Interesting People mailing list archives

Re: US-CERT Technical Cyber Security Alert TA09-088A -- Conficker Worm Targets Microsoft Windows Systems
From: David Farber <dave () farber net>
Date: Mon, 30 Mar 2009 16:50:59 -0400

Begin forwarded message:

From: Justin D <justin () freeverse com>
Date: March 30, 2009 3:08:04 PM EDT
To: David Farber <dave () farber net>
Subject: Re: [IP] US-CERT Technical Cyber Security Alert TA09-088A -- Conficker Worm Targets Microsoft Windows Systems

Hi David,

For IP, if you will…

With April 1st coming up fast, the NYTimes had an interesting piece by John Markoff a few days back, with background on the worm as well as potential uses for the resulting botnet, written with the layman in mind:


One of those "could be nothing, could be everything" situations. I'll be at the office late tomorrow making sure to check all our Windows installs, that's for sure!

~ Justin D'Onofrio  |  Freeverse

On Mar 30, 2009, at 2:38 PM, David Farber wrote:

Begin forwarded message:

Date: March 30, 2009 11:29:17 AM EDT
To: dave () farber net
Subject: Fwd: US-CERT Technical Cyber Security Alert TA09-088A -- Conficker Worm Targets Microsoft Windows Systems

not for attribution

interesting subtext?

Mar 30, 2009 12:16:50 AM, cert-advisory () cert org wrote:

National Cyber Alert System

Technical Cyber Security Alert TA09-088A

Conficker Worm Targets Microsoft Windows Systems

Original release date: March 29, 2009
Last revised: --
Source: US-CERT

Systems Affected

* Microsoft Windows


US-CERT is aware of public reports indicating a widespread
infection of the Conficker worm, which can infect a Microsoft
Windows system from a thumb drive, a network share, or directly
across a network if the host is not patched with MS08-067.

I. Description

The presence of a Conficker infection may be detected if a user is
unable to surf to the following websites:

* http://www.symantec.com/norton/theme.jsp?themeid=conficker_worm&inid=us_ghp_link_conficker_worm
* http://www.mcafee.com

If a user is unable to reach either of these websites, a Conficker
infection may be indicated (the most current variant of Conficker
interferes with queries for these sites, preventing a user from
visiting them). If a Conficker infection is suspected, the
infected system should be removed from the network. Major
anti-virus vendors and Microsoft have released several free tools
that can verify the presence of a Conficker infection and remove
the worm. Instructions for manually removing a Conficker infection
from a system have been published by Microsoft in

II. Impact

A remote, unauthenticated attacker could execute arbitrary code on
a vulnerable system.

III. Solution

US-CERT encourages users to prevent a Conficker infection by
ensuring all systems have the MS08-067 patch (part of Security
Update KB958644, which was published by Microsoft in October
2008), disabling AutoRun functionality (see
http://www.us-cert.gov/cas/techalerts/TA09-020A.html), and
maintaining up-to-date anti-virus software.

IV. References

* Virus alert about the Win32/Conficker.B worm -

* Microsoft Security Bulletin MS08-067 - Critical -

* Microsoft Windows Does Not Disable AutoRun Properly -

* MS08-067: Vulnerability in Server service could allow remote code
execution -

* The Conficker Worm -

* W32/Conficker.worm -


The most recent version of this document can be found at:


Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert () cert org> with "TA09-088A Feedback VU#827267" in
the subject.

For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.

Produced 2009 by US-CERT, a government organization.

Terms of use:



Archives: https://www.listbox.com/member/archive/247/=now
RSS Feed: https://www.listbox.com/member/archive/rss/247/
Powered by Listbox: http://www.listbox.com
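
Added example, not part of the US-CERT alert or of the forwarded messages: the alert's detection check (security-vendor sites unreachable because the worm interferes with queries for them) written as a DNS test with a control lookup, so a host with no name resolution at all is not mistaken for an infected one. The control host `www.example.com` and the verdict labels are assumptions made for this sketch.

```python
import socket

# Hosts named in the alert's detection check.
VENDOR_HOSTS = ("www.symantec.com", "www.mcafee.com")
# Assumption: a control name unrelated to security vendors.
CONTROL_HOSTS = ("www.example.com",)


def system_resolver(host):
    """Return True if the local resolver yields at least one address."""
    try:
        return bool(socket.getaddrinfo(host, 80, proto=socket.IPPROTO_TCP))
    except (socket.gaierror, UnicodeError):
        return False


def assess(resolve=system_resolver,
           vendor_hosts=VENDOR_HOSTS,
           control_hosts=CONTROL_HOSTS):
    """Classify the host from selective DNS failures.

    inconclusive  - control names fail too (general DNS or network outage)
    suspect       - control resolves but a vendor name does not
    no-indication - every name resolves
    """
    control_ok = any(resolve(h) for h in control_hosts)
    blocked = [h for h in vendor_hosts if not resolve(h)]
    if not control_ok:
        verdict = "inconclusive"
    elif blocked:
        verdict = "suspect"
    else:
        verdict = "no-indication"
    return {"verdict": verdict, "blocked": blocked}


if __name__ == "__main__":
    result = assess()
    print(result["verdict"], result["blocked"])
```

A `suspect` result is the alert's cue to remove the system from the network and run a vendor removal tool; `no-indication` only means this one symptom is absent.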
