
    [guru] CERT advisory on the Conficker Worm


    DATE: Tue, 31 Mar 2009 12:44:59 +0200
    CERT has issued two alerts in quick succession about the Conficker
    worm, which is rapidly infecting Windows systems on the Internet.
    
    
    --- Begin Message ---
    
    
                        National Cyber Alert System
    
                  Technical Cyber Security Alert TA09-088A
    
    
    Conficker Worm Targets Microsoft Windows Systems
    
       Original release date: March 29, 2009
       Last revised: --
       Source: US-CERT
    
    
    Systems Affected
    
         * Microsoft Windows
    
    
    Overview
    
       US-CERT is aware of public reports indicating a widespread
       infection of the Conficker worm, which can infect a Microsoft
       Windows system from a thumb drive, a network share, or directly
       across a network if the host is not patched with MS08-067.
    
    
    I. Description
    
       The presence of a Conficker infection may be detected if a user is
       unable to surf to the following websites:
       
       * http://www.symantec.com/norton/theme.jsp?themeid=conficker_worm&inid=us_ghp_link_conficker_worm
       * http://www.mcafee.com
       
       If a user is unable to reach either of these websites, a Conficker
       infection may be indicated (the most current variant of Conficker
       interferes with queries for these sites, preventing a user from
       visiting them).  If a Conficker infection is suspected, the
       infected system should be removed from the network. Major
       anti-virus vendors and Microsoft have released several free tools
       that can verify the presence of a Conficker infection and remove
       the worm. Instructions for manually removing a Conficker infection
       from a system have been published by Microsoft in
       http://support.microsoft.com/kb/962007.
    
    
    II. Impact
    
       A remote, unauthenticated attacker could execute arbitrary code on
       a vulnerable system.
    
    
    III. Solution
    
       US-CERT encourages users to prevent a Conficker infection by
       ensuring all systems have the MS08-067 patch (part of Security
       Update KB958644, which was published by Microsoft in October
       2008), disabling AutoRun functionality (see
       http://www.us-cert.gov/cas/techalerts/TA09-020A.html), and
       maintaining up-to-date anti-virus software.
    
    
    IV. References
    
     * Virus alert about the Win32/Conficker.B worm -
       <http://support.microsoft.com/kb/962007>
    
     * Microsoft Security Bulletin MS08-067 - Critical -
       <http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx>
    
     * Microsoft Windows Does Not Disable AutoRun Properly -
       <http://www.us-cert.gov/cas/techalerts/TA09-020A.html>
    
     * MS08-067: Vulnerability in Server service could allow remote code
       execution -
       <http://support.microsoft.com/kb/958644>
    
     * The Conficker Worm -
       <http://www.symantec.com/norton/theme.jsp?themeid=conficker_worm>
    
     * W32/Conficker.worm -
       <http://us.mcafee.com/root/campaign.asp?cid=54857>
    
     ____________________________________________________________________
    
       The most recent version of this document can be found at:
    
         <http://www.us-cert.gov/cas/techalerts/TA09-088A.html>
     ____________________________________________________________________
    
       Feedback can be directed to US-CERT Technical Staff. Please send
       email to <cert@cert.org> with "TA09-088A Feedback VU#827267" in
       the subject.
     ____________________________________________________________________
    
       For instructions on subscribing to or unsubscribing from this
       mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
     ____________________________________________________________________
    
       Produced 2009 by US-CERT, a government organization.
    
       Terms of use:
    
         <http://www.us-cert.gov/legal.html>
     ____________________________________________________________________
    
    Revision History
      
      March 29, 2009: Initial release
    
    
    
    
    

    --- End Message ---
    --- Begin Message ---
    
    
                        National Cyber Alert System
    
                  Technical Cyber Security Alert TA09-088A
    
    
    Conficker Worm Targets Microsoft Windows Systems
    
       Original release date: March 29, 2009
       Last revised: March 30, 2009
       Source: US-CERT
    
    
    Systems Affected
    
         * Microsoft Windows
    
    
    Overview
    
       US-CERT is aware of public reports indicating a widespread
       infection of the Conficker/Downadup worm, which can infect a
       Microsoft Windows system from a thumb drive, a network share, or
       directly across a corporate network, if the network servers are not
       patched with the MS08-067 patch from Microsoft.
    
    
    I. Description
    
       Home users can apply a simple test for the presence of a
       Conficker/Downadup infection on their home computers.  The presence
       of a Conficker/Downadup infection may be detected if a user is
       unable to surf to their security solution website or is unable to
       connect to the following websites to download the detection/removal
       tools available free from those sites:
       
       * http://www.symantec.com/norton/theme.jsp?themeid=conficker_worm&inid=us_ghp_link_conficker_worm
       * http://www.microsoft.com/protect/computer/viruses/worms/conficker.mspx
       * http://www.mcafee.com
       
       If a user is unable to reach any of these websites, it may indicate
       a Conficker/Downadup infection.  The most recent variant of
       Conficker/Downadup interferes with queries for these sites,
       preventing a user from visiting them.  If a Conficker/Downadup
       infection is suspected, the system or computer should be removed
       from the network or, in the case of home users, unplugged from the
       Internet.
    
    
    II. Impact
    
       A remote, unauthenticated attacker could execute arbitrary code on
       a vulnerable system.
    
    
    III. Solution
    
       Instructions, support and more information on how to manually
       remove a Conficker/Downadup infection from a system have been
       published by major security vendors.  Please see below for a few of
       those sites. Each of these vendors offers free tools that can
       verify the presence of a Conficker/Downadup infection and remove
       the worm:
       
       Symantec:
       http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-011316-0247-99
    
       Microsoft:
       http://support.microsoft.com/kb/962007
       
       http://www.microsoft.com/protect/computer/viruses/worms/conficker.mspx
       
       Microsoft PC Safety hotline at 1-866-PCSAFETY, for assistance.
    
       US-CERT encourages users to prevent a Conficker/Downadup infection by
       ensuring all systems have the MS08-067 patch (see
       http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx),
       disabling AutoRun functionality (see
       http://www.us-cert.gov/cas/techalerts/TA09-020A.html), and
       maintaining up-to-date anti-virus software.
    
    
    IV. References
    
     * Microsoft Windows Does Not Disable AutoRun Properly -
       <http://www.us-cert.gov/cas/techalerts/TA09-020A.html>
    
     * Virus alert about the Win32/Conficker.B worm -
       <http://support.microsoft.com/kb/962007>
    
     * Microsoft Security Bulletin MS08-067 - Critical -
       <http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx>
    
     * MS08-067: Vulnerability in Server service could allow remote code
       execution -
       <http://support.microsoft.com/kb/958644>
    
     * The Conficker Worm -
       <http://www.symantec.com/norton/theme.jsp?themeid=conficker_worm>
    
     * W32/Conficker.worm -
       <http://us.mcafee.com/root/campaign.asp?cid=54857>
    
     * W32.Downadup Removal Tool -
       <http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-011316-0247-99>
    
    
    Revision History
      
      March 29, 2009: Initial release
      March 30, 2009: Included additional details
    
    
    
    

    --- End Message ---
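
Added example, not part of the forwarded US-CERT alerts: the reachability test described in section I of both messages, written as a small triage script. The control hostnames, the verdict labels and the function names are assumptions of this example; the control lookups are there so that a general DNS or connectivity outage is not mistaken for the selective blocking the alerts describe.

```python
import socket
from urllib.parse import urlsplit

# URLs listed in the revised alert; only their hostnames are used.
ALERT_URLS = [
    "http://www.symantec.com/norton/theme.jsp?themeid=conficker_worm&inid=us_ghp_link_conficker_worm",
    "http://www.microsoft.com/protect/computer/viruses/worms/conficker.mspx",
    "http://www.mcafee.com",
]
SECURITY_HOSTS = sorted({urlsplit(u).hostname for u in ALERT_URLS})
# Assumption: unrelated control names that separate a selective failure
# from a general DNS or connectivity outage.
CONTROL_HOSTS = ["www.example.com", "www.iana.org"]


def system_resolver(host):
    """True if the OS resolver (the path a browser uses) resolves host."""
    try:
        socket.getaddrinfo(host, 80)
        return True
    except OSError:
        return False


def triage(resolve=system_resolver, security=SECURITY_HOSTS, control=CONTROL_HOSTS):
    """Return (verdict, blocked security hosts) for this machine."""
    blocked = sorted(h for h in security if not resolve(h))
    if not any(resolve(h) for h in control):
        return "inconclusive", blocked      # nothing resolves: outage, not a signal
    if blocked:
        return "suspect", blocked           # security sites fail, controls resolve
    return "no_indicator", blocked          # test passed; not proof of a clean host


if __name__ == "__main__":
    verdict, blocked = triage()
    print(f"verdict={verdict} blocked={blocked}")
    if verdict == "suspect":
        print("Isolate the host from the network and run a vendor removal tool.")
```

A `suspect` result matches the symptom the alerts describe but can also come from DNS filtering or a proxy, so confirm it with one of the vendor tools.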
