
Talk:Conficker


This is an old revision of this page, as edited by Srvfan84 (talk | contribs) at 15:09, 24 March 2009. The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

Operation

'It then connects to a server, where it receives further orders to propagate, gather personal information, and downloads and installs additional malware onto the victim's computer.' I was under the impression that Conficker currently only propagated itself and listened for further instructions from specific channels on what the botnet should do, and that such a message has not been sent yet? The way this sentence is phrased it makes it sound like Conficker has been sent the signal already. Has it actually been activated yet? 134.173.66.81 (talk) 22:00, 25 January 2009 (UTC)[reply]

It must have been activated for it to do the damage it has done overseas already. My May 2009 edition of PC Advisor claimed that the worm was simply lying in wait, but this isn't true. The worm generates a fresh list of about 250 random domain names daily and then checks those domains for instructions. When researchers started studying the worm's behavior, they realised it was registering about 2,000 sites a week. The article doesn't half explain the seriousness of Conficker. The truth is, Conficker has the potential to reprogram a network, allowing this cybergroup to use the computers they infect for their own nefarious purposes. I just look forward to Microsoft catching these guys and/or girls. Refreshments (talk) 16:10, 19 March 2009 (UTC)[reply]

Removal

'Linux and Macintosh systems are unaffected as the virus only targets Windows software' present at the bottom of the first block of text. This message is unnecessary and superfluous. The first block of text already explains the nature of the virus and what it targets. 62.245.140.169 (talk) 17:03, 21 January 2009 (UTC)[reply]

  • The information is useful and relevant. Please do not remove it again. JohnCD (talk) 17:27, 21 January 2009 (UTC)[reply]
    • I too find this useful information and it should be restored. Not all Linux or (especially) Mac-users are computer nerds and people might be in need of such information. PPP (talk) 09:03, 13 February 2009 (UTC)[reply]
  • I agree it should be removed as it is immaterial to the article. Also not mentioned (thankfully) is that Playstations, X-Boxes, PDAs, mobile phones and toasters are not targeted. Sufficient is the list of targeted OSes. These sorts of comments foster a naive view that not using the dominant platform is a security solution.

    One study (will cite when I find the book) of Windows NT and Linux workstations with clean installs, fresh IPs and a LAN directly connected to the Internet showed that both systems had mean times to compromise measured in hours, not days. Yes it's an old study but since it came out we have seen the rise of botnets, cross platform parallel compute libraries and automated penetration tests designed to find weaknesses in a broad spectrum of devices connected to a network. These new tools are just as applicable to creating malicious botnets as they are to finding cancer cures at home or finding and fixing security problems in networks.

    I'm no Windows apologist and I use Linux exclusively on my own computers. I just think the constant "Linux/Macintosh/Insert favored OS here doesn't get viruses" harping misses the point. It's a smug message that if you are running windows you should change. But if everyone changed to your favored OS your imaginary security through obscurity would also vanish. What then? Would a change back to Windows then be warranted? 121.79.12.138 (talk) 22:44, 21 January 2009 (UTC)[reply]

    • I wouldn't be too quick in drawing conclusions, some phones or PDA's are running Windows thus could be affectable by this virus. Also, I don't know the OS an X-box is running, but since this is a Microsoft-product, it could be in the danger zone. Furthermore, the comparison between a computer and a toaster is one only an anonymous would make, because everybody knows it doesn't make any sense, since a toaster is not connected to the internet. It's like stating that the apple tree in my backyard probably won't get the Conficker disease from my computer. Nor will I personally. But a desktop computer running Linux or MacOS is still a desktop computer and for many people the same thing. They surely deserve to be informed if their computer is violable or not. PPP (talk) 09:14, 13 February 2009 (UTC)[reply]
      • Given the article already mentions exactly which OSes are known to be affected, there is little point listing the OSes that are not known to be affected. Someone (207.203.88.15) appears to have noted this and added a list of other OSes including some really esoteric ones presumably to make some kind of point. I'm with the previous user who objected to the original statement. The argument that it's useful to include a list of OSes not affected might have some merit if the article said "Affects all PCs, except those with these OSes", but it doesn't. 94.193.9.40 (talk) 18:11, 13 February 2009 (UTC)[reply]

For tactfully explaining everything to this JohnCD fellow I didn't want to have to bother with, you have my utmost thanks. 62.245.140.169 (talk) 14:50, 29 January 2009 (UTC)[reply]

Comment: Why are you folks continuing to remove McAfee's on demand removal capabilities from the list of methods to remove? I sense some sort of bias here. McAfee can detect and remove the virus but the other AV's require removal tools. This should be very important to identify. —Preceding unsigned comment added by 71.135.75.227 (talk) 20:18, 5 February 2009 (UTC)[reply]

Simple, Wikipedia information must be verifiable. Please include references with your inclusion. Sephiroth storm (talk) 23:56, 5 February 2009 (UTC)[reply]

Is Windows Mobile affected? 213.67.232.233 (talk) 01:55, 13 February 2009 (UTC)[reply]

What are the symptoms of infection?

Is there a way of determining if your PC is infected? DavidRF (talk) 19:03, 19 January 2009 (UTC)[reply]

If the user's IQ is lower than 80, then it's probably infected. 121.44.18.220 (talk) 07:42, 20 January 2009 (UTC)[reply]
Very constructive, thanks. The article is a headline in the news section of the main page of wikipedia and I haven't heard about it anywhere else. Just wondering if we could get some elaboration on this threat. DavidRF (talk) 15:01, 20 January 2009 (UTC)[reply]
Seriously, what are the indications? 惑乱 Wakuran (talk) 17:39, 20 January 2009 (UTC)[reply]
Don't know the specific ones, but this is a spybot, which connects to external servers, so if you find your internet, or even just your computer, is considerably slow, and it can't be blamed on just your old computer, then get the removal tool from Microsoft's website and try it. If you're clean, then it won't find anything. —Preceding unsigned comment added by 24.65.77.144 (talk) 02:19, 21 January 2009 (UTC)[reply]
Apparently it spreads through networks by means of guessing passwords, and occasionally locks out users when attempted incorrect guesses one time too many. That seems to be a warning sign. 惑乱 Wakuran (talk) 10:11, 21 January 2009 (UTC)[reply]

Why can't we correctly translate the German? --202.169.60.130 (talk) 15:26, 20 January 2009 (UTC)[reply]

Yeah. Wikipedia is fucking not censored for fucking minors! 惑乱 Wakuran (talk) 17:39, 20 January 2009 (UTC)[reply]

When this worm infected hundreds of Windows machines at my company, I, being a member of the IT, received a giant load of calls that wouldn't even let me stop to breathe... it was really fun to see people scared of a "malevolous virus attack" hehe Oxygenetik (talk) 10:17, 21 January 2009 (UTC)[reply]

The worm hides in a pendrive (that is contaminated on a computer with virus). There are two parts to it. The first is an .exe file, which is a *number*.exe and it is hidden. Note: the number is usually less than 100, like 8.exe, 11.exe. The second part is an .inf autorun config file like

ShellExecute=8.exe
Action=View the contents of this drive

When the autoplay pops up, you can select what you want to do, e.g. print the pictures, take no actions, etc. Normally people will select 'view contents of this drive' but it is actually an autoplay for the .exe file. Once it is running, you can see it in the task manager, as *number*.exe. The symptoms are error popups like 'suddenly,life has new meaning'. Different variations have come out so there may be other effects on the computer. To remove, stick your pendrive into the USB, and when the autoplay window pops up, press cancel or the cross. Open cmd, type your drive, like H:. After that, type dir/w/o/a/p . If there are any suspicious .vbs, .exe, .ini/inf files, type in "attrib -h -r -s -a". Then type "del filename.ext". Replace the ext with the extension type, like "del autorun.inf" or "del New.exe". KamiFlame (talk) 13:50, 21 January 2009 (UTC)[reply]

That isn't the Conficker worm. The Conficker worm does not have an exe component. It is just a single DLL file.
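
Added example (not part of the comments above and not code from any participant): a small Python auditor for the autorun.inf layout described in KamiFlame's post, where a ShellExecute entry launches a numbered .exe while the Action text imitates the normal folder-browsing choice. The sample file content, the function names and the keyword patterns are constructed for illustration.

```python
import re

# Keys that make AutoPlay start a program (plus shell\<verb>\command, handled below).
LAUNCH_KEYS = ("open", "shellexecute")
EXEC_EXT = re.compile(r"\.(exe|com|scr|pif|bat|cmd|vbs|js|dll)\b", re.I)
# Action captions worded like the built-in "open folder to view files" choice.
FOLDER_WORDS = re.compile(
    r"\b(open|view|browse|explore)\b.*\b(folder|files|contents|drive)\b", re.I)
# The post describes hidden files named <number>.exe, e.g. 8.exe or 11.exe.
NUMERIC_EXE = re.compile(r"(^|[\\/\s])\d{1,3}\.exe\b", re.I)

# Constructed sample matching the entries quoted in the post.
SAMPLE_AUTORUN = (
    "[autorun]\n"
    "ShellExecute=8.exe\n"
    "Action=View the contents of this drive\n"
)


def parse_autorun(text):
    """Return {key: value} for the [autorun] section, keys lower-cased.

    Parsed line by line rather than with configparser so that junk or
    duplicate lines do not abort the audit.
    """
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def audit_autorun(text):
    """Return a list of human-readable findings for one autorun.inf."""
    entries = parse_autorun(text)
    launches = {
        k: v for k, v in entries.items()
        if k in LAUNCH_KEYS
        or (k.startswith("shell\\") and k.endswith("\\command"))
    }
    findings = []
    for key, target in launches.items():
        if EXEC_EXT.search(target):
            findings.append(f"{key} launches executable content: {target}")
        if NUMERIC_EXE.search(target):
            findings.append(f"{key} target is a numerically named .exe: {target}")
    action = entries.get("action", "")
    if launches and FOLDER_WORDS.search(action):
        findings.append(f"action text imitates a folder-browsing entry: {action!r}")
    return findings


if __name__ == "__main__":
    for finding in audit_autorun(SAMPLE_AUTORUN):
        print(finding)
```
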

I've had the virus, and I can tell you exactly what the symptoms are. First, it takes over the browser, and when you click on a Google search result of most anything it takes you to a different web page with ads and other links. It also displayed a page that looked like "My Computer" with a real time virus count message appearing in red to get your attention. Then it tried to sell me antivirus software with a pop-up window. It also generated a "fake memory error" on my laptop and caused the machine to reboot randomly every 10-20 minutes. In addition, it prevented me from going to any websites to either learn about the virus or get tools to eradicate the virus. It installed a new hosts table with certain websites redirected to 127.0.0.1. It also prevented certain applications already installed on the hard drive from executing. I finally was able to get an online scan tool to run (from a website that didn't have anything related to security in its name), but during the scan the machine rebooted (see above symptom). While I was ultimately able to remove the virus, the machine had other software and drivers damaged, so when I got back home I restored from a backup Ghost image I made when the machine was new and I had tweaked the software to my liking. This is one of the nastiest viruses I've ever seen, and my laptop was updated with the latest patches, etc., so I'm not sure how I got it. I was at a hotel on their wireless network at the time of infection.

---You were on a public network...duh! that would be how you caught it. 75.89.166.147 (talk) 16:16, 26 February 2009 (UTC) TiaF[reply]
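
Added example (not part of the thread and not any participant's code): a Python check for the symptom reported above, a hosts table in which websites are redirected to 127.0.0.1. The sample hosts content, hostnames and function name are constructed; the optional watch_terms filter is an assumption for narrowing results to names of interest, since ad-blocking hosts files also map names to loopback.

```python
import ipaddress

# Names that legitimately resolve to loopback in default hosts files.
LOCAL_NAMES = {"localhost", "localhost.localdomain",
               "ip6-localhost", "ip6-loopback", "broadcasthost"}

# Constructed sample; hostnames use reserved .example names.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1   localhost
::1         localhost
127.0.0.1   www.av-vendor.example update.av-vendor.example   # unexpected entry
192.0.2.10  intranet.corp.example
0.0.0.0     ads.tracker.example
"""


def sinkholed_hosts(hosts_text, watch_terms=()):
    """Return [(line_no, address, hostname)] for every non-local hostname
    mapped to a loopback or unspecified address.

    If watch_terms is given, only hostnames containing one of those
    substrings are reported.
    """
    hits = []
    for line_no, raw in enumerate(hosts_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # malformed line, not a mapping
        if not (addr.is_loopback or addr.is_unspecified):
            continue
        for name in fields[1:]:                  # one line may carry several names
            lname = name.lower().rstrip(".")
            if lname in LOCAL_NAMES:
                continue
            if watch_terms and not any(term in lname for term in watch_terms):
                continue
            hits.append((line_no, str(addr), lname))
    return hits


if __name__ == "__main__":
    for line_no, addr, name in sinkholed_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {addr}")
```

On Windows the file to feed in is %SystemRoot%\System32\drivers\etc\hosts; read it from a clean boot environment if the running system cannot be trusted.
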

Picture

Currently there's a picture of a Sandisk Cruzer with the caption "Conficker spreads via portable storage devices." This picture is not just unnecessary (if you don't know what a USB stick is, look up the article), it could actually give the impression (to stupid people, admittedly) that Sandisk has anything to do with it, which of course they don't. I removed the picture to offset these concerns, and added a link to USB flash drive. 82.95.254.249 (talk) 14:08, 21 January 2009 (UTC)[reply]


Use of obscenities

"consisting of the abbreviation con for configuration and the nominalized form of the obscene German verb ficken (the bad f word)"

Are we children. Either let us use our imaginations as to what "ficken" means, or be more, er, explicit. Monkeyspearfish (talk) 16:38, 21 January 2009 (UTC)[reply]

I replaced it with 'fuck'. Wikipedia is not censored! ~-F.S-~(Talk,Contribs,Online?) 16:53, 21 January 2009 (UTC)[reply]
Someone is removing the definition for "ficken" and insisting that it is a homophone for "configure", which is original research and not plausible (IMHO). Reverting. 65.169.210.66 (talk) 23:05, 22 January 2009 (UTC)[reply]
It's a fact that the English word "to configure" is pronounced in English almost exactly like "conficker is pronounced in German". Just with the difference that the "ck" in German is pronounced slightly harder than the "g" in English. That's exactly what homophone means. Furthermore, the German "ficken" not only is a term for sexual intercourse. Just like the English "fuck", "ficken" can be used in slang for stealing, beating someone up, etc... So I took the liberty to at least link to the f-word. Conficker is causing German press to use the f-word uncensoredly, and talking to people about this worm very often causes disturbance. Just imagine what this would be like if the worm's name would have been "confucker" (which is what I would say is the literal translation of the pun) -- what then? €0.02, --Volty (talk) 13:09, 27 January 2009 (UTC)[reply]
I don't have an issue with it being like "config," if that is a fact. I was just interested in the making sure the "ficken" vulgarity was not glossed over. This homophone business is still original research as far as I am concerned, though.65.169.210.66 (talk) 17:08, 27 January 2009 (UTC) —Preceding unsigned comment added by 24.21.10.30 (talk) [reply]
True, Wikipedia is not censored, but there are still policies about being offensive, and that word is offensive. Since we're adults, we surely don't need it spelled out for us. I suggest a change to something like, "...which is offensive in English." Carl.antuar (talk) 11:06, 23 January 2009 (UTC)[reply]

"ficken" is described as obscene, but that is an exaggeration. Its use is typically considered not or only mildly offensive by native speakers depending on the context. E.g. the title of a German movie from 2002, "Fickende Fische", did not spark any public outcry, and it received an FSK 12 rating. Certain uses of the word may of course be considered obscene but this is true even of the most harmless words. Aragorn2 (talk) 05:35, 24 January 2009 (UTC)[reply]

I think that might be part of German culture, though. Nudity and sexual slang/references doesn't cause as much commotion as in the USA, also it is not considered harmful for children. At least if Germany is similar to Sweden, where I live. That movie was given the Swedish title "Knullar fiskar?" ("Do fish fuck?", and they do not), given a 11 yrs rating, and didn't cause any storm, here either. 惑乱 Wakuran (talk) 13:19, 26 January 2009 (UTC)[reply]
Actually, I cannot come up with a more obscene German word for that kind of activity than "ficken". Just as Wakuran said, Germans are much more liberal with nudity and sex also in the presence of children. Sexual education here starts in primary school at an age of around seven. -- H005 (talk) 19:17, 16 February 2009 (UTC)[reply]

Conficker a pun of German Hackers? Perhaps, but absurd in this case. The name Conficker is one of the tons of domains, like bxtopike or browser or leyloenk, randomly created by the worm, chosen from the first person, who reported on Nov. 21th, 2008, that a worm who abuses Vulnerability in M$ Server Service MS08-067, is wild. --Ledenpas (talk) 21:38, 26 January 2009 (UTC)[reply]

So shouldn't the explanation with the German verb be deleted? There is more doubt than proof for this theory --jefo (talk) 19:34, 29 January 2009 (UTC)[reply]
How about we all grow up and realize that "fuck" is just a word and in this case it has no impact on anything other than your sensitive little brains. Grow up and "NO, you were not offended."

The fact is, whoever wrote about the origin of the name made it up. See http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm:Win32/Conficker.a, analysis tab, at the bottom. —Preceding unsigned comment added by 216.73.217.121 (talk) 23:53, 9 February 2009 (UTC)[reply]

Spread of Conficker

The article needs to be more explicit about how Conficker spreads. One line says it can spread by USB flash drives, but did it reach 9 million PCs solely on this vector? Does it spread when the user visits a website, or does it attack passive computers? Is a computer vulnerable behind a NAT router? The graphic titled "spread of conficker" doesn't help; it shows the attack coming by way of an unlabeled white box. Spiel496 (talk) 06:22, 22 January 2009 (UTC)[reply]

---Uh, lessee...public and private networks, email attachments, and portable media. Portable media including but not limited to: USB sticks/flash drives, custom burned CDs (and I would presume DVDs as well), and floppies. Which would imply that XBOX systems may be vulnerable, but I haven't heard anything yet about that. Someone else noted that Conficker does not have an .exe file, which is technically correct, and allows for it to travel pretty much however it wants to. Once it's on a system and has a way to get off and spread it usually does. Watch out for McDonald's, hotels, and the ever popular Universities while you're at it. 75.89.166.147 (talk) 16:21, 26 February 2009 (UTC)TiaF[reply]

Systems Affected

This Symantec summary claims that affected systems include Windows 95, Windows 98, Windows Me and Windows NT. These operating systems are not included in this article; should they be? - Shiftchange (talk) 13:26, 22 January 2009 (UTC)[reply]

Timeline

Since this was first detected in 2008 why is the coverage all in mid Jan 2009? Rich Farmbrough, 11:01 23 January 2009 (UTC).

I only heard about this today by reading it in my daily newspaper. I haven't heard about it in any of my usual online news sources. I do remember back in October hearing about Microsoft's big out-of-band release that was highly critical to install to avoid serious problems with predicted malware. I guess that the IT admins generally installed it and forgot about it. Now that it's impacting a lot of non-IT computers, it's being picked up by mainstream media sources. But that's only a guess. It did cause me to go back over all my systems and make sure that everything was protected. Turns out that not everything. Good thing I checked; it never hurts to be reminded about these things. --Willscrlt (Talk) 14:25, 23 January 2009 (UTC)[reply]

Infobox

Hi. I added an infobox to the article, but I am not really familiar with the details of that particular one, so someone who regularly edits malware articles should add the missing information. Thanks. --Willscrlt (Talk) 14:25, 23 January 2009 (UTC)[reply]

Hardware Firewall

I have a hardware firewall ( aka a router ). Can I still get infected? —Preceding unsigned comment added by 98.213.120.190 (talk) 07:47, 26 January 2009 (UTC)[reply]

To make a simple answer: Yes you can still get infected. 213.67.232.233 (talk) 01:35, 13 February 2009 (UTC)[reply]

Wouldn't most systems behind a hardware firewall be pretty much immune? I'm not aware of any routers that are open to the Windows Server service without putting the machine in the DMZ or similar. I'd say that it's unlikely that there would be an issue. 94.193.9.40 (talk) 18:24, 13 February 2009 (UTC)[reply]

You can get infected by another machine on your side of the firewall. Or by the virus through one of its other infection vectors: removable media, or shared drives.

Impact

I added the 15 million computers infected bit. It needs corroboration. I am not sure if it's true.— Preceding unsigned comment added by Anna Frodesiak (talkcontribs)

Yeah, I've seen that number on various news sites, although I think it's just an estimate. There hasn't been much news on it lately, but unless it somehow got contained it's probably on 20 million Windows PCs or more by now. Althepal (talk) 21:07, 2 February 2009 (UTC)[reply]

More news on Conficker - just visit Google News:- French fighter planes grounded by computer virus (might need to say this is 'allegedly' until they confirm)
Computer virus shuts down Houston municipal courts
More usefully, OpenDNS are offering an alternative means of protection from Conficker:- [1] —Preceding unsigned comment added by 217.34.138.161 (talk) 13:11, 9 February 2009 (UTC)[reply]

Origin of name

Does anyone get the explanation on http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A (see Tab Analysis, bottom)?

(fic)(con)(er) => (con)(fic)(+k)(er) => conficker

The old explanation was much more plausible to me (but I'm no expert).

--Abe Lincoln (talk) 21:44, 16 February 2009 (UTC)[reply]

It doesn't sound very reasonable to me either, but until we have reliable sources, we'd better not mention it at all. -- H005 (talk) 23:34, 16 February 2009 (UTC)[reply]

Easy prevention?

"The Conficker worm spreads itself primarily through a buffer overflow vulnerability in the Server Service on Windows computers." It's my understanding that home users who don't have a home network (not a wireless network, which is a different animal, but a home network allowing the sharing of files, etc. among multiple machines) don't need the Server service. I disabled mine a long time ago. (Start > Run services.msc > enter > right-click Server and set to manual or disabled.) Can anyone more knowledgeable confirm whether this would prevent the Conficker from installing, even without the many other precautions being used? Thanks, Unimaginative Username (talk) 10:34, 1 March 2009 (UTC)[reply]

Bundeswehr affirmed: one of our servers is infected, some departments are affected:

http://www.bundeswehr.de/portal/a/bwde/streitkraefte?yw_contentURL=/C1256EF4002AED30/W27PED65714INFODE/content.jsp —Preceding unsigned comment added by 88.72.225.151 (talk) 09:39, 12 March 2009 (UTC)[reply]

Newsagency dpa: some hundred computers affected: http://computer.t-online.de/c/17/68/25/30/17682530.html —Preceding unsigned comment added by 88.72.225.151 (talk) 11:08, 12 March 2009 (UTC)[reply]

Origin of the virus

Would it be possible to have some information on where the virus/worm comes from (ie : who created it)? and what they were aiming to do by creating it. 195.25.74.189 (talk) 11:33, 13 March 2009 (UTC)[reply]

Nobody knows that. There is a $250,000 reward out for that information. If you have it, feel free to claim your reward. Chrislk02 Chris Kreider 13:52, 24 March 2009 (UTC)[reply]

How to get rid of it

I had Conficker on my computer but the virus scan enterprise seemed to make short work of that! It comes up on my screen as deleted so I don't know, I guess it's been deleted. At the moment I think the best thing to do is to simply not use a U.S.B. while on the internet. Esp. with sites like wikipedia, which probs is prime targets. Don't save pages off the internet, and if you notice it's taking a long time to save a page like it was with me, it's probably because the computer's infected. If the worm is stealing passwords, substitute emails and passwords ought to be used only. No purchases should be made on the internet (i.m.o). Refreshments (talk) 15:18, 19 March 2009 (UTC)[reply]

April 1st activation

http://www.cnn.com/2009/TECH/03/24/conficker.computer.worm/index.html Seems like it would be of major importance.--205.202.243.5 (talk) 13:27, 24 March 2009 (UTC) (Jakezing)[reply]

Conficker versions

According to http://www.cnn.com/2009/TECH/03/24/conficker.computer.worm/index.html and several other articles pulled up through news.google.com, we are currently on Conficker version C, which is the third release and behaves differently in some ways from Conficker.A. Conficker.C doesn't spread through the network like Conficker.A but makes Conficker harder to detect and remove than previous versions. Conficker.B was also released after the Microsoft patch. Some articles also suggest the new Conficker disables some anti-virus services.