Thread: Need info on computer worm

  1. #1
    Join Date
    Feb 2009
    Posts
    64

    Need info on computer worm

    hello friends,

    Today, I heard about the computer worm called Conficker. I want to know how dangerous this Conficker worm is? What are its threats? And how to prevent it from entering our system or how to deal with it?

    thank you...

  2. #2
    Join Date
    May 2008
    Posts
    3,516

    Re: Need info on computer worm

    Conficker is a computer worm that surfaced in October 2008 and targets the Microsoft Windows operating system.

    The worm exploits a previously patched vulnerability in the Windows Server service used by Windows 2000, Windows XP, Windows Vista, Windows Server 2003, Windows Server 2008, Windows 7 Beta, and Windows Server 2008 R2 Beta.

    The worm has been unusually difficult for network operators and law enforcement to counter because of its combined use of advanced malware techniques.

  3. #3
    Join Date
    Jan 2006
    Posts
    4,221

    Re: Need info on computer worm

    Three main variants of the Conficker worm are known and have been dubbed:
    Conficker A
    Conficker B
    Conficker C.

    They were discovered on the following dates -
    Conficker A - 21 November 2008
    Conficker B - 29 December 2008
    Conficker C - 4 March 2009

  4. #4
    Join Date
    Jan 2006
    Posts
    3,792

    Re: Need info on computer worm

    Initial infection

    • Variants A and B exploit a vulnerability in the Server Service on Windows computers, in which an already-infected source computer uses a specially-crafted remote procedure call request to force a buffer overflow and execute shellcode on the target computer.[8] On the source computer, the worm runs an HTTP server on a port between 1024 and 10000; the target shellcode connects back to this HTTP server to download a copy of the worm in DLL form, which it then runs as a service via svchost.exe.
    • Variant B can remotely execute copies of itself through the ADMIN$ share on computers visible over NetBIOS. If the share is password-protected, it will attempt a brute force dictionary attack, potentially generating large amounts of network traffic.
    • Variant C places a copy of itself on any attached removable media (such as USB flash drives), from which it can then infect new hosts through the Windows AutoRun mechanism.


    Effect

    Upon infection, the worm saves a copy of its DLL form to a random filename in the Windows system folder, then arranges to load itself thereafter at boot as a system service with a randomly generated name.

    The worm then resets System Restore points and disables a number of system services such as Windows Automatic Update, Windows Security Center, Windows Defender and Windows Error Reporting.
    Processes matching a predefined list of antiviral, diagnostic or system patching tools are watched for and terminated.

    Symptoms

    • Account lockout policies being reset automatically.
    • Certain Microsoft Windows services such as Automatic Updates, Background Intelligent Transfer Service (BITS), Windows Defender and Error Reporting Services disabled.
    • Domain controllers responding slowly to client requests.
    • Unusual amounts of traffic on local area networks.
    • Websites related to antivirus software becoming inaccessible.
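
Added example, not part of the original posts: a detection sketch for the connect-back pattern described in post #4, where a target that has just received a Server service request connects back to the source on a port between 1024 and 10000. The flow records are constructed, and the 60-second window, the use of TCP 445 and the function names are assumptions of this example.

```python
from collections import defaultdict

SMB_PORT = 445                       # assumption: Server service reached over TCP 445
CALLBACK_PORTS = range(1024, 10001)  # port range given in the post
WINDOW = 60                          # assumed correlation window, in seconds

# Constructed flow records: (epoch_seconds, src_ip, dst_ip, dst_port)
SAMPLE_FLOWS = [
    (1000, "10.0.0.5", "10.0.0.20", 445),
    (1004, "10.0.0.20", "10.0.0.5", 4871),  # target connects back to source
    (1010, "10.0.0.5", "10.0.0.21", 445),
    (1200, "10.0.0.21", "10.0.0.5", 8080),  # outside the time window
    (1300, "10.0.0.7", "10.0.0.22", 445),
    (1302, "10.0.0.22", "10.0.0.9", 3000),  # goes to a different host
    (1400, "10.0.0.5", "10.0.0.23", 445),
    (1403, "10.0.0.23", "10.0.0.5", 80),    # port outside the range
    (1500, "10.0.0.5", "10.0.0.24", 445),
    (1502, "10.0.0.24", "10.0.0.5", 4871),
]

def find_connect_backs(flows, window=WINDOW):
    """Return (source, target, port, delay) for each SMB flow followed by a
    connection from the target back to the source on a callback port."""
    smb_seen = defaultdict(list)  # (source, target) -> times of SMB flows
    hits = []
    for ts, src, dst, dport in sorted(flows):
        if dport == SMB_PORT:
            smb_seen[(src, dst)].append(ts)
        elif dport in CALLBACK_PORTS:
            # Reverse direction: dst of this flow is the suspected source.
            prior = [t for t in smb_seen.get((dst, src), []) if 0 <= ts - t <= window]
            if prior:
                hits.append((dst, src, dport, ts - max(prior)))
    return hits

def likely_sources(hits, min_targets=2):
    """Hosts that received connect-backs from several distinct targets."""
    targets = defaultdict(set)
    for source, target, _port, _delay in hits:
        targets[source].add(target)
    return {s: sorted(t) for s, t in targets.items() if len(t) >= min_targets}

if __name__ == "__main__":
    hits = find_connect_backs(SAMPLE_FLOWS)
    for h in hits:
        print("connect-back: source=%s target=%s port=%d delay=%ds" % h)
    print("likely infected sources:", likely_sources(hits))
```

A match is only a lead for investigation: legitimate software also opens connections in this port range, so the heuristic is strongest when one host collects connect-backs from several targets.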

  5. #5
    Join Date
    May 2008
    Posts
    2,945

    Re: Need info on computer worm

    Automated detection

    The worm makes several in-memory patches to NetBIOS-related DLLs in order to open re-infection backdoors.
    On March 27, 2009, Dan Kaminsky, Tillmann Werner and Felix Leder discovered that this gives infected hosts a detectable signature when scanned remotely. Signature updates for a number of network scanning applications are now available, including Nmap and Nessus.

  6. #6
    Join Date
    May 2008
    Posts
    3,516

    Re: Need info on computer worm

    Conficker is also known as Downup, Downadup and Kido.
