conficker worm

  palinka 12:40 24 Jan 2009

Windows Vista home premium.
I receive regular emails from emsi-soft; the latest warned of the conficker worm and said that a2 v4 would find and deal with it.
I ran a scan with a2 (as I do regularly, and yes, I also keep it updated) and it found conficker on my computer – in an odd place: it was in the files installed a year ago when I bought a SanDisk Cruzer Micro memory stick/flash drive.
Can anyone suggest a) why this worm has not been found in the last year, given that those files have been there all that time and I’ve used a2 several times during that period; or b) is it that the worm has got in since my last scan (5 days ago) and has put itself in this obscure place?
A2 has now removed it, but I’m still puzzled.

  DieSse 15:08 24 Jan 2009

Did the file still have its original date?

If yes, then it might be a false positive.

If no, then it could have been infected recently.

  cocteau48 15:52 24 Jan 2009

I am not the least surprised at the location of the Conficker worm on your system, as one of its nasty little quirks is that it infects removable USB devices.

I quote from a recent "Windows Secrets" email:

"How Conficker differs from other worms

In the not-so-good old days, Conficker.A arrived as a Trojan: in order to infect a PC, somebody had to run an infected program on the machine. It could also try to hit your machine directly, but any sort of firewall would thwart that attack. If the infected system was attached to a network, Conficker.A used the hole (that MS08-067 closes) to spread to other computers on the network. This modus operandi is kinda boring but moderately effective.

Conficker.B uses the Conficker.A approach, plus a whole lot more — as a "blended threat," it's an equal-opportunity infecter. The MMPC's TechNet blog offers an excellent, graphical overview of the ways that Conficker.B can get into your network. Here are the main attack vectors:

* Conficker.B uses the old Conficker.A approach: simple Trojans that arrive via e-mail or by downloading an infected program.

* Once a PC on a network is infected, Conficker.B reaches across the network to see whether any of its PCs have not yet patched the MS08-067 hole. After infecting these unprotected PCs, Conficker plugs the MS08-067 hole, presumably so other, similar worms can't get in. What a sneaky buzzard!

* If Conficker.B finds that it can't get into a computer via the MS08-067 hole, it tries to break in by using the standard Windows admin account, entering each of 248 common passwords. This weak password list (which you'll find under the Analysis tab) includes such all-time favorites as admin, mypass, test, foo, 1111, and many others you may have seen before.

* Once Conficker.B gains entry to a networked machine, it drops a copy of itself onto the target's hard drive and creates a scheduled job that runs the infected file. Conficker.B also loads itself onto all accessible shared folders. Ho-hum.

* Finally, Conficker.B scans and infects all removable devices on the system, including USB drives and external hard drives.

That last step intrigues me the most because the person or persons who wrote Conficker gave the USB-drive-infection routine a diabolical little twist. As you might expect, the infection comes in the form of an autorun.inf file, which (usually) runs automatically when the USB stick gets stuck in the computer. But the social engineering in that autorun.inf file is quite remarkable."
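As an added illustration of the autorun.inf vector described in the quoted text (this is not part of the original post, nor code from a-squared, Windows Secrets or the MMPC), here is a small Python checker a defender could point at a removable drive's autorun.inf. It reports every key that would launch a program when the stick is inserted and how much of the file is non-text filler; both sample files and the `hidden\payload.exe` name are constructed placeholders.

```python
"""Inspect an autorun.inf and report anything that would execute on insertion."""
import re
from dataclasses import dataclass, field

# [autorun] keys that run a program (case-insensitive). shell\<verb>\command
# rewires an Explorer verb such as "Open" to an arbitrary command line.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)


@dataclass
class AutorunReport:
    launches: dict = field(default_factory=dict)  # key -> command line it would run
    action_label: str = ""                        # text AutoPlay would display to the user
    junk_ratio: float = 0.0                       # share of bytes that are not printable text

    def risky(self) -> bool:
        return bool(self.launches)


def parse_autorun(raw: bytes) -> AutorunReport:
    """Read autorun.inf leniently, as an INI reader does: unparseable lines are
    skipped rather than treated as errors, so filler around the section is ignored."""
    report = AutorunReport()
    printable = sum(b in b"\t\r\n" or 32 <= b < 127 for b in raw)
    report.junk_ratio = 1 - printable / max(len(raw), 1)
    in_autorun = False
    for line in raw.decode("latin-1").splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if LAUNCH_KEY.match(key):
            report.launches[key.lower()] = value
        elif key.lower() == "action":
            report.action_label = value
    return report


# Constructed samples: a vendor-style file that only sets a label and icon, and a
# hostile one whose displayed text mimics Explorer while "open" points at a hidden file.
SAMPLE_BENIGN = b"[autorun]\r\nicon=setup.exe,0\r\nlabel=Cruzer\r\n"
SAMPLE_SUSPECT = (b"\x00\xff" * 16 + b"\r\n[AutoRun]\r\naction=Open folder to view files\r\n"
                  b"open=hidden\\payload.exe\r\nshell\\open\\command=hidden\\payload.exe\r\n"
                  b"icon=%systemroot%\\system32\\shell32.dll,4\r\n")

if __name__ == "__main__":
    for name, data in (("benign", SAMPLE_BENIGN), ("suspect", SAMPLE_SUSPECT)):
        r = parse_autorun(data)
        print(name, "risky" if r.risky() else "clean", r.launches, f"junk={r.junk_ratio:.2f}")
```

On a real drive, read `autorun.inf` from the volume root into `raw`; a launch key pointing at a file outside the visible folder tree, or an action label that imitates a Windows prompt, is what to look at before anything is opened.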

  palinka 18:10 24 Jan 2009

DieSse, yes, it still had original date. I also scanned my memory stick and that is OK. I'll now check a disk that contains a file that was previously on that stick.
Thanks for all that cocteau48.

  palinka 12:51 25 Jan 2009

All seems clean now; I'll tick resolved.
