Update: Microsoft updates free tool to remove persistent worm

January 14, 2009

Microsoft has updated its free protection tool to remove a persistent worm that is targeting a now-patched but severe vulnerability that affects several server products.

The latest update to the Malicious Software Removal Tool (MSRT) can now remove infections of Conficker, a worm that infects a server and then tries to download other malicious software, according to a company blog.

Conficker targets a flaw in Windows Server Service. Microsoft thought the flaw was so severe that it issued an out-of-cycle patch on Oct. 23 for Windows 2000, XP, Vista, Server 2003 and Server 2008.

Microsoft has observed a new variant of the worm, called Win32/Conficker.B, that has been infecting servers. Systems become infected when an attacker sends a malicious Remote Procedure Call (RPC) to an unpatched server, which then allows arbitrary code to run on the machine.

Conficker.B uses other methods to spread, including trying to copy itself to other shared network machines by guessing passwords, wrote Cristian Craioveanu and Ziv Mador, on the Microsoft Malware Protection Center blog. It can additionally spread via removable media.

Conficker uses several tricks to avoid detection. It uses a technique called polymorphism, a mechanism that can use compression and encryption to make the code appear different to antivirus software and harder to detect. It also hides its files and changes key access rights, Microsoft said.

The outbreak of Conficker.B is mostly affecting customers who are running large networks. Countries with affected systems include the U.S., Mexico, France, Spain, Canada, Italy, Brazil, South Korea, Germany, Malaysia and the Czech Republic, Microsoft said.

The company's MSRT is a basic safety tool that scans a PC and can remove some malicious software. It is far short of a full antivirus suite, but Microsoft has invested in supporting the tool to help remove some of the most widespread and persistent malicious software affecting Windows PCs and servers.

The company is recommending that administrators strengthen the passwords for network shares and then run an MSRT scan.

Infected computers, however, may not be able to access Windows Update, the built-in update tool for Windows. Microsoft has given instructions for downloading the MSRT on a clean machine and then distributing it to the infected ones.

Many companies across Europe have seen Conficker spread rapidly on their networks over the last few weeks, said Mikko Hypponen, chief research officer for the Finnish security company F-Secure.

F-Secure has analyzed the malware and found it contains an algorithm that generates domain names for command-and-control servers. The malware authors can then turn one of those domain names into a live Web site to which the infected PCs report for updated malware or instructions, he said.

The technique has been used by other botnets, such as Mebroot. It is very difficult to shut down the command-and-control Web sites, since it is hard to know which of the hundreds of candidate domains could go live, Hypponen said.

"It's a pretty nasty mechanism," Hypponen said.

F-Secure has registered some of the domain names generated by the algorithm to try to estimate how many computers may be infected. On Tuesday, the number stood at more than 2.5 million. On Wednesday, Hypponen said F-Secure had seen more than 3.5 million machines polling the registered domain names for instructions. But F-Secure analysts think the real number of infected machines could be much higher.
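The two mechanisms described above, a date-seeded domain generation algorithm and the sinkhole-based estimate of the infected population, can be shown together from the defender's side. The following is an added example, not code from the article, from F-Secure or from Microsoft; the domain generator is a hypothetical stand-in (a SHA-256 of the date and an index) and is not Conficker's real algorithm, and the resolver log lines are constructed. It shows why the count of hosts polling registered names is a lower bound: a host that happens to query only names nobody registered never shows up in the sinkhole.

```python
import hashlib
import string
from datetime import date

# Hypothetical, date-seeded domain generation (NOT Conficker's real algorithm).
# Because every infected host derives the same list from the same date, a
# defender who has the algorithm can compute tomorrow's names today and
# register (sinkhole) some of them before the operators do.
TLDS = ("com", "net", "org")
LETTERS = string.ascii_lowercase
SAMPLE_DAY = date(2009, 1, 13)  # constructed date for the sample run


def hypothetical_dga(day, count=250):
    """Return `count` deterministic candidate domains for `day`."""
    names = []
    for i in range(count):
        digest = hashlib.sha256(f"{day.isoformat()}:{i}".encode()).digest()
        label = "".join(LETTERS[b % 26] for b in digest[:8])
        names.append(f"{label}.{TLDS[digest[8] % len(TLDS)]}")
    return names


def parse_query_log(lines):
    """Yield (src_ip, qname) from constructed resolver log lines shaped as
    '<timestamp> <src_ip> <qname>'; malformed lines are skipped."""
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        # Normalise the trailing dot and case that resolver logs often carry.
        yield parts[1], parts[2].rstrip(".").lower()


def estimate_infected(lines, sinkholed):
    """Count distinct source IPs that queried any sinkholed name.

    Returns (total_unique_hosts, {domain: unique_hosts}). Repeated polls by
    one host count once; hosts that only query unregistered names are invisible,
    so the total is a lower bound on the infected population.
    """
    sinkholed = {d.lower() for d in sinkholed}
    seen_total = set()
    per_domain = {d: set() for d in sinkholed}
    for src, qname in parse_query_log(lines):
        if qname in sinkholed:
            seen_total.add(src)
            per_domain[qname].add(src)
    return len(seen_total), {d: len(s) for d, s in per_domain.items()}


def build_sample_log(domains):
    """Constructed resolver log: four infected hosts, of which only three touch
    a sinkholed name, plus a repeat poll, a trailing dot, noise and garbage."""
    a, b, c = domains[0], domains[1], domains[5]  # only a and b get registered
    return [
        f"2009-01-14T08:00:01 10.0.0.5 {a}",
        f"2009-01-14T08:00:02 10.0.0.5 {a}",  # same host polling again
        f"2009-01-14T08:00:03 10.0.0.7 {b}",
        f"2009-01-14T08:00:04 10.0.0.9 {a}.",  # trailing dot as in BIND logs
        f"2009-01-14T08:00:05 10.0.0.11 {c}",  # unregistered name: not counted
        "2009-01-14T08:00:06 10.0.0.9 www.example.com",
        "garbage line",
    ]


if __name__ == "__main__":
    domains = hypothetical_dga(SAMPLE_DAY)
    registered = domains[:2]  # the names the defender managed to register
    total, per_domain = estimate_infected(build_sample_log(domains), registered)
    print(f"{total} distinct hosts polled the sinkholed names: {per_domain}")
```

The same `parse_query_log` loop, run against an organisation's own resolver logs with the day's generated names as the match set, is the detection side of the picture: an internal host resolving names from that list has no legitimate reason to do so.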

Other than infecting computers, Hypponen said F-Secure hasn't seen other malicious activity from Conficker.B's network of computers. However, those machines form a massive botnet that could be used for other havoc.

An earlier version of Conficker tampered with a PC's DNS (Domain Name System) settings. That can cause a computer to visit a different Web site than the one shown in the browser's address bar.

Hypponen said that in those instances, Conficker redirected users from Google.com to Russian Web sites stuffed with advertisements. The tampering also caused advertising pop-ups to appear. In both cases, Conficker's controllers could be driving large volumes of traffic to those advertisements in order to generate fraudulent revenue, he said.

F-Secure also reverse-engineered the malware and created its own tool for removing Conficker, which F-Secure has dubbed "Downadup."

[Source] Mobiledia
