Malwarebytes

does MBAM remove Conficker/Downadup?


10 replies to this topic

#1 case.bolt (New Member, Members, 2 posts)

First let me say thank you to all the makers/contributors to Mbam. As a support Tech for OSU, I use Mbam daily to clean these silly college kids' computers and it works every time. I've only come across two infections so far that Mbam has not completely removed, and they were rootkits that I removed fine with a quick ComboFix. Again, thank you all for making such a terrific product.

So, I'm hearing a lot about this Conficker/Downadup worm lately and was wondering if Mbam can remove it? I seem to remember seeing Conficker once on a machine I was working on, and I'm pretty sure Mbam removed it, but I can't remember for sure. Since this worm seems to be able to spread through careless use of USB sticks and the Autorun feature in Windows (and we have students working for us) I wanted to ask to make sure if Mbam can detect/remove this.

Thanks for all your hard work mbam-ers!

#2 Yeerkcrazer (New Member, Members, 4 posts)

case.bolt, on Jan 22 2009, 01:55 PM, said:

First let me say thank you to all the makers/contributors to Mbam. As a support Tech for OSU, I use Mbam daily to clean these silly college kids' computers and it works every time. I've only come across two infections so far that Mbam has not completely removed, and they were rootkits that I removed fine with a quick ComboFix. Again, thank you all for making such a terrific product.

So, I'm hearing a lot about this Conficker/Downadup worm lately and was wondering if Mbam can remove it? I seem to remember seeing Conficker once on a machine I was working on, and I'm pretty sure Mbam removed it, but I can't remember for sure. Since this worm seems to be able to spread through careless use of USB sticks and the Autorun feature in Windows (and we have students working for us) I wanted to ask to make sure if Mbam can detect/remove this.

Thanks for all your hard work mbam-ers!
Hey. Yup, I recently wondered about that too. Well, I looked it up on MalwareNET on malwarebytes.org and discovered in the database "Worm.Conficker." So, I think it's safe to assume that MBAM is able to remove it.

#3 GT500 (Mostly Cantankerous, Trusted Advisors, 5,527 posts, Gender: Male, Location: Fortville, IN)

Yeerkcrazer said:

Hey. Yup, I recently wondered about that too. Well, I looked it up on MalwareNET on malwarebytes.org and discovered in the database "Worm.Conficker." So, I think it's safe to assume that MBAM is able to remove it.

Bruce didn't tell me if it could or not, but he did say that they are working on new heuristics to ensure that MBAM can detect not only all previous variants of Conficker, but all future ones as well.

Since Bruce isn't handing out status updates on the definitions, and every moment I'm pestering him for info is taking him away from getting things added to the database, I'll leave him alone for now. :)

Quote

For we wrestle not against flesh and blood, but against principalities, against powers, and against the worldly governors, the princes of the darkness of this world...

#4 exile360 (exile, Moderators, 12,959 posts, Gender: Male)

Isn't this worm already completely disabled (or at least the vulnerability it exploits) by an MS update released in October?:
http://en.wikipedia.org/wiki/Conficker
http://www.microsoft.com/technet/security/...n/MS08-067.mspx

note: Vista and Server 2008 users are apparently immune to this one (that vulnerability in the Server service is absent in those 2 OS's).
Samuel E Lindsey
Product Manager

#5 jsuurone (New Member, Members, 6 posts)

exile360, on Jan 23 2009, 01:37 AM, said:

Isn't this worm already completely disabled (or at least the vulnerability it exploits) by an MS update released in October?:
http://en.wikipedia.org/wiki/Conficker
http://www.microsoft.com/technet/security/...n/MS08-067.mspx

note: Vista and Server 2008 users are apparently immune to this one (that vulnerability in the Server service is absent in those 2 OS's).

Yes, the vulnerability it exploits is closed by that patch, but since the device can spread to machines via USB/autorun and brute-forcing through admin shares, it's still a worry - just less of one. Having MS08-067 applied and up-to-date AV should insulate you pretty well, and of course strong passwords as usual.

from the wiki page:
Since the virus can spread via USB drives that trigger AutoRun, disabling the AutoRun feature for external media through modifying the Windows Registry is recommended.[13] While Microsoft has released patches for the later Windows XP Service Packs 2 and 3 and Windows 2000 and Vista, it has not released any patch for Windows XP Service Pack 1 or earlier versions, as the support period for these service packs has expired.

In addition, the worm launches a brute-force dictionary attack against administrator passwords to help it spread through ADMIN$ shares, making choice of sensible passwords advisable.[14]

#6 exile360 (exile, Moderators, 12,959 posts, Gender: Male)

Cool, thanks a lot for the additional info. :)

#7 GT500 (Mostly Cantankerous, Trusted Advisors, 5,527 posts, Gender: Male, Location: Fortville, IN)

exile360 said:

note: Vista and Server 2008 users are apparently immune to this one (that vulnerability in the Server service is absent in those 2 OS's).

Not according to Secunia.


#8 exile360 (exile, Moderators, 12,959 posts, Gender: Male)

Oops, my bad, it's just not considered "critical" by MS, that's why I overlooked it. I have the server service and file and print sharing as well as default shares disabled anyway, of course most users do not.
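
A read-only audit of the mitigations discussed in posts #5 and #8 (MS08-067 applied, AutoRun disabled for external media, Server service and ADMIN$ exposure), as an added example and not code from the thread or from Malwarebytes. It assumes Windows PowerShell on the host being checked (Get-HotFix and Get-WmiObject) and an elevated prompt; KB958644 is the knowledge base article number for MS08-067.

```powershell
# Added example (not from the thread): audit the Conficker mitigations the posts
# above discuss. Read-only: it reports findings and changes nothing.
# Assumes Windows PowerShell (Get-HotFix, Get-WmiObject), run as Administrator.

$findings = @()

# 1. MS08-067 (KB958644, the Server service fix). Only meaningful on XP/2003/
#    Vista/2008-era hosts; later OS images ship with the fix already included.
$kb = Get-HotFix -Id 'KB958644' -ErrorAction SilentlyContinue
if (-not $kb) { $findings += 'KB958644 (MS08-067) is not listed as installed' }

# 2. AutoRun for removable media. NoDriveTypeAutoRun = 0xFF disables AutoRun on
#    every drive type; check both the machine policy and the current user policy.
foreach ($hive in 'HKLM', 'HKCU') {
    $key = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    $val = (Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun `
            -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    if ($null -eq $val -or (($val -band 0xFF) -ne 0xFF)) {
        $findings += "$hive NoDriveTypeAutoRun is '$val' (0xFF disables AutoRun on all drives)"
    }
}

# 3. Server service and the ADMIN$ share the worm targets with password guessing.
#    A running Server service with ADMIN$ present means a weak admin password
#    is all that stands between the host and a neighbouring infected machine.
$srv = Get-Service -Name LanmanServer -ErrorAction SilentlyContinue
if ($srv -and $srv.Status -eq 'Running') {
    $findings += 'Server service (LanmanServer) is running'
    $admin = Get-WmiObject -Class Win32_Share | Where-Object { $_.Name -eq 'ADMIN$' }
    if ($admin) { $findings += 'ADMIN$ administrative share is present' }
}

if ($findings.Count -eq 0) {
    Write-Output 'All checked Conficker mitigations are in place.'
} else {
    Write-Output 'Findings:'
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

A running Server service is a finding only on machines that do not need file sharing; on the others the MS08-067 patch plus a strong administrator password is the relevant control.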

#9 GT500 (Mostly Cantankerous, Trusted Advisors, 5,527 posts, Gender: Male, Location: Fortville, IN)

exile360 said:

... I have the server service and file and print sharing as well as default shares disabled anyway, of course most users do not.

Yea, most people have no idea. PC manufacturers need to package a booklet with new computers explaining basic PC security, because the average user gets no training at all when it comes to using a computer.


#10 case.bolt (New Member, Members, 2 posts)

exile360, on Jan 23 2009, 01:37 AM, said:

Isn't this worm already completely disabled (or at least the vulnerability it exploits) by an MS update released in October?:
http://en.wikipedia.org/wiki/Conficker
http://www.microsoft.com/technet/security/...n/MS08-067.mspx

note: Vista and Server 2008 users are apparently immune to this one (that vulnerability in the Server service is absent in those 2 OS's).


Yeah, I knew MS says they fixed it with the patch, but I have my doubts about the consistent accuracy of MS documentation. Also, working on a college campus you get to see a lot of students who have no idea that they should run updates. Just yesterday I had a user with 0 service packs for XP. The guy had just reinstalled after having his system hosed by all sorts of malware and never bothered to run any updates at all. Then he comes to us to clean his laptop once more after getting another virus two days after reinstalling. Ridiculous.

#11 GT500 (Mostly Cantankerous, Trusted Advisors, 5,527 posts, Gender: Male, Location: Fortville, IN)

case.bolt said:

... Then he comes to us to clean his laptop once more after getting another virus two days after reinstalling. Ridiculous.

It took 2 days? With no Service Packs the guy is lucky he lasted 30 seconds...
