Many of you have probably heard of the Conficker worm, which has infected millions of computers around the world. If a computer is running an unpatched Windows XP or Vista without an antivirus or Internet security product that can detect Conficker, chances are the worm has found its way in. Conficker is old news, but only recently did I encounter it myself. I rented a dedicated server in Malaysia, located in the TM datacenter, and the web host installed Windows Server 2008 R2. I don't really need a server operating system, so I asked them to change it to the good old Windows XP.
Once they had finished installing XP, they gave me the user account information so that I could log in using Remote Desktop Connection. The first thing I always do when I get my hands on a newly installed Windows operating system is to go to Windows Update to download the hotfixes and service pack. I opened Internet Explorer and the default Microsoft page couldn't load. Then I tried accessing Windows Update and that page wasn't accessible either! There were no problems loading Google.com. The first thing that came to my mind was a bad HOSTS file. I checked the HOSTS file and it was clean. The next thing in line that could be the problem was the DNS server, which translates domain names to IP addresses. I changed to the Google DNS servers, but still no go.
Finally I figured that it could be a virus or worm, so I searched Symantec's website and the symptoms pointed to the Conficker worm. Conficker is shockingly effective: it spreads over the network by exploiting a vulnerability in the Windows Server service (fixed by Microsoft in the MS08-067 update), so a freshly installed, unpatched Windows XP box sitting on a LAN with infected machines is compromised automatically, without any user interaction. Selective blocking of exactly the sites you need to fix the problem is one of its tell-tale symptoms: the worm patches the DNS lookup code that runs inside the DNS Client (dnscache) service in memory, so names containing strings such as "microsoft", "windowsupdate" or "symantec" fail to resolve while everything else works. That is why a clean HOSTS file and a different DNS server made no difference.
Fortunately the fix was pretty easy. All I needed to do was stop the dnscache service so that lookups no longer go through the patched code and I could reach the security websites again to download the Conficker Removal Tool. Once Conficker had been removed with the tool, I could visit Windows Update to patch Windows and prevent any known worm from infecting the computer. Note that stopping the service only sidesteps the block; it does not remove the worm, and an unpatched machine that stays on the same network will simply be re-infected, so apply the updates straight after cleaning.
1. Stop the dnscache (DNS Client) service
   1. Press WIN+R
   2. Type cmd and hit Enter (on Vista or Windows 7, open the Command Prompt as an administrator instead; net stop needs elevation or it fails with "System error 5 has occurred. Access is denied.")
   3. Type net stop dnscache and hit Enter
2. Download the Conficker Removal Tool
   http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/D.exe
3. Update Windows
The Conficker worm was discovered about 4 months ago and it is still circulating in the TM datacenter. I guess the server administrators are to blame for the continued spreading of the Conficker worm because they did not bother to perform regular maintenance. Have you had any experience with the Conficker worm? If yes, please do share your experience with us.
I do think the job for a dedicated server is the owner's, who leases the server.
The virus may come from another dedicated server in that TM Datacentre, within their LAN.
If TM blocks the server then the customer will blame them and not pay for the day it was blocked.
Just from the view of an IT Admin who only controls traffic, not the servers.
I saw it at my University Campus; damn virus, I thought it was extinct. Seems like a new variant.
I'm using Kido Killer from Kaspersky to remove Conficker. Download it here:
support.kaspersky.com/downloads/utils/kk.zip
Thanks for the information…
USB worm the most dangerous malware: McAfee
siliconindia.com/shownews/USB_worm_the_most_dangerous_malware_McAfee_-nid-68025.html
I can’t stop the dnscache service! How come?
“System error 5 has occurred. Access is denied.”
I’m using Windows 7 Pro OEM.
Windows XP as server? I’m sure you have good reason for it…
Oh hell… a lot of people still don't care about updating their Windows and also their antivirus software…
Last time, when Conficker hit my office, I was so frustrated troubleshooting and cleaning those PCs… using ComboFix and various Conficker removal tools..
Lastly, I backed up the user data and restored the PCs from the Ghost image, updated to the latest patches and so on..
damn~~ =)
Thanks Raymond, another good post
For me, I did not have any experience with this worm, but thanks for the tool – downloaded it.
Yeah, I've encountered the Conficker worm many times already. Fortunately I know how to secure my working environment, so it didn't infect my system, but every place I go where there is a computer (mostly at school) I find this nasty worm, and I take care to clean my USB stick drive every time it is in contact with one of the infected computers, or rather infected computers (it's actually a botnet!)
A friend gave me his USB stick to copy him something! Just as I plugged in the stick, MSE informed me that it contained Conficker! :)
Some people never update their Windows! I've seen PCs with expired AV also :) There are so many people that don't know how to use a PC! I'm not surprised that this kind of virus has so much success.
On Conficker:
So here is a truly scary and informative story from a reputable magazine that we subscribe to at home. As a CIO for a major Fortune 100 corporation, my company takes extreme precautions to prevent malware, worms, and viruses. This article, for me, was a real wake-up call:
theatlantic.com/magazine/archive/2010/06/the-enemy-within/8098/
Thanks for sharing this knowledge with us. I used the Norton 2010 trial version and it cured a very stubborn worm.
Fortunately I wasn't infected by the Conficker worm. Conficker may be old news but it is still pretty effective at infecting unpatched systems.
Actually I am waiting for the next big thing that is far beyond the capabilities of Conficker. We need better layered security to protect ourselves here. :)
GottaBigOne,
If you can't access the internet from a standard browser, then you should first try to ping (Win+R => cmd => ping [website_url]) a trusted site (such as Google) and see how far the damage goes. If you can't ping it, then stopping the DNS cache might help. Your problem may be spyware, malware, or trojan/worm related. Restarting the computer and performing a full system scan would be the easiest thing to do. I've (at times) had my router be the cause of the problem. It would allow TCP connections but was blocking HTTP connections.
I have faced this worm also, but I just scanned with Malwarebytes and Kaspersky and then everything changed back to normal again.
Wow, I had that same problem recently. I couldn't visit Microsoft Update but my internet worked fine… I also thought that the Hosts file was broken, but still no luck. Then I ran SUPERAntiSpyware Free Edition and removed some Trojans that were in the registry and fixed Task Manager with it. I was surprised to see that KIS 2010 couldn't find it.
Nevertheless, thanks for the advice. =)
That's right, @abdullah. Dr.Web CureIt is the best worm remover ever. If anyone has the same problem regarding the Conficker worm, Dr.Web CureIt is the best tool for you to use. Try it for sure.
I fixed a virus infection on a friend's PC recently and even when it was clean I couldn't bring up Task Manager or regedit. I managed to fix this functionality by running the following two lines (note this should be like this: reg add HKCU\….)
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f
Probably won’t fix this in all cases but it’s worth a go!
I think Dr.Web CureIt can clean this worm perfectly.
Can this tip be used to open up access to the Internet if a bug makes access impossible?
That way I can go in and troubleshoot whatever the problem is in a down computer, or one that does not or cannot reboot?
Thank You,
GBO
Thanks for the write-up, mate.
Thanks, I got the same problem, no access to Windows Update; Avast is bad, unable to detect it…….. So thanks for a high quality article like this……
Hi,
I had some problems with this virus at the office, where a lot of virtual machines were infected and all needed services were dead. Fortunately, our system administrators fixed the problem quickly, but some of the machines were very damaged.
All computers were infected because we used the standard user name and password.
Nice post..
Thanks Raymond
Wow, I never knew about this. I checked Wikipedia and came to know what a mess it had created at that time!!! Thanks for the info Raymond.. I'll be more careful in future..
I have to say it's almost every week that I have to remove CW from many users' PCs because the IT admin does not even bother to update them. It's annoying, especially seeing the silly At01~13 or 15 running scheduled tasks.
Luckily I perform most of the PC updates for WinXP, Vista and Seven, but the most troublesome is working on Windows 2000.
what is your malaysian provider?
That’s surprising Raymond, thanks for the tip.
I did help several of my friends who were infected with Conficker C (I plugged my USB drive into their laptop on purpose, then scanned it with MSE). Then I used Windows MSRT to remove the worm. Although removal was successful, the damage was done. Task Manager remained disabled, some applications were missing and some websites were blocked.
Thank you Raymond :-)