Saturday, July 4, 2009

Eradicating the Kido / Downadup worm

Eradicating the Conficker / Downadup / Kido worm (2 02 2009)

Worm?

Perhaps the word is not familiar to some people. A worm is a close relative of the computer virus. What mainly distinguishes a worm is that it spreads through a large network (LAN), slows the network down, and often has the server as its main target. Conficker is one worm that has infected more than 9 million computers around the world (source).
This is a personal experience with Conficker, aka Win32/Conficker.A/B (CA, Microsoft), W32.Downadup (Symantec), W32/Downadup.A (F-Secure), Conficker.A (Panda), Net-Worm.Win32.Kido.bt (Kaspersky), in the office, which gave us a real headache. This worm's infection technique exploits a Windows security hole known as MS08-067. Technically, the worm spreads primarily (the secondary route is via flash disk) through a buffer overflow weakness in the Server service in Windows: it sends a specially crafted RPC (Remote Procedure Call) request that makes its code run on the target computer. Microsoft has issued an update to close this hole, so make sure your Windows is always updated. Once a machine is infected, the worm opens a path to a server that instructs it what to do: harvest your personal data, and download and install further malware / trojans. Signs of infection:

1. A Generic Host Process (GHP) error message appears.

2. Some services such as Windows Automatic Update, Background Intelligent Transfer Service (BITS) and Windows Defender are not running.

3. You cannot visit some antivirus websites (Symantec, AVG, etc.). You can still reach such a website if you know its IP address (type the IP address into the browser).

Specific to offices / networks (mainly those using Active Directory):

1. Accounts often appear locked out (if this policy is enabled). If the server is infected, the account lockout policy is automatically reset by the worm.

2. The Domain Controller becomes slow to respond to client requests. If you look at Task Manager, CPU usage is higher than usual. This is because the worm is trying to break the admin password hundreds / thousands of times per second (brute force attack). Enable the Audit Object Directory setting on the server to detect this (for Server 2003 see here). So make sure the Account Lockout Policy is enabled, if you do not want your server to give way.

3. The network as a whole becomes slow.
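As an added example (not code from the original post), this is the kind of check point 2 above calls for once logon auditing is on: run over an export of the server's Security log, it separates a worm guessing passwords many times a second from a user who mistypes a password once. The CSV export format, the Server 2003 event ids 529 (logon failure) and 644 (account locked out), and the workstation names are assumptions; all sample rows are constructed.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed (made-up) sample export of a Windows Server 2003 Security log with
# logon auditing on: 529 = logon failure (bad password), 644 = account locked out.
SAMPLE_LOG = """\
time,event_id,account,source
2009-01-25 09:00:00,529,Administrator,WKS-07
2009-01-25 09:00:00,529,Administrator,WKS-07
2009-01-25 09:00:00,529,Administrator,WKS-07
2009-01-25 09:00:01,529,Administrator,WKS-07
2009-01-25 09:00:01,529,Administrator,WKS-07
2009-01-25 09:00:01,529,Administrator,WKS-07
2009-01-25 09:00:01,644,Administrator,WKS-07
2009-01-25 09:03:12,529,budi,WKS-12
"""
FAILED_LOGON, LOCKED_OUT = "529", "644"

def parse_log(text):
    """Parse the CSV export into (timestamp, event_id, account, source) tuples."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(r["time"], "%Y-%m-%d %H:%M:%S")
        rows.append((ts, r["event_id"], r["account"], r["source"]))
    return rows

def find_bruteforce(rows, threshold=5, window_seconds=10):
    """Map each source whose failed logons reach `threshold` inside any
    `window_seconds` window to (peak count, targeted accounts, lockouts)."""
    failures, targets, lockouts = defaultdict(list), defaultdict(set), defaultdict(int)
    for ts, eid, account, source in rows:
        if eid == FAILED_LOGON:
            failures[source].append(ts)
            targets[source].add(account)
        elif eid == LOCKED_OUT:
            lockouts[source] += 1
    window, hits = timedelta(seconds=window_seconds), {}
    for source, times in failures.items():
        times.sort()
        start = peak = 0
        for end, ts in enumerate(times):  # sliding window over sorted times
            while ts - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:  # a worm guessing many passwords a second trips this
            hits[source] = (peak, sorted(targets[source]), lockouts[source])
    return hits
```

Workstations flagged here are the ones to disconnect and clean first; a single mistyped password (WKS-12 above) stays below the threshold.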

Technical Cleaning

1. Install the security patch for the Windows vulnerability (KB958644) from: http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

2. Download the Microsoft Windows Malicious Software Removal Tool / MSRT (KB890830) from http://www.microsoft.com/security/malwareremove/default.mspx and run it to clean up this worm.

3. Disable autorun (KB953252), because this worm's secondary infection route is via flash disk: http://support.microsoft.com/kb/953252, and import the registry key given on this page: http://www.us-cert.gov/cas/techalerts/TA09-020A.html

4. Update your antivirus and run a thorough scan.

Specific to offices / networks (mainly those using Active Directory):

1. Because this worm tries to break the administrator password, change the network password to a stronger one (mixed case, numbers, punctuation, and at least 6 characters).

2. Do not log in to the computer using a domain account, in particular the network administrator account. Disconnect the infected computer from the network, log on with the local admin account (this computer), and carry out the steps above. It is recommended that you also change the local admin password to a more secure one.

3. For a server that has no local admin (Active Directory), the second step (cleaning the worm) can be done by booting the server from an antivirus CD.
I use the one from Avira (http://www.free-av.de/en/tools/12/avira_antivir_rescue_system.html). Disconnect the network cable from the server, boot and clean with the CD, restart the server, patch Windows (if not already done) and run the MSRT to be safe.

4. If you are using WSUS (Windows Server Update Services), make sure all the KBs (updates) I mentioned above have been deployed to every computer. If not, you may need to "push" them a little by setting a deadline (e.g. one week). source: http://www.blaszta.com/blog/2009/01/25/membasmi-worm-conficker-downadup-kido/
