Interesting reading.

<http://www.f-secure.com/weblog/archives/00001636.html>
-=-

Yes, but it all arrives at the same point: Only journalists are hyping the
April 1st date as something normal folks should watch out for--there's no
need whatsoever. Make sure your machines are clean to the best of your
ability, and sit tight. If something changes, the experts will be able to
spot it.

Nothing ordinary folks, or even normal techies--need worry about at all.


"Ǝиçεl" <(E-Mail Removed)> wrote in message
news:487C1ED5-7779-4E19-B5E5-(E-Mail Removed)...
> Interesting reading.
>
> <http://www.f-secure.com/weblog/archives/00001636.html>
> -=-


--

Bill Sanderson wrote:
> Yes, but it all arrives at the same point: Only journalists are hyping the
> April 1st date as something normal folks should watch out for--there's no
> need whatsoever. Make sure your machines are clean to the best of your
> ability, and sit tight. If something changes, the experts will be able to
> spot it.
>
> Nothing ordinary folks, or even normal techies--need worry about at all.

"Busted! Conficker's tell-tale heart uncovered"

<http://www.theregister.co.uk/2009/03/30/conficker_signature_discovery/>


--
Randy
<http://msmvps.com/blogs/siljaline/default.aspx>

Thanks - that is useful information for anyone with several machines on a
network.

"Randy Knobloch" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Bill Sanderson wrote:
>> Yes, but it all arrives at the same point: Only journalists are hyping
>> the
>> April 1st date as something normal folks should watch out for--there's no
>> need whatsoever. Make sure your machines are clean to the best of your
>> ability, and sit tight. If something changes, the experts will be able
>> to
>> spot it.
>>
>> Nothing ordinary folks, or even normal techies--need worry about at all.
>
> "Busted! Conficker's tell-tale heart uncovered"
>
> <http://www.theregister.co.uk/2009/03/30/conficker_signature_discovery/>
>
>
> --
> Randy
> <http://msmvps.com/blogs/siljaline/default.aspx>
>
>


--

and stay off any web browser on the 1st also
robin

"Bill Sanderson" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Yes, but it all arrives at the same point: Only journalists are hyping
> the April 1st date as something normal folks should watch out for--there's
> no need whatsoever. Make sure your machines are clean to the best of your
> ability, and sit tight. If something changes, the experts will be able to
> spot it.
>
> Nothing ordinary folks, or even normal techies--need worry about at all.
>
>
> "Ǝиçεl" <(E-Mail Removed)> wrote in message
> news:487C1ED5-7779-4E19-B5E5-(E-Mail Removed)...
>> Interesting reading.
>>
>> <http://www.f-secure.com/weblog/archives/00001636.html>
>> -=-
>
>
> --
>
>

So far, I've found one network scanner that I was able to use to scan a
network at work---it is a python script, but a compiled version was
available, so other than working at a command line level, it wasn't hard to
deal with. None of the machines which were turned on at the time were
infected.

Have to try it again during the day.

Google for scs_exe.zip to find it.

Not for the average person yet.

"robinb" <(E-Mail Removed)> wrote in message
news:#(E-Mail Removed)...
> and stay off any web browser on the 1st also
> robin
>
> "Bill Sanderson" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>> Yes, but it all arrives at the same point: Only journalists are hyping
>> the April 1st date as something normal folks should watch out
>> for--there's no need whatsoever. Make sure your machines are clean to
>> the best of your ability, and sit tight. If something changes, the
>> experts will be able to spot it.
>>
>> Nothing ordinary folks, or even normal techies--need worry about at all.
>>
>>
>> "Ǝиçεl" <(E-Mail Removed)> wrote in message
>> news:487C1ED5-7779-4E19-B5E5-(E-Mail Removed)...
>>> Interesting reading.
>>>
>>> <http://www.f-secure.com/weblog/archives/00001636.html>
>>> -=-
>>
>>
>> --
>>
>>


--

Well here we are Bill April 1 and .......... I can post again! Courtesy IE8.
And to think of all the expletives and nasty things a said about MS - still
don`t see the `sign in` link top right but it seems to be working. The guys
at IE8 NG seem to think it relates to a problem with server hosting this
site. Anyways.

I was reading some of the symptoms associated with Conficker and its
variants. Among other things, these include termination of the BITS - WU/MU,
Security Centre services AND Windows Defender. So that should be a visual
clue for many though not all I grant you. If a multi billion empire like MS
would really like to put a price on the heads of these bad guys $250, 000
seems la bit thin on the ground? Like a drop in the ocean? I also read the
MRT will detect and remove it?

Stu


"Bill Sanderson" wrote:

> So far, I've found one network scanner that I was able to use to scan a
> network at work---it is a python script, but a compiled version was
> available, so other than working at a command line level, it wasn't hard to
> deal with. None of the machines which were turned on at the time were
> infected.
>
> Have to try it again during the day.
>
> Google for scs_exe.zip to find it.
>
> Not for the average person yet.
>
> "robinb" <(E-Mail Removed)> wrote in message
> news:#(E-Mail Removed)...
> > and stay off any web browser on the 1st also
> > robin
> >
> > "Bill Sanderson" <(E-Mail Removed)> wrote in message
> > news:(E-Mail Removed)...
> >> Yes, but it all arrives at the same point: Only journalists are hyping
> >> the April 1st date as something normal folks should watch out
> >> for--there's no need whatsoever. Make sure your machines are clean to
> >> the best of your ability, and sit tight. If something changes, the
> >> experts will be able to spot it.
> >>
> >> Nothing ordinary folks, or even normal techies--need worry about at all.
> >>
> >>
> >> "Ǝиçεl" <(E-Mail Removed)> wrote in message
> >> news:487C1ED5-7779-4E19-B5E5-(E-Mail Removed)...
> >>> Interesting reading.
> >>>
> >>> <http://www.f-secure.com/weblog/archives/00001636.html>
> >>> -=-
> >>
> >>
> >> --
> >>
> >>
>
>
> --
>
>
>

I've seen that information, but also some posts saying that its presence may
not have visible symptoms in some cases. There are detection/removal apps
now from a number of reputable vendors, as well as network scanners from EYE
and others. I've used one of these to scan some of the networks I
administer and not found any sign of infected machines.

I have also heard that the MRT targets conficker, but I can't confirm it--I
did look at the MRT site, but didn't spot conficker by name there. I just
happened to hit the site by happenstance and wasn't actively searching, so I
might have missed it.

So far, I've not seen any public statements of any significance about the
anticipated changes in behavior today--I have seen some anecdotal reports
that don't make a lot of sense. Some of the conjectures I've seen--brute
force password hacking, or perhaps some similar form of distributed
computing type decryption activity--might both be very scary, and hard to
detect--because there wouldn't necessarily be a lot of information transfer
to and from the network machines.


"Stu" <(E-Mail Removed)> wrote in message
news:29E2D326-750C-4CA8-95B4-(E-Mail Removed)...
> Well here we are Bill April 1 and .......... I can post again! Courtesy
> IE8.
> And to think of all the expletives and nasty things a said about MS -
> still
> don`t see the `sign in` link top right but it seems to be working. The
> guys
> at IE8 NG seem to think it relates to a problem with server hosting this
> site. Anyways.
>
> I was reading some of the symptoms associated with Conficker and its
> variants. Among other things, these include termination of the BITS -
> WU/MU,
> Security Centre services AND Windows Defender. So that should be a visual
> clue for many though not all I grant you. If a multi billion empire like
> MS
> would really like to put a price on the heads of these bad guys $250, 000
> seems la bit thin on the ground? Like a drop in the ocean? I also read the
> MRT will detect and remove it?
>
> Stu
>
>
> "Bill Sanderson" wrote:
>
>> So far, I've found one network scanner that I was able to use to scan a
>> network at work---it is a python script, but a compiled version was
>> available, so other than working at a command line level, it wasn't hard
>> to
>> deal with. None of the machines which were turned on at the time were
>> infected.
>>
>> Have to try it again during the day.
>>
>> Google for scs_exe.zip to find it.
>>
>> Not for the average person yet.
>>
>> "robinb" <(E-Mail Removed)> wrote in message
>> news:#(E-Mail Removed)...
>> > and stay off any web browser on the 1st also
>> > robin
>> >
>> > "Bill Sanderson" <(E-Mail Removed)> wrote in message
>> > news:(E-Mail Removed)...
>> >> Yes, but it all arrives at the same point: Only journalists are
>> >> hyping
>> >> the April 1st date as something normal folks should watch out
>> >> for--there's no need whatsoever. Make sure your machines are clean to
>> >> the best of your ability, and sit tight. If something changes, the
>> >> experts will be able to spot it.
>> >>
>> >> Nothing ordinary folks, or even normal techies--need worry about at
>> >> all.
>> >>
>> >>
>> >> "Ǝиçεl" <(E-Mail Removed)> wrote in message
>> >> news:487C1ED5-7779-4E19-B5E5-(E-Mail Removed)...
>> >>> Interesting reading.
>> >>>
>> >>> <http://www.f-secure.com/weblog/archives/00001636.html>
>> >>> -=-
>> >>
>> >>
>> >> --
>> >>
>> >>
>>
>>
>> --
>>
>>
>>


--

Hi Bill and Stu and All IT's

Families Cleaned by the Malicious Software Removal Tool
<http://www.microsoft.com/security/malwareremove/families.mspx>
January 13, 2009

Virus alert about the Win32/Conficker.B worm
<http://support.microsoft.com/kb/962007>
March 6, 2009 -

Protect yourself from the Conficker computer worm
<http://www.microsoft.com/protect/computer/viruses/worms/conficker.mspx>
March 27, 2009
-=-



"Bill Sanderson" wrote:

> I've seen that information, but also some posts saying that its presence may
> not have visible symptoms in some cases. There are detection/removal apps
> now from a number of reputable vendors, as well as network scanners from EYE
> and others. I've used one of these to scan some of the networks I
> administer and not found any sign of infected machines.
>
> I have also heard that the MRT targets conficker, but I can't confirm it--I
> did look at the MRT site, but didn't spot conficker by name there. I just
> happened to hit the site by happenstance and wasn't actively searching, so I
> might have missed it.
>
> So far, I've not seen any public statements of any significance about the
> anticipated changes in behavior today--I have seen some anecdotal reports
> that don't make a lot of sense. Some of the conjectures I've seen--brute
> force password hacking, or perhaps some similar form of distributed
> computing type decryption activity--might both be very scary, and hard to
> detect--because there wouldn't necessarily be a lot of information transfer
> to and from the network machines.
>
>
> "Stu" <(E-Mail Removed)> wrote in message
> news:29E2D326-750C-4CA8-95B4-(E-Mail Removed)...
> > Well here we are Bill April 1 and .......... I can post again! Courtesy
> > IE8.
> > And to think of all the expletives and nasty things a said about MS -
> > still
> > don`t see the `sign in` link top right but it seems to be working. The
> > guys
> > at IE8 NG seem to think it relates to a problem with server hosting this
> > site. Anyways.
> >
> > I was reading some of the symptoms associated with Conficker and its
> > variants. Among other things, these include termination of the BITS -
> > WU/MU,
> > Security Centre services AND Windows Defender. So that should be a visual
> > clue for many though not all I grant you. If a multi billion empire like
> > MS
> > would really like to put a price on the heads of these bad guys $250, 000
> > seems la bit thin on the ground? Like a drop in the ocean? I also read the
> > MRT will detect and remove it?
> >
> > Stu
> >
> >
> > "Bill Sanderson" wrote:
> >
> >> So far, I've found one network scanner that I was able to use to scan a
> >> network at work---it is a python script, but a compiled version was
> >> available, so other than working at a command line level, it wasn't hard
> >> to
> >> deal with. None of the machines which were turned on at the time were
> >> infected.
> >>
> >> Have to try it again during the day.
> >>
> >> Google for scs_exe.zip to find it.
> >>
> >> Not for the average person yet.
> >>
> >> "robinb" <(E-Mail Removed)> wrote in message
> >> news:#(E-Mail Removed)...
> >> > and stay off any web browser on the 1st also
> >> > robin
> >> >
> >> > "Bill Sanderson" <(E-Mail Removed)> wrote in message
> >> > news:(E-Mail Removed)...
> >> >> Yes, but it all arrives at the same point: Only journalists are
> >> >> hyping
> >> >> the April 1st date as something normal folks should watch out
> >> >> for--there's no need whatsoever. Make sure your machines are clean to
> >> >> the best of your ability, and sit tight. If something changes, the
> >> >> experts will be able to spot it.
> >> >>
> >> >> Nothing ordinary folks, or even normal techies--need worry about at
> >> >> all.
> >> >>
> >> >>
> >> >> "Ǝиçεl" <(E-Mail Removed)> wrote in message
> >> >> news:487C1ED5-7779-4E19-B5E5-(E-Mail Removed)...
> >> >>> Interesting reading.
> >> >>>
> >> >>> <http://www.f-secure.com/weblog/archives/00001636.html>
> >> >>> -=-
> >> >>
> >> >>
> >> >> --
> >> >>
> >> >>
> >>
> >>
> >> --
> >>
> >>
> >>
>
>
> --
>
>
>

I did read somewhere that Symantec might have speculated the April 1 thing
might have been a `red herring` designed to give a false sense of security
(since nothing appears to have happened) thus leading to a lowering of
defenses while perhaps another variant operates under the radar so to speak.
In view of the publicity it has received I wouldn`t have thought that likely
but on the other hand there are a lot of unsuspecting soles out there as the
degree of infection has shown. I thought this link is a good illustration of
how the Autorun infection works - I like pictures cos they can speak a
thousand words.

http://isc.sans.org/diary.html?storyid=5695

Stu

"Ǝиçεl" wrote:

> Hi Bill and Stu and All IT's
>
> Families Cleaned by the Malicious Software Removal Tool
> <http://www.microsoft.com/security/malwareremove/families.mspx>
> January 13, 2009
>
> Virus alert about the Win32/Conficker.B worm
> <http://support.microsoft.com/kb/962007>
> March 6, 2009 -
>
> Protect yourself from the Conficker computer worm
> <http://www.microsoft.com/protect/computer/viruses/worms/conficker.mspx>
> March 27, 2009
> -=-
>
>
>
> "Bill Sanderson" wrote:
>
> > I've seen that information, but also some posts saying that its presence may
> > not have visible symptoms in some cases. There are detection/removal apps
> > now from a number of reputable vendors, as well as network scanners from EYE
> > and others. I've used one of these to scan some of the networks I
> > administer and not found any sign of infected machines.
> >
> > I have also heard that the MRT targets conficker, but I can't confirm it--I
> > did look at the MRT site, but didn't spot conficker by name there. I just
> > happened to hit the site by happenstance and wasn't actively searching, so I
> > might have missed it.
> >
> > So far, I've not seen any public statements of any significance about the
> > anticipated changes in behavior today--I have seen some anecdotal reports
> > that don't make a lot of sense. Some of the conjectures I've seen--brute
> > force password hacking, or perhaps some similar form of distributed
> > computing type decryption activity--might both be very scary, and hard to
> > detect--because there wouldn't necessarily be a lot of information transfer
> > to and from the network machines.
> >
> >
> > "Stu" <(E-Mail Removed)> wrote in message
> > news:29E2D326-750C-4CA8-95B4-(E-Mail Removed)...
> > > Well here we are Bill April 1 and .......... I can post again! Courtesy
> > > IE8.
> > > And to think of all the expletives and nasty things a said about MS -
> > > still
> > > don`t see the `sign in` link top right but it seems to be working. The
> > > guys
> > > at IE8 NG seem to think it relates to a problem with server hosting this
> > > site. Anyways.
> > >
> > > I was reading some of the symptoms associated with Conficker and its
> > > variants. Among other things, these include termination of the BITS -
> > > WU/MU,
> > > Security Centre services AND Windows Defender. So that should be a visual
> > > clue for many though not all I grant you. If a multi billion empire like
> > > MS
> > > would really like to put a price on the heads of these bad guys $250, 000
> > > seems la bit thin on the ground? Like a drop in the ocean? I also read the
> > > MRT will detect and remove it?
> > >
> > > Stu
> > >
> > >
> > > "Bill Sanderson" wrote:
> > >
> > >> So far, I've found one network scanner that I was able to use to scan a
> > >> network at work---it is a python script, but a compiled version was
> > >> available, so other than working at a command line level, it wasn't hard
> > >> to
> > >> deal with. None of the machines which were turned on at the time were
> > >> infected.
> > >>
> > >> Have to try it again during the day.
> > >>
> > >> Google for scs_exe.zip to find it.
> > >>
> > >> Not for the average person yet.
> > >>
> > >> "robinb" <(E-Mail Removed)> wrote in message
> > >> news:#(E-Mail Removed)...
> > >> > and stay off any web browser on the 1st also
> > >> > robin
> > >> >
> > >> > "Bill Sanderson" <(E-Mail Removed)> wrote in message
> > >> > news:(E-Mail Removed)...
> > >> >> Yes, but it all arrives at the same point: Only journalists are
> > >> >> hyping
> > >> >> the April 1st date as something normal folks should watch out
> > >> >> for--there's no need whatsoever. Make sure your machines are clean to
> > >> >> the best of your ability, and sit tight. If something changes, the
> > >> >> experts will be able to spot it.
> > >> >>
> > >> >> Nothing ordinary folks, or even normal techies--need worry about at
> > >> >> all.
> > >> >>
> > >> >>
> > >> >> "Ǝиçεl" <(E-Mail Removed)> wrote in message
> > >> >> news:487C1ED5-7779-4E19-B5E5-(E-Mail Removed)...
> > >> >>> Interesting reading.
> > >> >>>
> > >> >>> <http://www.f-secure.com/weblog/archives/00001636.html>
> > >> >>> -=-
> > >> >>
> > >> >>
> > >> >> --
> > >> >>
> > >> >>
> > >>
> > >>
> > >> --
> > >>
> > >>
> > >>
> >
> >
> > --
> >
> >
> >