A virus that is spreading with a vengeance is plaguing businesses in the new year. The Conficker worm, which caused havoc on Windows PCs in October, has come back to strike more than 3.5 million PCs in 24 hours under a new name, Downadup, according to security analysts.
The worm resurfaced earlier in the month, infecting Windows workstations and servers and causing a variety of problems for users.
Downadup consists of a family of network worms that are difficult to remove, especially when there is an infection inside a corporate network, according to F-Secure, a security company which first released warnings about the worm.
"First discovered in October 2008, Conficker, Kido or Downadup is a very sophisticated worm, but the updated version from two weeks ago is much more serious," said Jart Armin, a security specialist with HostExploit. "Essentially it becomes part of MS Windows services.exe, and then establishes an HTTP server from the infected PC."
Using the Inauguration
Armin added that the worm automatically generates hundreds of domain names to fool any tracking, but only one is the real site that downloads the malicious instruction set.
"It also enables replication via USB sticks and across office networks," Armin said. "It appears to be especially timed to take advantage of the holidays and lack of IT staff around."
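The behaviour Armin describes above, a host churning through hundreds of generated domain names of which only one resolves, is visible in resolver logs as a burst of failed lookups of random-looking names. The following is an added, defender-side example and not code from the article, F-Secure or HostExploit: it scans a few constructed DNS log lines and flags clients whose distinct, high-entropy NXDOMAIN lookups cross a threshold. The log format, the entropy and count thresholds, and all names are assumptions.

```python
import math
from collections import defaultdict

# Constructed sample resolver log lines: client IP, queried name, response code.
# The first client mimics a Downadup-style host: many random-looking names that
# fail to resolve, plus one legitimate lookup. All names here are made up.
SAMPLE_LOG = """\
10.0.0.12 qwrtzplmvk.info NXDOMAIN
10.0.0.12 hjskdlqpwo.biz NXDOMAIN
10.0.0.12 zxcvbnqwerl.org NXDOMAIN
10.0.0.12 plmokniujb.net NXDOMAIN
10.0.0.12 yhnujmikol.com NXDOMAIN
10.0.0.12 update.example-vendor.com NOERROR
10.0.0.7 www.example.com NOERROR
10.0.0.7 mail.example.com NOERROR
10.0.0.7 typoo.example.com NXDOMAIN
"""


def shannon_entropy(label):
    """Bits of entropy per character; generated labels score higher than words."""
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_generated(name, min_entropy=3.0):
    """Heuristic (assumed thresholds): leftmost label is long and high-entropy."""
    label = name.split(".")[0]
    return len(label) >= 8 and shannon_entropy(label) >= min_entropy


def flag_dga_hosts(log_text, min_failures=5):
    """Return {client: sorted suspicious names} for clients whose distinct
    failing, random-looking lookups reach min_failures. A single typo
    (like the second client's) never trips the threshold."""
    failures = defaultdict(set)
    for line in log_text.splitlines():
        client, name, rcode = line.split()
        if rcode == "NXDOMAIN" and looks_generated(name):
            failures[client].add(name)
    return {c: sorted(n) for c, n in failures.items() if len(n) >= min_failures}
```

Flagged hosts are candidates for isolation and a patch check, not proof of infection; legitimate software that probes many names can look similar, so the thresholds should be tuned against a baseline of the local network.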
Is there any help for victims of the Conficker? Some, according to security specialists.
One is to watch out for fake Barack Obama sites, according to F-Secure's blog. The company is seeing spam that uses the presidential inauguration as a lure, together with Downadup-related activity.
E-mails have been sent around the world urging users to follow links to Obama Web sites. Some of the fake Web sites that serve malware are store.greatobamaguide.com, store.superobamadirect.com and superobamaonline.com, and there are many more, according to F-Secure.
F-Secure has also posted the countries in which the offending IP addresses are registered; they include China, Brazil, Russia, India, Ukraine, Italy, Thailand, Taiwan and Kazakhstan, to name a few. Most, however, originate in China, Brazil and Russia.
"The main fake Web site was superobamaonline.com, which has now been taken offline; however more are likely to appear," Armin said. "It shows registration via XIN NET Technology Corp. of China; however, this domain registrar has been primarily used by Russian cybercriminals."
"Essentially these fake Web sites are a 'fast-flux' botnet hosted around the globe, and the links via spam e-mail point to a file called speech.exe, which is a Waledac malware variant," he added.
Protecting and Avoiding
Updating your PC has never been more valuable than now, according to Armin, who said consumers need the latest operating-system updates and patches.
As always, PC users and businesses also need to be sure to update antivirus software.
"Microsoft has patches. However the ongoing problem resides where many PCs do not have the latest MS patches, i.e. MS patch MS08-067, and estimates vary from one to nine million PCs infected worldwide," Armin said.