F-Secure has warned of a worm affecting corporate networks that
is
spreading rapidly. It is said to have already infected 2.5
million PCs worldwide.
F-Secure has
issued alerts about new versions of the "Downadup" worm. This
worm infects Windows workstations and servers, causing various
problems.
The security firm has received several reports of corporate
networks getting infected with variants of the worm.
Downadup (also known as Conficker) is a large family of network
worms. They are unusually difficult to remove, especially in case
of an internal infection inside a corporate network.
Downadup uses several different methods to spread. These include
using the recently patched vulnerability in Windows Server Service,
guessing network passwords and infecting USB sticks.
As an end result, once the malware gains access to the inside of
a corporate network, it can be unusually hard to eradicate fully,
said F-Secure.
Typical problems generated by the worm include locking network
users out of their accounts. This happens because the worm tries to
guess (or brute-force) network passwords, tripping the automatic
lock-out of a user who has too many password failures.
Once this worm infects a machine, it protects itself very
aggressively. It does this by setting itself to restart very early
in the boot-up process of the computer and by setting Access Rights
to the files and registry keys of the worm so that the user cannot
remove or change them.
The worm downloads modified versions of itself from a long list
of websites. The names of these websites are generated by an
algorithm based on current date and time. As there are hundreds of
different domain names that could be used by the malware, it is
hard for security companies to locate and shut them all down in
time.
Further technical information about the malware is available on
F-Secure's blog.
What to do to avoid infection:
- Make sure latest Microsoft patches have been applied
- Make sure your organization is running the latest version of
your anti-virus product
- Check that the anti-virus product has the latest updates
- Turn off AUTORUN and AUTOPLAY for USB sticks
- Make sure users domain passwords are strong
- Take extra care about the domain administrators' passwords