
Conficker - The Facts

Ehtyar:
Nice links Phil.

I have a log file named "KB958644.log" that shows I seem to have applied the patch some time back, so do I have to be worried about getting infected by the 'C' variant?
-lanux128 (March 30, 2009, 08:01 PM)
--- End quote ---
The patch will prevent installation of Conficker over the internet. However, if you use a weak password you're still at risk of Conficker guessing it from another machine on your LAN.

Ehtyar.

Ehtyar:
The Windows Secrets article that Phil linked to above mentions that most A-V sites and the MS Update site will not be reachable if a machine is infected with Conficker, but you can still get there via the IP addresses for those same sites. So it would be a good idea to get ahold of those IP addresses sometime ahead of 4/1.

Jim
-J-Mac (March 30, 2009, 10:52 PM)
--- End quote ---
I'm happy to resolve the entire list and post it, but I can't find a complete list of what gets blocked. Anyone have one?

Ehtyar.

J-Mac:
The Windows Secrets article that Phil linked to above mentions that most A-V sites and the MS Update site will not be reachable if a machine is infected with Conficker, but you can still get there via the IP addresses for those same sites. So it would be a good idea to get ahold of those IP addresses sometime ahead of 4/1.

Jim
-J-Mac (March 30, 2009, 10:52 PM)
--- End quote ---
I'm happy to resolve the entire list and post it, but I can't find a complete list of what gets blocked. Anyone have one?

Ehtyar.
-Ehtyar (March 30, 2009, 11:18 PM)
--- End quote ---

Actually it blocks access to any URLs containing certain strings. Here is the list of strings that it blocks:

In its attempt to prevent access to security-related sites for information, help or software updates, the worm attempts to block running applications from accessing URLs containing any of the following strings:

avg.
avp.
bit9.
ca.
cert.
gmer.
kav.
llnw.
llnwd.
msdn.
msft.
nai.
sans.
vet.
agnitum
ahnlab
anti-
antivir
arcabit
avast
avgate
avira
bothunter
castlecops
ccollomb
centralcommand
clamav
comodo
computerassociates
conficker
cpsecure
cyber-ta
db networkassociates
defender
drweb
dslreports
emsisoft
esafe
eset
etrust
ewido
f-prot
f-secure
fortinet
free-av
freeav
gdata
grisoft
hackerwatch
hacksoft
hauri
ikarus
jotti
k7computing
kaspersky
malware
mcafee
microsoft
mirage
mitre
msftncsi
msmvps
mtc.sri
nod32
norman
norton
onecare
panda
pctools
prevx
ptsecurity
quickheal
removal
rising
rootkit
safety.live
securecomputing
secureworks
sophos
spamhaus
spyware
sunbelt
symantec
technet
threat
threatexpert
trendmicro
trojan
virscan
virus
wilderssecurity
windowsupdate
--- End quote ---

The above list is from CA's page on Conficker, located here.

Hope this helps.

Jim

Ehtyar:
C-R-A-P. Anyone have any suggestions on what to resolve? :S

As a universal solution what we want is a utility that will resolve domain names without using the Windows API. Dig and Host will both do it, but neither is particularly user-friendly.

Thanks J-Mac.

Ehtyar.
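
Ehtyar's request above is for a resolver that does not go through the system's name-resolution functions. As an added example (not from this thread, and not code from dig, host or any tool named in it), here is a minimal Python client that builds an RFC 1035 A query, sends it over plain UDP to a nameserver address you supply, and parses the answer section. The response bytes embedded in it are constructed for offline testing, and `server` is whatever resolver address you choose; neither value comes from the page.

```python
import socket
import struct
# Constructed response to an A query for www.example.com (TEST-NET-1 address), for offline testing.
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"  # header: id 0x1234, QR|RD|RA, QDCOUNT=1, ANCOUNT=1
    b"\x03www\x07example\x03com\x00\x00\x01\x00\x01"      # question: www.example.com, type A, class IN
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x3c\x00\x04\xc0\x00\x02\x0a"  # answer: name ptr, A, IN, TTL 60, 192.0.2.10
)

def build_query(name, qid):
    # RFC 1035 header (RD set, QDCOUNT=1) followed by QNAME, QTYPE=A, QCLASS=IN
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)

def skip_name(msg, off):
    # Advance past a domain name; a byte with the top two bits set is a two-byte compression pointer
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length

def parse_a_records(msg, qid):
    # Check transaction id and RCODE, skip the question section, then collect IPv4 answers
    rid, flags, qdcount, ancount, _, _ = struct.unpack_from(">HHHHHH", msg, 0)
    if rid != qid or flags & 0x000F:  # wrong transaction id or non-zero RCODE
        raise ValueError("bad response (rcode %d)" % (flags & 0x000F))
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from(">HHIH", msg, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs

def resolve(name, server, qid=0x1234, timeout=3.0):
    # Speak DNS over plain UDP to `server` (an address you choose) rather than calling the system resolver
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qid), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_a_records(data, qid)
```

Whether this actually gets around the worm's filtering depends on where it intercepts resolution, which the thread leaves open (see f0dder's question in the next post); the wire-format query itself is unaffected by hooks on the resolver library.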

f0dder:
How does Conficker block those URLs? Simply hooking the winsock DNS resolving functions, or setting the machine's DNS server?
