Conficker virus




















If the vulnerability is successfully exploited, the worm instructs the target PC to download a copy of the worm from the host PC via HTTP protocol using the random port between and opened by the worm.

Changes system settings. B changes system settings so that the user cannot view hidden files. It does this by changing the following registry entry:. This worm stops several important services, like the following:. B deletes the registry key for Windows Defender, disabling it from running when the system starts. It also blocks any process that has a module name containing any of the following strings from sending network traffic or data (most of these strings are related to antivirus and security software, thus effectively preventing the products from getting signature updates, and possibly preventing users from accessing websites with these strings in the URL):.

Resets system restore point. B might reset the PC's system restore point, potentially preventing recovery using System Restore. Checks for Internet connectivity. B checks if the system has an Internet connection by trying to connect to the following websites:. Downloads files. B can build a URL to download files starting on January 1, The generated URL has a domain name that is based on the current system date. It uses one of the following top level domains:.

For example, aaovt. The generated domain name is first converted to the dot notation, for example, aaovt. Some examples of the constructed URLs are as follows:. It checks the system date if it is January 1, or later.

It also checks the following websites for the date, presumably for verification:. The name of this threat was derived by selecting fragments of the domain ' traf ficcon vert er. Analysis by Jireh Sanico. Take these steps to help prevent infection on your PC. The following could indicate that you have this threat on your PC:.

One of the most common infection vectors for Conficker and its ilk is the Windows AutoRun feature. Eset claims that one out of every 15 threats they detected in used autorun. Unfortunately, disabling it is not as simple as you may think, because even when disabled through conventional means it still parses most of the autorun. To disable it completely, users will need to copy the text below into Notepad. It should be one line from the left bracket to the final quotation mark.

Save it as something memorable, such as StopAutoRun. Double-click on the saved file, and you close the AutoRun loophole. You also won't be able to automatically play DVDs just by putting them in the disc drive, but that seems a reasonable price to pay for slamming the door on this gaping security flaw.
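To confirm that both the conventional setting and the stricter override described above are actually in place, the following read-only PowerShell audit is an added example, not part of the original article. The registry paths and the `@SYS:DoesNotExist` value are the widely documented Windows settings for this purpose and are assumptions here, since the article's own registry text is not reproduced on this page; `Get-AutoRunAudit` is a hypothetical name.

```powershell
# Added example: read-only audit of AutoRun hardening. It changes nothing.
# Assumption: the registry paths and values below are the standard Windows
# ones for this purpose; they are not taken from the article.
function Get-AutoRunAudit {
    $results = @()

    # Conventional switch: the NoDriveTypeAutoRun policy. 0xFF covers every
    # drive type; a missing or smaller value leaves some drive types enabled.
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $path  = "$hive\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
        $value = (Get-ItemProperty -Path $path -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        $shown = if ($null -eq $value) { '(not set)' } else { '0x{0:X2}' -f $value }
        $results += [pscustomobject]@{
            Check = "$hive NoDriveTypeAutoRun policy"
            Value = $shown
            Pass  = ($value -eq 0xFF)
        }
    }

    # Stricter switch: map Autorun.inf to a registry location that does not
    # exist, so Windows never reads the file from any drive.
    $map     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
    $key     = Get-Item -Path $map -ErrorAction SilentlyContinue
    $default = if ($key) { $key.GetValue('') } else { $null }
    $shown   = if ($null -eq $default) { '(not set)' } else { $default }
    $results += [pscustomobject]@{
        Check = 'IniFileMapping\Autorun.inf default value'
        Value = $shown
        Pass  = ($default -eq '@SYS:DoesNotExist')
    }

    $results
}

# One row per control; Pass = False marks a setting that still needs attention.
Get-AutoRunAudit | Format-Table -AutoSize
```

A machine that shows `True` only for the policy rows relies on the conventional setting alone, which is the situation the article warns about.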

Once you've gotten your computer clean and killed off the AutoRun feature, there's still more to do. These changes, however, are behavioral. Stay on top of Windows security updates from Microsoft, do not under any circumstances click on any Web-based "free virus scan" offers, and make sure you're not only running a reputable security suite, but that it's configured for daily virus definition file updates.
