Last year everyone waited for the worst to happen.

We were certain that a new piece of malware would be the biggest thing to hit the internet in a long time and that nothing would be the same afterwards.

I am, of course, talking about the infection known as the Conficker worm and how it was supposed to activate on April 1st of last year.

We’ve Nuked It! Haven’t We?

There are certain blogs that are saying that Conficker and the associated botnet are now dead and that no-one is coming back for them (typically, I’ve forgotten where I’ve read that so feel free to drop links to such posts if you can find them).

Whether this is 100% true is not known right now, but what is known is that it has not made a sound lately.

That said, the worm was able to infect the largest amount of computers we have ever seen and now it is just sitting around, waiting for action.

Opinion amongst security experts is divided on whether the Conficker botnet is actually dead or not, though many lessons can be learned either way, as eloquently described in SC Magazines article, “One year since Conficker failed to flicker into action, what have we learned?” (Thanks to Dan Raywood for that link)

Some people believe that it is still active though and just waiting for people to turn their heads enough to let it rise up again.

Conficker, The Attention Whore

Since the worm was able to infect so many computers it received a lot of attention from both the security community and the press.

So much so that it is still a hot topic over a year after it first grabbed the headlines.

Conficker became such big news that Microsoft offered a $250,000 reward for anyone who could offer information about who created the original infection.

So far the money has not been collected and the creators are still on the loose.

Dead Or Alive?

So, is Conficker just playing dead (thanks for the link davkal), or has it really gone for good?

The only way that a botnet can truly be considered destroyed is if it is wiped off of every computer that was infected.

If it is still sat on peoples’ computers, even if just lying dormant, then it lives on.

A dormant botnet can be woken, and not just by the original creators – it could also be taken over by someone who has reverse engineered the program in order to take control of it for themselves.

Even a rogue government, for example, could decide to cause trouble for the world’s internet community by taking over the botnet for a short amount of time.

Whatever the case, the botnet is just sitting there waiting for someone to turn it on.

Of course the likelihood of that diminishes by the day – the creators of the worm are likely too scared to actually use it now – if they do, they will have many government organizations from around the world coming after them!

It may well be that the creators of Conficker botnet could have decided that, even though they had a brilliant plan, that it is just too risky to follow through with it.

Right now they have two choices to make – they can retain their civil liberties by never turning it on, or they can become instant black hat hacking heroes by activitating it whilst running the risk of some serious jail time.

Do you believe Conficker still poses a threat?

Conficker, The Biggest Botnet On The Internet, Has Been Destroyed. Or Has It? is a post from: Security FAQs

One thing about the year 2009 is that it saw it’s share of online threats.

As a matter of fact, there were probably more threats seen in 2009 than in any year prior.

There are more and more hackers that are seeing the financial benefits that can be made by introducing new exploits to the average computer user.

Also, there are a lot more hacker kits that are available.

They allow a person who is not skilled in creating an exploit to have the ability to use one anyway.

All of these factors mixed together made 2009 and dangerous year on the Internet.

The Conficker Worm

None of the threats  that were out there caused more problems than the conficker worm.

This worm took traction in 2009 and wouldn’t stop.

The conficker worm could be easily one of the worse infections that has spread through the Internet for the entire decade, not just 2009.

First found in the wild at the end of 2008, this worm quickly spread to users of the Microsoft Windows operating system family.

After the worm was first discovered, it was hard to stop the infection on user’s computers because the worm itself kept transforming.

The creators of the worm would monitor recent developments that would hopefully help stop the spread of it and they adjusted accordingly.

This is part of the reason why the worm goes by so many different names.

Besides Conflicker, it also known as Downup and the Kido worm.

The worm was able to spread so much and so quick that Microsoft offered a huge bounty on the heads of whoever wrote the worm.

They were determined to eliminate the threat if not by technology, then through old fashion police work.

They were able to discover what region of the world the worm was originating from, but they were not able to find the person or persons responsible for it.

Antivirus Avoidance

For a long time, antivirus software was not able to get rid of every variant of the worm.

Now they all claim to be able to detect and dispose of the worm on a users system.

This seems to be true since the spread of the worm has rapidly decreased in the last couple of months.

The worm was so successful that there is no doubt that the creators of it are working on a 2.0 version.

Since they haven’t been caught, they get the chance to work on all of the mistakes they made.

This time, they can make it even more untraceable.

Out of all the malware that was released in the past year, the Conficker worm proved to be the biggest pest.

It was able to baffle network administrators and security professionals everywhere.

The Conficker Worm Proved To Be The Biggest Problem In 2009 is a post from: Security FAQs

The Conficker virus is now known by many names, including -

• W32/Conficker.worm
• Win32/Conficker.A
• W32.Downadup
• Downadup
• Kido
• Confiker

but it doesn’t really matter what you call it – it is a total and far-reaching menace that has spread far and wide across the internet.

Exploiting flaws found in Windows MS08-067 vulnerability, Conficker continues to infect machines worldwide and may now be installed on as many as 15 million computers across the globe.

If you are unfortunate enough to become infected with Conficker then you will probably quickly discover that you cannot access security websites and that services such as Windows Security Center, Windows Error Reporting and Windows Defender have been disabled.

Not only that but Conficker has the ability to spread itself to other vulnerable computers via many means, including networks and external drives.

So, if one computer in a network is infected, then all the others are likely to become infected too.

Microsoft has released a patch to fix the Windows vulnerability and here is how you can manually remove Conficker from your system -

Killing off the Conficker DLL files

This is a fairly simple task, as detailed below -

1. Right-click the Explorer.exe process and choose the option “Properties”.
2. Click on the “Threads” Tab, locate and highlight the Conficker DLL files listed below.
3. To kill Conficker DLL files, click the “Kill” button.
4. Kill the following Conficker DLL files:

%All Users Application Data%\[RANDOM FILE NAME].dll
%Program Files%\Movie Maker\[RANDOM FILE NAME].dll
%Program Files%\Internet Explorer\[RANDOM FILE NAME].dll
%Temp%\[RANDOM FILE NAME].dll
vhoinp.dll
%System%\[RANDOM FILE NAME].dll

Deleting Conficker Registry Keys and Values

1. Right-click on your Desktop > select “New” option > select “Text Document” (.txt file) option.
2. Rename the .txt file as a .reg file and call it “Delete_Registry_Conficker_Entities.reg”. This renamed .reg file is a command that creates a shortcut to your Windows registry and allows you to easily delete registry values.
3. Right-click and select the “Edit” option.
4. Copy and paste the Conficker keys listed below -

[-HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWSNT\CURRENTVERSION\WINDOWS\APPINIT_DLLS\vhoinp.dll]
[-HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\vhoinp.dll]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\vhoinp.dll]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\vhoinp.dll]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\URLSearchHooks\vhoinp.dll]
[-HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN\vhoinp.dll]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\vhoinp.dll]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Explorer Bars\vhoinp.dll]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\vhoinp.dll]
[-HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\vhoinp.dll]
[-HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE\vhoinp.dll]
[-HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCEEX\vhoinp.dll]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\vhoinp.dll]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks\vhoinp.dll]
[-HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN\vhoinp.dll]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\vhoinp.dll]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\vhoinp.dll]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\vhoinp.dll]
[-HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\vhoinp.dll]
[-HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE\vhoinp.dll]
[-HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCEEX\vhoinp.dll]

5. In the menu bar, go to “File” > select “Save” > then click the “X” button to close the file.
6. Double-click on the .reg file.
7. When the message box appears saying “Are you sure you want to add the information in C:DOCUME~1%username%DesktopDELETE~1.REG to the registry?”, click the “Yes” button.
8. When the message box appears saying “Information in C:DOCUME~1%username%DesktopDELETE~1.REG has been successfully entered into the registry.”, click the “OK” button.
9. The Conficker registry keys have now been deleted from your registry.

Hopefully that should do the trick for you and you can continue surfing without being bothered by Conficker again – just remember to keep your operating system fully patched and updated!

Conficker – How To Kill DLL Files And Delete Registry Keys And Values is a post from: Security FAQs

The Conficker virus differs from other viruses online because it is one of the few malicious worms that have already learned how to protect themselves from deletion.

One of the first steps that all of the different variants of the virus take is to disable all antivirus software and updates that you may have on your operating system.

This ensures that the hole it entered through stays open so that it can continue to host and download files on your computer without any interference.

Additionally, once you have the Conficker virus, it pays close attention to your browsing habits, disabling your entry to any websites such as Microsoft or anti-virus websites that could help you rid your system of it.

So, if the virus itself prevents you from reaching any type of aid, how do you get rid of it once you have it?

Well, there is no set way to remove the Conficker virus from your computer since there are different variants that attack in different manners but there are a few basic tips that may help you remove it on your own before it destroys your operating system.

Many people have found a way around its limited browsing stipulations by having a friend email them an anti-virus download or the Conficker security patch.

While you may no longer be able to access a downloadable removal service for the virus from your computer, you are still able to access software in your email, so this may be an effective way to attack the virus.

You may also consider taking your computer to a computer repair technician if you are suspicious you have the Conficker virus because the longer you allow it to feed on your system the more irreparable the damage it is likely to cause.

If all else fails, reformatting is always effective, but be careful when transferring files to an external storage space because variant B of the Conficker virus will ride along on your storage card to make sure it can re-infect your computer when you reload your files.

How Do I Remove Conficker After It Disables My Antivirus? is a post from: Security FAQs

The Conficker Cabal was the nickname given to an ad hoc partnership, led by Microsoft, to fight the Conficker virus.

Back in February Microsoft announced a partnership with various technology industry leaders and academia which was to implement a coordinated, global response to the Conficker worm.

Together with security researchers, Internet Corporation for Assigned Names and Numbers (ICANN) and operators within the Domain Name System, Microsoft coordinated a response designed to disable domains targeted by Conficker.

Shortly afterwards Microsoft also announced a $250,000 reward in return for information that would result in the arrest and conviction of those responsible for illegally launching the Conficker virus.

The organisations partnering with Microsoft in this cabal, which has since been renamed due to the negative connotations of that name, include the following -

• ICANN
• NeuStar
• VeriSign
• CNNIC
• Afilias
• Public Internet Registry
• Global Domains International Inc.
• M1D Global
• AOL
• Symantec
• F-Secure
• ISC
• Arbor Networks

Eight months on and there are still no arrests in connection to the Conficker menace.

What Is The Conficker Cabal? is a post from: Security FAQs

You may have disregarded the warnings about the Conficker virus the day before April 1st as just another exaggerated epidemic like Y2K.

However, if you are lucky enough to have avoided infection up to now it may be time to take the warning a little more seriously because the Conficker virus is a very real crippling agent that can destroy your computer system if activated.

Thought to have been developed in Germany, since the root of the name ‘ficken’ is a German obscenity, and the domain it uses has been tracked to Ukraine, the Conficker virus is a very powerful computer worm that has infected millions of computers since it emerged in October 2008.

It is estimated that, since then, between 9 and 15 million computers have been infected by the Conficker virus, and the number is still growing exponentially as its variants gather strength and continue to grow.

There are four five known variants of the Conficker virus, all of which are designed to open the door for each other should one find its way onto your computer.

Although the variants have different destructive paths into your personal laptop, once they fix themselves into your operating system they open the door for strong strands so that your computer can be taken over.

Most people who have the Conficker virus are unaware of its presence until they notice that they can no longer update their computer software or until their operating system crashes.

This is because the Conficker virus works in the background downloading files and using your computer system as a host computer to continue spreading itself throughout the Internet world.

This is one reason why it has been a struggle to trace the origins of the Conficker virus, because once it finds a host computer it simply exhausts all its available resources, using it as a command center, and then moves on.

Thus, if you are not aware of its presence in your computer, you can continue to use most of your Internet functions until it has used all your resources and crashes the operating system leaving your computer worthless and inoperable.

Why You Shouldn’t Disregard The Conficker Virus Just Yet is a post from: Security FAQs

There is a bit of an argument going on within the ranks of the Digirati.

Everyone is trying to decide if the Conficker Worm is the most advanced virus ever created.

Arguments can be made for other previously released viruses that have wreaked havoc on computer networks and caused billions of dollars in damage.

Elegant Design

Even the most experienced programmers agree that Conficker has a very elegant design and that nobody seems to be able figure out exactly how it works.

Other experts state that they have never seen anything like it.

However, there are some contenders as far as the speed of the virus and the monetary damage it causes are concerned.

Vs. Nimda 2001

Released on 18 September, 2001, Nimda became the fastest spreading virus of the time and found its way into thousands of computers in 22 minutes.

Nimda used an email propagation scheme that had a file attachment “README.EXE” and was the worst virus up to that date.

Vs. SQL Slammer 2003

On 25 January, 2003, SQL Slammer reared its ugly head and began to slow down Internet traffic by causing denial of service attacks on host computers.

The virus quickly spread to over 75,000 computers within 10 minutes and completely shut down the Internet in South Korea.

Vs. Storm 2007

The Storm Worm was released on 19 January, 2007 and within 72 hours was held accountable for 8% of all malware infections worldwide.

Storm also used an email propagation scheme with an email that had the title: “230 dead as storm batters Europe.”

During those 72 hours there were 6 different attacks performed by the Storm Worm.

Technologically Advanced?

Is Conficker the most advanced virus ever?

Most experts would say yes. However, the monetary damage done by Conficker has been pale in comparison to other previous malware attacks.

Only time will tell whether Conficker is the most advanced virus or not…

Conficker: The Most Advanced Virus Ever? is a post from: Security FAQs

Currently there are four versions or levels of the Conficker Virus — A, B, C, and D – that are steadily infecting Windows’ Operation Systems worldwide.

Conficker affects Windows 2000, XP, Vista and Windows 7 Beta as well some Windows server platforms such as 2000, 2008 and 2008 R2 Beta.

Basically what the virus does is it disables the computer’s ability to defend itself from malware.

There are Conficker precautions that a Windows user can take in order to prevent any of the Conficker levels from infecting a computer.

Using Windows Live Update

Most private Windows PC owners can prevent the Conficker Virus from attacking their computer by simply making sure that the Automatic Update feature is turned on for their PC.

To do this simply press the “Start” button; open the “Control Panel”; go to “Windows Security Center” and make sure that “Automatic updating” is turned on.

This will ensure that the PC has received the necessary out-of-band patch.

Using Group Policy

Group Policy is a way in which networks can prevent the Conficker Virus from attacking PCs at the workplace.

Using Group Policy will negate Conficker’s activities by removing users from the “Administrator” list. Doing this means that it will be very unlikely for the virus to attack a PC on a network.

Third Party Protection

Third party software developers that specialize in anti-virus and malware protection have developed their own patches that scan for and remove the Conficker worm.

Some of these applications will run the scan automatically and others will have a scan-on-demand feature.

Conclusion

Many people believe that the current levels of the worm are just a prelude of things to come.

By having the Conficker virus already disabling malware protection on a PC, it could leave the PC open to other malware attacks.

It is best to make sure that precautions against Conficker have been taken so that there are no security issues later on.

The A,B,C And D Of Conficker Precautions is a post from: Security FAQs

If you are one of the millions who have recently found the Conficker virus on their computer, it is likely that your only concern now is how to get rid of it.

First off, you deserve kudos for diagnosing its presence on your system since many people overlook the dormant but deadly virus until it is too late and their operating systems have been destroyed.

However, the fact that you have been observant and caught it out does not mean that your worries are over; in fact, they have probably just begun.

For starters, if you have more than one computer in your home you should not transfer any removable devices between the computers until you have deleted the Conficker virus.

This is because the virus has a Variant B which will hide in removable devices and then attack during an auto-run function.

So your very initial action should be to control the reach of the Conficker virus within your own home.

Next, because the Conficker virus will disable your anti-virus programs and automatic updates, you need to out think the strand by downloading anti-virus software in your email.

The virus will prevent you from accessing any anti-virus websites that offer you the security patch to eliminate the threat or download the software to destroy it.

However, it will not prevent you from opening your email so if you send yourself a download to erase the Conficker virus from another source you should be able to access and start the download to clean your system.

If this does not work, you may want to take your computer to a computer expert who specializes in deleting viruses because you may need to have your computer reformatted, which can be a dangerous job for a computer novice.

Plus, if the job is not properly executed, you risk losing your data as well as re-infecting your system again with the Conficker virus once reformatting is complete.

How Do I Remove The Conficker Virus? is a post from: Security FAQs

The Conficker virus is one of the most infectious and one of the hardest viruses to detect that has hit the Internet.

There are a number of ways to counteract this newest threat and an even greater number of ways to transport this worm to other machines and networks.

Currently, it is estimated that some 9.5 million computers worldwide are infected.

It has the capability of deflecting traces as well as transporting itself via USB memory sticks allowing it to spread even faster and through networks that are normally secured from outside threats.

Once inside your machine it resets restore points, creates registry values, and even generates hundreds of domains to prevent the hacker file download domain from being known.

Mutations of this worm have already been found and once activated it can give the hacker full administrative rights to your computer.

There are a few things that you can do to help protect yourself from getting this worm.

The first thing is to update Windows.

Every so often, and especially when threats such as this come out, Microsoft offers security updates that are designed to protect your computer.

Many people do not realize the importance of these security updates and so do not install them.

This leaves your computer vulnerable to these types of threats.

The next step is to download a remover program from a trusted source and scan your system to ensure that you have not already been infected with the Conficker worm.

Even with the security updates protecting your computer, you should scan your computer often and make sure to keep your antivirus and remover tools updated.

These are the best methods to help prevent your computer from becoming infected and removing any infections which may already be present.

It is also a good idea to scan USB flash drives and other media before installing any files onto your computer.

Conficker Countermeasures is a post from: Security FAQs