two days of effort wasted!!!

Now I was really mad! I Googled "autorun.inf virus" and eventually came to a blog entry that described the problem and suggested using the Microsoft Malicious Software Removal Tool to get rid of the worm. I figured that no one knows more about malicious software than Microsoft, so I rebooted to Safe Mode, got the tool and ran it on my new installation. A quick scan found the Conficker.C worm and removed it. I ran it again, specifying the system32 folder on my original Win2K installation, and it found it there and removed it also.

The Microsoft tool appears to have isolated and removed the corrupt files from my Win2K operating systems. Both the boot systems on my computer are clean, and I can once again visit sites that were failing to connect properly. Now I'm going to each of my four computers and scanning them, as the Conficker worm propagates through network connections.

This $@#&*! thing was ~everywhere~, on my external USB drive, on two USB thumb drives, on the Memory Stick out of my camera, two Zip discs, ~~and~~ it appears to have embedded itself in CD-R's that I burned as far back as July.

This last news is particularly troubling, as if the virus can migrate to removable media of all types, then I probably introduced it to the computer at one of my transmitter sites through the CD-R's that I burned of the equipment software update downloads. I don't think this poses any danger to the transmitting equipment, as they run Linux OS, but this may be part of the reason I was getting a BSoD out of the HD Importer computer last time I was there.

I will burn the Microsoft tool to a CD-R and use it to debug the Importer. I will be keeping a close eye on my computers and watching for "autorun.inf" files on removable media from now on. In the meantime, I have used TweakUI to shut off the autorun feature for removable media, this should help prevent a reinfection at home. That and the new hardware firewall should keep them from coming in from the satellite internet connection.

Now I have to go inspect the computers at the radio station studios, I have been on the network there both hardwired and wifi, it's very possible that they have been infected as well. Worldwide, over 15 million computers are estimated to be infected with Conficker.

Fuckin' script kiddies. Microsoft has a $250,000 reward for their arrest and conviction. I would hope to be able to personally give them a good solid kick in the head before the authorities drag them off to a dungeon to die cold and alone.
GoodClue
Posts: 267
Joined: Mon Feb 23, 2009 1:49 pm
Location: Florissant, Colorado, US

Cornflicker ...

Post by GoodClue »

Thanks Sharkey, went to the site, downloaded the program, saved the links ... we still have Gitmo, don't we ... ?
Last edited by GoodClue on Sun Dec 13, 2009 11:40 am, edited 1 time in total.
Sharkey
Original Founder
Posts: 1364
Joined: Sat Oct 09, 2004 4:00 am

Post by Sharkey »

Doug, keep in mind that the MSRT is updated every second Tuesday of each month. If you attempt to run the downloaded file more than 30 days from its creation date, it will fail and you'll have to download the current version. Either that or reset your computer's clock to a date that the program will accept...
stuartcnz
Site Admin
Posts: 875
Joined: Fri Dec 19, 2008 8:05 pm
Location: Aotearoa, New Zealand

Post by stuartcnz »

I think it's time for a big thank you to all Windows users. Having such a big population makes for a big target for hackers and virus writers, which mostly leaves those of us MacOS and Linux users off their radar.

So again, thank you all users of Microsoft's operating systems.
Sharkey
Original Founder
Posts: 1364
Joined: Sat Oct 09, 2004 4:00 am

Post by Sharkey »

Ha ha, funny guy, consider this: While researching how to get rid of this bug, I saw a few articles about "skin" viruses for the Mac OS, so you aren't totally immune. The difference I see is that when your Mac dies, you pretty much have to take it into the shop to make it work again, while hacking a Win box back to life is minor league stuff.

Eventually, M$ will force me to either Mac or Linux. I steadfastly refuse to move forward in the Win OS queue past Win 2000 Professional. Win2K hasn't been supported for a couple of years now, and that gripes me. My laptop has XP Pro, and I absolutely despise it. I hate how it looks, I hate how it feels, I hate all the pop-up notification balloons, and I want to drive a stake through the heart of the cute puppy that pops up to assist with every search for files or computers. That you can't reload XP on your own computer without M$'s permission in the way of a registration is a deal killer in itself.

There are a couple of applications that I would be using if they weren't locked out from OS below XP, Adobe Audition 2.0 for example. My biggest problem with migrating to non-Win OS is the lack of software available. Once someone puts together a WINE interface for Linux that actually works and can run any C+ application, I may be over Win for good.
stuartcnz
Site Admin
Posts: 875
Joined: Fri Dec 19, 2008 8:05 pm
Location: Aotearoa, New Zealand

Post by stuartcnz »

Sharkey wrote: Ha ha, funny guy, consider this: While researching how to get rid of this bug, I saw a few articles about "skin" viruses for the Mac OS, so you aren't totally immune. The difference I see is that when your Mac dies, you pretty much have to take it into the shop to make it work again, while hacking a Win box back to life is minor league stuff.
While I do not dispute this, I have never bought any anti virus software, or had any viruses in the last ten years of using MacOS. Having now put that into print, my luck is probably about to run out though.

I think that Macs are starting to get to the market saturation point where hackers could start turning their attention to them soon. Especially with the advent of iPods and iPhones, etc.

The only software that I cannot run on either Mac or Linux is CAD. There are some versions for Mac, but not Rhino, which is what I am starting to learn, so I have had to start using XP, but because I have installed it as a partition on my Mac, I don't really have to use it for anything else. Everything else I have been able to get on Mac, and usually more stable than my friends can on Windows systems.

For me, the operating system that I see the best future for is Ubuntu Linux. Unfortunately it still doesn't have much in the way of CAD support and I haven't found anything to replace Photoshop with, but already it has everything else that I would want, including Quanta for building websites (I just need a spare computer big enough to install the full version of Ubuntu, instead of the netbook version I have now on an Asus eeepc). It even supports a native version of Opera. Ubuntu is advancing at an incredible speed, with a new version released every six months (April and October), a huge support base and pretty much all software is free, even official versions of some software that are commercial licence for Mac and Windows. And yet it still has such a miniature user base that I think it will be some time yet before the virus writers become interested in it.

WINE is also available for the latest distro of Ubuntu, 9.10.
Sharkey
Original Founder
Posts: 1364
Joined: Sat Oct 09, 2004 4:00 am

Post by Sharkey »

More virus fun tonight. I managed to get my laptop reinfected over the summer by allowing it to connect to the neighbor's WiFi, but I noticed it right away and used the MSRT to kill off Conficker once again.

For the last several days, I've been doing my 2010 income taxes on the laptop (because the tax software won't run on W2K), and I've had the feeling things weren't exactly right, but I put that down to the huge tax preparation application that I had installed.

Tonight, I used a USB drive to transfer the completed tax documents to my desktop computer, and noticed the "autorun.inf" file and a hidden directory named "trashbin" on the drive. This is the telltale signature of a virus infection. Since the last round of infections, I've disabled removable media from starting any actions when inserted into my computers, so my desktop wasn't infected.

Downloaded the MSRT application from M$ and ran it on the desktop and USB drive. No problems on the desktop, but it found Win32\Slenfbot.gen!D on the drive.

Transferred the MSRT program to the laptop and attempted to run it. The application terminated before I could even click anything. Screw it, I'll boot to "Safe Mode" and kill the bugs that way.

No go. Safe mode aborted without completely booting.

Now I was pissed. Researched some more using the desktop and found that this particular virus had been written to terminate a wide variety of antivirus applications, including the MSRT. It also is reported to be in a severe threat category.

I've been hearing quite a lot of good things about "Super Anti Spyware" ( http://www.superantispyware.com ), and in spite of the dumb name, all the reviews were positive. The developer is also a local guy who's made good with his free virus killer, so I decided to give it a try.

The virus didn't see the SASW (superantispyware) coming, and in about 20 minutes of scanning, the program had corralled 60 instances of virii, adware cookies, malware traces, registry anomalies, etc. One click and they were all quarantined.

After a clean reboot, I tried again to boot to Safe Mode. Still not working. Clicked around in the SASW program and found a "Repairs" tab. One of the offered repairs was "Repair broken SafeBoot key", a registry edit. Highlighted it, clicked "Perform Repair" and rebooted. Now Safe Mode works again.

I have to say, I'm pretty impressed. There is a paid version with enhanced features for $20 which will run real time to protect from future exploits, I'm tempted to purchase it for the laptop, it seems to get hit the hardest with this stuff.

Still not sure where I picked this nasty up from, could have been the radio station's network, or maybe all the time downloading updates for the tax software allowed some junk to slip in. I do keep the laptop behind a NAT firewall here at home, so I can't imagine that it came through the satellite ISP connection (this time).

Anyhow, SASW gets a :thumbup: :thumbup: from me!!!
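A defender-side check for the autorun.inf vector that runs through both of Sharkey's infection stories above (the external drive that reinfected the fresh install, and the USB stick with autorun.inf plus a hidden "trashbin" directory). This is an added example, not code from the thread: it parses the launch directives in an autorun.inf and reports whether the file they point at is actually present on the drive. It assumes the drive is mounted at a path you pass in; the sample drive is constructed in a temporary directory.

```python
"""Scan a removable-drive mount point for the autorun.inf infection markers
described in the thread. Sample drive below is constructed, not real data."""
import os
import pathlib
import tempfile

def parse_autorun(text):
    """Return {directive: command} for launch directives in [autorun] (hand-rolled:
    infected files are often padded with junk that strict INI parsers reject)."""
    targets, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            key = key.strip().lower()  # keys are case-insensitive on Windows
            if key in ("open", "shellexecute") or key.endswith("\\command"):
                targets[key] = value.strip().strip('"')
    return targets

def scan_drive(root):
    """Report what an autorun.inf on root would launch and whether that file exists."""
    inf = os.path.join(root, "autorun.inf")
    if not os.path.isfile(inf):
        return {"autorun_inf": False, "targets": []}
    with open(inf, encoding="latin-1", errors="replace") as fh:
        directives = parse_autorun(fh.read())
    findings = []
    for key, cmd in directives.items():
        exe = cmd.split()[0] if cmd else ""  # drop any arguments
        exe_path = os.path.join(root, *exe.replace("\\", "/").split("/"))
        present = os.path.isfile(exe_path)
        # st_file_attributes (FILE_ATTRIBUTE_HIDDEN = 0x02) is only set on Windows
        attrs = getattr(os.stat(exe_path), "st_file_attributes", 0) if present else 0
        findings.append({"directive": key, "command": cmd, "path": exe_path,
                         "present": present, "hidden": bool(attrs & 0x02)})
    return {"autorun_inf": True, "targets": findings}

def build_sample_drive():
    """Constructed stand-in for the infected USB stick from the thread."""
    root = tempfile.mkdtemp(prefix="usb_")
    os.makedirs(os.path.join(root, "trashbin"))
    pathlib.Path(root, "trashbin", "setup.exe").write_bytes(b"MZ placeholder")
    pathlib.Path(root, "autorun.inf").write_bytes(
        b"[autorun]\r\nopen=trashbin\\setup.exe\r\n"
        b"shellexecute=trashbin\\setup.exe\r\nicon=setup.ico\r\n")
    return root
```

Run `scan_drive("E:\\")` (or the mount point of the stick) on each piece of removable media before opening it; a present target under an oddly named directory is exactly the pattern the post describes.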
Dualfuel
Posts: 207
Joined: Wed Feb 17, 2010 12:21 pm
Location: Calumet MI

Post by Dualfuel »

Normally, I like to write about things I know. Even things, I think I know. I don't know computer specific things like what this thread is about. Still, this is a social forum, and I feel compelled to comment.
I am dismayed with the viruses plaguing computers. I am helpless when the computers I use are taken over by a virus.
I try to remain remote and not emotionally attached to them, in case I lose their use. I am like that with the phone, and the VCR too.
I don't listen to the radio here because of the relentless repetition of old old music. So when all those stars line up, there are times when I live in a vacuum.
Nothing but the sun and wind. Burn firewood, heat water, make the corn muffins, and repeat. It's because of these vulnerabilities that I try to not depend on the inverter too much.
I am not a Luddite. I simply am not going to give up on life because I can't load Farmville. This is why I stay in my lane.
I make fuel, I make fuel, and I make fuel. Nay, I am a one trick pony, but, by having fuel, people bring me all these other things, like generators, or computer networks. I depend on them for keeping that stuff working, and I concentrate on the generators, and fuel.
Mr. Sharkey's story is fascinating and frustrating. I would not trade my problems (which is currently, finding the time to hook up the centrifuge) for his problems.
I was glad to read about it though. It is interesting to know that everybody has difficulties.
ezrablu
Posts: 961
Joined: Tue Nov 09, 2010 2:40 am

Post by ezrablu »

@Sharkey...very good link. I tried it...very good stuff, thanks.
ezrablu
1991 Bluebird International
360 DT - 6 Speed