Alert - Additional Microsoft Security Guidance Published on Conf*cker

[Dr.Melzer 191]

Microsoft hat am 27.03.09 neue Informationen rund um den Wurm Con****er veröffentlicht:

 

What is the purpose of this alert?

This alert is to notify you that Microsoft has published new information regarding the Con****er worm on March 27, 2009.

 

The new information published today will appear on Microsoft’s Con****er landing pages, Microsoft’s security-related blogs and in the Microsoft Malware Protection Center (MMPC) malware encyclopedia.

 

These resources aim to help customers by providing answers to common questions, steps customers can use to protect their systems, and steps that can be used to recover systems that have been infected.

 

SUMMARY

 

Microsoft has published new information today on the following web pages:

 

• Microsoft Con****er guidance page for IT Professionals and those focused on security in the enterprise: Conficker Worm: Help Protect Windows from Conficker.

 

• Microsoft Con****er guidance page for consumers and home users: Computer Worms - Conficker| Microsoft Security.

 

• The Microsoft Malware Protection Center (MMPC) encyclopedia page for the Con****er family of malware: Microsoft Malware Protection Center.

 

• The Microsoft Malware Protection Center blog: Microsoft Malware Protection Center.

 

• The Microsoft Security Response Center Blog: The Microsoft Security Response Center (MSRC).

 

Please use these new resources as your starting point for guidance on Con****er. The content will be refreshed periodically when new information is available.

[Dr.Melzer 191]

ANSWERS TO COMMON QUESTIONS

 

Q: What will happen on April 1, 2009?

A: Based on our collective technical analysis, we've determined that systems infected with the latest version of Con****er will begin to use a new algorithm to determine what domains to contact. We have not identified any other actions scheduled to take place on April 1, 2009.

 

Q: Will an updated version of Con****er go out to already-infected systems on April 1, 2009?

A: It is possible that systems with the latest version of Con****er will be updated with a newer version of Con****er on April 1, 2009 by contacting domains on the new domain list. However, these systems could be updated on any date before or after April 1, 2009 as well using the "peer- to-peer" updating channel in the latest version of Con****er.

 

Q: Should the general public be alarmed? Why or why not?

A: No, the general public should not be alarmed. Most home users have been protected by Microsoft Security Update MS08-067 (Microsoft Security Bulletin MS08-067 – Critical: Vulnerability in Server Service Could Allow Remote Code Execution (958644)) being applied automatically.

 

Q: What should people who are worried about April 1, 2009 and Con****er do?

A: We recommend that home users who have not yet enabled automatic updates do so and ensure their security software is up to date with the latest antivirus signatures for Windows Live OneCare, or the antivirus product they use. We recommend that enterprise customers continue to focus on the guidance from Microsoft and take multiple measures to minimize the risk of getting infected:

 

• Fully Install MS08-067 (Microsoft Security Bulletin MS08-067 – Critical: Vulnerability in Server Service Could Allow Remote Code Execution (958644)) on all Windows computers in your environment. Because 100 percent deployment can be challenging in diverse enterprises, the next defense-in-depth steps can help minimize the risk too.

• Use an antivirus product that has solid detection of Con****er. Such an antivirus program should be able to block the worm from copying itself to other machines. For example, Microsoft Forefront Client Security and Windows Live OneCare can detect and block this worm from the very first day of its discovery.

• Use strong passwords both for any user account and also for any file share in your environment.

• Make sure to use only AutoPlay options that you are familiar with as other options may have been added by malicious software. Some customers may prefer to disable the AutoRun functionality altogether.

• Evaluate additional security best practices in accordance with their organization's policies and procedures.

 

Customers who believe they are affected and need additional support can contact Microsoft Customer Service and Support. Contact CSS in North America for help with security update issues or viruses at no charge using the PC Safety line (866)PCSAFETY or resources found at: Microsoft Security Online and Phone Support | Microsoft Security.

 

International customers can contact Microsoft Customer Service and Support by using methods found at: Worldwide Computer Security Information - Microsoft Security.

 

REGARDING INFORMATION CONSISTENCY

 

We strive to provide you with accurate information in static (this mail) and dynamic (Web-based) content. Microsoft’s security content posted to the Web is occasionally updated to reflect late-breaking information. If this results in an inconsistency between the information here and the information in Microsoft’s Web-based security content, the information in Microsoft’s Web-based security content is authoritative.

 

If you have any questions regarding this alert please contact your Technical Account Manager or Application Development Consultant.

 

Thank you,

Microsoft CSS Security Team