Sunday, April 5, 2009

VIRUS: Win32:Confi (Conficker, Downup, Downadup and Kido)

Win32:Confi is a mass-spreading network worm.

Summary

Type : Worm
Aliases : W32/Downadup, Net-Worm, Win32.Kodo, W32/Confoker
Platform : Windows
Known locations : %WINDIR%\system32, recycle bin

Description

Win32:Confi exploits a security hole in Windows (http://www.microsoft.com/technet/security/bulletin/ms08-067.mspx) to propagate itself over networks. After infecting a machine, Confi creates a service with a randomly generated name and tries to infect other computers in the same subnet. It also drops a copy of itself onto any removable media (USB sticks) plugged into the infected machine. When the attempt to exploit neighbouring computers fails, the worm falls back to brute-forcing weak passwords. The Win32:Confi files themselves cannot be read, copied or deleted by ordinary users (not even by administrators), because the worm strips the access rights and ownership from its files.

Detection/Removal

Manually download the corresponding patch from Microsoft (Confi blocks access to some anti-malware sites, so do this from a clean machine if necessary). Update the avast! VPS to the latest version. Unplug the LAN cable. Schedule a boot-time scan and move all Win32:Confi files to the virus chest. After rebooting, install the MS patch. Reconnect the LAN cable and everything should be fine.
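The description above gives three things an administrator can check on a suspect host before (or after) the boot-time scan: files in the worm's known locations whose ACL has been stripped so that even an administrator cannot read the security descriptor, an autorun.inf dropped in the root of removable media, and whether the MS08-067 update is installed. The following PowerShell triage script is an added example for this post, not code from the original article or from avast!. The paths, the "cannot read the ACL" heuristic and the output format are assumptions drawn from the post's own description; the KB number 958644 is the knowledge-base article for the MS08-067 security update. Run it from an elevated prompt; it only reads metadata and never opens or executes the flagged files.

```powershell
# Added example (not from the original post): host-side triage for the
# indicators described in the Win32:Confi write-up. Assumptions are marked.

# Locations named in the post: %WINDIR%\system32 and the recycle bin.
# Both recycle-bin folder names are assumed (Vista+ and XP/2003 respectively).
$searchRoots = @(
    (Join-Path $env:WINDIR 'system32'),
    (Join-Path $env:SystemDrive '$Recycle.Bin'),
    (Join-Path $env:SystemDrive 'RECYCLER')
) | Where-Object { Test-Path -LiteralPath $_ }

function Find-InaccessibleFiles {
    # Heuristic: reading a security descriptor needs READ_CONTROL. A file whose
    # DACL and ownership were wiped by the worm denies this even to Administrators,
    # so Get-Acl fails where it succeeds for every normal system file.
    param([string[]]$Roots)
    foreach ($root in $Roots) {
        Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer } |
            ForEach-Object {
                try {
                    $null = Get-Acl -LiteralPath $_.FullName -ErrorAction Stop
                } catch {
                    [pscustomobject]@{
                        Indicator = 'ACL unreadable: ' + $_.Exception.GetType().Name
                        Path      = $_.TargetObject
                        Size      = (Get-Item -LiteralPath $_.TargetObject -Force -ErrorAction SilentlyContinue).Length
                        Modified  = (Get-Item -LiteralPath $_.TargetObject -Force -ErrorAction SilentlyContinue).LastWriteTime
                    }
                }
            }
    }
}

function Find-RemovableAutorun {
    # The post says the worm copies itself to removable media; an autorun.inf in
    # the root of a removable drive (DriveType 2) is the matching indicator.
    Get-WmiObject Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
        $inf = Join-Path $_.DeviceID 'autorun.inf'
        if (Test-Path -LiteralPath $inf) {
            $item = Get-Item -LiteralPath $inf -Force
            [pscustomobject]@{
                Indicator = 'autorun.inf on removable media'
                Path      = $inf
                Size      = $item.Length
                Modified  = $item.LastWriteTime
            }
        }
    }
}

function Test-MS08067Installed {
    # KB958644 is the Windows security update released as MS08-067.
    [bool](Get-HotFix -Id 'KB958644' -ErrorAction SilentlyContinue)
}

$findings = @(Find-InaccessibleFiles -Roots $searchRoots) + @(Find-RemovableAutorun)

if (-not (Test-MS08067Installed)) {
    Write-Warning 'MS08-067 (KB958644) is not installed; the host is exposed to the spreading vector described above.'
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    'No inaccessible files in the known locations and no autorun.inf on removable drives.'
}
```

The ACL check reports a file, not a verdict: legitimate files protected by TrustedInstaller or a deliberately tight DACL can also fail Get-Acl, so treat each hit as something to submit to the boot-time scan rather than delete by hand. The patch check only tells you whether the update is present; a host that was already infected still needs the cleanup steps above.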
