Is Anybody Concerned About the Conficker C Worm

[MSFixR]

http://www.ksdk.com/news/local/story...171085&catid=3

http://www.symantec.com/security_res...408-99&tabid=2

The second link contains a removal tool but according to the first link, if you can access symantec or other antivirus web site, you are not infected.

[mced]

Quote:

Originally Posted by MSFixR

The second link contains a removal tool but according to the first link, if you can access symantec or other antivirus web site, you are not infected.

If you cannot access any antivirus web site, there's a trick to bypass the virus blocking:

1. Get the antivirus web site's IP. Just go to a nslookup service (like http://www.kloth.net/services/nslookup.php ) or use your own nslookup tool (included with every modern Windows, Linux or MacOS, through the command line).

For example, a www.symantec.com query, returns this:

Code:

 DNS server handling your query: localhost
 DNS server's address:	127.0.0.1#53
 
Non-authoritative answer:
 www.symantec.com	canonical name = www.symantec.d4p.net.
 www.symantec.d4p.net	canonical name = symantec.georedirector.akadns.net.
 symantec.georedirector.akadns.net	canonical name = a568.d.akamai.net.
 Name:	a568.d.akamai.net
 Address: 84.53.182.152
 Name:	a568.d.akamai.net
 Address: 84.53.182.154
 Name:	a568.d.akamai.net
 Address: 84.53.182.155
 Name:	a568.d.akamai.net
 Address: 84.53.182.161
 Name:	a568.d.akamai.net
 Address: 84.53.182.162
 Name:	a568.d.akamai.net
 Address: 84.53.182.179
 Name:	a568.d.akamai.net
 Address: 84.53.182.192
 Name:	a568.d.akamai.net
 Address: 84.53.182.209

Every "Address" after a "Name" is a Symantec's site IP.

Now, there are two alternatives:

2a. Just copy and paste any IP on your browser's location bar. If it works, that's it.

2b. If it doesn't work, you must open and edit your hosts file. On a XP machine, it's located here:

%SystemRoot%\system32\drivers\etc\ (other locations: read Wikipedia "hosts" article: http://en.wikipedia.org/wiki/Hosts_file )

The hosts file can be opened with Notepad or any other plain text editor (Microsoft Word is *not* a plain text editor).

Once opened, add a line at the ending, like this one:

Code:

84.53.182.152 www.symantec.com

That is:
- Any IP in the nslookup list.
- A blank space (can be two or two million, but at least there must be one).
- The site you want to enter (without the http:// heading).

Save and close the hosts file. All done.

[MSFixR]

Great info, mced. I've checked several of our high end machines and have not found it.

[mced]

U.K. parliament computers get Confickered

Too bad for them: that's called negligence. Although Conficker.C has got very sophisticated stealth and anti-antivirus techniques, its infection method is absolutely silly. And it can be avoided just by doing these little things:

- Keeping Windows updates... up to date, that's it. Microsoft released a patch in october 2008. A lot of time without updating, don't you think?
- Using a gateway/router properly configured (forget DMZ) and/or a software firewall.
- Disabling the "autorun" feature. Yes, autorunning is very handy. And very dangerous. Even when I was using Windows 98 (a lot of time ago), I had "autorun" disabled.

How to disable Autorun (US-CERT)

[Val]

mced ...

you are the guy!!!
Marry me!

[mced]

Val: If you look like *somebody* I'm thinking of, I will prepare the wedding reception in the next five hours...

[Val]

No, yo no soy quien tu piensas.

[Plastic Flute]

I just thought it was an Aprils fool joke.

[Plastic Flute]

TY MC.

Love your avi.

[charlespt]

It sounds dangerous but fortunately I haven't been infected by it until now