MS08-067 worms

Nachrichtenbote
Over the last few days, we've received reports of corporate networks getting infected with various variants of MS08-067 worms. These are mostly Downadup/Conficker variants.

The malware uses server-side polymorphism and ACL modification to make network disinfection particularly difficult. A sign of infection is that user accounts get locked out in the Active Directory domain as the worm tries to crack users' passwords using a built-in dictionary. When it fails, it leads to those accounts being locked.

We have detailed information about the malware functionality in our description.

We also have a separate tool available to assist in disinfecting. The tool is available from here.

We also recommend that system administrators block access to web sites used by the malware. The sites keep changing, but the current domains to block are:

We'll update this list as needed. On 06/01/09 At 06:15 PM
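
The account lockouts described above as a sign of infection can be searched for in the domain controllers' Security log. The following is an added example, not part of the original post or the vendor's tooling: it flags any source computer that locks out many distinct accounts within a short window. It assumes lockout events (ID 4740 on Windows Server 2008 and later) were exported to a `timestamp,event_id,account,caller_computer` line format; that layout, the sample data, the host names, the window and the threshold are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "timestamp,event_id,locked_account,caller_computer".
# The column layout is an assumption about how 4740 events were exported.
SAMPLE_LOG = """\
2009-01-06T09:00:05,4740,alice,WKSTN-017
2009-01-06T09:00:41,4740,bob,WKSTN-017
2009-01-06T09:01:10,4740,carol,WKSTN-017
2009-01-06T09:01:12,4624,dave,WKSTN-020
2009-01-06T09:02:30,4740,dave,WKSTN-017
2009-01-06T09:03:02,4740,erin,WKSTN-017
2009-01-06T09:40:00,4740,frank,WKSTN-031
malformed line without enough fields
"""

def parse_lockouts(text):
    """Yield (time, account, source) for well-formed 4740 rows only."""
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 4 or parts[1] != "4740":
            continue
        try:
            when = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
        except ValueError:
            continue
        yield when, parts[2].lower(), parts[3].upper()

def suspicious_sources(text, window=timedelta(minutes=10), min_accounts=5):
    """Return {source: most distinct accounts locked out inside any window}.
    A mistyped password locks one account; a dictionary run locks many."""
    by_source = defaultdict(list)
    for when, account, source in parse_lockouts(text):
        by_source[source].append((when, account))
    flagged = {}
    for source, events in by_source.items():
        events.sort()
        start, best = 0, 0
        for end in range(len(events)):
            # Shrink the window from the left until it spans <= `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {acct for _, acct in events[start:end + 1]}
            best = max(best, len(distinct))
        if best >= min_accounts:
            flagged[source] = best
    return flagged

if __name__ == "__main__":
    print(suspicious_sources(SAMPLE_LOG))
```

A flagged host is a candidate for isolation and scanning, not proof of infection; tune the window and threshold to the domain's lockout policy.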


