It's possible to stop Conflicker Virus¿?

Ibersystems · March 20, 2009, 10:14am

Hi all,

we have a costumer with problems in his LAN with this Work. Conflicker infects all the LAN machines using a bug in Windows. Sometimes they format a computer, and during the patching and updating of windows.. the worm infects the PC. You don’t need to access anything.. only stay in the LAN. And the microsoft bugfix isn’t working very well.

It’s possible to stop this worm with any filter rule? Anyone knows it?
I think closing 445/TCP will be 25% of the solution. I need the other 75% : D!

Thanks!

normis · March 20, 2009, 10:15am

first you need to find out how it works, try to find more information about it on the web, see how it connects, what ports it uses, maybe you can identify it’s connections with L7?

Ibersystems · March 20, 2009, 10:36am

I only find the 445/TCP port, but I try to go to my costumer LAN and infect my laptop behind a routeros bridge to know how it works.

Thanks,

normis · March 20, 2009, 10:41am

some good analysis and recommendations:
http://www.symantec.com/security_response/writeup.jsp?docid=2008-112203-2408-99&tabid=2

Ibersystems · March 20, 2009, 11:20am

Very interesting. There is a new version of the worm.. but I block all the things I can read there and if they continue having problems I try to find new worm version “datasheet”.

Thanks Normis!

awolfkiel · March 27, 2009, 12:13am

The link above is obsolete. It refers to Conflicker.A, the current version is Conflicker.C. Symantec calls it W32.Downadup.C.

Here are better symantec links:
http://www.symantec.com/norton/theme.jsp?themeid=conficker_worm
http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-030614-5852-99&tabid=1

BTW: This post comes up as the #1 result for Google: “symantec conflicker virus”

Ibersystems · March 27, 2009, 1:58pm

Hi,

one new article in the WiKi.

http://wiki.mikrotik.com/wiki/Conficker-Virus-Blocking

Helios · March 28, 2009, 12:50pm

script not working in ROS 3.22

#resolve each new line and add to the address list daily-conficker
:if ( [:pick $line 0 1] != “\n” ) do={
:local entry [:pick $line 0 ($lineEnd ) ]
:if ( [:len $entry ] > 0 ) do={
:local listip [:resolve “$entry”]
:if ($listip != “failure” ) do={
/ip firewall address-list add list=daily-conficker address=$listip
:log info “$listip”
}
}
}
} while ($lineEnd < $contentLen)
}

this part code not work

fatslim · May 25, 2009, 12:46pm

for me it does not work too