Monday, March 30, 2009

US-CERT Cyber Security Alert SA09-088A -- Conficker Worm Targets Microsoft Windows Systems

-------- Original Message --------
Subject: US-CERT Cyber Security Alert SA09-088A -- Conficker Worm Targets Microsoft Windows Systems
Date: Mon, 30 Mar 2009 15:22:39 -0400
From: US-CERT Alerts <>
Organization: US-CERT - +1 202-205-5266

                    National Cyber Alert System

                  Cyber Security Alert SA09-088A

Conficker Worm Targets Microsoft Windows Systems

   Original release date: March 29, 2009
   Last revised: March 30, 2009
   Source: US-CERT

Systems Affected

     * Microsoft Windows

Overview

   US-CERT is aware of public reports indicating a widespread
   infection of the Conficker/Downadup worm, which can infect a
   Microsoft Windows system from a thumb drive, a network share, or
   directly across a corporate network, if the network servers are not
   patched with the MS08-067 patch from Microsoft.

Solution

   Instructions, support and more information on how to manually
   remove a Conficker/Downadup infection from a system have been
   published by major security vendors.  Please see below for a few of
   those sites. Each of these vendors offers free tools that can
   verify the presence of a Conficker/Downadup infection and remove
   the worm:

   Symantec:

   Microsoft:

   Microsoft PC Safety hotline at 1-866-PCSAFETY, for assistance.

   US-CERT encourages users to prevent a Conficker/Downadup infection by
   ensuring all systems have the MS08-067 patch (see,
   disabling AutoRun functionality (see, and
   maintaining up-to-date anti-virus software.

Description

   Home users can apply a simple test for the presence of a
   Conficker/Downadup infection on their home computers.  The presence
   of a Conficker/Downadup infection may be detected if a user is
   unable to surf to their security solution website or if they are
   unable to connect to the websites, by downloading detection/removal
   tools available free from those sites:

     *
     *
     *

   If a user is unable to reach any of these websites, it may indicate
   a Conficker/Downadup infection.  The most recent variant of
   Conficker/Downadup interferes with queries for these sites,
   preventing a user from visiting them.  If a Conficker/Downadup
   infection is suspected, the system or computer should be removed
   from the network or unplugged from the Internet - in the case for
   home users.

References

 * Microsoft Windows Malicious Software Removal Tool -
   <>

 * Microsoft Updates Website -
   <>

 * US-CERT Technical Cyber Security Alert TA09-088A -
   <>

 * Virus alert about the Win32/Conficker.B worm -
   <>

 * The Conficker Worm -
   <>

 * W32/Conficker.worm -
   <>

 * Microsoft Automatic Updates -
   <>

 ____________________________________________________________________

   The most recent version of this document can be found at:

     <>

 ____________________________________________________________________

   Feedback can be directed to US-CERT Technical Staff. Please send
   email to <> with "SA09-088A Feedback VU#827267" in
   the subject.

 ____________________________________________________________________

   For instructions on subscribing to or unsubscribing from this
   mailing list, visit <>.

 ____________________________________________________________________

   Produced 2009 by US-CERT, a government organization.

   Terms of use:

     <>

 ____________________________________________________________________

Revision History

  March 29, 2009: Initial release
  March 30, 2009: Included additional details
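
The reachability test in the alert's Description section can be scripted. The sketch below is an example added to this post, not part of the US-CERT alert or any vendor tool. The host names are placeholders (the alert's site list did not survive in this copy), and the comparison against a set of unrelated control sites is an added assumption so that an ordinary network outage is not mistaken for the worm's interference.

```python
import socket

# Placeholder host names (assumptions): replace with the security-vendor and
# update sites you normally use, plus a few unrelated sites as a control.
SECURITY_SITES = ["av-vendor-one.example", "av-vendor-two.example",
                  "os-updates.example"]
CONTROL_SITES = ["news-site.example", "search-site.example"]


def resolves(host, resolver=socket.getaddrinfo):
    """True if a name lookup for host returns at least one address."""
    try:
        return bool(resolver(host, 443))
    except OSError:  # socket.gaierror is a subclass of OSError
        return False


def assess(security_sites, control_sites, resolver=socket.getaddrinfo):
    """Compare lookups of security sites against unrelated control sites.

    Returns (verdict, per-host results for security sites, for control sites).
    """
    sec = {h: resolves(h, resolver) for h in security_sites}
    ctl = {h: resolves(h, resolver) for h in control_sites}
    if not any(ctl.values()):
        # Nothing resolves at all: a network or DNS outage, not evidence.
        verdict = "inconclusive"
    elif not any(sec.values()):
        # Ordinary sites work, every security site fails: the pattern the
        # alert describes. Disconnect the machine and run a removal tool.
        verdict = "suspicious"
    elif not all(sec.values()):
        verdict = "partial"
    else:
        # Reachable sites do not prove the system is clean.
        verdict = "reachable"
    return verdict, sec, ctl


if __name__ == "__main__":
    verdict, sec, ctl = assess(SECURITY_SITES, CONTROL_SITES)
    print("verdict:", verdict)
    for host, ok in {**sec, **ctl}.items():
        print(f"  {host:28} {'resolved' if ok else 'FAILED'}")
```

A "suspicious" or "partial" verdict is a reason to scan the machine from known-good media. A "reachable" verdict only means this one symptom is absent.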
