Posts Tagged McAfee
What is Conficker and what does it do?
It’s a worm/virus that infects computers through a vulnerability (MS08-067) in any Windows XP or Vista machine that hasn’t been patched with the patch Microsoft released back in October/November. Once infected, the virus:
- Embeds itself into the system services and makes some changes to the registry in order to run constantly, including after reboots.
- Disables antivirus and other security services, as well as blocks websites related to those services.
- Disables system restore and deletes all restore points making the recovery process that much more difficult.
- Opens the infected machine to more infections.
- Scans the subnet the infected computer is on for vulnerable machines and passes the infection on by creating an HTTP server for the new victim to download it from.
- Also copies itself to any USB drives, making the potential for spreading on networks much higher.
- Can crack weak passwords to accounts and lock you out of your own files and folders.
- It also schedules tasks and edits the autorun.inf file enabling it to re-activate after a computer is “cleaned.”
How do I know if my computer is infected?
I mentioned a few noticeable things above but here are the things an average computer user would notice:
- The computer will feel much more sluggish than normal.
- Your internet connection might become much slower as well.
- You may not be able to log into your computer. If the password is weak, the worm could crack it and lock you out.
- Automatic Windows updates will not work.
- You may not be able to get to any websites related to virus scanner updates or Windows updates.
- This virus is known to disable any security software you have – firewalls or virus scanners.
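One way to check the blocked-website symptom from the list above, as an added example that is not part of the original post: compare lookups of security sites with lookups of unrelated sites, since a dead connection fails both. The host lists are assumptions built from the vendors and news sites this post names.

```python
import socket

# Assumed host lists: the security vendors and the news sites this post names.
SECURITY_HOSTS = ["www.microsoft.com", "www.symantec.com",
                  "www.mcafee.com", "www.f-secure.com"]
CONTROL_HOSTS = ["www.bbc.co.uk", "www.pcworld.com"]


def system_resolve(host):
    """Return True if the operating system resolver can look up host."""
    try:
        socket.getaddrinfo(host, 80)
        return True
    except OSError:  # socket.gaierror is a subclass of OSError
        return False


def triage(resolve=system_resolve, security=SECURITY_HOSTS, control=CONTROL_HOSTS):
    """Compare lookups of security sites against unrelated control sites.

    Returns (verdict, blocked_security_hosts).
    """
    blocked = [h for h in security if not resolve(h)]
    control_ok = [h for h in control if resolve(h)]
    if not control_ok:
        # Nothing resolves, so this is a network problem, not selective blocking.
        verdict = "inconclusive: no name resolution at all"
    elif len(blocked) == len(security):
        verdict = "suspicious: only security sites fail"
    elif blocked:
        verdict = "partial: some security sites fail"
    else:
        verdict = "clean: security sites resolve"
    return verdict, blocked


if __name__ == "__main__":
    verdict, blocked = triage()
    print(verdict)
    for host in blocked:
        print("  cannot resolve", host)
```

A "suspicious" result only matches one symptom; a local firewall or filtering proxy can produce the same pattern, so follow it with a scan.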
What can I do to protect myself?
- Run a Windows update to make sure your computer has the patch installed.
- Update your virus scanner and run a scan to be safe. If you do not have a scanner I personally like AVG free. Symantec has a new thing called Norton Security Scan which is also free. I’ve never tried it so I don’t have an opinion about it.
Open Internet Explorer -> go to the tools menu -> click on windows update -> choose express and download all suggested updates.
Click on your start menu -> in the search box type windows update -> click check for updates in the left column and download any important updates.
What if my computer is infected?
Run a virus scan in safe mode (hold F8 down when restarting the computer). Safe mode is used in times like this because nearly every service and program that typically runs whenever you turn your computer on will be turned off, making it easier for the scanner to remove any infections. Microsoft suggests downloading their Windows Malicious Software Removal Tool. If you have a Norton product you can go here for information on how to remove it. McAfee also has information, although not very helpful in my opinion. In some instances the virus scanner may not be able to remove the infection so a more technical solution is needed.
F-Secure is the only company I’ve found so far that has an actual removal tool specifically for this virus/worm, but it is in the beta stage so be careful using it if you choose to do so. I just ran it on my laptop without any issues. If I come across someone at work who has this I’ll have no problem using it if a normal virus scan is unable to help. Especially since it sounds like unless your scanner can remove it, all you can do is reformat so you don’t have much to lose.
More information can be found at pcworld.com and BBC News. If you’re a geek like me F-Secure is keeping track of the number of infections and also has a list of domains network admins can block to help prevent this from spreading.
3/31/09: With yet another explosion in news coverage I’m adding a couple more removal tool links from F-Secure. The one linked to above is no longer a beta version. They are all for different variants of this same virus.
Everything in the article is still accurate; the basic behavior hasn’t changed at all. I heard that the security professionals haven’t been able to reverse engineer the virus so they don’t even know what is supposed to happen on April 1st. That leads me to a question: if they haven’t reverse engineered it to figure out exactly what it does, where did the doomsday date of April 1st come from?
We’ve been having problems with this since Vista came out, luckily it’s not a terribly frequent occurrence. A new year has started and we’re seeing it again. We currently have 2 students who cannot connect to our network, they keep getting the unidentified network with a 169.254 IP. We have tried everything we can think of:
- release/renew just times out
- disable/re-enable the NIC
- checked all the TCP/IP settings & checked the LAN settings
- typed netsh interface ipv6 show neighbors into the cmd prompt to see if anybody on campus was broadcasting as a gateway
- I’ve even gone into the registry to disable the broadcast flag. NOTHING HAS WORKED.
- Setting the network type to private instead of public if it’s even set wrong.
I’ve spent hours and hours researching this online but so far have only come up with a couple more things to try. One of which is doing a TCP/IP stack repair and the other just deals with disabling firewalls (windows and otherwise). Has anybody actually found a solution that works? This is driving me insane.
Edit #1: It appears that Norton and possibly McAfee cause some sort of problem. I’m not exactly sure what yet. We’ve tried disabling both programs, but that didn’t work. A student uninstalled Norton and was able to get online. I like those programs less and less the more I work with them.
Edit #2: We came across another one of these and they had some weird Panda anti-virus software; uninstalling it got them online. So if you come across this problem try uninstalling the anti-virus/firewall and see if that fixes it – just disabling them hasn’t worked. I really wish I knew what specifically about those programs caused the problems.
Ever since I updated my version of Firefox, either that or McAfee, I don’t remember, I had this weird problem where the popup blocker option would randomly uncheck itself. It seems like every website now has irritating windows that pop up when you leave their site. I got frustrated with it so I poked around online and found a mozillazine article about it. Apparently McAfee doesn’t like Firefox taking control of the web security type things.
If you disable the popup security option in McAfee then it changes a preference in the user.js file, “dom.disable_open_during_load” to “false”. I didn’t think I needed two programs blocking popups so I went ahead and disabled it in McAfee. I don’t particularly like using McAfee, but it’s free from Comcast, so what the hell?
What’s even worse about this bug is that if you uninstall McAfee that preference is still set to false so it still won’t allow Firefox to block the popups. The article I linked to has directions on how to fix the problem even if you have removed McAfee. At least it’s a simple fix.
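A sketch of that cleanup, as an added example that is not from the mozillazine article, McAfee or Mozilla: it finds active `user_pref` lines that force the preference named above to false and removes them, keeping a backup. Running it on prefs.js as well as user.js is an assumption beyond this post (Firefox saves values it has read from user.js into prefs.js); the function names and the sample file are constructed for illustration.

```python
import re
import shutil
from pathlib import Path

PREF = "dom.disable_open_during_load"   # preference named in the post
# Matches an active (not commented-out) user_pref("name", value); line.
LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')


def split_override(text, pref=PREF, bad_value="false"):
    """Return (kept_text, removed_lines) for a user.js or prefs.js body."""
    kept, removed = [], []
    for line in text.splitlines(keepends=True):
        m = LINE.match(line)
        if m and m.group(1) == pref and m.group(2) == bad_value:
            removed.append(line.strip())
        else:
            kept.append(line)
    return "".join(kept), removed


def clean_file(path):
    """Strip the override from one file, keeping a .bak copy.

    Run with Firefox closed; returns the lines that were removed.
    """
    path = Path(path)
    if not path.is_file():
        return []
    kept, removed = split_override(path.read_text(encoding="utf-8"))
    if removed:
        shutil.copy2(path, path.with_name(path.name + ".bak"))
        path.write_text(kept, encoding="utf-8")
    return removed


# Constructed sample, not taken from a real profile.
SAMPLE = '''// user.js
user_pref("browser.startup.homepage", "about:blank");
user_pref("dom.disable_open_during_load", false);
// user_pref("dom.disable_open_during_load", false);
user_pref("dom.disable_open_during_load", true);
'''

if __name__ == "__main__":
    kept, removed = split_override(SAMPLE)
    print("removed:", removed)
    print(kept, end="")
```

Only the active `false` line is dropped; the commented-out copy and any other preferences are left untouched.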