Technical Cyber Security Alert TA09-088A.

National Cyber Alert System

Conficker Worm Targets Microsoft Windows Systems

Original release date: March 29, 2009
Last revised: —
Source: US-CERT

Systems Affected

* Microsoft Windows

Overview

US-CERT is aware of public reports indicating a widespread
infection of the Conficker worm, which can infect a Microsoft
Windows system from a thumb drive, a network share, or directly
across a network if the host is not patched with MS08-067.

I. Description

The presence of a Conficker infection may be detected if a user is
unable to surf to the following websites:

* http://www.symantec.com/norton/theme.jsp?themeid=conficker_worm&inid=us_ghp_link_conficker_worm
* http://www.mcafee.com

If a user is unable to reach either of these websites, a Conficker
infection may be indicated (the most current variant of Conficker
interferes with queries for these sites, preventing a user from
visiting them). If a Conficker infection is suspected, the
infected system should be removed from the network. Major
anti-virus vendors and Microsoft have released several free tools
that can verify the presence of a Conficker infection and remove
the worm. Instructions for manually removing a Conficker infection
from a system have been published by Microsoft in
http://support.microsoft.com/kb/962007.

II. Impact

A remote, unauthenticated attacker could execute arbitrary code on
a vulnerable system.

III. Solution

US-CERT encourages users to prevent a Conficker infection by
ensuring all systems have the MS08-067 patch (part of Security
Update KB958644, which was published by Microsoft in October
2008), disabling AutoRun functionality (see
http://www.us-cert.gov/cas/techalerts/TA09-020A.html), and
maintaining up-to-date anti-virus software.
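
The checks from sections I and III, combined into one local triage script. This is an added example, not part of the US-CERT alert. It assumes that the interference shows up as failed name resolution, that example.com is a control name the worm does not block, and that the AutoRun policy is read from the machine-wide NoDriveTypeAutoRun registry value.

```powershell
# Added triage example (not from the alert). Run locally on the suspect host,
# PowerShell 2.0 or later.
$vendorSites = 'www.symantec.com', 'www.mcafee.com'  # hosts of the two URLs in the alert
$controlSite = 'example.com'                         # assumption: a name the worm does not block

function Test-NameResolves([string]$Name) {
    # True when the local resolver returns at least one address for $Name.
    try   { return ([System.Net.Dns]::GetHostAddresses($Name).Length -gt 0) }
    catch { return $false }
}

# 1. Symptom check: vendor names fail while an unrelated name still resolves.
#    The control lookup separates this from an ordinary DNS or network outage.
$controlOk = Test-NameResolves $controlSite
$failed    = @($vendorSites | Where-Object { -not (Test-NameResolves $_) })
if (-not $controlOk) {
    $symptom = 'Inconclusive: control name does not resolve either'
} elseif ($failed.Count -gt 0) {
    $symptom = 'Suspect: cannot resolve ' + ($failed -join ', ') + '; remove host from network'
} else {
    $symptom = 'Not observed: vendor names resolve'
}

# 2. Patch check: KB958644 carries the MS08-067 fix. A miss here is a prompt
#    to verify the patch level by other means, not proof the host is unpatched.
$hotfix = Get-HotFix -Id 'KB958644' -ErrorAction SilentlyContinue
if ($hotfix) { $patch = 'KB958644 installed' } else { $patch = 'KB958644 not listed' }

# 3. AutoRun policy: report the machine-wide NoDriveTypeAutoRun value.
#    0xFF requests AutoRun off for every drive type; TA09-020A covers the
#    conditions under which Windows honours the setting.
$key   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$value = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
if ($null -eq $value) { $autoRun = 'NoDriveTypeAutoRun not set' }
else { $autoRun = 'NoDriveTypeAutoRun = 0x{0:X}' -f $value }

# One object per host so results can be collected and compared.
New-Object PSObject -Property @{
    Computer = $env:COMPUTERNAME
    Symptom  = $symptom
    Patch    = $patch
    AutoRun  = $autoRun
}
```

A "Suspect" result is only the symptom the alert describes; confirm it with one of the vendor or Microsoft removal tools before cleanup.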

IV. References

* Virus alert about the Win32/Conficker.B worm

* Microsoft Security Bulletin MS08-067 – Critical

* Microsoft Windows Does Not Disable AutoRun Properly

* MS08-067: Vulnerability in Server service could allow remote code execution

* The Conficker Worm

* W32/Conficker.worm
