Conflicker, Downup, Downadup, Kido Spreading – Removal – Virus Alert!

Posted on January 25, 2009 by
14 commentsLeave a comment

The virus known as Conflicker, Downup, Downadup, and Kido is on the rise.  This is a nasty virus that not only will infect your PC but your USB devices.

It spreads itself primarily through a buffer overflow vulnerability in the Server Service on Windows computers.  It starts by trying to infect machines connected local to the infected machine.  This has been patched by Microsoft see Microsoft Security Bulletin MS08-067.

Because of the way this virus spreads, it significantly slows down network access.  Not just for you but other machines that are located on your network.  This may be the only way you will know that you have the virus to begin with.

Nerdology

The most complete information for this virus I have found is at VirusList.Com http://www.viruslist.com/en/viruses/encyclopedia?virusid=21782749

Clean Up:

I have successfully cleaned this worm by doing the following, download Malwarebytes Anti Malware software and rename it when the save dialog box appears.  If you save it as the original name mbam-setup.exe on the infected machine it will be deleted and or disabled.  Reboot the computer into Safe Mode with NO Networking.  This is done by pressing F8 while the machine is booting.  Install and run a full scan with Malwarebytes’ Anti Malware.  It will take a while to run, once completed remove all the infected files and reboot the machine.  Reboot again into safe mode and rerun this processes again.  Continue until it comes back clean.  Only then do you need to reboot into regular mode.

<EDIT BY ZERO>

Here is a list of domains associated with the Asprox botnet that is responsible for this virus:

http://www.f-secure.com/weblog/archives/downadup_domain_blocklist_17_31.txt

</END EDIT>

Here’s a bit of a hint on password policy and use, the following is the passwords used by this Virus. Check if yours is in here if it is please SMACK yourself…

00
000
0000
00000
0000000
00000000
0987654321
1
11
111
1111
11111
111111
1111111
11111111
12
123
123123
12321
123321
1234
12345
123456
1234567
12345678
123456789
1234567890
1234abcd
1234qwer
123abc
123asd
123qwe
1q2w3e
2
21
22
222
2222
22222
222222
2222222
22222222
3
321
33
333
3333
33333
333333
3333333
33333333
4
4321
44
444
4444
44444
444444
4444444
44444444
5
54321
55
555
5555
55555
555555
5555555
55555555
6
654321
66
666
6666
66666
666666
6666666
66666666
7
7654321
77
777
7777
77777
777777
7777777
77777777
8
87654321
88
888
8888
88888
888888
8888888
88888888
9
987654321
99
999
9999
99999
999999
9999999
99999999
a1b2c3
aaa
aaaa
aaaaa
abc123
academia
access
account
admin
Admin
admin1
admin12
admin123
adminadmin
administrator
anything
asddsa
asdfgh
asdsa
asdzxc
backup
boss123
business
campus
changeme
cluster
codename
codeword
coffee
computer
controller
cookie
customer
database
default
desktop
domain
example
exchange
explorer
file
files
foo
foobar
foofoo
forever
freedom
fuck
games
home
home123
ihavenopass
internet
Internet
intranet
job
killer
letitbe
letmein
login
Login
lotus
love123
manager
market
money
monitor
mypass
mypassword
mypc123
nimda
nobody
nopass
nopassword
nothing
office
oracle
owner
pass
pass1
pass12
pass123
passwd
password
Password
password1
password12
password123
private
public
pw123
q1w2e3
qazwsx
qazwsxedc
qqq
qqqq
qqqqq
qwe123
qweasd
qweasdzxc
qweewq
qwerty
qwewq
root
root123
rootroot
sample
secret
secure
security
server
shadow
share
sql
student
super
superuser
supervisor
system
temp
temp123
temporary
temptemp
test
test123
testtest
unknown
web
windows
work
work123
xxx
xxxx
xxxxx
zxccxz
zxcvb
zxcvbn
zxcxz
zzz
zzzz
zzzzz

Its related:
Categories: Nerdology | Tags: alert virus, Microsoft, virus, Virus Alert
Notice: This work is licensed under a BY-NC-SA. Permalink: Conflicker, Downup, Downadup, Kido Spreading – Removal – Virus Alert!
  • ruby

    Hi,
    I think my computer is infected with these viruses.
    However, they stopped me from getting to any website which provides the online scanning…..(including those websites you mentioned above)
    What would you suggest to do with these viruses?
    Thank you very much for your time.
    Best wishes,
    ruby

    • http://www.zerosource.org/ zerolove

      Hey Ruby,
      I recommend going to local store, like walmart even and purchasing a USB jump drive, you can purchase a small cheap one. Use a friends computer to download MalwareBytes AntiMalware free edition. Put it on the jump drive but rename it to something else, like test.exe. Use this to run on your machine and clean. Let me know if this helps.

      Zero

  • ruby

    Hi,
    I think my computer is infected with these viruses.
    However, they stopped me from getting to any website which provides the online scanning…..(including those websites you mentioned above)
    What would you suggest to do with these viruses?
    Thank you very much for your time.
    Best wishes,
    ruby

    • http://www.zerosource.org/ zerolove

      Hey Ruby,
      I recommend going to local store, like walmart even and purchasing a USB jump drive, you can purchase a small cheap one. Use a friends computer to download MalwareBytes AntiMalware free edition. Put it on the jump drive but rename it to something else, like test.exe. Use this to run on your machine and clean. Let me know if this helps.

      Zero

  • Ann

    Hi Zero,

    I’ve read your recommendation for ruby and i think you can help me with the same virus problem. Im working in a bank and most of the files that our branches need is sent/downloaded via network, till this month it become an outbreak in our company with this virus named conflicker.exe ..it started to prompt in our servers “buffer overflow” then triggers our network to goes UP and DOWN..and stops the RPC services that gives our network and system a mess..actually we already tried to use some kido remover and regular scanning but still our network is not stable and i think its because of the virus..

    What can you suggest to do with these virus? (for domain users, in one network group)

    Thank you very much for your time.
    God Bless..

    Ann

    • http://www.zerosource.org/ zerolove

      With a network outbreak you have to isolate the systems that are infected from the rest of the network. Once this is done, make sure your patches are all updated on the un infected machines. The Flaw that this virus uses was patched by Microsoft in October 2008. With the rest of the network patched and updated, then you want to take the infected machines and run Malwarebytes against. You will need to run it complete scan till it comes back clean. Do this in safemode. In reality with a banking system, I would recommend a wipe of the systems and a reinstall simply because no virus scanner is guaranteed to get everything. I recommend a re install over a virus scanner clean up even for home uses, but even more so for Corporate Networks.

      Zero

  • Ann

    Hi Zero,

    I’ve read your recommendation for ruby and i think you can help me with the same virus problem. Im working in a bank and most of the files that our branches need is sent/downloaded via network, till this month it become an outbreak in our company with this virus named conflicker.exe ..it started to prompt in our servers “buffer overflow” then triggers our network to goes UP and DOWN..and stops the RPC services that gives our network and system a mess..actually we already tried to use some kido remover and regular scanning but still our network is not stable and i think its because of the virus..

    What can you suggest to do with these virus? (for domain users, in one network group)

    Thank you very much for your time.
    God Bless..

    Ann

    • http://www.zerosource.org/ zerolove

      With a network outbreak you have to isolate the systems that are infected from the rest of the network. Once this is done, make sure your patches are all updated on the un infected machines. The Flaw that this virus uses was patched by Microsoft in October 2008. With the rest of the network patched and updated, then you want to take the infected machines and run Malwarebytes against. You will need to run it complete scan till it comes back clean. Do this in safemode. In reality with a banking system, I would recommend a wipe of the systems and a reinstall simply because no virus scanner is guaranteed to get everything. I recommend a re install over a virus scanner clean up even for home uses, but even more so for Corporate Networks.

      Zero

  • terry morris

    Rubbish, all and every bit of advice you gave these poor woman. Total BS. Avira, is suppose to be the top notch bug cleaner, nix to that, full scan on my set and zero, it said I have no Viruses?. The hell I don’t. That’s the 30 anti-virus program I have tried. Microsoft wrote this virus, and Microsoft is the only ones who can get rid of it?. If you own your PC and all that is within, paid for in cash, as was in my case. Because Vista is weak, and let’s in viruses I have reloaded it 8 or more times. I Have to register it, and Pay again, for something I own?. Millions of folk like me refuse to let MS double dip, and rip us off. Because I haven’t Microsoft have used the Md5 cryptic what’s it’s name, thingie. part of Vista, to make my set nearly useless. Downadup neally ended me….
    But someone soon will help I hope, with a sensible answer…

    • Anonymous

      It is
      too esoteric, how can I do to learn?

  • terry morris

    Rubbish, all and every bit of advice you gave these poor woman. Total BS. Avira, is suppose to be the top notch bug cleaner, nix to that, full scan on my set and zero, it said I have no Viruses?. The hell I don’t. That’s the 30 anti-virus program I have tried. Microsoft wrote this virus, and Microsoft is the only ones who can get rid of it?. If you own your PC and all that is within, paid for in cash, as was in my case. Because Vista is weak, and let’s in viruses I have reloaded it 8 or more times. I Have to register it, and Pay again, for something I own?. Millions of folk like me refuse to let MS double dip, and rip us off. Because I haven’t Microsoft have used the Md5 cryptic what’s it’s name, thingie. part of Vista, to make my set nearly useless. Downadup neally ended me….
    But someone soon will help I hope, with a sensible answer…

  • jonathan

    zero,

    I have my internet cafe here in philippines I think I have
    the same problem with the rest here. We already have reformat
    all the computers in our cafe but still I have encounter problems
    like internet connections often disconnects and local network hardly connects. What could you suggest with my problem

    Thank You So Much Hope You Could Reply ASAP

    God Bless…

  • jonathan

    zero,

    I have my internet cafe here in philippines I think I have
    the same problem with the rest here. We already have reformat
    all the computers in our cafe but still I have encounter problems
    like internet connections often disconnects and local network hardly connects. What could you suggest with my problem

    Thank You So Much Hope You Could Reply ASAP

    God Bless…

  • Anonymous

    Computer virus is terrible ,I hate them.