January 7, 2009

Worm fighting

As I had suspected, the worm that I had been hit with was a variant of Conficker. As of this writing, VirusTotal shows 7 out of 38 detections for a suspicious file I found inside an infected PC. VirusTotal is a great site for testing whether a file is actually a virus.

I still couldn't figure out how my machines got infected, since I had already patched against MS08-067 and MS08-068. However, I don't normally have Windows Update enabled, so it could have been some other Windows vulnerability. Avira AntiVir, which I normally use, was also completely unable to detect the worm. I sent the sample to Avira for analysis, and after a few hours they updated the virus definition files and AntiVir started to detect the worm as Worm/Kido.DW.

Now, instead of complaining about computers crashing, my users were calling in to tell me that AntiVir was popping up all the time and telling them that they had Worm/Kido.DW. While I was busy scanning our computers, I suddenly found that my notebook was infected with an autorun virus. It appears to have also created the iamfamous.dll Firefox component that steals passwords, and it hijacked my DNS as well. I had no idea where it came from or whether it was related to the Conficker worm, but I was able to clean it successfully using Malwarebytes Anti-Malware. (Avira AntiVir once again failed me, but I also sent a sample to them and they included detection in the next update.)