Downadup/ Conficker worm versus HIPS

Discussion in 'other anti-malware software' started by aigle, Jan 19, 2009.

Thread Status:
Not open for further replies.
  1. chris2busy

    chris2busy Registered Member

    Joined:
    Jun 14, 2007
    Posts:
    477
    That should be enough...
    Open the SRP console and right-click on the empty board space. Select "New Path Rule" and try something like that.

    As someone here likes to say, it's not pretty the crap to leave the toilet :D
     


  2. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    Wow, I didn't even know we had to manually enter Recycler and the TEMP folders into SRP.

    Quick question though. Chris' above post covers "recycler" what about the "TEMP" folders Kees mentioned? How do we make SRP cover those as well?

    EDIT :

    Hold on a sec, before adding "recycler" to the SRP list, I decided to try copying an executable to the folder and see what happened when I tried to run it:
     


    Last edited: Jan 22, 2009
  3. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Yes,

    But be aware that you can have Windows Update problems; also, a lot of installers won't work.

    But then again, that is exactly what I want, so before updating, switch to the admin account or enter secpol.msc and let the rules not apply for admins.

    I have a test image, for instance, with
    - OA free DUTCH (no pop-up for new programs, remove unknown entries from start up list after re-boot)
    - Avast free DUTCH, only the standard shield with check at write (and blocker warning for executables, delete, rename, format)

    I add this image by setting all Recycler, Temp and Temporary Internet Files folders to not allowed to execute, same as the shared directory for P2P, and have the mail directory tagged as limited.

    With OA free I run all interfacing apps as Run Safer.

    It is a test image and performs pretty decently against threats.
     
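The SRP setup that chris2busy and Kees describe above (path rules set to Disallowed for the Recycler, Temp and Temporary Internet Files folders, with the secpol.msc option of exempting administrators so Windows Update and installers still run), written out as an added PowerShell example. This is not code from any poster in this thread. It assumes the registry layout that secpol.msc itself writes under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers (one {GUID} subkey per rule beneath a subkey named after the security level), an elevated PowerShell session on XP Professional or Vista Business or higher, and a log path of C:\srp.log that I chose for the example; the function names are mine.

```powershell
# Added example, not code from any poster in this thread. Assumes the SRP
# registry layout that secpol.msc writes (rule subkeys per security level:
# 0 = Disallowed, 4096 = Basic User, 262144 = Unrestricted) and an elevated
# PowerShell session on XP Professional / Vista Business or higher.

$Safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

function Set-SrpBaseline {
    param([switch]$ExemptAdministrators)
    if (-not (Test-Path $Safer)) { New-Item -Path $Safer -Force | Out-Null }
    # Default stays Unrestricted: only the explicit path rules below block anything.
    Set-ItemProperty -Path $Safer -Name DefaultLevel       -Value 262144 -Type DWord
    # 1 = check executables but not DLLs; 2 = check every file including DLLs.
    Set-ItemProperty -Path $Safer -Name TransparentEnabled -Value 1      -Type DWord
    # PolicyScope 1 = "All users except local administrators", the secpol.msc
    # setting Kees uses so installers and Windows Update still run as admin.
    $scope = if ($ExemptAdministrators) { 1 } else { 0 }
    Set-ItemProperty -Path $Safer -Name PolicyScope        -Value $scope -Type DWord
    # Advanced logging: one line per SRP decision. C:\srp.log is a path chosen for this example.
    Set-ItemProperty -Path $Safer -Name LogFileName        -Value 'C:\srp.log' -Type String
}

function Add-SrpPathRule {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$Description,
        [ValidateSet('Disallowed', 'BasicUser', 'Unrestricted')][string]$Level = 'Disallowed'
    )
    $levelKey = @{ Disallowed = '0'; BasicUser = '4096'; Unrestricted = '262144' }[$Level]
    $rulesKey = "$Safer\$levelKey\Paths"
    if (-not (Test-Path $rulesKey)) { New-Item -Path $rulesKey -Force | Out-Null }

    # Idempotent: return the existing rule id if this path is already listed.
    # ItemData is REG_EXPAND_SZ, so read it unexpanded to compare like with like.
    foreach ($rule in (Get-ChildItem -Path $rulesKey)) {
        $data = $rule.GetValue('ItemData', $null, 'DoNotExpandEnvironmentNames')
        if ($data -eq $Path) { return $rule.PSChildName }
    }

    $guid = '{' + [guid]::NewGuid().ToString() + '}'
    $ruleKey = New-Item -Path "$rulesKey\$guid" -Force
    New-ItemProperty -Path $ruleKey.PSPath -Name ItemData     -Value $Path        -PropertyType ExpandString | Out-Null
    New-ItemProperty -Path $ruleKey.PSPath -Name Description  -Value $Description -PropertyType String       | Out-Null
    New-ItemProperty -Path $ruleKey.PSPath -Name SaferFlags   -Value 0            -PropertyType DWord        | Out-Null
    New-ItemProperty -Path $ruleKey.PSPath -Name LastModified -Value (Get-Date).ToFileTime() -PropertyType QWord | Out-Null
    return $guid
}

function Get-SrpBlockEvents {
    param([int]$Newest = 20)
    # SRP records blocks in the Application log, source SoftwareRestrictionPolicies:
    # 865 = default level, 866 = path rule, 867 = certificate rule, 868 = zone rule.
    Get-EventLog -LogName Application -Source SoftwareRestrictionPolicies -Newest $Newest -ErrorAction SilentlyContinue |
        Where-Object { 865..868 -contains $_.EventID } |
        Select-Object TimeGenerated, EventID, Message
}

# The folders from Kees's list. Environment variables are expanded in the
# launching user's context; the Cache entry uses SRP's registry-path syntax so
# it resolves to the Temporary Internet Files folder on both XP and Vista.
$blocked = @(
    @{ Path = '%SystemDrive%\RECYCLER';     Description = 'Recycle Bin (XP)' },
    @{ Path = '%SystemDrive%\$Recycle.Bin'; Description = 'Recycle Bin (Vista)' },
    @{ Path = '%TEMP%';                     Description = 'User temp folder' },
    @{ Path = '%SystemRoot%\Temp';          Description = 'System temp folder' },
    @{ Path = '%HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%';
       Description = 'Temporary Internet Files' }
)

Set-SrpBaseline -ExemptAdministrators
foreach ($f in $blocked) {
    $id = Add-SrpPathRule -Path $f.Path -Description $f.Description -Level Disallowed
    Write-Host "Disallowed $($f.Path) -> $id"
}
# Rules apply to processes started after the next logon. Then repeat zopzop's
# check (copy a harmless .exe into one of the folders and run it) and confirm
# the block shows up here and in C:\srp.log:
Get-SrpBlockEvents | Format-Table -AutoSize
```

Two caveats worth keeping in mind when you use this. Path rules built on environment variables such as %TEMP% are only as strong as the variable: SRP expands it for the user who launches the program, and a user can redefine their own variables, so a rule on the literal folder is stricter. And with PolicyScope set to exempt administrators, nothing is blocked for an admin account at all, which is exactly the trade-off Kees describes; run daily work as a limited user and keep the exemption only for updates and installs.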
  4. tlu

    tlu Guest

    Yes, that should be the normal behavior. Adding these folders isn't necessary. If anything can be executed in them with limited rights, something is misconfigured.
     
  5. chris2busy

    chris2busy Registered Member

    Joined:
    Jun 14, 2007
    Posts:
    477
    I know this. tlu is very correct, I just answered a question on how one can do this.
    HOWEVER, for Vista users that have the extra security level "BASIC USER", this way can help them make anti-executable type rules for files, folders, etc.,
    which is VERY cool if you consider that it does exactly what Kees had in mind, e.g. run an admin account without UAC on and have preconfigured which apps will run in LUA without UAC or the need for DropMyRights, etc.
     
  6. tlu

    tlu Guest

    This report is relevant.
     
  7. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Ok, tried it with DW and DW seems to protect against it. Did not check the network part though.

    :thumb: :thumb:

    Anyone can try with:

    PRSC
    Mamutu

    Thanks
     
  8. Creer

    Creer Registered Member

    Joined:
    Jun 29, 2008
    Posts:
    1,345
    Thank you Aigle for your time and tests, good work :thumb:

    cheers
     
  9. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Thanks.

    Still interested in PRSC and Mamutu, though I think both will be bypassed. I don't have a licence for them, otherwise I would have tested already.
     
  10. chris2busy

    chris2busy Registered Member

    Joined:
    Jun 14, 2007
    Posts:
    477
    Last edited: Jan 23, 2009
  11. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Ok, I found a GAOD licence for Mamutu that I did not use. It still has 35 days left. Tried it with the worm.

    Default settings - Mamutu failed.
    Paranoid settings - it gave an alert about rundll32.exe (svchost memory modification); blocking this behaviour, Mamutu passed.
     


  12. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Thanks for that test.

    PARANOID MODE is a very worthy setting and adds more S.M.A.R.T monitoring IMHO, so these latest results are no surprise.

    NASTY WORM INDEED!

    EASTER
     
  13. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    I had a problem with this thing around August or September of last year.
    To be a little more correct, I am still dealing with it. Yeah, I allowed the 16.tmp. So now it's run amok.

    Infected:
    1. Back up image
    2. Micro SD card
    3. Micro SD card

    I used the infected Micro SD to update the BIOS of a computer. The computer has never been connected to the internet or a network.
    Will a wipe be sufficient to clear the worm?
    When I updated the BIOS could the worm have affected that?

    The Back up image alters the CMOS clock after install.
    Will the MSRT be sufficient to clean the reinstalled image if there are no extra tools installed?

    How do I clean the Micro SD cards and keep my files?
    I checked one of the cards and it has 2 partitions. Harddrive1 and Harddrive1 partition 1. I don't know if it is normal for SD cards to have multiple partitions or if this is part of the infection.
     
    Last edited: Jan 23, 2009
  14. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    http://www.f-secure.com/weblog/

    One time I'm glad the USA is not number 1 :)
     
  15. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Has anyone tested Zemana AntiLogger to see if it will block the worm? I know this program is marketed towards blocking logging malware, but I believe it will stop most other categories of malware as well. Someone please test it!
     
  16. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
  17. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Thanks.
     
  18. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    I'm with Chris on this one. OK, the likes of Comodo may give a somewhat generic warning, but the fact is if you've merely inserted a thumb drive and something is attempting to run automatically, that in itself is highly suspicious and worthy of investigation, regardless of whether or not the warning flags up a sometimes benign action.
     
  19. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    6,180
    Is an updated NOD32 enough, or is the Microsoft patch a must?
     
  20. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    Did someone test this with Sandboxie?
     
  21. chris2busy

    chris2busy Registered Member

    Joined:
    Jun 14, 2007
    Posts:
    477
    Yes...it passes.
     
  22. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    From what I could see in this thread, no one has tested Outpost Firewall Pro 2009, have you? Sorry if you have and I totally missed it. I did a quick look at the thread.

    Would anyone be willing to test it?

    I'm not using it at the moment and have no virtual machines up.


    Thanks.
     
  23. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    That's a silly question. Of course a patched system is important!


    Regards
     
  24. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    6,180
    No, I mean there is a patch from Microsoft
    but I can't get it with the regular updates.

    You should download it manually and install it.
     
  25. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Conficker to me is of script kiddie making.

    Take EQS I use for one example: I simply set a rule to monitor any activations of RunDll32 and even loaded the actual exploit; once the alert came up it was as simple as DENY & TERMINATE the file. Case closed, I cut/pasted it off my system drive because it's so lame.

    I'm sure there are other methods to abort it before it can advance itself besides EQS, but that's all it took and it was so stupidly simple.

    There's simply more dangerous malware out there than this ridiculous piece of scriptie fun for them.

    EASTER
     