This is a new virus that is found in December 2008 and announce by Symantec on 09-01-09 and now it widely spading all over the world and make all the computer no network connection. This virus monitors DNS requests to domains containing certain strings and blocks access to those domains so that it will appear that the network request timed out.When trying to enter to another computer over the network , windows will alert that ” No network provider ….” but we still can ping the computer name or IP Address.
W32.Downadup.B creates an autorun.inf file on all mapped drives so that the threat automatically executes when the drive is accessed. The threat then monitors for drives that are connected to the compromised computer in order to create an autorun.inf file as soon as the drive becomes accessible.
So now what to do with it is :
1- Download the removal tool from Symantec website and place it on your desktop.
2- Download the Security patch from microsoft website. ( Choose the file support with your OS).
3- Temporarily Disable System Restore (Windows Me/XP).
5-Update the virus definitions (Symantec).
5- Reboot computer in SafeMode
6-Run the FixDownadup.exe that u just downloaded and let it scan until it found a viruses.
7-Run the Security patch.
8-Reboot your system in normal mode and run the Full System Scan to make sure that no virus present on your computer.
Hope you can solves this problem as me also. For me I spend nearly 1 week until I found the right solution to do that.
Good luck
Using Kaspersky tool
What is Kido?Kido (aka Conficker or Downadup) was first detected in November 2008 as a worm which spreads across local networks and removable storage media. The latest generation of Kido is unable to spread by itself, but like earlier variants, it can update itself by downloading additional code.
Kido has created a powerful botnet of infected machines. It was programmed to update itself on 1st April 2009, and the latest generation of this program is designed to generate 50,000 domain names according to a random algorithm, and then choose 500 of these domains which it can potentially contact to update itself. Kido uses very sophisticated technology. It downloads updates from constantly changing online resources; uses P2P networks as an additional source of downloads; uses strong encryption to prevent interference with its command and control center; and prevents antivirus products from receiving updates.
It remains unclear why the Kido botnet has been created, and how it may be used in the future.
Why is Kido a threat?The huge botnet formed by computers infected by Kido potentially provides cybercriminals with the means to conduct mass DDoS attacks on any Internet resource, to steal confidential data from infected computers and to distribute unsolicited content (e.g. mass spam mailings). It is believed that around five to six million computers around the world are infected by Kido.
Kido initially spread via local networks and removable storage devices. Specifically, it exploited the critical MS08-067 vulnerability patched by Microsoft back in October 2008. However, it’s believed that a significant number of PCs had not been patched by January 2009 when the spread of Kido reached a peak.
More detailed information on how Kido penetrates computers can be found here:
How do I know if my PC is infected?If there are any infected computers on your LAN, the volume of network traffic will increase due to a network attack conducted by infected computers. Antivirus applications with an enabled firewall will report an Intrusion.Win.NETAPI.buffer-overflow.exploit attack.
If you suspect that your computer is infected, try to open your browser and navigate to your favorite search engine. If the page opens, try to open www.kaspersky.com or www.microsoft.com – if the page does not open, then the site has probably been blocked by a malicious program. The full list of resources blocked by Kido can be found here.
I am a LAN administrator. How can I contain and disinfect a Kido infection?You can remove Kido with the help of a dedicated utility, KKiller.exe. To prevent workstations and network servers from becoming infected you should:
How can I remove Kido if I am a home user?Download KKiller_v3.4.1.zip and unpack it to a separate folder on the infected PC. Run KKiller.exe. When the scan is finished, a command line window may still be open; simply press any key to close it.
If you are running KKiller.exe on a computer which has Agnitum Outpost Firewall installed, you should reboot the computer once the KKiller utility has finished running.
Recommendations for removing Kido are also available on the Kaspersky Lab technical support site.
Eset Smart Security Tools for conficker
Information and Conficker Removal Tool.
No need to panic. But it´s good to know how to stay secured.
We recommend changing your system passwords to admin accounts (use a combination of letters and numbers)
ESET assumes that nothing dramatic will happen, but we will see change in the communication protocol of Conficker worm – instead of hundreds of domains, it´ll contact up to 50 000 domains.
Download an one-off ESET application (again, using a non-infected PC) which will remove the worm. http://download.eset.com/special/EConfickerRemover.exe
W32/Conficker.worm exploits the MS08-067 vulnerability in Microsoft Windows Server Service. If the vulnerability is successfully exploited, it could allow remote code execution when file sharing is enabled. Machines should be patched and rebooted to clean the system, then rebooted again to prevent reinfection.
McAfee has developed a utility that will assess for the presence of the Conficker worm and identify which systems are already infected. We recommend that you download the McAfee Conficker Detection Tool now.
MD5: F43F911481AD45C45568B182FB2F78D4
The McAfee team would like to thank Felix Leder and Tillmann Werner whose original research forms the basis of this utility.
All questions, comments, and inquiries regarding McAfee free tools will only be answered by emailing freetools@mcafee.com. Although McAfee does not offer technical or customer support for these tools, your feedback and bug reporting is appreciated.
BitDefender Labs has detected a new and more aggressive Downadup version. It spreads using a Windows RPC Server Service vulnerability and is called Win32.Worm.Downadup.Gen.
The new version is more resilient to disinfection. Once the system is compromised, the worm disables Windows Update and blocks access to most of the anti-virus websites in order to hinder the user to disinfect his machine.
BitDefender is the first to offer a free tool which disinfects all versions of Downadup. This domain is the first to serve a removal tool without being blocked by the e-threat.
The worm itself is not new, it made its first appearance late November 2008, known under the names Conficker or Kido as well exploiting the vulnerability described in the Microsoft security bulletin MS08-067. After successful exploitation it used to install rogue security software on the infected machine.
Download and run the tools provided below to rid your computer or newtork of this e-threat.
Windows Update has been disabled.
Presence of autorun.inf files in the root of mapped drives pointing to a .dll file inside the RECYCLER folder of the drive.
W32.Downadup.B creates an autorun.inf file on all mapped drives so that the threat automatically executes when the drive is accessed. The threat then monitors for drives that are connected to the compromised computer in order to create an autorun.inf file as soon as the drive becomes accessible.
So now what to do with it is :
1- Download the removal tool from Symantec website and place it on your desktop.
2- Download the Security patch from microsoft website. ( Choose the file support with your OS).
3- Temporarily Disable System Restore (Windows Me/XP).
5-Update the virus definitions (Symantec).
5- Reboot computer in SafeMode
6-Run the FixDownadup.exe that u just downloaded and let it scan until it found a viruses.
7-Run the Security patch.
8-Reboot your system in normal mode and run the Full System Scan to make sure that no virus present on your computer.
Hope you can solves this problem as me also. For me I spend nearly 1 week until I found the right solution to do that.
Good luck
Using Kaspersky tool
What is Kido?Kido (aka Conficker or Downadup) was first detected in November 2008 as a worm which spreads across local networks and removable storage media. The latest generation of Kido is unable to spread by itself, but like earlier variants, it can update itself by downloading additional code.
Kido has created a powerful botnet of infected machines. It was programmed to update itself on 1st April 2009, and the latest generation of this program is designed to generate 50,000 domain names according to a random algorithm, and then choose 500 of these domains which it can potentially contact to update itself. Kido uses very sophisticated technology. It downloads updates from constantly changing online resources; uses P2P networks as an additional source of downloads; uses strong encryption to prevent interference with its command and control center; and prevents antivirus products from receiving updates.
It remains unclear why the Kido botnet has been created, and how it may be used in the future.
Why is Kido a threat?The huge botnet formed by computers infected by Kido potentially provides cybercriminals with the means to conduct mass DDoS attacks on any Internet resource, to steal confidential data from infected computers and to distribute unsolicited content (e.g. mass spam mailings). It is believed that around five to six million computers around the world are infected by Kido.
Kido initially spread via local networks and removable storage devices. Specifically, it exploited the critical MS08-067 vulnerability patched by Microsoft back in October 2008. However, it’s believed that a significant number of PCs had not been patched by January 2009 when the spread of Kido reached a peak.
More detailed information on how Kido penetrates computers can be found here:
- http://www.viruslist.com/en/viruses/encyclopedia?virusid=21782725
- http://www.viruslist.com/en/viruses/encyclopedia?virusid=21782733
- http://www.viruslist.com/en/viruses/encyclopedia?virusid=21782749
- http://www.viruslist.com/en/viruses/encyclopedia?virusid=21782790
How do I know if my PC is infected?If there are any infected computers on your LAN, the volume of network traffic will increase due to a network attack conducted by infected computers. Antivirus applications with an enabled firewall will report an Intrusion.Win.NETAPI.buffer-overflow.exploit attack.
If you suspect that your computer is infected, try to open your browser and navigate to your favorite search engine. If the page opens, try to open www.kaspersky.com or www.microsoft.com – if the page does not open, then the site has probably been blocked by a malicious program. The full list of resources blocked by Kido can be found here.
I am a LAN administrator. How can I contain and disinfect a Kido infection?You can remove Kido with the help of a dedicated utility, KKiller.exe. To prevent workstations and network servers from becoming infected you should:
- Install patches for the MS08-067, MS08-068 and MS09-001 vulnerabilities.
- Make sure you have a strong administrator password – it should have a minimum of six characters, including upper case, lower case, numbers and non alphanumeric characters. Disable autorun for all removable media. Disable Task Scheduler.
How can I remove Kido if I am a home user?Download KKiller_v3.4.1.zip and unpack it to a separate folder on the infected PC. Run KKiller.exe. When the scan is finished, a command line window may still be open; simply press any key to close it.
If you are running KKiller.exe on a computer which has Agnitum Outpost Firewall installed, you should reboot the computer once the KKiller utility has finished running.
Recommendations for removing Kido are also available on the Kaspersky Lab technical support site.
Eset Smart Security Tools for conficker
Information and Conficker Removal Tool.
No need to panic. But it´s good to know how to stay secured.
What is Conficker?
The worm’s initial version in the end of 2008 contained a link to a domain known as the center for the spread of spyware and false anti-virus products. It exploits a known vulnerability in Windows OS, which only contributes to its spreading on a massive scale. The authors of the worm have programmed it to spread not only via the internet by exploiting vulnerabilities in the Windows OS, but also to propagate via exchangeable media. The worm is programmed in such a way as to be remotely controllable, once infected PCs become a part of a large botnet – a network of PCs used to send spam and/or other dangerous forms of malware. Computer security experts agree that Win32/Conficker.X, (also dubbed by some vendors as Conficker.C, Conficker.D, Downadup or Kido) poses even a greater threat than its predecessors.Why April 1?
The new variant of Conficker is unique in that it is programmed to radically increase the number of internet domains the worm checks in to for instructions come April 1st. While the existing variants of the worm check in to domains numbering in the hundreds a day, after April 1st, this number is expected to climb dramatically to as much as 50, 000 a day. As yet, computer security experts do not have a clear idea as to the nature of the command for those PCs, which have already been infiltrated.What capabilities has Win32/Conficker.X?
- modifies DNS, blocking all tools related to operating system security
- blocks or terminates security software applications
- has the ability to communicate within peer-to-peer network (P2P)
- starting April 1st, 2009 it will check in for instructions from up to 50 000 domains a day
How to stay secured?
Have updated Windows OS. Download Windows patches from the following sites – MS08-067 , MS08-068 a MS09-001. Install ESET Smart Security 4 or ESET NOD32 Antivirus 4. Due to advanced heuristics used in a proccess of malware detection it detects and removes Conficker worm as well as other malware.We recommend changing your system passwords to admin accounts (use a combination of letters and numbers)
Conficker Removal Tool
If your PC wasn´t secured and you´re not sure about its safety status, use our free scanning tool ESET Online Scanner. If it alerts you on Conficker worm please follow the instructions:- Download an one-off ESET application (again, using a non-infected PC) which will remove the worm.
- Use an uninfected PC to download the respective Windows patches from the follow MS08-067 , MS08-068 a MS09-001
- Install ESET Smart Security 4 or ESET NOD32 Antivirus 4.
- Reset your system passwords to admin accounts using more sophisticated ones.
What could I expect after April 1?
The main goal of the authors of the worm is to construct and consolidate a botnet of unprecedented proportions that can be exploited for a massive attack against the internet infrastructure or for a mass-scale espionage.ESET assumes that nothing dramatic will happen, but we will see change in the communication protocol of Conficker worm – instead of hundreds of domains, it´ll contact up to 50 000 domains.
Download an one-off ESET application (again, using a non-infected PC) which will remove the worm. http://download.eset.com/special/EConfickerRemover.exe
McAfee Conficker Detection Tool
W32/Conficker.worm exploits the MS08-067 vulnerability in Microsoft Windows Server Service. If the vulnerability is successfully exploited, it could allow remote code execution when file sharing is enabled. Machines should be patched and rebooted to clean the system, then rebooted again to prevent reinfection.McAfee has developed a utility that will assess for the presence of the Conficker worm and identify which systems are already infected. We recommend that you download the McAfee Conficker Detection Tool now.
MD5: F43F911481AD45C45568B182FB2F78D4
The McAfee team would like to thank Felix Leder and Tillmann Werner whose original research forms the basis of this utility.
All questions, comments, and inquiries regarding McAfee free tools will only be answered by emailing freetools@mcafee.com. Although McAfee does not offer technical or customer support for these tools, your feedback and bug reporting is appreciated.
Remove Downadup from infected computers! Bitdefender Tools
Downadup (or Conficker) is a network worm that takes advantage of vulnerabilities in Windows to spread. Its removal is complicated by the fact that it blocks many known antivirus software and associated websites.BitDefender Labs has detected a new and more aggressive Downadup version. It spreads using a Windows RPC Server Service vulnerability and is called Win32.Worm.Downadup.Gen.
The new version is more resilient to disinfection. Once the system is compromised, the worm disables Windows Update and blocks access to most of the anti-virus websites in order to hinder the user to disinfect his machine.
BitDefender is the first to offer a free tool which disinfects all versions of Downadup. This domain is the first to serve a removal tool without being blocked by the e-threat.
The worm itself is not new, it made its first appearance late November 2008, known under the names Conficker or Kido as well exploiting the vulnerability described in the Microsoft security bulletin MS08-067. After successful exploitation it used to install rogue security software on the infected machine.
Download and run the tools provided below to rid your computer or newtork of this e-threat.
Win32.Worm.Downadup.Gen
( W32.Downadup, W32/Worm.AHGV, Net-Worm.Win32.Kido.bg )| Spreading: | high | |
| Damage: | medium | |
| Size: | varies | |
| Discovered: | 2008 Dec 31 |
SYMPTOMS:
Connection times out while trying to access various antivirus-related websites.Windows Update has been disabled.
Presence of autorun.inf files in the root of mapped drives pointing to a .dll file inside the RECYCLER folder of the drive.
Comments
Post a Comment