W32.Downadup - Removal
Risk Level 2: Low
Discovered: November 21, 2008
Updated: November 24, 2008 9:37:07 AM
Also Known As: Win32/Conficker.A [Computer Associates], W32/Downadup.A
[F-Secure], Conficker.A [Panda Software], Net-Worm.Win32.Kido.bt [Kaspersky]
Type: Worm
Infection Length: 62,976 bytes
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows
Vista, Windows NT, Windows Server 2003, Windows 2000
CVE References: CVE-2008-4250
Removal using the W32.Downadup Removal Tool
Symantec Security Response has developed a removal tool to clean the
infections of W32.Downadup. Use this removal tool first, as it is the
easiest way to remove this threat.
Manual Removal
The following instructions pertain to all current and recent Symantec
antivirus products, including the Symantec AntiVirus and Norton AntiVirus
product lines.
1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Run a full system scan.
4. Delete any values added to the registry.
For specific details on each of these steps, read the following
instructions.
1. To disable System Restore (Windows Me/XP)
If you are running Windows Me or Windows XP, we recommend that you
temporarily turn off System Restore. Windows Me/XP uses this feature, which
is enabled by default, to restore the files on your computer in case they
become damaged. If a virus, worm, or Trojan infects a computer, System
Restore may back up the virus, worm, or Trojan on the computer.
Windows prevents outside programs, including antivirus programs, from
modifying System Restore. Therefore, antivirus programs or tools cannot
remove threats in the System Restore folder. As a result, System Restore has
the potential of restoring an infected file on your computer, even after you
have cleaned the infected files from all the other locations.
Also, a virus scan may detect a threat in the System Restore folder even
though you have removed the threat.
For instructions on how to turn off System Restore, read your Windows
documentation, or one of the following articles:
* How to disable or enable Windows Me System Restore
* How to turn off or turn on Windows XP System Restore
Note: When you are completely finished with the removal procedure and are
satisfied that the threat has been removed, reenable System Restore by
following the instructions in the aforementioned documents.
For additional information, and an alternative to disabling Windows Me
System Restore, see the Microsoft Knowledge Base article: Antivirus Tools
Cannot Clean Infected Files in the _Restore Folder (Article ID: Q263455).
2. To update the virus definitions
Symantec Security Response fully tests all the virus definitions for quality
assurance before they are posted to our servers. There are two ways to
obtain the most recent virus definitions:
* Running LiveUpdate, which is the easiest way to obtain virus
definitions.
If you use Norton AntiVirus 2006, Symantec AntiVirus Corporate Edition
10.0, or newer products, LiveUpdate definitions are updated daily. These
products include newer technology.
If you use Norton AntiVirus 2005, Symantec AntiVirus Corporate Edition
9.0, or earlier products, LiveUpdate definitions are updated weekly. The
exception is major outbreaks, when definitions are updated more often.
* Downloading the definitions using the Intelligent Updater: The
Intelligent Updater virus definitions are posted daily. You should download
the definitions from the Symantec Security Response Web site and manually
install them.
The latest Intelligent Updater virus definitions can be obtained here:
Intelligent Updater virus definitions. For detailed instructions read the
document: How to update virus definition files using the Intelligent
Updater.
3. To run a full system scan
1. Start your Symantec antivirus program and make sure that it is
configured to scan all the files.
For Norton AntiVirus consumer products: Read the document: How to
configure Norton AntiVirus to scan all files.
For Symantec AntiVirus Enterprise products: Read the document: How to
verify that a Symantec Corporate antivirus product is set to scan all files.
2. Run a full system scan.
3. If any files are detected, follow the instructions displayed by your
antivirus program.
Important: If you are unable to start your Symantec antivirus product or the
product reports that it cannot delete a detected file, you may need to stop
the risk from running in order to remove it. To do this, run the scan in
Safe mode. For instructions, read the document, How to start the computer in
Safe Mode. Once you have restarted in Safe mode, run the scan again.
After the files are deleted, restart the computer in Normal mode and proceed
with the next section.
Warning messages may be displayed when the computer is restarted, since the
threat may not be fully removed at this point. You can ignore these messages
and click OK. These messages will not appear when the computer is restarted
after the removal instructions have been fully completed. The messages
displayed may be similar to the following:
Title: [FILE PATH]
Message body: Windows cannot find [FILE NAME]. Make sure you typed the name
correctly, and then try again. To search for a file, click the Start button,
and then click Search.
4. To delete the value from the registry
Important: Symantec strongly recommends that you back up the registry before
making any changes to it. Incorrect changes to the registry can result in
permanent data loss or corrupted files. Modify the specified subkeys only.
For instructions refer to the document: How to make a backup of the Windows
registry.
1. Click Start > Run.
2. Type regedit
3. Click OK.
Note: If the registry editor fails to open, the threat may have
modified the registry to prevent access to the registry editor. Security
Response has developed a tool to resolve this problem. Download and run this
tool, and then continue with the removal.
4. Navigate to and delete the following registry entry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netsvcs\Parameters\"ServiceDll" = "[PATH OF WORM EXECUTABLE]"
5. Exit the Registry Editor.
Note: If the risk creates or modifies registry subkeys or entries
under HKEY_CURRENT_USER, it is possible that it created them for every user
on the compromised computer. To ensure that all registry subkeys or entries
are removed or restored, log on using each user account and check for any
HKEY_CURRENT_USER items listed above.
Writeup By: Takayoshi Nakayama and Sean Kiernan
http://www.symantec.com/security_response/writeup.jsp?docid=2004-050614-0532-99
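As an added example that is not part of the Symantec writeup or its removal tool, a PowerShell triage script for step 4 above: it reads the netsvcs ServiceDll value the writeup names, reports the DLL path and file size, and deletes the value only when run with -Remove. It assumes an elevated prompt, a registry backup taken first, and that KB958644 is the MS08-067 update for CVE-2008-4250, which the page itself does not state.

```powershell
# Added example, not Symantec's removal tool: triage and (optionally) delete the
# registry value named in step 4 of the writeup above. Run from an elevated
# PowerShell prompt after backing up the registry. KB958644 as the MS08-067 fix
# for CVE-2008-4250 is an assumption the page itself does not state.
param([switch]$Remove)

$paramsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\netsvcs\Parameters'

function Get-NetsvcsServiceDll {
    # $null when the indicator is absent; otherwise the expanded DLL path,
    # whether the file is still on disk, and its size (for comparison with
    # the 62,976-byte infection length the writeup lists).
    if (-not (Test-Path -Path $paramsKey)) { return $null }
    $props = Get-ItemProperty -Path $paramsKey -ErrorAction SilentlyContinue
    if (-not $props -or -not $props.PSObject.Properties['ServiceDll']) { return $null }

    $dll    = [Environment]::ExpandEnvironmentVariables([string]$props.ServiceDll)
    $exists = Test-Path -LiteralPath $dll -PathType Leaf
    $size   = $null
    if ($exists) { $size = (Get-Item -LiteralPath $dll).Length }
    [pscustomobject]@{
        Key        = $paramsKey
        ServiceDll = $dll
        FileExists = $exists
        SizeBytes  = $size
    }
}

$hit = Get-NetsvcsServiceDll
if ($null -eq $hit) {
    Write-Output "No ServiceDll value under $paramsKey (registry indicator absent)."
} elseif ($Remove) {
    $hit | Format-List
    # Step 4 of the writeup. The DLL file itself is left to the full scan (step 3).
    Remove-ItemProperty -Path $paramsKey -Name ServiceDll
    Write-Output 'ServiceDll value deleted; re-run without -Remove to confirm.'
} else {
    $hit | Format-List
    Write-Output 'Re-run with -Remove to delete the value (writeup step 4).'
}

# Without the MS08-067 update the machine is exposed to reinfection over the network.
$fix = Get-HotFix -Id KB958644 -ErrorAction SilentlyContinue
if ($fix) { Write-Output "KB958644 (MS08-067) installed on $($fix.InstalledOn)." }
else      { Write-Warning 'KB958644 (MS08-067) not installed; apply it before reconnecting to the network.' }
```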
-----Original Message-----
From: rian hidayat [mailto:[email protected]]
Sent: Tuesday, January 20, 2009 8:38 AM
To: [email protected]
Subject: Re: Bls: [balikpapan-ict] Re: Windows-Norman-W32/Conficker.E
Source: http://obengware.com/news/index.php?id=3741
Conficker variant estimated to have infected thousands of computers
New Windows worm Downad.a, Conficker.a or Downadup is building a
large-scale botnet
Date 13/01/2009
. Starting to be used for other tasks by its creator.
The Conficker worm appeared at the end of November 2008, but variant
versions have begun to appear that have infected thousands of computers.
The Conficker worm attacks the Microsoft Windows Server OS and specifically
targets the RPC component.
Once in, the worm also spreads through the LAN and via USB devices
such as MP3 players and flash drives.
According to the latest information, the Conficker worm is now being used
to download other malware from its creator.
IT administrators are expected to take the steps below:
Corporate IT Administrators check their machines for possible
vulnerabilities.
Servers and Workstations be patched by following the Microsoft
Bulletin related to this vulnerability, available here
Disinfect affected machines using Panda Security's Malware Radar for
corporate networks, or ActiveScan for personal computers.
Disable AutoRun for USB devices
Make sure that all antivirus and security solutions are updated to
their latest product version and signature file version.
=======================================
Source: http://www.metrobalikpapan.co.id/berita/index.asp?id=14289
Sunday, 11 January 2009
Steps to Prevent the Conficker Virus
The WORM Win32/Conficker.A attacks computers on the network that have the
unpatched RPC Dcom 3 security hole. If it succeeds, the virus file is
downloaded to the victim's computer.
Conficker can cripple System Restore by resetting the "Restore Point" to
prevent its victims from eradicating the virus by restoring a Restore
Point. This virus will also cause Internet connection sharing to stop
working. To prevent this virus from infecting more computers, make sure you
take the following steps:
1. Make sure the virus is not active on your computer. Do this by
disconnecting the computer from the network.
2. If the virus infection stops after the network connection is cut, the
source of the virus is not your computer but one of the computers on the
network.
3. Find the source spreading the Conficker virus on the network before
connecting your computer. Logically, every unpatched computer connected to
a network where one computer is infected with the Conficker virus will also
be infected with Conficker in a short time, unless those computers are
protected by a firewall that protects the ports:
. UDP ports 135, 137, 138 and 445
. TCP ports 135, 139, 445 and 593
4. Patch every computer whose operating system is vulnerable to the RPC
Dcom 3 security hole. For details of the patch, download it from the
Microsoft site.
As reported earlier, Conficker does not only exploit the security hole in
Windows XP Service Pack 3 and Windows Server 2003 Service Pack 2; Windows
Vista and Windows Server 2008, and even Windows 7 Pre Beta, are also
vulnerable. (dtn)
==========================
I personally have not resolved it yet
hopefully this is useful for others
regards,
rian
On 19/01/09, Adit Al Banna <[email protected]> wrote:
> hmm, I once got frustrated because Windows caught a virus,
> and safe mode had no effect... so I went straight to amputation (read:
> reinstall)
> hehehhehe...
> but keep trying dude !!!! do your best !!!
>
>
> On 19 January 2009 08:48, =-Titah Supriadi-=
> <[email protected]> wrote:
>
>>
>> If, say, your computer is infected with a virus, you have to try scanning
>> the computer from Windows safe mode rather than from normal Windows,
>> because from normal Windows it is pointless, the virus is running at
>> startup. Thank you
>>
>>
>> -----Original Message-----
>> From: rian hidayat [mailto:[email protected]]
>> Sent: Friday, January 16, 2009 5:21 PM
>> To: [email protected]
>> Subject: Re: Bls: [balikpapan-ict] Re: Windows-Norman-W32/Conficker.E
>>
>>
>> Latest update on this trouble:
>> I replaced my antivirus with NOD 32 version 2.7 with the latest update
>> I added Spybot Search and Destroy version 1.6.0 with the latest
>> update
>>
>> both of these tools also detect Conficker.A as a worm
>> and keep detecting and deleting it.
>> so there is probably something else, which is why it keeps getting
>> detected every few minutes.
>>
>> I have already pulled the hard disk and scanned it with a laptop using a
>> USB-IDE connector, the hard disk as a removable disk, scanned with Panda
>> Antivirus (original license);
>> no virus or anything else was detected as a malicious program.
>>
>> looks like the number of Ubuntu users is about to grow...
>>
>> please enlighten me.
>>
>>
>> On 15/01/09, Bambang Herlandi <[email protected]>
>> wrote:
>> > From my experience,
>> > try installing Spybot (it's free), then update.
>> > after that "Check for Problem"...
>> > After that, "fix Selected Problem"
>> >
>> > If you can, also install an antivirus with the latest updates.
>> > Just use a free one, such as AVG or ClamAV.
>> >
>> >
>> > But usually problems arise when the OS has already become a
>> > breeding ground
>> > for spyware, viruses or trojans.
>> > Usually the AV and Spybot refuse to install.
>> > The solution is to use an OS that is still clean (free of anything odd),
>> > then just make the HDD with the odd stuff on it the slave.
>> > Then scan it... (do the scan at night, because it will take a long
>> > time... just leave it
>> > and go to sleep)
>> > :D :D :D
>> >
>> > Good luck trying,
>> >
>> > Bambang Herlandi
>> > url : http://bambangherlandi.web.id
>> > e-mail #1 : [email protected]
>> > e-mail #1 : [email protected]
>> >
>> > ________________________________
>> > From: =-Titah Supriadi-= <[email protected]>
>> > To: [email protected]
>> > Sent: Wednesday, 14 January 2009 16:56:47
>> > Subject: [balikpapan-ict] Re: Windows-Norman-W32/Conficker.E
>> >
>> >
>> > Antivirus was discussed earlier. Antivirus is divided into 2
>> > parts:
>> > 1. Antivirus as protection for files and email
>> > 2. Antivirus as WEB protection, such as against spyware
>> >
>> > Any antivirus commonly used for file and email protection
>> > can be downloaded to try, or you can also download their removal tools,
>> > which are usually
>> > given away
>> > free
>> >
>> > http://www.kaspersky.com
>> > http://www.nai.com
>> > http://www.sarc.com
>> > http://www.nod32.com
>> > http://www.avast.com
>> >
>> >
>> > regarding the software you describe below, its function is for security
>> > while browsing, to block spyware, but installing that software is
>> > pointless if the user still opens porn sites
>> >
>> >
>> >
>> > -----Original Message-----
>> > From: Rizqi Arijono [mailto:[email protected]]
>> > Sent: Wednesday, January 14, 2009 3:19 PM
>> > To: [email protected]
>> > Subject: [balikpapan-ict] Re: Windows-Norman-W32/Conficker.E
>> >
>> >
>> > hmm... tsk...tsk...tsk.... it's hard using Windows....
>> >
>> > RQ
>> >
>> > */no offense
>> >
>> > On 1/14/09, Lucky <[email protected]> wrote:
>> >>
>> >> rian hidayat wrote:
>> >>> Super anti Spyware
>> >>> Spyware caese
>> >>> Spyware.Nuxer.XT.V4.9.09.1815.WinAll
>> >>> Spywareblaster 4.0
>> >>> Spyware Terminator 2.3
>> >>> Spyware Doctor
>> >>> Anti Spyware
>> >>> XoftSpySE_Anti-Spyware_v4.33.5259.1
>> >>>
>> >>> Which one, sir? I have never used any of them
>> >>> it would be a shame to experiment, since it's for the boss's computer
>> >>> please give your recommendations, colleagues...
>> >>
>> >> Adding one more, Mas Rian. Just try this one:
>> >> http://www.safer-networking.org/id/mirrors/index.html
>> >>
>> >> Update via the internet, then scan. Hope it works.
>> >>
>> >> -Lucky-
>> >>
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Balikpapan Information, Communication & Technology Community" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to
[email protected]
For more options, visit this group at
http://groups.google.com/group/balikpapan-ict?hl=en-GB
-~----------~----~----~----~------~----~------~--~---