Notebook Entry: Leftover of Conficker/Downadup/Kido Worm

Another Leftover Story

Talking about virus leftovers, I recently noticed a leftover of the Conficker worm that the virus uses to reinfect systems: scheduled tasks on Windows systems. I have only noticed them on server OSs. They are named ‘At’ followed by a number, usually starting from 1, like At1, At2 … At15, At4098 etc. As files they are named At1.job … At4753.job etc., since .job is the extension for scheduled tasks.

These tasks are used to run the infected DLLs at a particular hour of the day, so if a server has 10 such jobs it means that an attempt to resurrect the Kido virus is made 10 times a day. These jobs try to run DLLs with random file names followed by some random characters; one example would be “rundll32.exe ecaosp.hwo,cpmjb”.

Our antivirus (Kaspersky) doesn’t detect them, mainly because they are not viruses themselves but just a tool to re-enable the virus. McAfee does detect them and cleans them up. The manual cleanup process for these jobs is well documented at http://support.microsoft.com/kb/962007. If a system is infected with Conficker, the jobs are said to reappear a few hours after manual deletion, but I didn’t see this behaviour on my servers, maybe because the servers had all been cleaned up and only the jobs remained as the leftovers.
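As an added example (not code from the original post), the following script applies the pattern described above to the output of `schtasks /query /fo CSV /v`: it flags At<N> tasks whose command is rundll32 with a bare, randomly named file and export, and leaves ordinary administrator AT jobs alone. The CSV sample, the two column names it relies on and the rundll32 regex are assumptions built from the post's single example.

```python
import csv
import io
import re

# Constructed sample of 'schtasks /query /fo CSV /v' output (column names assumed;
# the real listing has more columns, but DictReader keys on the header).
SAMPLE_SCHTASKS_CSV = r'''"HostName","TaskName","Next Run Time","Status","Task To Run"
"SRV01","\At1","10:00:00, 1/1/2009","Ready","rundll32.exe ecaosp.hwo,cpmjb"
"SRV01","\At2","11:00:00, 1/1/2009","Ready","rundll32.exe ecaosp.hwo,cpmjb"
"SRV01","\At15","12:00:00, 1/1/2009","Ready","rundll32.exe ecaosp.hwo,cpmjb"
"SRV01","\Nightly Backup","01:00:00, 1/1/2009","Ready","C:\Scripts\backup.cmd"
"SRV01","\At7","02:00:00, 1/1/2009","Ready","C:\WINDOWS\system32\defrag.exe C:"
'''

# Conficker's re-enabling jobs use the AT-service naming scheme At<number>
# (At1.job ... At4753.job); newer schtasks output prefixes the name with '\'.
AT_JOB_NAME = re.compile(r"^\\?At\d+$", re.IGNORECASE)

# The post's job command is "rundll32.exe ecaosp.hwo,cpmjb": a bare random
# file name, random extension and random export, with no path (assumed pattern).
CONFICKER_RUNDLL = re.compile(
    r"^rundll32(?:\.exe)?\s+([A-Za-z]+\.[A-Za-z]{2,4}),([A-Za-z]+)\s*$", re.IGNORECASE)

def parse_schtasks_csv(text):
    """Parse verbose schtasks CSV output into header-keyed row dicts."""
    return list(csv.DictReader(io.StringIO(text)))

def suspicious_at_jobs(rows):
    """Return At<N> tasks whose command matches the Conficker rundll32 pattern.
    Name alone is not evidence: admins create At<N> jobs with 'at' too, so the
    command line decides (At7 in the sample stays unflagged)."""
    findings = []
    for row in rows:
        name = (row.get("TaskName") or "").strip()
        cmd = (row.get("Task To Run") or "").strip()
        m = CONFICKER_RUNDLL.match(cmd) if AT_JOB_NAME.match(name) else None
        if m:
            findings.append({"task": name.lstrip("\\"), "dll": m.group(1),
                             "export": m.group(2), "command": cmd})
    return findings

def cleanup_commands(findings):
    """schtasks deletions to run once each hit has been reviewed and confirmed."""
    return ['schtasks /delete /tn "%s" /f' % f["task"] for f in findings]

if __name__ == "__main__":
    hits = suspicious_at_jobs(parse_schtasks_csv(SAMPLE_SCHTASKS_CSV))
    print("%d reinfection attempts scheduled per day" % len(hits))  # prints 3
    for h in hits:
        print("%s -> %s,%s" % (h["task"], h["dll"], h["export"]))
```

The hit count is the number of daily resurrection attempts the post describes; the .job files under the Tasks folder carry the same At<N> names if you prefer to check the file system instead.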

This entry was posted in IT Infrastructure.

One Response to Notebook Entry: Leftover of Conficker/Downadup/Kido Worm

  1. Virsingh Rathore says:

    Dear sir,

    It's the kind of article I was really searching for. It helps me to understand the function of virus leftovers on a system/server.

    Thanks for such a nice and helpful post. Hoping for such good ones in future too.
