-
May 22nd, 2009, 05:02 AM
#1
Conficker related virus?
We had a few people come in last week to our repair shop with the same malware. The malware was called Security (something) and on the same machines, Conficker was found. This malware would block any programs from running, reporting that it was infected, and would prompt to download AV software. At any rate, I wanted to present the resolution I found.
Pretty much run quickkill and combofix. Because there was a brief delay before a program would be killed by the malware, I found that if I ran quickkill and hit "Y" really fast it was enough time to kill the process. I later discovered that there is a script to auto-confirm quickkill when launched. That's my story. I know it's simple and many of the brains here would have figured this out on their own, but I hope this helps someone else out.
Notes:
For batch scripting, a "-q" parameter will suppress this warning and just autokill. Run the program with "-?" for the other option (exemption file override).
http://www.anappaday.com/downloads/2...quickkill.html
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
-
May 22nd, 2009, 08:37 AM
#2
Wasn't it "Spyware Protect 2009"?
http://news.zdnet.co.uk/security/0,1...9640215,00.htm
BTW Bob, it is "Conficker", so I have edited the title. It is also known as "Downadup".
Last edited by nihil; May 22nd, 2009 at 08:52 PM.
-
May 22nd, 2009, 08:52 PM
#3
Yes, that's it. I guess it's old news then, but we hadn't seen that infection come in before and we have had 5 come in so far this week. Searched fixes didn't solve the problem so I just wanted to put this out in the cloud.
-
May 22nd, 2009, 09:16 PM
#4
Actually you have been seeing a more recent variation.
Conficker/Downadup created an enormous botnet that, in its various morphs, possibly infected as many as 15,000,000 machines (not all at the same time) but never seemed to actually "do" anything until recently.
Could be that parts of the botnet are being sold off for scams like this scareware?
That would explain why they appear in different places at different times?
I certainly haven't encountered it being used "in anger" yet so it is a useful heads up.
Cheers
-
September 16th, 2009, 11:13 AM
#5
Originally Posted by CyberB0b
We had a few people come in last week to our repair shop with the same malware. The malware was called Security (something) and on the same machines, Conficker was found. This malware would block any programs from running, reporting that it was infected, and would prompt to download AV software. At any rate, I wanted to present the resolution I found.
Pretty much run quickkill and combofix. Because there was a brief delay before a program would be killed by the malware, I found that if I ran quickkill and hit "Y" really fast it was enough time to kill the process. I later discovered that there is a script to auto-confirm quickkill when launched. That's my story. I know it's simple and many of the brains here would have figured this out on their own, but I hope this helps someone else out.
Notes:
For batch scripting, a "-q" parameter will suppress this warning and just autokill. Run the program with "-?" for the other option (exemption file override).
http://www.anappaday.com/downloads/2...quickkill.html
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
I don't think the application you found is really malware, just a Rogue Antivirus, probably 1 out of 100000 payloads Conficker installs to earn some money.
Originally Posted by nihil
Also known as Downadup & Kido