Monday, March 30, 2009

US-CERT Technical Cyber Security Alert TA09-088A -- Conficker Worm Targets Microsoft Windows Systems


National Cyber Alert System

Technical Cyber Security Alert TA09-088A


Conficker Worm Targets Microsoft Windows Systems

Original release date: March 29, 2009
Last revised: March 30, 2009
Source: US-CERT


Systems Affected

* Microsoft Windows


Overview

US-CERT is aware of public reports indicating a widespread
infection of the Conficker/Downadup worm, which can infect a
Microsoft Windows system from a thumb drive, a network share, or
directly across a corporate network, if the network servers are not
patched with the MS08-067 patch from Microsoft.


I. Description

Home users can apply a simple test for the presence of a
Conficker/Downadup infection on their home computers. An infection
may be indicated if a user is unable to reach their security
solution's website or to connect to the websites below, which offer
free detection/removal tools for download:

* http://www.symantec.com/norton/theme.jsp?themeid=conficker_worm&inid=us_ghp_link_conficker_worm
* http://www.microsoft.com/protect/computer/viruses/worms/conficker.mspx
* http://www.mcafee.com

If a user is unable to reach any of these websites, it may indicate
a Conficker/Downadup infection. The most recent variant of
Conficker/Downadup interferes with queries for these sites,
preventing a user from visiting them. If a Conficker/Downadup
infection is suspected, the system or computer should be removed
from the network or, in the case of home users, unplugged from the
Internet.
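
The reachability test described above can be scripted. The following
is an added example, not part of the US-CERT alert: it resolves the
vendor hostnames listed above alongside control hostnames and
classifies the result. The control hostnames, the verdict labels and
the reading of "queries" as name lookups are assumptions of this example.

```python
import socket

# Vendor hostnames taken from the alert's list of sites.
SECURITY_SITES = ["www.symantec.com", "www.microsoft.com", "www.mcafee.com"]
# Assumption of this example: unrelated hostnames used as a baseline,
# so a general outage is not mistaken for selective blocking.
CONTROL_SITES = ["www.example.com", "www.wikipedia.org"]


def resolves(host):
    """Return True if the system resolver yields at least one address."""
    try:
        return bool(socket.getaddrinfo(host, 443, type=socket.SOCK_STREAM))
    except OSError:  # socket.gaierror is a subclass of OSError
        return False


def probe(hosts):
    """Resolve each host and return a {host: bool} map."""
    return {h: resolves(h) for h in hosts}


def assess(results, security=SECURITY_SITES, control=CONTROL_SITES):
    """Classify a {host: resolved?} map.

    clear       - every security site resolves
    no-baseline - no control site resolves; general outage, test says nothing
    suspicious  - control sites resolve but no security site does
    partial     - only some security sites fail; retest before concluding
    """
    sec_ok = [h for h in security if results.get(h)]
    ctl_ok = [h for h in control if results.get(h)]
    if len(sec_ok) == len(security):
        return "clear"
    if not ctl_ok:
        return "no-baseline"
    if not sec_ok:
        return "suspicious"
    return "partial"


if __name__ == "__main__":
    results = probe(SECURITY_SITES + CONTROL_SITES)
    for host, ok in results.items():
        print(f"{'ok  ' if ok else 'FAIL'} {host}")
    print("verdict:", assess(results))
```

A "suspicious" verdict matches the symptom the alert describes and is
a reason to isolate the machine and check it with one of the vendor
tools; a filtering proxy or resolver policy can produce the same
pattern, so it is not proof of infection.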


II. Impact

A remote, unauthenticated attacker could execute arbitrary code on
a vulnerable system.


III. Solution

Instructions, support and more information on how to manually
remove a Conficker/Downadup infection from a system have been
published by major security vendors. Please see below for a few of
those sites. Each of these vendors offers free tools that can
verify the presence of a Conficker/Downadup infection and remove
the worm:

Symantec:
http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-011316-0247-99

Microsoft:
http://support.microsoft.com/kb/962007

http://www.microsoft.com/protect/computer/viruses/worms/conficker.mspx

For assistance, call the Microsoft PC Safety hotline at 1-866-PCSAFETY.

US-CERT encourages users to prevent a Conficker/Downadup infection by
ensuring all systems have the MS08-067 patch (see
http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx),
disabling AutoRun functionality (see
http://www.us-cert.gov/cas/techalerts/TA09-020A.html), and
maintaining up-to-date anti-virus software.


IV. References

* Microsoft Windows Does Not Disable AutoRun Properly -
<http://www.us-cert.gov/cas/techalerts/TA09-020A.html>

* Virus alert about the Win32/Conficker.B worm -
<http://support.microsoft.com/kb/962007>

* Microsoft Security Bulletin MS08-067 - Critical -
<http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx>

* MS08-067: Vulnerability in Server service could allow remote code
execution -
<http://support.microsoft.com/kb/958644>

* The Conficker Worm -
<http://www.symantec.com/norton/theme.jsp?themeid=conficker_worm>

* W32/Conficker.worm -
<http://us.mcafee.com/root/campaign.asp?cid=54857>

* W32.Downadup Removal Tool -
<http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-011316-0247-99>

____________________________________________________________________

The most recent version of this document can be found at:

<http://www.us-cert.gov/cas/techalerts/TA09-088A.html>
____________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA09-088A Feedback VU#827267" in
the subject.
____________________________________________________________________

For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________

Produced 2009 by US-CERT, a government organization.

Terms of use:

<http://www.us-cert.gov/legal.html>
____________________________________________________________________

Revision History

March 29, 2009: Initial release
March 30, 2009: Included additional details


California Fire News - Updates in your mail box


Edwards Public Affairs: Avoid F-22A crash recovery area

Posted: 29 Mar 2009 05:11 PM PDT




95th Air Base Wing Public Affairs

3/29/2009 - EDWARDS AIR FORCE BASE, Calif. -- Air Force officials are asking the public to refrain from entering the F-22A crash recovery site northeast of Edwards Air Force Base.

At 10 a.m. March 25, an F-22A crashed about 35 miles northeast of the base, killing David Cooley, a Lockheed Martin test pilot. A board of Air Force officers is investigating the cause of the crash, while a team from Edwards Air Force Base is working to recover the aircraft and reclamate the crash scene.

The F-22A contains materials that, when damaged, may pose health risks. The aircraft recovery team working in the area is specially equipped and trained to handle those materials.

The recovery area is concentrated in three washes that extend 10 miles east of Hoffman Road from the Fremont Peak Road, south to Lockhart Road, in San Bernardino County. The area is popular with ATV and dirt bike riders, especially on the weekends.

Edwards officials ask the public to stay out of the area until it is deemed safe for their use. The 95th Security Forces Squadron has deployed a security team around the area, and large warning signs are placed around the perimeter. Officials estimate the recovery operations will continue through late April.

"The work we're doing there serves to not only tell us why the crash occurred, but also allows us to return the area as close to its natural state as is possible," said Col. Nancy Reeves-Flores, 95th Air Base Wing vice commander. "We cannot do this important job without the knowledge and support of our neighbors in the Antelope Valley, and we ask for their patience and understanding as we move forward."

Those with questions about the recovery operations, or who have information on the crash, are encouraged to contact the Edwards Public Affairs Office at (661) 275-9917 or (661) 277-3511. They may also contact Edwards Air Force Base Command Post at (661) 277-3040.

Related post:
Aircraft down: F-22 with one pilot aboard has crashed near Edwards Air Force Base
Source: http://www.edwards.af.mil/news/story.asp?id=123141865

Shasta County: Suspected arsonist arrested

Posted: 29 Mar 2009 05:00 PM PDT

McArthur man accused of starting fires last year, early this year

Accused Arsonist - Joshua Jack Charlton

Arson investigators have arrested a 20-year-old McArthur man in connection with a rash of fires in northeastern Shasta County between June and February, according to a California Department of Forestry and Fire Protection press statement.

Joshua Jack Charlton was booked into Shasta County Jail today on suspicion of six felony arson counts. The investigation will continue to determine if additional charges can be filed against Charlton, according to the press statement.

The fires Charlton is suspected of setting were quickly contained, CalFire Unit Chief Michael Chuchel said in a press statement. But the blazes threatened homes, he said.

The Shasta County Sheriff's Office and Mayers Memorial Hospital District helped CalFire with the investigation, according to the press statement.

Charlton was held in jail without bail.

Anyone with additional information about the fires may call CalFire at (800) 468-4408. Callers can remain anonymous.

Source: www.redding.com
